In general, the present application relates to software defined networks, and more specifically, a data packet forwarding unit in software defined networks.
In conventional networks, network forwarding elements like routers and switches contain data plane (D-plane) functions as well as control plane (C-plane) functions. Software defined networking (SDN) is an approach to network design and management that separates the control plane from the forwarding plane of the network and, thus, enables their independent handling. The control plane can be centralized so that the development of control plane protocols is simpler and faster. Software defined networking defines network devices as flow treatment devices, denoted as switches. On the basis of these switches, SDN can concentrate classical management and control plane intelligence in one logical device, which is also called a controller (also referred to as SDN controller). The common abstraction and the locally available data make developing control and management applications easier. Due to the centralization of the control plane, the network functions are moved to the controller, e.g. they can be implemented as control applications (cAPPs) running on the controller. For example, in routing, conventional switches run both link state distribution protocols and route (path) computation, while SDN enabled switches only distribute their link states to the controller and the controller performs path computation. These paths are used in switches by installing appropriate flow rules.
Software defined networking (more specifically OF-based SDN) is considered as one of the key technologies that can evolve next generation mobile network architecture design due to its simplicity and network programmability features (see, for instance, NGMN Alliance, “5G White Paper”, Feb. 17, 2015). One of the aims of next generation mobile networks is to support a network slicing concept. Network slicing primarily targets a partition of the mobile core network, wherein a network slice is defined as a collection of resources from the SDN infrastructure and a set of control applications (cAPPs) that support the communication service requirements of a particular use, e.g. machine type communications (MTC), vehicle-to-X (V2X), mobile broad band (MBB), etc. For one network slice, there can be one or multiple SDN cAPPs, which can provide different network services. Resources from different slices can share the same SDN enabled infrastructure, and these slices might have different cAPPs with distinct requests to the SDN control plane in order to operate the infrastructure.
However, several problems need to be addressed in the context of network slices. Firstly, it has to be guaranteed that different slices, e.g., slice A and slice B, operating on top of the same infrastructure will have access only to their part of this infrastructure (e.g., flow entries in OpenFlow switches) and that slice A will not change portions of the infrastructure related to slice B. For instance, if the cAPP of slice A configures a flow entry in a switch S1, there should be a guarantee that a cAPP from slice B cannot modify the flow entry of slice A in the same switch S1.
Another problem is to guarantee that, even within the same slice, there can exist a domain of control for each of the cAPPs of the respective slice. For instance, in a scenario with the cAPP #1 (e.g. a mobility management cAPP) and the cAPP #2 (e.g. a connection management cAPP) from slice B cAPP #1 can define a set of flow entries in switch S1 to send events from the data plane to the control plane. There should, however, be mechanisms to guarantee that only cAPP #1 can enforce changes in these configurations (i.e., flow entries), thus not allowing cAPP #2 to change these configurations which may damage the operation of the cAPP #1.
In the document “FlowVisor: A Network Virtualization Layer”, OpenFlow Switch Consortium, Tech. Rep, 2009, a virtualization solution named FlowVisor is suggested for sharing physical switches among different SDN control domains. This solution is based on a hypervisor layer. Each SDN control entity gets a slice of fully isolated network resources. FlowVisor is implemented as an OpenFlow proxy that intercepts and translates messages between the switches and controllers. However, this approach has several problems. Firstly, it does not allow access control among cAPPs within a single slice. Secondly, the additional layer between the controllers and switches adds extra control latency and overhead. Thirdly, it is unavoidable to increase control plane complexity by involving an additional layer in the control layer message processing.
In the document “An SDN virtualization architecture with flexible hypervisor function allocation”, Integrated Network Management (IM), IFIP/IEEE International Symposium on, 11-15 May 2015, Blenk et al. propose a hypervisor to support multi-tenancy of control plane functionalities. This work focuses only on the control plane isolation. However, this approach does not solve the problem of resource sharing among the cAPPs on the same slice, and, similarly to the previously mentioned document, it is not efficient in terms of performance.
In US20150139238 A1, an approach for dynamically creating the flow entries in the switches that are associated with different slices or tenants is disclosed. However, this disclosure does not define which kind of access control is enforced to the deployed flow entries after their deployment. Therefore, there is no guarantee that another slice will override or delete the flow entry defined by another slice. Furthermore, it does not provide any mechanism that solves the problem of flow entry sharing among cAPPs of the same tenant.
