On The State Of The Inter-domain And Intra-domain Routing Security
1On the State of the Inter-domain and Intra-domainRouting SecurityMingwei ZhangUniversity of Oregon, Eugene, OR, USAEmail: mingwei@cs.uoregon.eduAbstract—Routing is a key component for buildingan interconnected network architecture. There are interdomain and intra-domain routing protocols. The interdomain routing protocol has experienced increasinglyfrequent anomalies, such as IP prefix hijackings, routeleaks, or impact from large-scale disruptive routing events.The intra-domain routing also suffers from various attacksoriginated from within an autonomous system, such astopology manipulation and host-based flooding attack.Security upgrades to the existing protocols and accuratedetection mechanisms have therefore been proposed andexperienced. In this study, we conduct a comprehensivesurvey on the existing security mechanisms for both interdomain and intra-domain routing protocols. For interdomain routing protocol, we study the de facto protocol –Border Gateway Protocol (BGP). For intra-domain routingprotocol, we investigate the recent software-domain networking paradigm and the OpenFlow protocol. For eachrouting protocol, we investigate both attack preventionsolutions and attack detection solutions. We summarizethe strengths and weaknesses of every existing solution,and discuss the missing gaps that need further research.I. I NTRODUCTIONThe Internet consists of many domains, each of whichhas autonomous control over its own networking infrastructure. Such domains are also called AutonomousSystems (ASes). People designed routing protocols toconnect hosts and routers within one domain and exchange information between domains. The routing protocols can be categorized into inter-domain and intradomain protocols. The inter-domain routing protocolsaim to exchange routing information between domains,allowing each domain to decide the routes toward anydestinations on the Internet. The de facto routing protocol for inter-domain routing is Border Gateway Protocol(BGP) [1]. The intra-domain protocols exchange reachability between different networking devices within onedomain (AS). Traditional intra-domain routing protocolsinclude RIP [2], OSPF [3], IS-IS [4], EIGRP [5], etc. Therecently emerged new routing paradigm, the softwaredefined networking (SDN) [6] and OpenFlow [7] areFig. 1: An example of inter-domain and intra-domainrouting.quickly getting adopted due to their features such asprogrammability, unified interface, and centralized control mechanisms. Network operators can also implementtraditional routing protocols on a SDN platform. Suchfeatures make SDN and OpenFlow more preferable tothe traditional protocols. Fig. 1 shows an example ofinter-domain and intra-domain routing, where machineA talks to machine B, and the traffic travels through aset of routers. The routing from router 1 to 4 is withinAS1 and is intra-domain routing; while the routing fromrouter 4 to 7 is inter-domain routing.As the Internet relies on the routing protocols forits normal operations, it is very important to ensurethe routing protocols are secure against security threats.Unfortunately, neither intra-domain nor inter-domainrouting protocols are bulletproof against various threats.In this report, we closely examine the security propertiesand the existing security solutions of both protocols.Specifically, we examine BGP as the main inter-domainrouting protocol, and examine SDN and OpenFlow asthe representative of the intra-domain routing protocol.Regarding the security for inter-domain routing, originally BGP was not designed to carry many securityproperties. The Internet experienced a number of interdomain anomalies such as IP prefix hijackings, largescale route leaks, or Internet “earthquakes” caused by
2various reasons. BGP is designed with the assumptionthat everyone on the Internet does not act maliciously,and it lacks sufficient verification mechanisms for theupdate messages. However, such an assumption doesnot hold anymore in today’s Internet. Numerous routingincidents show that even some Internet providers atnational level conduct malicious activities on the Internetand pose severe security and privacy threats to Internetusers [8], [9], [10], [11].Regarding the security for intra-domain routing, SDNalso suffers from severe security problems. SDN architecture consists of the end-hosts, switches, controllers,and applications, and each component could suffer fromsecurity attacks. The applications running on top of thecontrollers may encompass security loopholes or malicious exploits; the controllers can be made unavailableto legitimate needs when receiving a