RFC 5909: Securing Neighbor Discovery Proxy Problem Statement


Internet Engineering Task Force (IETF)                       J-M. Combes
Request for Comments: 5909                         France Telecom Orange
Category: Informational                                      S. Krishnan
ISSN: 2070-1721                                                 Ericsson
                                                                G. Daley
                                                       Netstar Logicalis
                                                               July 2010

          Securing Neighbor Discovery Proxy: Problem Statement

Abstract

Neighbor Discovery Proxies are used to provide an address presence on a link for nodes that are no longer present on the link. They allow a node to receive packets directed at its address by allowing another device to perform Neighbor Discovery operations on its behalf.

Neighbor Discovery Proxy is used in Mobile IPv6 and related protocols to provide reachability from nodes on the home network when a Mobile Node is not at home, by allowing the Home Agent to act as proxy. It is also used as a mechanism to allow a global prefix to span multiple links, where proxies act as relays for Neighbor Discovery messages.

Neighbor Discovery Proxy currently cannot be secured using Secure Neighbor Discovery (SEND). Today, SEND assumes that a node advertising an address is the address owner and in possession of appropriate public and private keys for that node. This document describes how existing practice for proxy Neighbor Discovery relates to SEND.

Status of This Memo

This document is not an Internet Standards Track specification; it is published for informational purposes.

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc5909.

Combes, et al. Informational [Page 1]

Copyright Notice

Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.


Table of Contents

1. Introduction
2. Scenarios
   2.1. IPv6 Mobile Nodes and Neighbor Discovery Proxy
   2.2. IPv6 Fixed Nodes and Neighbor Discovery Proxy
   2.3. Bridge-Like ND Proxies
3. Proxy Neighbor Discovery and SEND
   3.1. CGA Signatures and Proxy Neighbor Discovery
   3.2. Non-CGA Signatures and Proxy Neighbor Discovery
   3.3. Securing Proxy DAD
   3.4. Securing Router Advertisements
4. Potential Approaches to Securing Proxy ND
   4.1. Secured Proxy ND and Mobile IPv6
        4.1.1. Mobile IPv6 and Router-Based Authorization
        4.1.2. Mobile IPv6 and Per-Address Authorization
        4.1.3. Cryptographic-Based Solutions
        4.1.4. Solution Based on the 'Point-to-Point' Link Model
   4.2. Secured Proxy ND and Bridge-Like Proxies
        4.2.1. Authorization Delegation
        4.2.2. Unauthorized Routers and Proxies
        4.2.3. Multiple Proxy Spans
        4.2.4. Routing Infrastructure Delegation
        4.2.5. Local Delegation
        4.2.6. Host Delegation of Trust to Proxies
   4.3. Proxying Unsecured Addresses
5. Two or More Nodes Defending the Same Address
6. Security Considerations
   6.1. Router Trust Assumption
   6.2. Certificate Transport
   6.3. Timekeeping
7. Acknowledgments
8. References
   8.1. Normative References
   8.2. Informative References

1. Introduction

Neighbor Discovery Proxy is defined in IPv6 Neighbor Discovery [RFC4861]. It is used in networks where a prefix has to span multiple links [RFC4389] but also in Mobile IPv6 [RFC3775] (and so in Mobile-IPv6-based protocols like Network Mobility (NEMO) [RFC3963], Fast Handovers for Mobile IPv6 (FMIPv6) [RFC5568], or Hierarchical Mobile IPv6 (HMIPv6) [RFC5380]) and in the Internet Key Exchange Protocol (IKE) version 2 (IKEv2) [RFC4306]. It allows a device that is not physically present on a link to have another advertise its presence, and forward packets to the off-link device.


Neighbor Discovery Proxy relies upon another device, the proxy, to monitor for Neighbor Solicitations (NSs), and answer with Neighbor Advertisements (NAs). These proxy Neighbor Advertisements direct data traffic through the proxy. Proxied traffic is then forwarded to the end destination.

2. Scenarios

This section describes the different scenarios where the interaction between Secure Neighbor Discovery (SEND) and ND Proxy raises issues.

2.1. IPv6 Mobile Nodes and Neighbor Discovery Proxy

The goal of IPv6 mobility is to allow nodes to remain reachable while moving around in the IPv6 Internet. The following text is focused on Mobile IPv6 but the issue raised by the interaction between SEND and ND Proxy may be the same with Mobile IPv6 based protocols (e.g., NEMO, HMIPv6).

For Mobile IPv6 Mobile Nodes (MNs), it is necessary to keep existing sessions going or to allow new sessions even when one leaves the home network.

In order to continue existing sessions, when nodes are present on the home link, the Proxy (i.e., the Home Agent in Mobile IPv6) sends an unsolicited NA to the all-nodes multicast address on the home link as specified in [RFC3775].

For new sessions, the Proxy, which listens to the MN's address, responds with a Neighbor Advertisement that originates at its own IPv6 address and has the proxy's address as the Target Link-Layer Address, but contains the absent mobile in the Target Address field of the Neighbor Advertisement. In this case, SEND cannot be applied because the address in the Target Address field is not the same as the one in the Source Address field of the IP header.

As seen in Figure 1, solicitors send a multicast solicitation to the solicited nodes multicast address (based on the unicast address) of the absent node (a mobile node that is away from the home link).

   Absent Mobile         Proxy               Solicitor

                                    NS:SL3=S,DL3=Sol(A),TA=A
                         +-----+       SL2=s,DL2=sol(a),SLL=s
                         |     |<================
                         |     |
                         |     |================>
                         +-----+    NA:SL3=P,DL3=S,TA=A,
                                       SL2=p,DL2=s,TLL=p

   Legend:
    SL3: Source IPv6 Address              NS: Neighbor Solicitation
    DL3: Destination IPv6 Address         NA: Neighbor Advertisement
    SL2: Source Link-Layer Address        RS: Router Solicitation
    DL2: Destination Link-Layer Address   RA: Router Advertisement
    TA: Target Address
    SLL/TLL: Source/Target Link-Layer Address Option

                               Figure 1

While at home, if the MN has configured Cryptographically Generated Addresses (CGAs) [RFC3972], it can secure establishment by its on-link neighbors of Neighbor Cache Entries (NCEs) for its CGAs by using SEND [RFC3971]. SEND security requires a node sending Neighbor Advertisements for a given address to be in possession of the public/private key pair that generated the address.

When an MN moves away from the home link, a proxy has to undertake Neighbor Discovery signaling on behalf of the MN. In Mobile IPv6, the role of the proxy is undertaken by the Home Agent. While the Home Agent has a security association with the MN, it does not have access to the public/private key pair used to generate the MN's CGA. Thus, the Home Agent acting as an ND proxy cannot use SEND for the address it is proxying [RFC3971].

When an MN moves from the home network to a visited network, the proxy will have to override the MN's existing Neighbor Cache Entries that are flagged as secure [RFC3971]. This is needed for the Home Agent to intercept traffic sent on-link to the MN that would otherwise be sent to the MN's link-layer address.

With the current SEND specification, any solicitation or advertisement sent by the proxy will be unsecure and thus will not be able to update the MN's NCE for the home address because it is flagged as secured. These existing Neighbor Cache Entries will only time-out after Neighbor Unreachability Detection [RFC4861] concludes the Home Address is unreachable at the link layer recorded in the NCE.


Where secured proxy services are not able to be provided, a proxy's advertisement may be overridden by a rogue proxy without the receiving host realizing that an attack has occurred. This is identical to what happens in a network where SEND is not deployed.

2.2. IPv6 Fixed Nodes and Neighbor Discovery Proxy

This scenario is a sub-case of the previous one. In this scenario, the IPv6 node will never be on the link where the ND messages are proxied. For example, an IPv6 node gains remote access to a network protected by a security gateway that runs IKEv2 [RFC4306]. When a node needs an IP address in the network protected by a security gateway, the security gateway assigns an address dynamically using Configuration Payload during IKEv2 exchanges. The security gateway then needs to receive packets sent to this address; one way to do so would be to proxy ND messages.

2.3. Bridge-Like ND Proxies

The Neighbor Discovery (ND) Proxy specification [RFC4389] defines an alternative method to classic bridging. Just as with classic bridging, multiple link-layer segments are bridged into a single segment, but with the help of proxying at the IP layer rather than link-layer bridging. In this case, the proxy forwards messages while modifying their source and destination MAC addresses, and it rewrites their solicited and override flags and Link-Layer Address Options.

This rewriting is incompatible with SEND signed messages for a number of reasons:

   o  Rewriting elements within the message will break the digital signature.

   o  The source IP address of each packet is the packet's origin, not the proxy's address. The proxy is unable to generate another signature for this address, as it doesn't have the CGA private key [RFC3971].

Thus, proxy modification of SEND solicitations may require sharing of credentials between the proxied node and the proxying node or creation of new options with proxying capabilities.

While bridge-like ND proxies aim to provide as little interference with ND mechanisms as possible, SEND has been designed to prevent modification or spoofing of advertisements by devices on the link.

Of particular note is the fact that ND Proxy performs a different kind of proxy Neighbor Discovery to Mobile IPv6 [RFC3775] [RFC4389]. RFC 3775 (Mobile IPv6) specifies that the Home Agent as proxy sends Neighbor Advertisements from its own address with the Target Address set to the absent Mobile Node's address. The Home Agent's own link-layer address is placed in the Target Link-Layer Address Option [RFC3775]. On the other hand, ND Proxy resends messages containing their original address, even after modification (i.e., the IP source address remains the same) [RFC4389]. Figure 2 describes packet formats for proxy Neighbor solicitation and advertisement as specified by RFC 4389.

     Advertiser              Proxy              Solicitor

   NS:SL3=S,DL3=Sol(A),TA=A,          NS:SL3=S,DL3=Sol(A),TA=A,
      SL2=p,DL2=sol(a),SLL=p  +-----+    SL2=s,DL2=sol(a),SLL=s
           <==================|     |<================
                              |     |
           ==================>|     |================>
   NA:SL3=A,DL3=S,TA=A,       +-----+ NA:SL3=A,DL3=S,TA=A
      SL2=a,DL2=p,TLL=a                  SL2=p,DL2=s,TLL=p

   Legend:
    SL3: Source IPv6 Address              NS: Neighbor Solicitation
    DL3: Destination IPv6 Address         NA: Neighbor Advertisement
    SL2: Source Link-Layer Address
    DL2: Destination Link-Layer Address
    TA: Target Address
    SLL/TLL: Source/Target Link-Layer Address Option

                               Figure 2

In order to use the same security procedures for both ND Proxy and Mobile IPv6, changes may be needed to the proxying procedures in [RFC4389], as well as changes to SEND.

An additional (and undocumented) requirement for bridge-like proxying is the operation of router discovery. Router discovery packets may similarly modify Neighbor Cache state, and require protection from SEND.

In Figure 3, the router discovery messages propagate without modification to the router address, but elements within the message change. This is consistent with the description of Neighbor Discovery above.


     Advertiser              Proxy              Solicitor

   RS:SL3=S,DL3=AllR,                 RS:SL3=S,DL3=AllR,
      SL2=p,DL2=allr,SLL=p    +-----+    SL2=s,DL2=allr,SLL=s
           <==================|     |<================
                              |     |
           ==================>|     |================>
   RA:SL3=A,DL3=S,            +-----+ RA:SL3=A,DL3=S,
      SL2=a,DL2=p,SLL=a                  SL2=p,DL2=s,SLL=p

   Legend:
    SL3: Source IPv6 Address              RS: Router Solicitation
    DL3: Destination IPv6 Address         RA: Router Advertisement
    SL2: Source Link-Layer Address
    DL2: Destination Link-Layer Address
    TA: Target Address
    SLL/TLL: Source/Target Link-Layer Address Option

                               Figure 3

Once again, these messages may not be signed with a CGA signature by the proxy, because it does not own the source address.

Additionally, Authorization Delegation Discovery messages need to be exchanged for bridge-like ND proxies to prove their authority to forward. Unless the proxy receives explicit authority to act as a router, or the router knows of its presence, no authorization may be made. This explicit authorization requirement may be at odds with the zero configuration goal of ND proxying [RFC4389].

An alternative (alluded to in an appendix of ND Proxy [RFC4389]) suggests that the proxy send Router Advertisements (RAs) from its own address. As described by ND Proxy, this is insufficient for providing proxied Neighbor Advertisement service, but may be matched with Neighbor solicitation and advertisement services using the proxy's source address in the same way as Mobile IPv6 [RFC4389] [RFC3775]. This means that all router and Neighbor advertisements would come from the proxied address, but may contain a target address that allows proxied Neighbor presence to be established with peers on other segments. Router discovery in this case has the identity of the original (non-proxy) router completely obscured in router discovery messages.

The resultant proxy messages would have no identifying information indicating their origin, which means that proxying between multiple links would require state to be stored on outstanding solicitations (effectively an ND-only NAT). This level of state storage may be undesirable.


Mobile IPv6 does not experience this issue when supplying its own address, since ND messages are never forwarded on to the absent node (the Home Agent having sufficient information to respond itself).

Authorization from a router may still be required for Router Advertisement, and will be discussed in Section 4.2.

3. Proxy Neighbor Discovery and SEND

There are currently no existing secured Neighbor Discovery procedures for proxied addresses, and all Neighbor Advertisements from SEND nodes are required to have equal source and target addresses, and be signed by the transmitter (Section 7.4 of [RFC3971]).

Signatures over SEND messages are required to be applied on the CGA source address of the message, and there is no way of indicating that a message is proxied.

Even if the message is able to be transmitted from the original owner, differences in link-layer addressing and options require modification by a proxy. If a message is signed with a CGA-based signature, the proxy is unable to regenerate a signature over the changed message as it lacks the keying material.

Therefore, a router wishing to provide proxy Neighbor Advertisement service cannot use existing SEND procedures on those messages.

A host may wish to establish a session with a device that is not on-link but is proxied. As a SEND host, it prefers to create Neighbor Cache Entries using secured procedures. Since SEND signatures cannot be applied to an existing proxy Neighbor Advertisement, it must accept non-SEND advertisements in order to receive proxy Neighbor Advertisements.

Neighbor Cache spoofing of another node therefore becomes trivial, as any address may be proxy-advertised to the SEND node, and overridden only if the node is there to protect itself. When a node is present to defend itself, it may also be difficult for the solicitor to determine the difference between a proxy-spoofing attack, and a situation where a proxied device returns to a link and overrides other proxy advertisers [RFC4861].

3.1. CGA Signatures and Proxy Neighbor Discovery

SEND defines one public-key and signature format for use with Cryptographically Generated Addresses (CGAs) [RFC3972]. CGAs are intended to tie address ownership to a particular public/private key pair.


In SEND as defined today, Neighbor Discovery messages (including the IP Addresses from the IPv6 header) are signed with the same key used to generate the CGA. This means that message recipients have proof that the signer of the message owned the address.

When a proxy replaces the message's source IPv6 address with its own CGA, the existing CGA option and RSA signature option would need to be replaced with ones that correspond to the CGA of the proxy. To be valid according to the SEND specification, the Target Address of the Neighbor Advertisement message would need to be replaced also to be equal to the Source Address [RFC3971].

Additional authorization information may be needed to prove that the proxy is indeed allowed to advertise for the target address, as is described in Section 4.
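
The address-ownership checks discussed in this section, as an added example (not part of RFC 5909): a Python model of RFC 3972 CGA verification plus the source-equals-target rule cited in Section 3, applied to the advertisements a proxy is able to send. The key bytes, modifiers and the 2001:db8:0:1::/64 prefix are constructed, the RSA Signature Option is not modelled, and `check_send_na` is a hypothetical helper.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Interface-identifier bits that come from Hash1 (RFC 3972): all except the
# 3-bit Sec field (bits 0-2) and the "u"/"g" bits (bits 6-7).
HASH1_MASK = 0x1CFFFFFFFFFFFFFF

# CGA Parameters: (modifier, subnet prefix, collision count, public key)
CgaParams = Tuple[bytes, bytes, int, bytes]


def encode_params(params: CgaParams) -> bytes:
    modifier, prefix, count, public_key = params
    if len(modifier) != 16 or len(prefix) != 8 or count not in (0, 1, 2):
        raise ValueError("malformed CGA parameters")
    return modifier + prefix + bytes([count]) + public_key


def hash1(params: CgaParams) -> int:
    """Leftmost 64 bits of SHA-1 over the encoded CGA Parameters."""
    return int.from_bytes(hashlib.sha1(encode_params(params)).digest()[:8], "big")


def cga_generate(prefix: bytes, modifier: bytes, public_key: bytes) -> ipaddress.IPv6Address:
    """Sec=0 generation only: no Hash2 search, collision count 0."""
    iid = hash1((modifier, prefix, 0, public_key)) & HASH1_MASK
    return ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big"))


def cga_verify(address: ipaddress.IPv6Address, params: CgaParams) -> bool:
    """True if the address is bound to the public key carried in params."""
    modifier, prefix, _count, public_key = params
    raw = address.packed
    if raw[:8] != prefix:
        return False
    try:
        h1 = hash1(params)
    except ValueError:
        return False
    iid = int.from_bytes(raw[8:], "big")
    if (h1 & HASH1_MASK) != (iid & HASH1_MASK):
        return False
    # Hash2: the 16*Sec leftmost bits of a 112-bit hash must be zero.
    sec = iid >> 61
    h2 = hashlib.sha1(modifier + bytes(9) + public_key).digest()[:14]
    return (int.from_bytes(h2, "big") >> (112 - 16 * sec)) == 0


@dataclass
class NeighborAdvert:
    src: ipaddress.IPv6Address     # SL3 in the figures
    target: ipaddress.IPv6Address  # TA
    tll: str                       # TLL option (label only)
    cga_option: Optional[CgaParams] = None


def check_send_na(na: NeighborAdvert) -> str:
    """Hypothetical receiver-side check; the signature is assumed to verify
    under the key in the CGA option, so only address ownership is tested."""
    if na.cga_option is None:
        return "unsecured: no CGA option"
    if not cga_verify(na.src, na.cga_option):
        return "rejected: CGA does not bind source address to key"
    if na.target != na.src:
        return "rejected: target differs from source"
    return "accepted"


# Constructed sample data: opaque byte strings stand in for DER public keys.
PREFIX = ipaddress.IPv6Address("2001:db8:0:1::").packed[:8]
MN_PARAMS = (bytes(range(16)), PREFIX, 0, b"constructed Mobile Node public key")
HA_PARAMS = (bytes(range(16, 32)), PREFIX, 0, b"constructed Home Agent public key")
MN_ADDR = cga_generate(PREFIX, MN_PARAMS[0], MN_PARAMS[3])  # "A"
HA_ADDR = cga_generate(PREFIX, HA_PARAMS[0], HA_PARAMS[3])  # "P"

NA_HOME = NeighborAdvert(MN_ADDR, MN_ADDR, "a", MN_PARAMS)     # MN defends itself
NA_FIG1 = NeighborAdvert(HA_ADDR, MN_ADDR, "p", HA_PARAMS)     # Figure 1: SL3=P, TA=A
NA_OWN_KEY = NeighborAdvert(MN_ADDR, MN_ADDR, "p", HA_PARAMS)  # SL3=A, proxy's key
NA_PLAIN = NeighborAdvert(HA_ADDR, MN_ADDR, "p")               # no SEND options

if __name__ == "__main__":
    for name in ("NA_HOME", "NA_FIG1", "NA_OWN_KEY", "NA_PLAIN"):
        print(name, "->", check_send_na(globals()[name]))
```

Only the advertisement sent by the key holder passes; each form available to the proxy fails a different check, which is the gap the authorization approaches in Section 4 try to close.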

3.2. Non-CGA Signatures and Proxy Neighbor Discovery

Where a proxy retains the original source address in a proxied message, existing security checks for SEND will fail, since fields within the message will be changed. In order to achieve secured proxy Neighbor Discovery in this case, extended authorization mechanisms may be needed for SEND.

SEND provides mechanisms for extension of SEND to non-CGA-based authorization. Messages are available for Authorization Delegation Discovery, which is able to carry arbitrary PKIX/X.509 certificates [RFC5280].

There is, however, no specification of keying information option formats analogous to the SEND CGA Option [RFC3971]. The existing option allows a host to verify message integrity by specifying a key and algorithm for digital signature, without providing authorization via mechanisms other than CGA ownership.

The digital signature in SEND is transported in the RSA Signature Option. As currently specified, the signature operation is performed over a CGA Message type, and allows for CGA verification. Updating the signature function to support non-CGA operations may be necessary.

Within SEND, more advanced functions such as routing may be authorized by certificate path verification using Authorization Delegation Discovery.

With non-CGA signatures and authentication, certificate contents for authorization may need to be determined, as outlined in Section 4.

While SEND provides for extensions to new non-CGA methods, existing SEND hosts may silently discard messages with unverifiable RSA signature options (Section 5.2.2 of [RFC3971]), if configured only to accept SEND messages. In cases where unsecured Neighbor Cache Entries are still accepted, messages from new algorithms will be treated as unsecured.

3.3. Securing Proxy DAD

Initiation of proxy Neighbor Discovery also requires Duplicate Address Detection (DAD) checks of the address [RFC4862]. These DAD checks need to be performed by sending Neighbor Solicitations, from the unspecified source address, with the target being the proxied address.

In existing SEND procedures, the address that is used for CGA tests on DAD NS is the target address. A Proxy that originates this message while the proxied address owner is absent is unable to generate a CGA-based signature for this address and must undertake DAD with an unsecured NS. It may be possible that the proxy can ensure that responding NAs are secured though.

Where bridge-like ND proxy operations are being performed, DAD NSs may be copied from the original source, without modification (considering they have an unspecified source address and contain no link-layer address options) [RFC4389].

If non-CGA-based signatures are available, then the signature over the DAD NS doesn't need to have a CGA relationship to the Target Address, but authorization for address configuration needs to be shown using certificates.

In case there is a DAD collision between two SEND nodes on different interfaces of the proxy, it is possible that the proxy may not have the authority to modify the NA defending the address. In this case, the proxy still needs to modify the NA and pass it onto the other interfaces even if it will fail SEND verification on the receiving node.

3.4. Securing Router Advertisements

While Router Solicitations are protected in the same manner as Neighbor Solicitations, the security for Router Advertisements is mainly based on the use of certificates. Even though the mechanism for securing RAs is different, the problems that arise due to the modification of the L2 addresses are exactly the same: the proxy needs to have the right security material (e.g., certificate) to sign the RA messages after modification.


4. Potential Approaches to Securing Proxy ND

SEND nodes already have the concept of delegated authority through requiring external authorization of routers to perform their routing and advertisement roles. The authorization of these routers takes the form of delegation certificates.

Proxy Neighbor Discovery requires a delegation of authority (on behalf of the absent address owner) to the proxier. Without this authority, other devices on the link have no reason to trust an advertiser.

For bridge-like proxies, it is assumed that there is no preexisting trust between the host owning the address and the proxy. Therefore, authority may necessarily be dynamic or based on topological roles within the network [RFC4389].

Existing trust relationships lend themselves to providing authority for proxying in two alternative ways.

First, the SEND router authorization mechanisms described above provide delegation from the organization responsible for routing in an address domain to the certified routers. It may be argued that routers so certified may be trusted to provide service for nodes that form part of a link's address range, but are themselves absent. Devices which are proxies could either be granted the right to proxy by the network's router, or be implicitly allowed to proxy by virtue of being an authorized router.

Second, where the proxied address is itself a CGA, the holder of the public and private keys is seen to be authoritative about the address's use. If this address owner was able to sign the proxier's address and public key information, it would be possible to identify that the proxy is known and trusted by the CGA address owner for proxy service. This method requires that the proxied address know or learn the proxy's address and public key, and that the certificate signed by the proxied node is passed to the proxy, either while they share the same link, or at a later stage.

In both methods, the original address owner's advertisements need to override the proxy if it suddenly returns, and therefore timing and replay protection from such messages need to be carefully considered.

4.1. Secured Proxy ND and Mobile IPv6

Mobile IPv6 has a security association between the Mobile Node and Home Agent. The Mobile Node sends a Binding Update to the Home Agent, to indicate that it is not at home. This implies that the Mobile Node wishes the Home Agent to begin proxy Neighbor Discovery operations for its home address(es).

4.1.1. Mobile IPv6 and Router-Based Authorization

A secured Proxy Neighbor Advertisements proposal based on existing router trust would require no explicit authorization signaling between HA and MN to allow proxying. Hosts on the home link will believe proxied advertisements solely because they come from a trusted router.

Where the home agent operates as a router without explicit trust to route from the advertising routing infrastructure (such as in a home, with a router managed by an ISP), more explicit proxying authorization may be required, as described in Section 4.2.

4.1.2. Mobile IPv6 and Per-Address Authorization

Where proxy Neighbor Discovery is delegated by the MN to the home agent, the MN needs to learn the public key for the Home Agent, so that it can generate a certificate authorizing the public/private key pair to be used in proxying. It may conceivably do this using Certificate Path Solicitations either over a home tunnel, when it is away from home, or during router discovery while still at home [RFC3971] [RFC3775].

When sending its Binding Update to the HA, the MN would need to provide a certificate containing the subject's (i.e., proxy HA's) public key and address, the issuer's (i.e., MN's) CGA and public key, and timestamps indicating when the authority began and when it ends. This certificate would need to be transmitted at binding time.

Messaging or such an exchange mechanism would have to be developed.

4.1.3. Cryptographic-Based Solutions

Specific cryptographic algorithms may help to allow trust between entities of the same group.

This is the case, for example, with ring signature algorithms. These algorithms generate a signature using the private key of any member from the same group, but to verify the signature the public keys of all group members are required. Applied to SEND, the addresses are cryptographically generated using multiple public keys, and the Neighbor Discovery messages are signed with an RSA ring signature [RING]. (Note that the cryptographic algorithms that are the foundation for [RING] and other similar solutions are not widely accepted in the security community; additional research is needed before a Standards Track protocol could be developed.)


4.1.4. Solution Based on the 'Point-to-Point' Link Model

Another approach is to use the 'Point-to-Point' link model.

In this model, one prefix is provided per MN, and only an MN and the HA are on the same link. The consequence is that the HA no longer needs to act as ND Proxy.

One way to design such a solution is to use virtual interfaces, on the MN and the HA, and a virtual link between them. Addresses generated on the virtual interfaces will only be advertised on the virtual link. For Mobile IPv6, this results in a virtual Home Network where the MN will never come back.

4.2. Secured Proxy ND and Bridge-Like Proxies

In link-extension environments, the role of a proxy is more explicitly separated from that of a router. In SEND, routers may expect to be authorized by the routing infrastructure to advertise and may provide this authority to hosts in order to allow them to change forwarding state.

Proxies are not part of the traditional infrastructure of the Internet, and hosts or routers may not have an explicit reason to trust them, except that they can forward packets to regions where otherwise those hosts or routers could not reach.

4.2.1. Authorization Delegation

If a proxy can convince a device that it should be trusted to perform the proxying function, it may require that device to vouch for its operation in dealing with other devices. It may do this by receiving a certificate, signed by the originating device, stating that the proxy is believed capable of proxying under certain circumstances.

This allows nodes receiving proxied Neighbor Discovery packets to quickly check if the proxy is authorized for the operation. There are several bases for such trust, and requirements in proxied environments, which are discussed below.

4.2.2. Unauthorized Routers and Proxies

Routers may be advertising on networks without any explicit authorization, and SEND hosts will register these routers if there are no other options [RFC3971]. While proxies may similarly attempt to advertise without authority, this provides no security for the routing infrastructure. Any device can be set up as a SEND proxy/router so long as it signs its own ND messages from its CGA.


This may not help in the case that a proxy attempts to update Neighbor Cache Entries for a SEND node that moves between links, since the SEND node's authority to advertise its own CGA address would not be superseded by a proxy with no credentials.

4.2.3. Multiple Proxy Spans

Proxies may have multiple levels of nesting, which allow the network to connect between non-adjacent segments.

In this case, authority delegated at one point will have to be redelegated (possibly in a diluted form) to proxies further away from the origin of the trust.

    Trust         Proxy A           Proxy B          Distant
    Origin - T                                       Node - D

   +-----+                                          +-----+
   |     |                                          |     |
   +-----+        +-----+           +-----+         +-----+
      |           |     |           |     |            |
      ------------|     |-----------|     |-------------
                  |     |           |     |
                  +-----+           +-----+
    ==========>     ==============>      ==========>
    Deleg(A,T)      Deleg(B,Deleg(A,T))  Advertise(D, Deleg(B,
                                                   Deleg(A,T))

                               Figure 4

As shown in Figure 4, the Proxy A needs to redelegate authority to proxy for T to Proxy B; this allows it to proxy advertisements that target T back to D.

4.2.4. Routing Infrastructure Delegation

Where it is possible for the proxy to pre-establish trust with the routing infrastructure, or at least to the local router, it may be possible to authorize proxying as a function of routing within the subnet. The router or CA may then be able to certify proxying for only a subset of the prefixes for which it is itself certified.

If a router or CA provides certification for a particular prefix, it may be able to indicate that only proxying is supported, so that Neighbor Cache Entries of routers connected to Internet infrastructure are never overridden by the proxy, if the router is present on a segment.


Hosts understanding such certificates may allow authorized proxies and routers to override the host when assuming proxy roles, if the host is absent.

Proxy certificate signing could be done either dynamically (requiring exchanges of identity and authorization information) or statically when the network is set up.
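
The redelegation of Figure 4 and the prefix-limited, proxy-only certification described in Section 4.2.4, as an added example (not part of RFC 5909): a Python check that each delegation is issued by the previous subject, is inside its validity period, and never widens the issuer's authority. The `Deleg` record and its fields, the prefixes and the clock values are hypothetical or constructed, and the signature on each delegation is assumed to have been verified already.

```python
import ipaddress
from dataclasses import dataclass
from typing import Sequence, Tuple

Net = ipaddress.IPv6Network


@dataclass(frozen=True)
class Deleg:
    """Hypothetical delegation record; argument order follows Deleg(A,T)."""
    subject: str                 # who receives the authority (A)
    issuer: str                  # who grants it (T)
    prefixes: Tuple[Net, ...]    # prefixes the subject may proxy for
    not_before: int              # validity period, constructed clock units
    not_after: int
    proxy_only: bool = True      # True: may proxy, may not act as a router


def check_chain(chain: Sequence[Deleg], origin: str, now: int) -> str:
    """Walk the chain outward from the trust origin.
    Returns "ok" or the reason the chain confers no authority."""
    if not chain:
        return "empty chain"
    expected_issuer, parent = origin, None
    for depth, link in enumerate(chain):
        if link.issuer != expected_issuer:
            return f"link {depth}: issued by {link.issuer}, expected {expected_issuer}"
        if not (link.not_before <= now <= link.not_after):
            return f"link {depth}: outside validity period"
        if parent is not None:
            # Redelegation may dilute authority but never widen it.
            for prefix in link.prefixes:
                if not any(prefix.subnet_of(p) for p in parent.prefixes):
                    return f"link {depth}: scope wider than issuer's"
            if parent.proxy_only and not link.proxy_only:
                return f"link {depth}: proxy-only authority cannot grant routing"
        expected_issuer, parent = link.subject, link
    return "ok"


def may_proxy_advertise(chain: Sequence[Deleg], origin: str, advertiser: str,
                        target: ipaddress.IPv6Address, now: int,
                        overrides_router: bool = False) -> str:
    """Decision a receiving node could take for a proxied advertisement."""
    verdict = check_chain(chain, origin, now)
    if verdict != "ok":
        return verdict
    last = chain[-1]
    if last.subject != advertiser:
        return "advertiser is not the subject of the last delegation"
    if not any(target in p for p in last.prefixes):
        return "target outside delegated prefixes"
    if overrides_router and last.proxy_only:
        return "proxy-only authority may not override a router's entry"
    return "authorized"


# Constructed sample data (documentation prefix 2001:db8::/32).
LINK1 = Net("2001:db8:0:1::/64")
LINK2 = Net("2001:db8:0:2::/64")
DELEG_A = Deleg("A", "T", (LINK1, LINK2), 1000, 5000)          # Deleg(A,T)
DELEG_B = Deleg("B", "A", (LINK1,), 1000, 3000)                # diluted redelegation
DELEG_B_WIDE = Deleg("B", "A", (Net("2001:db8::/48"),), 1000, 3000)
HOST1 = ipaddress.IPv6Address("2001:db8:0:1::10")
HOST2 = ipaddress.IPv6Address("2001:db8:0:2::10")

if __name__ == "__main__":
    print(may_proxy_advertise([DELEG_A, DELEG_B], "T", "B", HOST1, 2000))
    print(may_proxy_advertise([DELEG_A, DELEG_B_WIDE], "T", "B", HOST1, 2000))
```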

4.2.5. Local Delegation

Where no trust tie exists between the authority that provides the routing infrastructure and the provider of bridging and proxying services, it may still be possible for SEND hosts to trust the bridging provider to authorize proxying operations.

SEND itself requires that routers be able to show authorization, but doesn’t require routers to have a single trusted root.

A local bridging/proxying authority trust delegation may be possible. It would be possible for this authority to pass out local-use certificates, allowing proxying on a specific subnet or subnets, with a separate authorization chain to those subnets for the routers with Internet access.

This would require little modification to SEND, other than the addition of router-based proxy authority (as in Section 4.2.4), and proxies would in effect be treated as routers by SEND hosts [RFC3971]. Distribution of keying and trust material for the initial bootstrap of proxies would not be provided though (and may be static).

Within small domains, key management and distribution may be a tractable problem, so long as these operations are simple enough to perform.

Since these domains may be small, it may be necessary to provide certificate chains for trust anchors that weren’t requested in Certificate Path Solicitations, if the proxy doesn’t have a trust chain to any requested trust anchor.

This is akin to ‘suggesting’ an appropriate trusted root. It may allow for user action in allowing trust extension when visiting domains without ties to a global keying infrastructure. In this case, the trust chain would have to start with a self-signed certificate from the original CA.

4.2.6. Host Delegation of Trust to Proxies

Unlike Mobile IPv6, for bridge-like proxied networks, there is no existing security association upon which to transport proxying authorization credentials.

Thus, proxies need to convince Neighbors to delegate proxy authority to them, in order to proxy-advertise to nodes on different segments. It will be difficult without additional information to distinguish between legitimate proxies and devices that have no need or right to proxy (and may want to make two network segments appear connected).

When proxy advertising, proxies must not only identify that proxying needs to occur, but provide proof that they are allowed to do so, so that SEND Neighbor Cache Entries may be updated. Unless the authorization to update such entries is tied to address ownership proofs from the proxied host or the verifiable routing infrastructure, spoofing may occur.

When a host receives a proxied Neighbor Advertisement, it would be necessary to check authorization in the same way that authorization delegation discovery is performed in SEND.

Otherwise, certificate transport will be required to exchange authorization between proxied nodes and proxies.

Proxies would have to be able to delegate this authorization to downstream proxies, as described in Section 4.2.3.

4.3. Proxying Unsecured Addresses

Where the original Neighbor Discovery message is unsecured, there is an argument for not providing secured proxy service for that node.

In both the Mobile IPv6 and extended networks cases, the node may arrive back at the network and require other hosts to map their existing Neighbor Cache Entry to the node’s link-layer address. The re-arriving node’s overriding of link-layer address mappings will occur without SEND in this case.

It is notable that without SEND protection any node may spoof the arrival, and effectively steal service across an extended network. This is the same as in the non-proxy case, and is not made significantly worse by the proxy’s presence (although the identity of the attacker may be masked if source addresses are being replaced).

If signatures over the proxied messages were to be used, re-arrival and override of the Neighbor Cache Entries would have to be allowed, so the signatures would indicate that at least the proxy wasn’t spoofing (even if the original sender was).

For non-SEND routers, though, it may be possible for secured proxies to send signed router advertisement messages, in order to ensure that routers aren’t spoofed, and subsequently switched to different parts of the extended network.

This has problems in that the origin is again unsecured, and any node on the network could spoof router advertisement for an unsecured address. These spoofed messages may become almost indistinguishable (except for the non-CGA origin address) from unspoofed messages from SEND routers.

Given these complexities, the simplest method is to allow unsecured devices to be spoofed from any port on the network, as is the case today.

5. Two or More Nodes Defending the Same Address

All the previous sections of this document focused on the case where two nodes defend the same address (i.e., the node and the proxy). However, there are also cases where two or more nodes are defending the same address. This is at least the case for:

o Nodes having the same address, as the Mobile Access Gateway’s (MAG’s) ingress link-local address in Proxy Mobile IPv6 (PMIPv6) [RFC5213].

o Nodes having a common anycast address [RFC4291].

The problem statement, described previously in this document, applies for these cases, and the issues are the same from a signaling point of view.

Multicast addresses are not mentioned here because Neighbor Discovery Protocol is not used for them.

In the first case, [RFC5213] assumes that the security material used by SEND (i.e., public-private key pair) is shared between all the MAGs. For the second case, there is no solution today. But, in the same way, it should be possible to assume that the nodes having a common anycast address could also share the security material.

It is important to notice that when many nodes defending the same address are not in the same administrative domain (e.g., MAGs in different administrative domains but in the same PMIPv6 domain [RFC5213]), sharing the security material used by SEND may raise a security issue.

6. Security Considerations

6.1. Router Trust Assumption

Router-based authorization for Secured Proxy ND may occur without the knowledge or consent of a device. It is susceptible to the ‘Good Router Goes Bad’ attack described in [RFC3756].

6.2. Certificate Transport

Certificate delegation relies upon transfer of the new credentials to the proxying HA in order to undertake ND proxy on its behalf. Since the binding cannot come into effect until DAD has taken place, the delegation of the proxying authority necessarily predates the return of the Binding Ack, as described in [RFC3775]. In the case described above, the home tunnel that comes into creation as part of the binding process may be required for transport of Certificate Path Solicitations or Advertisements [RFC3971]. This constitutes a potential chicken-and-egg problem. Either modifications to initial home binding semantics or certificate transport are required. This may be trivial if certificates are sent in the clear between the MN’s Care-of Address (CoA) and the HA without being tunneled.

6.3. Timekeeping

All of the presented methods rely on accurate timekeeping on the receiver nodes of Neighbor Discovery Timestamp Options.

For router-authorized proxy ND, a Neighbor may not know that a particular ND message is replayed from the time when the proxied host was still on-link, since the message’s timestamp falls within the valid timing window. Where the router advertises its secured proxy NA, a subsequent replay of the old message will override the NCE created by the proxy.

Creating the NCE in this way, without reference to accurate subsequent timing, may only be done once. Otherwise, the receiver will notice that the timestamp of the advertisement is old or doesn’t match.

One way of creating a sequence of replayable messages that have timestamps likely to be accepted is to pretend to do an unsecured DAD on the address each second while the MN is at home. The attacker saves each DAD defense in a sequence. The granularity of SEND timestamp matching is around one second, so the attacker has a set of SEND NAs to advertise, starting at a particular timestamp, and valid for as many seconds as the original NA gathering occurred.

This sequence may then be played against any host that doesn’t have a timestamp history for that MN, by tracking the number of seconds elapsed since the initial transmission of the replayed NA to that victim, and replaying the appropriate cached NA.

Where certificate-based authorization of ND proxy is in use, the origination/starting timestamp of the delegated authority may be used to override a replayed (non-proxy) SEND NA, while also ensuring that the Proxy NA’s timestamp (provided by the proxy) is fresh. A returning MN would advertise a more recent timestamp than the delegated authority and thus override it. This method is therefore not subject to the above attack, since the proxy advertisement’s certificate will have a timestamp greater than any replayed messages, preventing it from being overridden.
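The receiver-side reasoning of Section 6.3, as an added example that is not part of the RFC: a simplified Neighbor Cache model that compares router-authorized proxying (no delegation timestamp) with certificate-based proxying (delegation start time checked). The class and field names, the sample timeline and the exact acceptance rules are assumptions made for illustration; only the 300-second acceptance window is taken from the RFC 3971 default for a peer with no timestamp history.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 3971 default acceptance window (seconds) for a peer with no history.
TIMESTAMP_DELTA = 300.0


@dataclass
class Advert:
    """A signed NA reduced to the fields this model needs (hypothetical)."""
    target: str
    lladdr: str
    timestamp: float                      # SEND Timestamp option value
    proxied: bool = False
    deleg_start: Optional[float] = None   # start of delegated authority


@dataclass
class Entry:
    lladdr: str
    proxied: bool
    owner_ts: Optional[float] = None      # newest owner timestamp accepted
    deleg_start: Optional[float] = None   # set while a certified proxy holds it


class NeighborCache:
    def __init__(self, use_delegation_time: bool) -> None:
        # False models router-authorized proxy ND, True certificate-based.
        self.use_delegation_time = use_delegation_time
        self.entries: Dict[str, Entry] = {}

    def receive(self, adv: Advert, now: float) -> str:
        # Freshness: the timestamp must fall inside the acceptance window.
        if abs(now - adv.timestamp) > TIMESTAMP_DELTA:
            return "reject: timestamp outside window"
        cur = self.entries.get(adv.target)
        last_owner_ts = cur.owner_ts if cur else None

        if adv.proxied:
            start = adv.deleg_start if self.use_delegation_time else None
            if self.use_delegation_time:
                if start is None:
                    return "reject: proxy NA without delegation start"
                if last_owner_ts is not None and start <= last_owner_ts:
                    return "reject: delegation predates owner NA"
            self.entries[adv.target] = Entry(adv.lladdr, True, last_owner_ts, start)
            return "accept: proxy"

        # Owner (non-proxy) NA: must be newer than anything already seen.
        if last_owner_ts is not None and adv.timestamp <= last_owner_ts:
            return "reject: not newer than last owner NA"
        # Certificate-based case: an owner NA overrides the proxy only if it
        # is more recent than the start of the delegated authority.
        if (cur and cur.proxied and cur.deleg_start is not None
                and adv.timestamp <= cur.deleg_start):
            return "reject: owner NA predates delegation"
        self.entries[adv.target] = Entry(adv.lladdr, False, adv.timestamp, None)
        return "accept: owner"


def replay_outcomes(use_delegation_time: bool) -> Tuple[List[str], str, str]:
    """Run a constructed timeline against a host with no history for the MN."""
    cache = NeighborCache(use_delegation_time)
    target = "2001:db8::1"                      # documentation prefix
    old_na = Advert(target, "mn-lladdr", 1000.0)            # sent while at home
    proxy_na = Advert(target, "proxy-lladdr", 1100.0,
                      proxied=True, deleg_start=1060.0)     # MN left at t=1060
    returning_na = Advert(target, "mn-lladdr", 1500.0)      # MN back on-link

    results = [cache.receive(proxy_na, now=1100.0),
               cache.receive(old_na, now=1120.0)]           # replay of old NA
    holder_after_replay = cache.entries[target].lladdr
    results.append(cache.receive(returning_na, now=1500.0))
    return results, holder_after_replay, cache.entries[target].lladdr


if __name__ == "__main__":
    for mode in (False, True):
        print("certificate-based" if mode else "router-authorized",
              replay_outcomes(mode))
```

In the router-authorized run the replayed NA displaces the proxy's entry because its timestamp is still inside the window; in the certificate-based run it is refused, while the returning MN's newer NA is accepted in both.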

7. Acknowledgments

James Kempf and Dave Thaler particularly contributed to work on this document. Contributions to discussion on this topic helped to develop this document. The authors would also like to thank Jari Arkko, Vijay Devarapalli, Mohan Parthasarathy, Marcelo Bagnulo, Julien Laganier, Tony Cheneau, Michaela Vanderveen, Sean Shen, and Sheng Jiang for their comments and suggestions.

Jean-Michel Combes is partly funded by MobiSEND, a research project supported by the French ‘National Research Agency’ (ANR).

8. References

8.1. Normative References

[RFC3775] Johnson, D., Perkins, C., and J. Arkko, "Mobility Support in IPv6", RFC 3775, June 2004.

[RFC3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure Neighbor Discovery (SEND)", RFC 3971, March 2005.

[RFC3972] Aura, T., "Cryptographically Generated Addresses (CGA)", RFC 3972, March 2005.