Thus, in light of the above there is a need for improved devices and methods for software defined networks.
It is an object of the disclosure to provide improved devices and methods for software defined networks.
The foregoing and other objects are achieved by the subject matter of the independent claims. Further implementation forms are apparent from the dependent claims, the description and the figures.
According to a first aspect, the disclosure relates to a data packet forwarding unit, in particular a switch, configured to forward data packets within a software defined network managed by an SDN controller on the basis of a set of data packet forwarding rules. The data packet forwarding unit comprises a storage unit, e.g., a memory configured to store the set of data packet forwarding rules and a set of access rules and an access control entity configured to control the access to the set of data packet forwarding rules on the basis of the set of access rules.
In a first possible implementation form of the data packet forwarding unit according to the first aspect as such, the access control entity is configured to control the access to the set of data packet forwarding rules by controlling the process of reading a data packet forwarding rule, writing a data packet forwarding rule and/or using a data packet forwarding rule of the set of data packet forwarding rules.
In a second possible implementation form of the data packet forwarding unit according to the first aspect as such or the first implementation form thereof, the data packet forwarding unit is configured to receive an SDN control message from an SDN controller for accessing the set of data packet forwarding rules, wherein the access control entity is configured to extract an identifier from the SDN control message, which identifies a control entity, and to control the access to the set of data packet forwarding rules on the basis of the set of access rules and the identifier.
In a third possible implementation form of the data packet forwarding unit according to the first aspect as such or the first or second implementation form thereof, the data packet forwarding unit is a switch implemented in accordance with the OpenFlow standard, wherein the set of data packet forwarding rules are stored in the storage unit in the form of a flow table, a group table, and/or a meter table.
In a fourth possible implementation form of the data packet forwarding unit according to the third implementation form of the first aspect, the set of access rules is stored in the form of extensions of the flow table, the group table, and/or the meter table.
In a fifth possible implementation form of the data packet forwarding unit according to the third or fourth implementation form of the first aspect, the access control entity is configured to check that a data packet forwarding rule stored in a flow table does not redirect a data packet to another data packet forwarding rule stored in a group table or a meter table, in case the data packet forwarding rule stored in the flow table and the other data packet forwarding rule stored in the group table or the meter table have conflicting access rules.
In a sixth possible implementation form of the data packet forwarding unit according to any one of the third to fifth implementation form of the first aspect, the access control entity is configured to control the access to the set of data packet forwarding rules by controlling the process of adding a new data packet forwarding rule to the set of data packet forwarding rules by checking whether the access rules of stored in the form of extensions of the flow table allow adding the new data packet forwarding rule to the set of data packet forwarding rules.
In a seventh possible implementation form of the data packet forwarding unit according to the sixth implementation form of the first aspect, the access control entity is configured to control the access to the set of data packet forwarding rules by controlling the process of adding a new data packet forwarding rule to the set of data packet forwarding rules by further checking whether the access rules stored in the form of extensions of the group table and/or the meter table allow adding the new data packet forwarding rule to the set of data packet forwarding rules, in case the access rules of stored in the form of extensions of the flow table allow adding the new data packet forwarding rule to the set of data packet forwarding rules.
In a eight possible implementation form of the data packet forwarding unit according to the first aspect as such or any one of the first to seven implementation form thereof, the set of access rules define for a respective data packet forwarding rule of the set of data packet forwarding rules a control entity as the owner of the respective data packet forwarding rule, other control entities, which are allowed to access the respective data packet forwarding rule, and/or access rights of the other control entities, which are allowed to access the respective data packet forwarding rule.
In an ninth possible implementation form of the data packet forwarding unit according to the eighth implementation form of the first aspect, the data packet forwarding unit is configured to receive an SDN control message from an SDN controller for creating a new data packet forwarding rule of the set of data packet forwarding rules and wherein the access control entity is configured to extract an identifier from the SDN control message, which identifies a control entity to be the owner of the new data packet forwarding rule.
In a tenth possible implementation form of the data packet forwarding unit according to the ninth implementation form of the first aspect, the access control entity is configured to decide whether to add a new data packet forwarding rule to the set of data packet forwarding rules or modify an existing data packet forwarding rule on the basis of the extracted identifier, which identifies the control entity.
In a eleventh possible implementation form of the data packet forwarding unit according to the first aspect as such or any one of the first to tenth implementation form thereof, the access control entity is configured to allow a predefined super control entity to access the whole set of data packet forwarding rules.
