L1L wnage: Packlng PL8/PSS and

MML Core neLwork LlemenLs

1 SecurlLy
1
!"# #%&'()%*#%"
2
L1L neLwork Cvervlew
3
CorporaLe & Moblle uaLa rlsk lncreased
L1L from auackers perspecuve
All l - always on - always vulnerable?
Spear-hlshlng
8oLneLs & Malware
lloodlng
1ro[an & 8ackdoors
lv6 renders nA1 proLecuon lnemclenL
SpllL Pandshake 1C auacks prevenLs lS and
Anuvlrus
very famlllar archlLecLure for auackers: A1CA, Llnux
lnLrlcaLe and new proLocols: ulameLer, S1, x2, C1
4
2C 3C Lo L1L: 8eallLy and Legacy
+, -, !"#
81S node 8 enode 8
8SC merged lnLo node 8 merged lnLo enode 8
MSC / vL8 8nC MML, MSC roxy
PL8 PL8, lMS PSS, PL L1L SAL PSS, Su8/SuM
S1 S1, SC Legacy S1
CCSn CCSn un CW
SCSn SCSn MML/SCW
ln ln/C8l C8l
8An llrewall 8An llrewall SeCW
5
user daLa conLenL: L1L user lane
6
L1L neLwork Auack Surface
lull l only?
no: full l double exposure
ackeLs (S uomaln)
2x auack surface
C1 sull presenL
S1A/x2A new
ClrculLs (CS uomaln)
2x auack surface
SlC18An & SS7 wlll sLay for many years
lMS & ulameLer
7
3C and L1L LogeLher
8
8An
LC
CSl8 vs. vCL1L vulnerablllLy auack
surface
CSl8
CS lall 8ack from 4C Lo 3C
asL ls presenL
SS7 and SlC18An sLack vulnerablllues (uoS, spoof, .)
vCL1L
Whole new auack surface
new An, new neLwork Lo hack, new servers,
Closer Lo Lhe Core neLwork == more serlous vulns
lMS (CSCl = Sl server, unS, .)
SLandard? no.
9
lSu ln[ecuon ln Sl Lhrough vCL1L
?es, Sl. known. buL.
lnLerneL Sl + SS7 lSu == Sl-l and Sl-1 == lSu ln[ecuon !

Remote
Core
Network
DoS
SS7
compromise
External
signaling
injection
Spoong of
ISUP
messages
Fake billing
Ouch!
11
CSl8 Auack surface Lhrough MSC roxy
and SS7 + SlC18An
All SlC18An auack surface exposed
All SS7 auack surface exposed
MosL dangerous:
Loglcal uenlal of Servlce auacks
SS-based SCC uoS (1 Cvlu#480)
1l-based SS7 uoS (1 Cvlu#481)
LqulpmenL Crash/uenlal of Servlce auacks
Lrlcsson MSC Crash uoS (1 vlu#330)
nSn PL8 Crash uoS (1 vlu#148)
Lrlcsson S1 Crash uoS (1 vlu#187)
12
Severity Critical
Description

NGHLR SS7 stack software is not robust and suffers
from Remote Denial of Service.
Impact
Enables any person sending malicious SCCP trafc to
the HLR to crash it. This includes the whole
international SS7 network as HLRs need always to be
globally reachable.
P1vid#148 - https://saas.p1sec.com/vulns/148
8ellablllLy for Lelco
AblllLy Lo cope wlLh x mllllon of requesLs
noL AblllLy Lo cope wlLh malformed Lramc
nSn nCPL8 remoLe uenlal of Servlce caused by
fraglle SS7 sLack
CSM MA prlmluve MA_lC8WA8u_ACCLSS_SlCnALLlnC
enables 8An slgnallng ln[ecuon
Severity Medium
Description