large number offake requests; the switches can be compromised to actmaliciously when forwarding traffic; and the end-hostscan also exploit the loophole in OpenFlow and disruptthe SDN controllers.In investigating BGP and SDN security solutions, wefocus on analyzing their strengths and weaknesses, aswell as their deployment status on the Internet. We categorize the security solutions into two general categories:the attack prevention solutions and the attack detectionsolutions (Fig. 2). The attack prevention solutions aimto proactively stop potential attacks through securityupgrade of either the protocol design or the protocoloperations. Meanwhile, the attack detection solutionsaim to reactively detect abnormal events regarding theoperation of the protocols, providing triggers for timelyreaction to such events. The attack prevention mechanisms for BGP have been heavily studied for a long time.However, none of these mechanisms has been largelydeployed to date, leaving the Internet still vulnerable tothe inter-domain routing attacks. On the contrary, sinceSDN is still young, the majority of the SDN securitywork look at attack prevention, with the attack detectionfor SDN less explored.This report is organized as follows. We survey theexisting BGP attack prevention solutions in section III,and review the main BGP attack detection mechanismsin section IV. In section V, we look at the solutionsthat try to secure the SDN architecture and operations.Section VI is then focused on how SDN can be appliedto solve other security problems. At last, in section VIIwe summarize the survey and discuss some related issuesabout the security of Internet routing.Fig. 2: Internet routing security taxonomy.II. BACKGROUNDInternet routing security has been a hot research topicssince late 1990s. There are many related projects that tryto improve the security of the Internet routing, from theinter-domain (BGP) and intra-domain (SDN) perspectives. In this section, we provide some background ofthe BGP and SDN security research in general.A. BGP SecurityThe Internet started with only a few connected networks for research and military purposes. Until late1980s, there was no clear definition of the autonomoussystems (ASes). This lack of domain-level hierarchyhindered the scalability of the Internet. In 1989, thefirst version of Border Gateway Protocol (BGP) wasproposed. BGP clearly defines the concept of AS andthe operations between ASes for exchanging routing information. Since then, the Internet started the exponentialexpansion.However, the BGP is not perfectly secure. In 1998,Labvotiz et al. first studied the instability of the Internetrouting. This paper is one of the earliest papers thatstudied the vulnerabilities of the Internet. Researchersalso discovered two major attacks that can severely disrupt the Internet: prefix hijacking and AS path spoofing.Fig. 3 shows the examples of these two attacks. Since2000, there were many projects focused on preventingsuch attacks on BGP (Fig. 4): S-BGP [12] in 2000,soBGP [13] in 2002, IRV [14] in 2003, SPV [15] in2004, psBGP [16] in 2005. These projects showed thatBGP operations can be secured with upgrades of theprotocol and the operations.However, all of these projects relied on certain infrastructure to distribute the routing information securely. Itwas not until the establishment of Resource Public KeyInfrastructure (RPKI) in early 2010s do the BGP securityprojects have such a reliable infrastructure to submit andaccess verifiable routing information. With the deployment of RPKI, BGPsec was then proposed and quickly
3(a) An example of a BGP prefix hijacking attack(b) An example of a BGP AS path spoofing attackFig. 3: Examples of BGP prefix hijacking and AS path spoofing YearFig. 4: Timeline of the major BGP attack preventionprojects.being deployed. Unfortunately, the deployment rate ofRPKI and BGPsec is still far from sufficient to date.With the low deployment rate, the aforementioned BGPattack prevention solutions cannot effectively prevent thestop the attacks on BGP. As a result, it is very importantfor people to be able to detect and react to the attacksquickly and accurately.B. SDN SecuritySoftware-defined networking is a very new networkingtechnology, and has not yet been recognized as the defacto approach for intra-domain routing. However, webelieve SDN is the future of the intra-domain routing.First, it is fully compatible with all the traditional intradomain routing protocols. Using the centralized approachfor controlling the network, a network operator can implement any existing or new routing protocols as applications running on the controller. Second, the separationof the