In an twelfth possible implementation form of the data packet forwarding unit according to the first aspect as such or any one of the first to eleventh implementation form thereof, the access control entity is further configured to discard an access request to the set of data packet forwarding rules which would result in an additional or modified data packet forwarding rule that overwrites an existing data packet forwarding rule.
According to a second aspect the disclosure relates to an SDN controller configured to control forwarding of data packets within a software defined network by providing a control message to a data packet forwarding unit, wherein the control message comprises a data packet forwarding rule and an identifier for identifying a control entity associated with the data packet forwarding unit.
In a first possible implementation form of the SDN controller according to the second aspect, the control message defines at least one other control entity, which is allowed to access the data packet forwarding rule, and/or access rights of the at least one other control entity.
According to a third aspect the disclosure relates to a method of operating a data packet forwarding unit configured to forward data packets within a software defined network on the basis of a set of data packet forwarding rules, wherein the method comprises the steps of: accessing a set of access rules in a memory of the data packet forwarding unit; and controlling the access to the set of data packet forwarding rules in the memory of the data packet forwarding unit on the basis of the set of access rules.
Further implementation forms of the method of operating a data packet forwarding unit according to the third aspect follow directly from the corresponding further implementation forms of the data packet forwarding unit according to the first aspect.
According to a fourth aspect the disclosure relates to a method of operating an SDN controller configured to control forwarding of data packets within a software defined network on the basis of a set of data packet forwarding rules, wherein the method comprises the step of sending a control message to a data packet forwarding unit, wherein the control message comprises a data packet forwarding rule and an identifier for identifying a control entity which generates the control message.
In a first possible implementation form of the method of operating an SDN controller according to the fourth aspect, the control message comprises an authorization filed which identifies control entities which are authorized to access the data packet forwarding rule.
Further, the control message may specify access right of each control identified entity.
According to a fifth aspect the disclosure relates to a method of operating a data packet forwarding unit configured to forward data packets within a software defined network on the basis of a set of data packet forwarding rules, wherein the method comprises the step of receiving a control message from a data packet forwarding unit, wherein the control message comprises a data packet forwarding rule and an identifier for identifying a control entity which generates the control message.
In a first possible implementation form of the method of operating data packet forwarding unit according to the fifth aspect, the control message comprises an authorization filed which identifies control entities which are authorized to access the data packet forwarding rule.
Further, the control message may specify access right of each control identified entity.
According to a sixth aspect, the disclosure relates to a computer program comprising program code for performing the method of the third aspect, the method of the fourth aspect, the method of the fifth aspect and/or any one of the further implementation forms thereof when executed on a computer.
Further embodiments of the disclosure will be described with respect to the following figures, wherein:
In the figures, identical reference signs will be used for identical or functionally equivalent features.
In the following description, reference is made to the accompanying drawings, which form part of the disclosure, and in which are shown, by way of illustration, specific aspects in which the present disclosure may be placed. It will be appreciated that the disclosure may be placed in other aspects and that structural or logical changes may be made without departing from the scope of the disclosure. The following detailed description, therefore, is not to be taken in a limiting sense, as the scope of the disclosure is defined by the appended claims.
For instance, it will be appreciated that a disclosure in connection with a described method will generally also hold true for a corresponding device or system configured to perform the method and vice versa. For example, if a specific method step is described, a corresponding device may include a unit to perform the described method step, even if such unit is not explicitly described or illustrated in the figures.
Moreover, in the following detailed description as well as in the claims, embodiments with functional blocks or processing units are described, which are connected with each other or exchange signals. It will be appreciated that the disclosure also covers embodiments which include additional functional blocks or processing units that are arranged between the functional blocks or processing units of the embodiments described below.
Finally, it is understood that the features of the various exemplary aspects described herein may be combined with each other, unless specifically noted otherwise.
Two control applications 204a (Control App a) and 204b (Control App b), which can define at least part of a Slice A and/or a network function thereof, are implemented on the SDN controller A 208a. A control application 204c (Control App c), which can define at least part of a Slice B and/or a network function thereof, is implemented on the SDN controller B 208b.