This GSM MAP MSU
"MAP_FORWARD_ACCESS_SIG
NALLING" forwards any content
to the Radio Access Network
(RAN).
Impact
The result is that some external
entities may send or spoof
MAP_FORWARD_ACCESS_SIGN
ALLING MSUs to target MSC GTs
and have the vulnerable MSCs to
inject this signaling into the radio
network (typically RANAP).
P1vid#145 - https://saas.p1sec.com/vulns/145
normal
Spoofed
Spoof and ln[ecL radlo slgnallng
As lf lL was comlng from 8adlo neLwork
lun Anu-forenslcs
Same auack as vlu#187
Also crash Lrlcsson Lramc monlLorlng log analysls
forenslc Lools (1 vku vlu#213)
Code sharlng beLween enforcemenL and forenslc
Lools
15
P1vid#213 - https://saas.p1sec.com/vulns/213
3C and L1L LogeLher
16
8An
LC
eer Lo eer 8adlo Access neLwork
x2A
enode8's
eer Lo eer
1ranslauon
Lvery base sLauon can Lalk Lo every oLher
neLwork auack surface lncrease
1oLal spread lnLo Lhe 8An neLwork
CperaLor-wlde L2 neLwork
L2 auacks, less defense ln depLh, scannlng only blocked by
slze of neLwork
uld C1 dlsappear? no
17
18
user daLa bLw en8s: L1L user lane
L1L 8An Cvervlew
19
Typically a
common
physical
connection
X2
Mul
Mul S1
IP/Ethernet transport
MME
OSS-RC
LTE RAN
X2
Mul
S1 UP
X2
Mul S1
S1
Evolved Packet Network (EPC)
SGW
S1 CP
SeGW
Typically a
common
physical
connection
X2
Mul
Mul S1
IP/Ethernet transport
MME
OSS-RC
LTE RAN
X2
Mul
S1 UP
X2
Mul S1
S1
Evolved Packet Network (EPC)
SGW
S1 CP
SeGW

wnlng CSS:
L2 neLwork mlsLakes always happen
Can'L caLch lL wlLh muluple overlapplng /8
neLworks: auLomaLe!
lrom any enode8 Lo Lhe nMS
lrom any enode8 Lo any enode8
?ou can beL on lnsecure provlslonlng
Amerlcan example & 8emoLe mlscongurauon
20
enode8 Pardware Auacks
21
DUS (2G+3G+4G) & DUL (4G)
Radio
Local Ethernet ports
(not TDM anymore)
Uplink to DWDM / Optical net
Ericsson RBS 6602
Hardware (in)security system
L1L: LqulpmenL Auack surface lncrease
ulameLer (new)
Added surface
new code, maLurlLy ln quesuon
very few commerclal fuzzers supporL lL
Lven less really Lrlgger bugs ln ulameLer (depLh pbm)
S1/x2A (new)
C1 + MA wlLhln Lwo compleLely new proLocols
WlLh encapsulauon of user Lramc (non Access SLraLum
proLocol)
WhaL could posslbly go wrong?
22
23
24
ulameLer audlL/fuzzlng problem
25
AudlLor blas #1:
Cpen sLandards doesn'L mean vlslon
ulameLer
nearly every parameLer ls opuonal
8esulL
nobody knows whaL ls a valld comblnauon .
1o LesL / fuzz / ln[ecL
ComblnaLorlal exploslon
Sequence / ulalogue / llow
Av comblnauon
Av values
luzzed parameLer
Lven manufacLurer don'L know how Lo successfully
lnsLrumenL Lhe uevlce under 1esL
luzzer SupporL ls noL luzzer successful Lrlggerlng
26
AudlLor blas #2: luzzlng ls as deep as
fuzzer goes
And fuzzer never go deep enough
Commerclal fuzzer
0 trigger/1000 iteration
SLandard own fuzzer
13 triggers/1000 iterations

need LargeL-speclc developmenL
CusLomlzed own fuzzer:
85 triggers/1000 iterations
27
L1L: new rlsk wlLh ulameLer
ulameLer lnformauon
neLwork dlssemlnauon
ulameLer awesomeness
dlsLrlbuuon/cenLrallzauon
lLs own evll slde
resenL ln many daLabase
PSS, SuM/Su8, Cuu

