版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领
文档简介
NISTSpecialPublication800NISTSP800-233
ServiceMeshProxyModelsforCloud-NativeApplications
RamaswamyChandramouliZackButcher
JamesCallaghan
Thispublicationisavailablefreeofchargefrom:
/10.6028/NIST.SP.800-233
NISTSpecialPublication800NISTSP800-233
ServiceMeshProxyModelsforCloud-NativeApplications
RamaswamyChandramouli
ComputerSecurityDivisionInformationTechnologyLaboratory
ZackButcher
Tetrate,Inc.
JamesCallaghan
control-plane.io,
Inc.
Thispublicationisavailablefreeofchargefrom:
/10.6028/NIST.SP.800-233
October2024
U.S.DepartmentofCommerce
GinaM.Raimondo,Secretary
NationalInstituteofStandardsandTechnology
LaurieE.Locascio,NISTDirectorandUnderSecretaryofCommerceforStandardsandTechnology
NISTSP800-233ServiceMeshProxyModelsfor
October2024Cloud-NativeApplications
Certaincommercialequipment,instruments,software,ormaterials,commercialornon-commercial,areidentified
inthispaperinordertospecifytheexperimentalprocedureadequately.SuchidentificationdoesnotimplyrecommendationorendorsementofanyproductorservicebyNIST,nordoesitimplythatthematerialsorequipmentidentifiedarenecessarilythebestavailableforthepurpose.
TheremaybereferencesinthispublicationtootherpublicationscurrentlyunderdevelopmentbyNISTin
accordancewithitsassignedstatutoryresponsibilities.Theinformationinthispublication,includingconceptsandmethodologies,maybeusedbyfederalagenciesevenbeforethecompletionofsuchcompanionpublications.
Thus,untileachpublicationiscompleted,currentrequirements,guidelines,andprocedures,wheretheyexist,
remainoperative.Forplanningandtransitionpurposes,federalagenciesmaywishtocloselyfollowthedevelopmentofthesenewpublicationsbyNIST.
OrganizationsareencouragedtoreviewalldraftpublicationsduringpubliccommentperiodsandprovidefeedbacktoNIST.ManyNISTcybersecuritypublications,otherthantheonesnotedabove,areavailableat
/publications.
Authority
ThispublicationhasbeendevelopedbyNISTinaccordancewithitsstatutoryresponsibilitiesundertheFederal
InformationSecurityModernizationAct(FISMA)of2014,44U.S.C.§3551etseq.,PublicLaw(P.L.)113-283.NISTisresponsiblefordevelopinginformationsecuritystandardsandguidelines,includingminimumrequirementsfor
federalinformationsystems,butsuchstandardsandguidelinesshallnotapplytonationalsecuritysystems
withouttheexpressapprovalofappropriatefederalofficialsexercisingpolicyauthorityoversuchsystems.ThisguidelineisconsistentwiththerequirementsoftheOfficeofManagementandBudget(OMB)CircularA-130.
Nothinginthispublicationshouldbetakentocontradictthestandardsandguidelinesmademandatoryand
bindingonfederalagenciesbytheSecretaryofCommerceunderstatutoryauthority.NorshouldtheseguidelinesbeinterpretedasalteringorsupersedingtheexistingauthoritiesoftheSecretaryofCommerce,Directorofthe
OMB,oranyotherfederalofficial.ThispublicationmaybeusedbynongovernmentalorganizationsonavoluntarybasisandisnotsubjecttocopyrightintheUnitedStates.Attributionwould,however,beappreciatedbyNIST.
NISTTechnicalSeriesPolicies
Copyright,Use,andLicensingStatements
NISTTechnicalSeriesPublicationIdentifierSyntax
PublicationHistory
ApprovedbytheNISTEditorialReviewBoardon2024-10-11
HowtoCitethisNISTTechnicalSeriesPublication:
ChandramouliR,ButcherZ,CallaghanJ(2024)ServiceMeshProxyModelsforCloud-NativeApplications.(NationalInstituteofStandardsandTechnology,Gaithersburg,MD),NISTSpecialPublication(SP)NISTSP800-233.
/10.6028/NIST.SP.800-233
AuthorORCIDiDs
RamaswamyChandramouli:0000-0002-7387-5858
NISTSP800-233ServiceMeshProxyModelsfor
October2024Cloud-NativeApplications
ContactInformation
sp800-233-comments@
NationalInstituteofStandardsandTechnology
Attn:ComputerSecurityDivision,InformationTechnologyLaboratory
100BureauDrive(MailStop8930)Gaithersburg,MD20899-8930
AdditionalInformation
Additionalinformationaboutthispublicationisavailableat
/pubs/sp/800/233/final,
includingrelatedcontent,potentialupdates,anddocumenthistory.
AllcommentsaresubjecttoreleaseundertheFreedomofInformationAct(FOIA).
NISTSP800-233ServiceMeshProxyModelsfor
October2024Cloud-NativeApplications
i
Abstract
Theservicemeshhasbecomethedefactoapplicationservicesinfrastructureforcloud-nativeapplications.Itenablesthevariousruntimefunctionsofanapplicationthroughproxiesthat
formthedataplaneoftheservicemesh.Dependingonthedistributionofthenetworklayer
functionsandthegranularityofassociationoftheproxiestoindividualservicesandcomputingnodes,differentproxymodelsordataplanearchitectureshaveemerged.Thisdocument
describesathreatprofileforeachofthedataplanearchitectureswithadetailedthreatanalysistomakerecommendationsontheirapplicabilityforcloud-nativeapplicationswithdifferent
securityriskprofiles.