Embodiments of the disclosure are based on an SDN based access-control model, wherein an SDN control entity (also referred to as a subject) can be an SDN controller X or the combination of an SDN controller X and an SDN cAPP y, which is herein denoted as X.y. For instance, in the embodiment shown in
Moreover, in an embodiment an object can be defined as one or more of the data packet forwarding rules, for instance, entries of flow/group/meter table of the switch 202, which can be accessed and specified by subjects. In an embodiment, a subject that first accesses and uses certain objects from the switch 202 has the ownership of this object. In an embodiment, the subject that has the ownership of an object can also authorize the access rights for other subjects.
In an embodiment, both the switch 202 and the SDN controller A 208a are configured to utilize the access control entity 202a of the switch 202. In an embodiment, a corresponding interface can be implemented between the SDN controller 208a and the OF switch 202, which can be used to specify access rules for the access control entity 202a. For instance, according to a set of access rules defining an access control policy all SDN cAPPs from slice A cannot use and/or modify the objects which belong to slice B.
In the embodiment shown in
According to an embodiment, the following sequence of operation steps can be performed, which are indicated by the circled numbers in
If this is the case, the data packet forwarding rule provided by the cAPP a 204a is installed on the switch 202 (i.e. stored on its memory 202b). Otherwise, the data packet forwarding rule provided by the cAPP a 204a is rejected by the access control entity 202a of the switch 202 and an error can be reported to the cAPP a 204a. In step 3, the cAPP c 204c generates another data packet forwarding rule and sends it to the switch 202 that may modify or delete the previous rule specified by the control entity A.a 204a. In step 4, the access control entity 202a of the switch 202 checks whether the control entity A.c 204c is authorized by the control entity A.a 204a for doing so. If this is not the case, the access control entity 202a of the of the switch 202 can reject the additional rule provided by the cAPP c 204c and returns an error message to the cAPP c 204c. An exemplary combination of data packet forwarding rules and access rules, which could be stored in the storage unit 202b of the switch, is shown in in a detailed view in the lower right of
Advantageously, the embodiment shown in
Furthermore, the embodiment shown in
The owner field 401 defines the ownership of this object, which is pre-empted by a control entity related subject. For instance, a control entity that creates a table entry can be considered as the owner of this entry. Furthermore, a “super controller account” or super control entity can exist, which can modify all resources to recover the switch 202 in case of a faulty configuration, which is also called a root ownership. For example, a controller belonging to the infrastructure provider can have the root ownership. The root controller may also initially specify the list of controllers that are allowed to write to the switch 202. The ownership can be expressed as an ID, which can be composed in various ways. In one embodiment, the ID contains two fields, namely the controller ID and the cAPP ID. As already mentioned above, the ID for a cAPP x on the controller A 208a can be denoted as A.x. Control application IDs may be ignored (or using wildcard) to give rights to all control applications on top of a specific controller, e.g. A.*. By default, the owner is the control entity that installs the resource for the first time. This can be altered by the “super controller account” if it is necessary.
By using the authorization field 403, the owner of one table entry can authorize other control entities with certain access rights, as it will be explained in the following. The authorization can be done between different controllers (e.g. all the cAPPs implemented on the same controller have authorization amongst each other), or different slices (e.g. all the cAPPs belonging to the same slice have authorization amongst each other), or different cAPPs (e.g. authorization is done for individual pair of cAPPs). These two extension fields 401 and 403 are used to verify the access right of an SDN control message and it does not impact the data-plane packet processing.
As already mentioned above, in an embodiment the switch 202 is implemented as an OpenFlow (OF) switch. In the OF switch 202 there are three main tables that can be configured by the control entities and that can be extended using the extension fields 401, 403, namely a flow table, a group table, and/or a meter table.
A group table consists of group entries. Group table enables the ability for a flow entry to point to a group of ports which enables OpenFlow to represent additional methods of forwarding. A meter table consists of meter entries, which defines per-flow meters. Per-flow meters enable OpenFlow to implement various QoS operations, such as rate-limiting. It can also be combined with per-port queues to implement QoS frameworks (e.g. DiffServ). A meter measures the rate of packets assigned to it, therefore, it enables controlling the flow packet rate.