1he goal was Lo cenLrallze
1he resulL ls one more
daLabase
28
L1L Puawel Speclc
29
uSn = SCSn + MML
uCW = SeCW + SCW + un CW / CW
wnlng L1L PSS:
C++ SCL ln[ecuon everywhere
30
L1L PSS wnlng meLhodology
CSS ls consldered Core
lL ls accesslble by enode8s
Someume: neLwork lLerlng mlsLakes
Cen: Allowed for rovlslonnlng
CSS can connecL Lo PSS
PSS exporLs Loo many servlces
Mux/1unnel klnd of Lhlnklng
one porL == many servlces
31
L1L LC funcuonal plane, no CAM
32
Add CAM: complexlLy exploslon
33
AudlLor blas #3:
Manual vlslon ls always lncompleLe
need some auLomauon
200 Ans * 16 mllllon ls == need Lo have
dedlcaLed scanner
Lach valld C1 Lunnel ls a new 16 mllllons ls Lo scan
Address space exploslon
?ou CAnnC1 do lL manually
?ou CAnnC1 do lL wlLhouL speclc scanners
34
wnlng MML: Pardcoded encrypuon keys
35
P1 VKB CVID#485 DES Hardcoded keys everywhere
uemo
36
Legacy S lnLerfaces of lnLeresL Lo L1L
Cl : lnLerface from CCSn Lo lnLerneL
Cn : lnLerface beLween SCSn and oLher SCSn and
(lnLernal) CCSn
Cp : lnLerface beLween lnLernal SCSn and exLernal
CCSn (C8x used here)
37
eunS vs lunS
Leaks Lo lnLerneL
asslve unSmon
Leaks Lo C8S
Leaks Lo 3C daLa
Leaks Lo L1L LC
Legacy C8S / uM1S
C8x
1Lu / uomaln .gprs
CulLe monollLhlc:
An
8Al
ral<8Al>. mnc08. mcc204.gprs
Cnly Ans and some" neLwork elemenL
39
lMS unS
3gppneLwork.org
SupporLs and llsLs all neLwork LlemenL
LAC
8AC
Lxamples
rac<8AC>.lac<LAC>.mnc08.mcc204.gprs
40
L1L LC unS
Same as lMS unS buL exLended
SupporLs and llsLs mosL SAL LC neLwork LlemenLs
MML
SCW
Lxamples
mmec<MMEC>.mmegi<MMEGI>.mme.epc.mnc99.mcc208.3gppnetwork.org

41
wnlng from L1L moblle
lnfrasLrucLure 8everse paLh proLecuon
L1L Moblle daLa access
8lC1918 leaks (Someume)
uaLacom l lnfrasLrucLure access (now more oen)
42
NAT
CGNAT
wnlng from exLernal:
ulrecL MML access from lnLerneL
wnlng from exLernal wlLhouL any reverse paLh
Lrlck.
Shodan doesn'L work on Lhese
MML auack surface exposed
43
NAT
CGNAT
AudlLor blas #4:
1esLbed ls always more secure
1esLbed ls more secure Lhan producuon
Legacy lmpacL
ScalablllLy lmpacL
AudlL ls oen only permlued ln LesLbed
LlablllLy
oLenual for uenlal of Servlce
8esulL
Auackers advanLage
roducuon goes unLesLed
44
AudlLor blas #4:
1esLbed ls always more secure
1esLbed ls more secure Lhan producuon
Legacy lmpacL
ScalablllLy lmpacL
1here's always someLhlng more on Lhe prod neLwork
AudlL ls oen only permlued ln LesLbed
LlablllLy
oLenual for uenlal of Servlce
8esulL
Auackers advanLage
roducuon goes unLesLed
45
1echnlcal CapaclLy & knowledge lssue
Who
Can audlL all new L1L proLocols and legacy proLocols
Pas experuse on Lhe archlLecLures & vendors equlpmenL
CuaranLee
Scannlng quallLy
Coverage on all proLocols & arch (CSl8, lMS, Pybrld,
SCharge)
Cover all perlmeLers and accesses
Ans
C8x & lx accesses
SpllL unS
user plane and conLrol plane
46
Concluslon
L1L ls supposed Lo be bullL wlLh securlLy
ulerence beLween sLandardlzauon and real securlLy
neLwork LqulpmenL vendors are sull lagglng
Cpenlng up of Lhe Lechnology
Cood: deeper lndependenL securlLy research
CperaLors
Sull dlslnformed by vendors
SecurlLy Lhrough obscurlLy ln 2013! unbellevable!
Some are gemng proacuve
47
"./%012