control logic and forwarding actions makes SDNcan not only achieve the goal of the traditional routingprotocols but also many other new tasks. These featuresmake SDN very popular among the large networks,where the operators require maximum flexibilities ofthe networking functionalities as well as the centralizedmanagement over the entire network.In terms of security, researchers have discovered several new attacks on SDN. In section V, we examinethe main security solutions against the attacks. However,there are also many security aspects that are yet to bestudied. Instead of securing SDN itself, there are severalprojects that use SDN for securing the Internet, suchas conducting anomaly detection or defending againstDDoS attacks. In section VI, we also investigates theapplications of SDN on solving other security problemsof the Internet.III. BGP ATTACK P REVENTIONThe design of Border Gateway Protocol (BGP) wasbased on the assumption that all the autonomous systems(ASes) are trustworthy. The assumption no longer holdsas we have seen an increasing frequent appearance ofthe malicious attacks on the Internet carried out by ASesthat exploit the loopholes in BGP. The current version ofBGP allows ASes to announce origination of any prefixeswithout authentication (Fig. 3a), propagate routes withmanipulated path information(Fig. 3b), or even send outentirely forged routing information. Due to the lackof verifiable global routing information, an AS cannoteffectively verify the information received from otherASes, and can only rely on its own knowledge aboutthe legitimacy of the updates, which has proven to beineffective by the repeated occurrences of the maliciousattacks and misconfigurations.Researchers have proposed multiple solutions ranging from cryptographic to multi-party collaborative approaches to securing the BGP operations and preventingthe attacks entirely. In the following subsections, we introduce the design and core ideas of the majority optionsof attack prevention mechanisms. For each mechanism,we also discuss its essential drawbacks and its deployability. At last, we discuss the overall future of the attackprevention mechanisms.A. OverviewFrom the main technology used, the main attackprevention system can be categorized into three types:
4methodBGPSec [9], [12], [17]soBGP [13]psBGP [16]SPV [15]Listen & Whisper [18]RAVS [19]IRRIRV [14]GTSM [20]TCP MD5 Sig. [21]IPSEC dhighhighhighlowmediumlowlowmediumlowlowmediumdata AN/ApathXXXXXXXXoriginXXdeploymentXXXXXXXXTABLE I: BGP Attack Prevention Mechanisms1) control-plane cryptographic approaches,2) control-plane non-cryptographic approaches, and3) data-plane-based approaches.The control-plane approaches aim to secure the controlplane information exchanged among ASes, while thedata-plane approaches focus on securing the communication channel between the BGP routers. The controlplane-based solutions can also be coarsely categorizedinto cryptographic and non-cryptographic approaches.Table I lists the current main BGP attack preventionsystems. The method column represents the name ofevery attack prevention mechanism; the control-planecolumn indicates if the method mainly operates onthe control-plane; the crypto-based column shows if amethod applies cryptographic approaches or not; theoverhead column represents the operational cost of eachmechanism, ranging from low to high; the data sourcecolumn indicates the type of data sources used by thesemethods; the path and origin columns show that whetherthe approach can secure the AS paths and prefix originof the BGP updates respectively; and the deploymentcolumn shows if the method is currently being deployed,regardless of the deployment ratio.B. Prevention Without Cryptography from the ControlPlaneWe start our survey for BGP attack prevention methods by investigating the prevention mechanisms that donot heavily depend on cryptographic methods. Specifically, we examine two main methods in this area: theInternet Routing Registry (IRR), and Inter-domain RouteValidation (IRV). IRR uses centralized trusted databasesto maintain and offer access of correct routing information; IRV enables active queries for the correctness ofBGP updates, trusting each AS to provide the accuraterouting information about itself. In this following subsection, we closely investigate theses two methods andanalyze their strengths and weaknesses.1) Internet Routing Registry (IRR): People first builtthe Internet Routing Registry (IRR) to serve as generalrepositories of routing information, connectivity, androuting policies. IRR consists of several databases wherenetwork operators publish their routing policies and announcements so that other