According to the OF standard the group and meter table are related to the flow table. In fact, when a data traffic packet arrives at the OF switch 202, it is first processed by the flow table, and instructions in this table can redirect the packet to the group table and/or to the meter table, as well as instructions in the group table can also redirect the data packet to the meter table. Thus, in an embodiment the access control entity 202a is configured to guarantee that an instruction of a flow table (or group table) can only redirect a packet to a group table or meter table with the same type of ownership and authorizations as the flow entry (or group entry) that started the redirection of a data packet. This is important to avoid that a flow entry of a slice A redirects the traffic to the meter entry of a slice B. Thus, in one embodiment, the access control for changing information in flow tables can be implemented in the following straightforward manner. If a first control entity is the owner of a flow entry in the switch 202 and a second control entity, which is neither the owner of this flow entry nor authorized to change it, tries to change the flow entry of the first control entity, this attempt can be detected and the second control entity can be stopped.
In the case of a group table and a meter table, it can happen that a control entity tries to reconfigure the entry and also that the access control for the usage of the group table and the meter table can be defined. In this case, if a first control entity owns a group table or meter table entry, it can use both group table and meter table entries. It can also authorize a second control entity to use the same group table or meter table entry. That is, in an embodiment a flow entry of the second control entity can only be linked to the group table or meter table entry of the first control entity if the second control entity also shares the ownership or is authorized (by the first control entity) to use the same group table or meter table entry.
Possible access rights for differently defined OF types of tables are listed in the following table 1.
“READ” represents the access right that a subject can read the content of an entry from a flow, group and/or meter table, but it cannot modify the entry. “WRITE” represents the access right that a subject can read as well as modify or delete the content of an entry from a flow, group and/or meter table. For instance, if a control entity wants to install a new flow entry in a flow table of a switch, the access control entity checks if such entry (e.g. same matching field) already exists in the flow table. If yes, the access control entity checks if the control entity is the owner of the flow entry, and then the existing flow entry is updated based on the new flow entry. If the control entity is not the owner, but it is authorized by the owner with access right (WRITE), then the existing flow entry is updated based on the new flow entry.
“USE” represents the access right that a subject can use a group and/or meter table entry as indicated by the actions defined in a flow table entry. Therefore, “USE” does not apply to a flow table entry.
The combination of owner and authorization fields defines the access rule. Example usage could be, the owner of a flow entry is control entity 1, it authorizes control entity 2 with access right WRITE and control entity 3 with access right WRITE. Therefore, the access rule can be defined as [1, 2(WRITE), 3(WRITE)]. If this flow entry defines the actions, which use a group table entry. The owner of this group table entry is control entity 1, and 1 authorizes that control entity 3 with access right USE and control entity 4 with access right USE. Therefore, the access rule for this group table entry is [1, 3(WRITE, USE), 4(USE)]. If control entity 3 sends a control message to modify the above mentioned flow table entry, the access control entity first checks the access rule [1, 2(WRITE), 3(WRITE)], and then checks access rule [1, 3(WRITE, USE), 4(USE)]. These two access rules do not conflict with each other and, therefore, the control message from control entity 3 can be installed on the switch.
In case the group entry has access rule [1, 4(WRITE, USE), 6(USE)] and the following control message is received from the from control entity 3, [1, 2(WRITE), 3(WRITE)] and [1, 4(WRITE, USE), 6(USE)], then these access rules conflict with each other. Therefore, the control message from control entity 3 cannot be installed on the switch 202.
If control entity 5 sends a control message to modify the above mentioned flow table entry, the access control entity first checks the access rule [1, 2(WRITE), 3(WRITE)]. Control entity 5 is not authorized, therefore its rule cannot be installed on the switch.
For group/meter table, the possible combination of access rights could be:
[READ]: the authorized control entity can only read the group/meter table entry.
[WRITE]: the authorized control entity can modify the group/meter table entry. WRITE contains READ access right.
[USE]: the authorized control entity defined flow table entry can use the corresponding group/meter table entry. USE contains READ access right.
[WRITE, USE]: the authorized control entity defined flow table entry can use the corresponding group/meter table entry and the authorized control entity can modify the group/meter table entry.
In an embodiment, the owner of a group table entry can authorize a control entity to use the group table entry. This means that, if an instruction of a flow entry defines the action to process packets via a certain group entry, such group entry can only be used if the control entity (who owns the flow entry or is authorized therefor) is also authorized for the corresponding group entry. The same applies for the meter table. That is, only flow entries and group entries with the same access control can use (i.e., redirect data traffic) to the meter table. Checking the compatibility between flow entry and group or meter entry is done when a flow entry, i.e. data packet forwarding rule, is inserted in the switch 202. If the owner of the flow entry is not the owner or authorized by the owner to use the group or meter entry of the instruction set, the access control entity 202a rejects to add this flow entry and returns an error message.