1## 3)4 /"5
./60'") #(,) 14* 7 */3 +89 +:;-
</('1= >(/%6#
ConLacL:
hlllppe.Langlols[p1sec.com
hup://www.p1sec.com
48
?/604< 1!'@#1
49
lnLerfaces
50
L1L neLwork
51
revlous L1L servlces & mlsslons
L1L CompleLe lnfrasLrucLure audlL
Puawel L1L LC Core neLwork audlL &
vulnerablllLy research
L1L CSl8 lnfrasLrucLure lnLegrauon wlLh legacy
audlL
boLh ulameLer, S1, x2 and SS7 lnLegrauon for CS
lall8ack
Lrlcsson enode8 audlL and producL securlLy
revlew
ulameLer securlLy audlL on L1L & lMS Core
52
L1L audlL mllesLones
1. LxLernal L1L Lesung, scan & audlL (blackbox)
L1L new elemenLs
lnLegrauon wlLh legacy
2. L1L e8An onslLe audlL
enode8, enrollmenL, congurauon & S8/v8
CSS & CAM
3. L1L LC Core neLwork audlL
MML
S-CW & un CW
PSS
C8l
4. M8SS - Mlnlmum 8asellne SecurlLy SLandard
L1L e8An: enode8, SeCW, CSS & enrollmenL servers
L1L LC: MML, S-CW, C8l, PSS, un CW, MSC roxy
53
'%"#(>/6#1
54
lnLerfaces
55
/@@(#11'%, '% !"#
56
Core neLwork: l addresses everywhere
LveryLhlng uses l addresses
user: uL,
8An: enode8, SeCW
LC: MML, PSS, SCW, CW
lv4
lv6 ls acLually really belng supporLed
57
1elecom-speclc addresslng
Lnd user addresses:
Cu1l,
lMSl,
.
58
Cu1l
Clobally unlque 1emporary ldenuLy (Cu1l)
AllocaLed by Lhe MML Lo Lhe uL
Cu1l = CuMMLl + M-1MSl
CuMMLl = Clobally unlque MML lu
CuMMLl = MnC + MCC + MMLl
MMLl = MMLCl + MMLC
MMLCl = MML Croup lu
MMLC = MML Code
M-1MSl == MML 1MSl
C8S/uM1S -1MSl -> L1L M-1MSl
S-1MSl = MMLC + M-1MSl
59
Cu1l ln lcLures
60
8Al/-1MSl mapplng Lo Cu1l
61

Cu1l mapplng Lo -1MSl
62

1AC and 8nC lu
63

/@(#11 */<<'%, '% @%1
64
Legacy C8S / uM1S
C8x
1Lu / uomaln .gprs
CulLe monollLhlc:
An
8Al
ral<8Al>. mnc08. mcc204.gprs
65
lMS unS
3gppneLwork.org
SupporLs
LAC
8AC
Lxamples
rac<8AC>.lac<LAC>.mnc08.mcc204.gprs
66
L1L LC unS
Same as lMS unS buL exLended
SupporLs
MML
SCW
Lxamples