network operators can utilizethe data. The information includes ASes’ relationshipswith other ASes, the routes learned and propagated fromother ASes, the preferences if multiple routes exist, etc.Such information is structured into data objects usingthe Routing Policy Specification Language (RPSL) [23],[24]. Network operators can verify each BGP updateagainst the known routing information obtained fromIRR databases.However, IRR suffers from out-of-date information.The information in IRR databases may be accurate atthe time of submission, but this may not be true by thetime users access the information. The organizations donot have enough motivation to keep their IRR recordsup to date, especially for those ASes that update routinginformation frequently. Users of IRR information thuscannot confidently decide if the suspicious BGP updatescontains anomalous information or simply newer legitimate information. Despite the weakness, researchers stilluse IRR on various topics [25], [26], [27], [28]. Signaoset al. even evaluated the efficacy of using the inaccurateIRR and claimed that it is still very helpful [29]. However, such weakness makes IRR less reliable in termsof verifying BGP information. As a result, people haveto seek other approaches to obtaining authentic BGPinformation.2) Inter-domain Route Validation (IRV): In the globalregistry model used by IRR, ASes do not have enoughmotivation to update a third-party registry of regardingtheir routing information. To address this shortcoming,Goodell et al. proposed the Inter-domain Route Validation (IRV) [14] architecture that extends the existingmodel into per-AS routing registry. IRV provides outof-band verification information using a query-based ap-
5proach. It defines an information distribution protocol forASes to exchange routing data with each other withoutthe involvement of a third party. Each IRV-enabled ASimplements an IRV server that stores all local routinginformation. The routers that receive BGP updates canquery the IRV servers of the ASes on the path to validatethe information. Upon receiving a query, the IRV serverwill respond based on its local policy. Since every IRVserver resides within each AS, the information can bekept up-to-date with minimum cost.IRV also has a set of issues that were not specified inthe paper. First, the discovery of an IRV server withinan AS is not clear. A querying AS does not necessarilyknow every IRV servers’ IP addresses. However, theauthors did not introduce any mechanism for an AS todiscover the IP addresses of other ASes’ IRV servers,Second, the message authentication of the IRV query andreply was not specified, leaving it possible for attackersto forge illegitimate IRV messages. Third, in partialdeployment scenarios where only a set of ASes on theInternet enables IRV, a querying AS can only verify aportion of the AS path.C. Prevention with Cryptography from the Control PlaneThe majority of the BGP attack prevention systems tryto secure the assets (prefix origin and AS paths) throughcryptographic approaches. The main argument behindthis is that there are hardly any trustworthy verificationsources that an AS could refer to, leaving fewer optionsbut to establish and use cryptographically-secured datasources. In this subsection, we survey the main attackprevention solutions that use cryptographic approaches.To date, BGPsec is the only BGP security upgradethat has been deployed on the Internet. Though thedeployment rate is still bleak, we could foresee a betterscenario in near the future. In the rest of this subsection,we look at other attack prevention solutions proposedprior to BGPsec, but not deployed on the Internet.1) RAVS: Kim et al. proposed a solution with verifiable search called Identity-based Registry with Authorized and Verifiable Search (RAVS) [19]. RAVSfeatures the following capabilities that out-performs theIRR method. First, it enables public key exchange cryptographically transform the AS number to the public keyof each AS. This allows every AS to easily authenticateitself to the RAVS system without requiring a globallydeployed public-key infrastructure. Second, RAVS usesSearch Permission Generator to control search permissions based on AS credentials. Only the authorized ASescan query the registry. Third, every search result canbe verified cryptographically. All entries in the RAVSFig. 