If the FLOW_MOD message is used to modify a flow entry, the access control entity 202a checks if the SDN cAPP that generates this FLOW_MOD message has the ownership or is authorized by the owner of this flow (step 1013). If yes, then this flow will be modified (step 1015), otherwise, an error message is reported back to the SDN cAPP (step 1017). If the control packet is a GROUP_MOD or a METER_MOD message, the access control entity 202a checks the ownership field or the authentication field (O|A) in the corresponding entry of the group table or meter table, to see if the SDN cAPP that has generated the control message has the ownership or is authorized by the owner of this group or meter table entry that it intends to modify (step 1019). If this is the case, this set of flow rules will be modified (step 1015), otherwise, an error is reported back to the SDN cAPP (step 1017).
As illustrated by note 1 in the figure, the sequence of control packet type determination or the way to determine the type of control packet can be flexible. As illustrated by note 2, in an embodiment a rule shadowing can be further tested here before to install on the switch 102a, wherein the rule shadowing denotes the process by which an application could write a subset of match rules, in case it cannot directly write to the superset match. For example, an application “A” does not have the right to write matching rules in the address spaces 192.168.155.0/24. However, it can theoretically overcome this restriction by writing a large number of rules for the address space 192.168.155.XXX, where XXX is from 1 to 254. Since normal functioning of OF prioritizes the longest match, these subsets of flow rules would hide the overall set of flow rules.
An advantage of this disclosure is that the mechanisms to guarantee access rights to configure the switch 202 itself are enforced inside the switch 202, which is the object managed by the access control entity 202a. As a consequence, even if the controller 208a and the hypervisor have security mechanisms to check if cAPPs can submit OF messages to change the flow entries of the switches (i.e., send OF FLOW_MOD messages), current OF switches themselves have no mechanism to double check if a flow entry should really be changed by a received OF message. This disclosure introduces this double checking security capability inside the OF switch 202. Once a flow entry is installed by the first time inside a OF switch 202 using the above mentioned approach, then it can be guaranteed that only FLOW_MOD messages which conform to the access control rights inside the installed flow entry will be actually allowed to reconfigure such flow entry. Therefore, this disclosure adds an extra security mechanism inside the switch 202 to guarantee the access control to the switch resources of each network slice and within such slices.
In the embodiment of
While a particular feature or aspect of the disclosure may have been disclosed with respect to only one of several implementations or embodiments, such feature or aspect may be combined with one or more other features or aspects of the other implementations or embodiments as may be desired and advantageous for any given or particular application. Furthermore, to the extent that the terms “include”, “have”, “with”, or other variants thereof are used in either the detailed description or the claims, such terms are intended to be inclusive in a manner similar to the term “comprise”. Also, the terms “exemplary”, “for example” and “e.g.” are merely meant as an example, rather than the best or optimal. The terms “coupled” and “connected”, along with derivatives may have been used. It should be understood that these terms may have been used to indicate that two elements cooperate or interact with each other regardless whether they are in direct physical or electrical contact, or they are not in direct contact with each other.
Although specific aspects have been illustrated and described herein, it will be appreciated by those of ordinary skill in the art that a variety of alternate and/or equivalent implementations may be substituted for the specific aspects shown and described without departing from the scope of the present disclosure. This application is intended to cover any adaptations or variations of the specific aspects discussed herein.
Although the elements in the following claims are recited in a particular sequence with corresponding labeling, unless the claim recitations otherwise imply a particular sequence for implementing some or all of those elements, those elements are not necessarily intended to be limited to being implemented in that particular sequence.
Many alternatives, modifications, and variations will be apparent to those skilled in the art in light of the above teachings. Of course, those skilled in the art readily recognize that there are numerous applications of the disclosure beyond those described herein. While the present disclosure has been described with reference to one or more particular embodiments, those skilled in the art recognize that many changes may be made thereto without departing from the scope of the present disclosure. It is therefore to be understood that within the scope of the appended claims and their equivalents, the disclosure may be practiced otherwise than as specifically described herein.
This application is a continuation of International Application No. PCT/EP2016/067925, filed on Jul. 27, 2016, the disclosure of which is hereby incorporated by reference in its entirety.
Number | Date | Country | |
---|---|---|---|
Parent | PCT/EP2016/067925 | Jul 2016 | US |
Child | 16257428 | US |