mmec<MMLC>.mmegl<MMLCl>.mme.epc.mnc99.mcc
208.3gppneLwork.org
67
"#6.%)!),3 ?/60,()4%@#(
68
L1L uaLa 1ermlnology
C1 = C8S 1unnellng roLocol
LS = Lvolved ackeL Servlce, L1L daLa sesslons
LC = Lvolved ackeL Core, Lhe L1L core neLwork
An = Access olnL name (same as 2C/3C)
8earer = u sesslon, C1 1unnel for a glven used
SeCW = SecurlLy CaLeway, segmenLs en8 / LC
SCW = Servlng CaLeway, llke CCSn, connecLs Lo
lnLerneL
69
u ConLexL vs. LS 8earer
uM1S and C8S daLa sesslon
ackeL uaLa roLocol (u) ConLexL
Auach (AlerL SCSn) -> u ConLexL Acuvauon procedure
L1L daLa sesslon
Lvolved ackeL SysLem (LS) 8earer
uefaulL LS 8earer
uedlcaLed LS 8earer
8oLh use parameLers:
Access olnL name (An),
l address Lype,
CoS parameLers
70
L1L C1 = eC1
C1-u
lrom enode8 Lo
un CW
CW
aka lnLerneL exlL
node
used Lo be Lhe CCSn
71
C1-u
udp/!"#!
72
L1L ConLrol lane: enode8-MML
73
S1A
scLp/36412
74
L1L ConLrol lane: enode8-enode8
75
x2A
scLp/36422
76
roLocol and porL maLrlx
77
Communicating nodes
Protocol
Protocol ports
Source Destination Source Destination
eNodeB S-GW GTP-U/UDP 2152 2152
S-GW eNodeB GTP-U/UDP 2152 2152
eNodeB eNodeB GTP-U/UDP 2152 2152
eNodeB MME S1AP/SCTP 36422 36412
MME eNodeB S1AP/SCTP 36412 36422
eNodeB eNodeB X2AP/SCTP 36422 36422
All ls ASn1
All proLocols descrlbed ln ASn1
ulerenL klnd of Lncodlng
8L8 - 8aslc, sLandard 1Lv
L8 - acked,
Allgned (AL8)
unallgned (uL8)
uescrlbed ln l1u and 3C sLandards
8equlre ASn1 CLASS" keywords
78
!"# 1',%/!'%,
79
ulameLer Lverywhere
ulameLer replaces SS7 MA
uS8
ulameLer Slgnallng 8ouLer
80
81
82
83
SecurlLy lmpllcauon
SC1 lLerlng Lo be generallzed
8eneL
SC1 ls cong rsL" mosL of Lhe ume
1hreaL
l cloud ls much more explolLauon frlendly
Auack Lechnlques are known Lo many people
Compromlse consequences are more far-reachlng Lhan
SS7
84
ulameLer 8oamlng
85
SecurlLy rouung and lLerlng ln ulameLer
uS8
uene rouung & lLerlng rules
ulscrlmlnanLs lndlcaLors
uesunauon-based:
8ealm, PosL, Appllcauon-lu
Crlglnauon-based:
8ealm, PosL, Appllcauon-lu
Command-Code
lMSlAddress
86
luLure ulameLer 8ouung & lllLerlng
87
SecurlLy & vulnerablllLy of LC 8oamlng
lllLerlng even more lmporLanL
uS8 lLerlng ls noL maLure
C8x problems amplled
lmpacL of Lhe C8x/lx/lMS/SAL LC unS lnfrasLrucLure
ln lnformauon CaLherlng
unlque ldenuer leaks much easler
rlvacy consequences
88
"#1"'%,
89
1esung SecurlLy ln an L1L LnvlronmenL
1wo klnd of envlronmenL
1esLbed
Llve (also called roducuon, Creeneld, Acuve)
90
L1L 1esLbed SecurlLy Lesung
Shlelded Lesung
enode8 anLenna ouLpuL connecLed Lo a cable
Cable arrlves ln LesL room
A Shlelded box" ln LesL room ls connecLed Lo cable
hone / uS8 dongle ls puL lnslde Lhe box for LesLs
uS8 cable goes ouL of Lhe box Loward Lhe LesL C
no 8l ls polluung Lhe specLrum
Lnables pre-aucuon Lesung
91
8elauonshlp Lo vendors
vendor usually prevenL audlL
8y llmlung lnformauon
8y llmlung access Lo uevlce under 1esL
8y llmlung access Lo LesLbed
8y LhreaLenlng of poLenual problems, delays,
responslblllLy, llablllLy
MosL of Lhe L1L Lesung can happen LransparenLly
1he vendor doesn'L see Lhe securlLy audlL Leam
resenLed as normal operaLor quallcauon
noL presenLed as securlLy audlL
8esulL only ls presenLed when audlL ls nlshed
92
/4@'"1
93
C1
LndpolnL dlscovery
lllegal connecuon/assoclauon esLabllshmenL
user ldenuLy lmpersonauon
luzzlng
Leak of user Lramc
Lo Core neLwork (LC)
Lo L1L 8An
94
x2A AudlL
LndpolnL dlscovery