5: An example of querying RPKI for prefixownership information.database are signed with the private key of the ownerASes, allowing other ASes to verify them with the publickey of the owner ASes. Such scheme allows RAVSto provide verifiable routing information to the ASes.Unfortunately, RAVS has never been adopted on theInternet.2) RPKI: As another attempt to construct a trustworthy database for routing information, people proposedand built Resource Public Key Infrastructure (RPKI).The main purpose of RPKI is to provide a centralizedrepository for all resource-related information with cryptographic protection. One of the main types of resourceis the ownership information of IP prefixes.As discussed in section III-A, one of the main threatstoward the Internet routing is prefix hijacking (Fig. 3a).Exploiting the lack of verification mechanism in BGPprotocol design, the attackers can send announcementsto claim the ownership of any prefixes, or to change theAS-level path toward a target prefix. In an ideal scenariowhere every AS on the Internet knows the legitimateowner of every IP prefix, forged announcements fromthe attackers will not be propagated. However, in realworld scenarios, it is hard, if not impossible, to obtain thecorrect and up-to-date prefixes ownership information.RPKI is a public key infrastructure specifically designed to store and provide information of the resources(or assets of ASes) on the Internet. RPKI is not intendedto replace the current IRR system, but to provide extrasecurity property for the information. For example, whenan BGP router received an announcement of a prefixB originated from AS X , the router can query RPKIrepository (or a local cache) for the ownership information of this prefix, and then verify the correctness of theinformation (Fig. 5). The result could be valid, invalid,or unknown. Based on the verification result and localsecurity policy, the receiving router can then make therouting decision. Wahlisch et al. [30], [31] describedthe procedure of detecting suspicious prefix ownershipchanges, and Huston et al. [9] also provided a morecomprehensive description of RPKI architecture and itsusage.However, RPKI is also facing a number of problems.The first problem is the scaling issue. To date, RPKI
6Fig. 6: An BGPsec AS path protection example.only covers less than 10% of the IP space. Through aset of calculation, Osterweil et al. estimated that the sizeof RPKI with full deployment will consist of 650,000encrypted objects [32], which will incur a more than 4day time overhead for a full synchronization. If considerthe key rollover cases, the overhead would be evenhigher. The second problem is that RPKI system itselfcan also be abused to take down prefixes. The revocationof any objects does not need any acknowledgement fromthe current prefix owner [33]. In [34], Heilman et al.proposed a set of countermeasures to maintain countableRPKI operations with explicit acknowledge responses forevery potential damaging operations. Nonetheless, RPKIis still considered to be the best information source forBGP security mechanisms.3) BGPsec: With RPKI protecting the prefix origininformation, BGPsec (originally S-BGP) is proposed tofurther ensure that the path toward any prefixes is alsoprotected [9], [12], [17]. First, in every BGP updateannouncing a new AS path to a prefix, the path segmentsin the AS path are protected with a signature fromeach hop along the path that the update propagated. Arouter receiving a BGP update can check the signaturepacked “BGPsec Path” attribute. Each signature anyhop appends also contains a “Subject Key Identifier”that uniquely represents a router or AS’s identity inthe RPKI, which the receiving party can use to verifythe signature. Fig. 61 shows an example where AS1originates an update for prefix 10.0.1.0/24, propagatesthe update to AS2, and AS2 propagates it to AS3. Oneach propagation, the AS in question will sign the ASpath content. The receiving AS (AS3) can validate allthe signatures from every AS on the path and validatethe entire AS path.BGPsec is considered the best and most 47/archived issues/ipj 14-2/142 bgp.htmlsolutions toward securing BGP; however, it still facesseveral challenges. Lychev et al. argued that with the unavoidable stage of partial deployment, BGPsec provides“only meagre benefits over origin authentication whenthese popular policies are used” [35]. To accommodateits legacy next-hop routers, a router running BGPsechas to downgrade its protocol to legacy BGP, and thuslose all the cryptographic protections provided by theprevious hops. Once the downgrade happened at onehop along the propagation, previous signed signatureswill no longer be available to the downstream ASes,neither can the downstream entities continue to useBGPsec to partially sign the path. In [36], Li et al.presented two types of attacks that work even whenBGPsec fully deployed: the wormhole attack and themole attack. The wormhole attack shows that BGPseccannot