lllegal connecuon/assoclauon esLabllshmenL
luzzlng
8everse englneerlng of proprleLary exLenslons
Ml1M
95
S1A AudlL
LndpolnL dlscovery
lllegal connecuon/assoclauon esLabllshmenL
luzzlng
8everse englneerlng of proprleLary exLenslons
Ml1M
nAS ln[ecuon
96
L1L LC unS AudlL
LC unS ls lmporLanL
LC unS scanner
Close Lo C8x / lMS
97
/""/601
98
user auacks: LS 8earer SecurlLy Auacks
An 8ruLeforclng
l SegmenLauon
accesslng operaLors' 8lC1918 lnLernal neLworks
C1 endpolnL dlscovery
from wlLhln 8earer uaLa Sesslon
Secondary LS 8earer Lxhausuon/llood load uoS
Max 11 Lo be LesLed
8epeaL seLup/Leardown of connecuons
CW ulServ Lesung
Scans Lhe l header uS blLs (ulerenuaLed Servlces) Lo see
dlerence ln LreaLmenL by CW
99
"))!1
100
8aslc audlL Lools
L1L SlM card
L1L uS8 uongle
L1L uL (user LqulpmenL) = hone
8!43 for LLherneL connecuon Lo LC/Lu18An
Wlreshark
Sakls3C and evoluuons for L1L supporL
lsec audlL Lool
101
ldeal audlL Lools
C1 proLocol sLack & fuzzer
SC1 Ml1M Lool & fuzzer
LLherneL/A8 Ml1M Lool (euercap)
S1A proLocol sLack & fuzzer
nAS proLocol sLack & fuzzer
x2A proLocol sLack & fuzzer
ulameLer proLocol sLack & fuzzer
C8x, lMS, LC unS scanner
102
vlrLuallzauon LargeLs
Puawel
ln progress
PSS
MSC roxy
oLenual
uSn, Servlng CW, un CW, MML
eP8S lnLegraLed node (MML, PSS, SCW, CW, .)
Lasler because one slngle node
P opporLunlLy?
103
L1L neLwork vlrLuallzauon
104
Puawel A1CA vs. C
CS1A 2.0
Llnux based
CpenSuse 10.x or 11.x
Cld, unpaLched kernel
roprleLary exLenslons and SM
Some lCA based boards
Some CLM based lnLegrauon (SwlLches A840, 8ouLers, .)
C
Clder archlLecLure
More monollLhlc
Parder Lo repllcaLe
105
Pard problems
use same kernel (medlum)
use llcenslng (medlum)
Load slgned kernel modules (medlum hard)
LmulaLe lCA and CLM lnLegrauon (hard)
8epllcaLe neLwork servlces / oLher nLs (hard)
106
PSS
A1CA / CS1A 2.0
lew exLernal hardware
ModeraLely easy
Cperauon ln progress
8ased on PSS_v9008003
107
vlrLuallzlng ln conLexL (CSl8)
108
8An
LC
MSC roxy
A1CA / CS1A 2.0
no exLernal hardware
ModeraLely easy
Congurauon wlLh
exlsung SS7 SlC18An lnfrasLrucLure
ulameLer LesLbed
109
uSn
uSn_v9008011C02SC100
Parder
110
Lrlcsson
ulmculL Lo deal wlLh Lhem
very proLecuve
Access
Llcenslng
uocumenLauon
111
nSn
oLenually easler Lhan Lrlcsson
Llnux based (SCSn, .)
MonLavlsLa
Some securlLy feaLures
112
Clsco
Some vlrLuallzauon done
lCS 12.x
Some vlrLuallzauon needs hardware
Clsco 7200
Clsco l1
Clsco CCSn
vlrLual neLworklng
Cur Lechnology for adapLed vlrLuallzauon
113
Cur advanLage so far
vlrLuallze x86 wlLh speclc/slgned kernels and
modules
vlrLuallze MlS
Lmulauon of speclc hardware supporL
kernel modules developmenL
vlrLuallze A8M Androld based devlce
for cusLomer slmulauon
114
Moblle + vAS vlrLuallzauon
Speclc demand from cusLomer
vlrLuallze x86 based server
vlrLuallze 10-20 Androld cllenLs
SlmulaLe fraudulenL Lransacuon wlLhln Lhls ow
ln[ecL faulLs wlLhln repeaLed Lramc
115
&'("4/!'A#@ 1',%/!'%, >4AA'%,
116
rlnclple
roxles
M3uA roxy
S1/x2 roxy
ulameLer roxy
Made LransparenL
SC1 Man ln Lhe Mlddle
ackeL forwardlng
117
L1L lncreases rlsks
llnanclal Lhe
rlvacy Lhe
Packlng of corporaLe users
M2M lmpacL of worms and auacks
L1L Moblle broadband usage as maln lnLerneL
connecuon
roLocols are unLesLed and Lradluonal fuzzer coverage
ls weak and shallow
neLwork equlpmenL ls new and noL as rellable as
Lradluonal neLwork elemenLs
118
Questions ?
119