tell or defend fake BGP links created by tunneledBGP sessions. With the help from the others, an attackercan effectively announce a totally legitimate path to thetarget victim with shorter path length. The mole attackexploits the fact that some ISP would rent IP prefixesfrom its provider and not utilize them with a defaultforwarding path in place. An attack could exploit suchsituations by simply sending traffic to the unutilizedprefixes to generate a loop of traffic. Such loop of trafficcan eventually saturate the link between the victim ASand its provider.4) Other Cryptographic Solutions: As discussed previously, the only BGP security upgrade that has beendeployed to date is BGPsec. There are several othersolutions proposed before BGPsec that have not beenadopted, including soBGP [37], psBGP [16], andSPV [15]. Unfortunately, none of these approaches havebeen widely deployed to date. We investigate thesemethods and in the rest of this section.In 2003, White et al. [37], [13] proposed soBGP thatuses cryptographic certificates to prevent forged prefixorigin announcements and invalid AS path updates. Every AS that deploys soBGP should obtain an “EntityCert” certificate to authenticate its own identity to others.To secure the prefix origin information, soBGP usescryptographic certificates, “AuthCert”s, to provide verifiable announcement of prefix ownerships. To announcethe ownership of a prefix, an AS needs to obtain an“AuthCert” from a trusted third party. The AS can thenannounce the prefix with the corresponding “AuthCert”attached to the update, and sign the announcement withits own private key. A receiving router can verify theannouncement by validating the signatures of the updateand the “AuthCert” attached. To enable the validation ofthe AS path updates, soBGP requires all enabled ASesto broadcast AS relationship information using another
7certificate, “ASPolicyCert”. The relationship informationof an AS includes the identities of neighbor ASes, andthe policy for each neighbor AS. An “ASpolicyCert”essentially asserts the feasibility of an AS to forwardtraffic to other ASes. Each soBGP enabled AS will buildits own Internet topology based on the “ASPolicyCert”obtained from the broadcast, and then validate the ASpath updates against this topology. For example, ASA must first announce that it connects to AS B using“ASPolicyCert” before it can propagate any BGP updatescontaining the link between A and B.Comparing to BGPsec or BGPsec, the advantage ofsoBGP is the relatively low overhead. After building thetopology and the prefix ownership information, an AScan then validate all BGP updates using its own datawithout active query even during partial deployment.However, the solution relies on the assumption thatASes can reliably distribute (or broadcast) the policyinformation as well as the identity information of theASes (such as the public keys of the ASes). Without areliable information distribution mechanism like RPKI,soBGP is not able to deploy on the Internet.In 2005, Wan et al. introduced Pretty Secure BGP(psBGP) [16] that utilizes a decentralized trust modelfor verifying IP prefix ownership. To announce theownership of a prefix, an AS needs to send out anownership assertion signed with its own public keyand distribute to its neighbor ASes. When receiving anassertion, an AS will decide whether to propagate suchassertion to its neighbors based on its own judgment.The number of assertions from the prefix owner andits peers indicates its level of authenticity. Similar toBGPsec, the path verification is done by validating a setof signatures attached by the ASes along the propagationpaths. Different from BGPsec, psBGP allows partial pathsignatures using a confidence value for the validation,which reflects how likely a path is valid.psBGP is essentially built upon a AS-level reputationsystem, which assumes the infeasibility of constructing a hierarchical PKI system for resource assertions.However, the reputation system would result in indeterministic decisions in many cases. The verification ofthe AS paths in BGP updates is also dependent on thedecision logic of the confidence system, and potentiallycould be manipulated by the resourceful attackers. Thus,psBGP could be applied as a secondary route verificationmechanism, but not a reliable method preventing therouting attacks.In 2004, Hu and Sirbu introduced Secure Path Vector(SPV) [15], proposing to use symmetric cryptographyto secure the BGP updates. The main goal of SPV isto secure BGP updates against AS path fabrications, in-cluding forging whole AS paths or modifying partial ASpath segments. SPV uses tree-authenticated hash valuesfor AS path validation. First, the prefix owners needsto have the knowledge of the private key associate withthe prefix. The distribution of the prefixes’ public/privatekeys is proposed to done in places like ICANN. Then,the prefix originator announces the prefixes with a set ofone-time signatures together with the private keys forthem. During each propagation, the sending AS signitself into the ASPATH using the private key for thesignature. The receiving AS can verify the ASPATHwith all the one-time signatures through a hash-treestyle authentication. Since the private keys was used andremoved, the attacker cannot recreate the key and thuscannot replace a previous AS number with its own. Toensure the security of the constructed verification tree,SPV requires the originator periodically re-announce theprefixes.Comparing to the BGPsec, the authors claim thatSPV achieves significantly performance improvementby changing nested digital signature authentication withhash-tree-authentication. The performance improvementcomes from the computational complexity differencebetween symmetric and asymmetric cryptography usedin SPV and BGPsec. Though with some performanceimprovement against BGPsec, SPV still suffers somesevere problems. First, the re-announcement frequencycould greatly affect the overall traffic and computationalload on the BGP routers, which was not taken intoconsideration in their evaluation. Second, the “epochs”of verification trees require a higher level of timesynchronization. Also, as discovered in [38], SPV cannotfully protect BGP against route forgery and eavesdropping.D. Prevention from the Data PlaneThere are some other methods that prevent attacksfrom data-plane level, including IPSEC, TCP MD5 field,and Generalized
an interconnected network architecture. There are inter-domain and intra-domain routing protocols. The inter-domain routing protocol has experienced increasingly frequent anomalies, such as IP prefix hijackings, route leaks, or impact from large-scale disruptive routing events. The intra-domain routing also suffers from various attacks
May 02, 2018 · D. Program Evaluation ͟The organization has provided a description of the framework for how each program will be evaluated. The framework should include all the elements below: ͟The evaluation methods are cost-effective for the organization ͟Quantitative and qualitative data is being collected (at Basics tier, data collection must have begun)
Silat is a combative art of self-defense and survival rooted from Matay archipelago. It was traced at thé early of Langkasuka Kingdom (2nd century CE) till thé reign of Melaka (Malaysia) Sultanate era (13th century). Silat has now evolved to become part of social culture and tradition with thé appearance of a fine physical and spiritual .
On an exceptional basis, Member States may request UNESCO to provide thé candidates with access to thé platform so they can complète thé form by themselves. Thèse requests must be addressed to esd rize unesco. or by 15 A ril 2021 UNESCO will provide thé nomineewith accessto thé platform via their émail address.
̶The leading indicator of employee engagement is based on the quality of the relationship between employee and supervisor Empower your managers! ̶Help them understand the impact on the organization ̶Share important changes, plan options, tasks, and deadlines ̶Provide key messages and talking points ̶Prepare them to answer employee questions
Dr. Sunita Bharatwal** Dr. Pawan Garga*** Abstract Customer satisfaction is derived from thè functionalities and values, a product or Service can provide. The current study aims to segregate thè dimensions of ordine Service quality and gather insights on its impact on web shopping. The trends of purchases have
Chính Văn.- Còn đức Thế tôn thì tuệ giác cực kỳ trong sạch 8: hiện hành bất nhị 9, đạt đến vô tướng 10, đứng vào chỗ đứng của các đức Thế tôn 11, thể hiện tính bình đẳng của các Ngài, đến chỗ không còn chướng ngại 12, giáo pháp không thể khuynh đảo, tâm thức không bị cản trở, cái được
Le genou de Lucy. Odile Jacob. 1999. Coppens Y. Pré-textes. L’homme préhistorique en morceaux. Eds Odile Jacob. 2011. Costentin J., Delaveau P. Café, thé, chocolat, les bons effets sur le cerveau et pour le corps. Editions Odile Jacob. 2010. Crawford M., Marsh D. The driving force : food in human evolution and the future.
Le genou de Lucy. Odile Jacob. 1999. Coppens Y. Pré-textes. L’homme préhistorique en morceaux. Eds Odile Jacob. 2011. Costentin J., Delaveau P. Café, thé, chocolat, les bons effets sur le cerveau et pour le corps. Editions Odile Jacob. 2010. 3 Crawford M., Marsh D. The driving force : food in human evolution and the future.