Keywords
cloud-nativeapplication;dataplanearchitecture;proxymodel;servicemesh;threatprofile.
ReportsonComputerSystemsTechnology
TheInformationTechnologyLaboratory(ITL)attheNationalInstituteofStandardsandTechnology(NIST)promotestheU.S.economyandpublicwelfarebyprovidingtechnical
leadershipfortheNation’smeasurementandstandardsinfrastructure.ITLdevelopstests,testmethods,referencedata,proofofconceptimplementations,andtechnicalanalysestoadvance
thedevelopmentandproductiveuseofinformationtechnology.ITL’sresponsibilitiesincludethedevelopmentofmanagement,administrative,technical,andphysicalstandardsand
guidelinesforthecost-effectivesecurityandprivacyofotherthannationalsecurity-related
informationinfederalinformationsystems.TheSpecialPublication800-seriesreportsonITL’sresearch,guidelines,andoutreacheffortsininformationsystemsecurity,anditscollaborativeactivitieswithindustry,government,andacademicorganizations.
NISTSP800-233ServiceMeshProxyModelsfor
October2024Cloud-NativeApplications
ii
PatentDisclosureNotice
NOTICE:ITLhasrequestedthatholdersofpatentclaimswhoseusemayberequiredfor
compliancewiththeguidanceorrequirementsofthispublicationdisclosesuchpatentclaimstoITL.However,holdersofpatentsarenotobligatedtorespondtoITLcallsforpatentsandITLhasnotundertakenapatentsearchinordertoidentifywhich,ifany,patentsmayapplytothis
publication.
Asofthedateofpublicationandfollowingcall(s)fortheidentificationofpatentclaimswhoseusemayberequiredforcompliancewiththeguidanceorrequirementsofthispublication,nosuchpatentclaimshavebeenidentifiedtoITL.
NorepresentationismadeorimpliedbyITLthatlicensesarenotrequiredtoavoidpatentinfringementintheuseofthispublication.
NISTSP800-233ServiceMeshProxyModelsfor
October2024Cloud-NativeApplications
iii
TableofContents
ExecutiveSummary 1
1.Introduction 2
1.1.L4andI7Functionsofproies…3
12.0bectieandTargetAudience.…………3
13.elationshiptootherNISTDocuments………………4
1.4.Documentstucture…4
2.TypicalServiceMeshDataPlaneCapabilitiesandAssociatedProxyFunctions 5
3.ProxyModels(DataPlaneArchitectures)inServiceMeshImplementations 7
31.L4and17proxypersericelnstance(OPA-)-sidecarModel…7
32.sharedL4-L7perseniceModel(OPA.2h……….8
3.3.sharedL4andL7Model(DPA-3).........9
3.A,L4andL7aspartoftheApplicationModel(OPA-4)l………10
4.DataPlaneArchitectureThreatScenariosandAnalysisMethodology 12
4.1.ThreatAnalsiMethodology….13
5.DetailedThreatAnalysisforDataPlaneArchitectures 14
5.1.ThreatAnalysisforL4andL7proxyperserviceInstance(DPA-1)—sidecarModel...........14
5.1.1.CompromisedL4Proxy(TR-1) 14
5.1.2.CompromisedApplicationContainer(TR-2) 14
5.1.3.CompromiseofBusinessData(TR-3) 15
5.1.4.CompromisedL7Proxy(TR-4) 15
5.1.5.CompromiseofSharedL7Proxy(TR-5) 15
5.1.6.OutdatedClientLibrariesinApplications(TR-6) 16
5.1.7.DenialofService(TR-7) 16
5.1.8.ResourceConsumption(TR-8) 17
5.1.9.PrivilegedL4Proxy(TR-9) 17
5.1.10.DataPlane(ServiceMesh)Bypassed(TR-10) 17
5.1.11OverallThreatScore 18
52.ThreatAnalysisforsharedL4-L7perseniceModel(OPA-2)……18
5.2.1.CompromisedL4Proxy(TR-1) 18
5.2.2.CompromisedApplicationContainer(TR-2) 18
5.2.3.CompromiseofBusinessData(TR-3) 18
5.2.4.CompromisedL7Proxy(TR-4) 19
5.2.5.CompromiseofSharedL7Proxy(TR-5) 19
5.2.6.OutdatedClientLibrariesinApplications(TR-6) 19
NISTSP800-233ServiceMeshProxyModelsfor
October2024Cloud-NativeApplications
iv
5.2.7.DenialofService(TR-7) 19
5.2.8.ResourceConsumption(TR-8) 20
5.2.9PrivilegedL4Proxy(TR-9) 20
5.2.10DataPlane(ServiceMesh)Bypassed(TR-10) 21
5.2.11OverallThreatScore 21
5.3.1.CompromisedL4Proxy(TR-1) 21
5.3.2.CompromisedApplicationContainer(TR-2) 22
5.3.3.CompromiseofBusinessData(TR-3) 22
5.3.4.CompromisedL7Proxy(TR-4) 22
5.3.5.CompromiseofSharedL7Proxy(TR-5) 23
5.3.6.OutdatedClientLibrariesinApplications(TR-6) 23
5.3.7.DenialofService(TR-7) 23
5.3.8.ResourceConsumption(TR-8) 23
5.3.9.PrivilegedL4Proxy(TR-9) 24
5.3.10.DataPlane(ServiceMesh)Bypassed(TR-10) 24
5.3.11OverallThreatScore 24
5.4.ThreatAnalysisforL4andL7aspartoftheApplicationModel(gRpcproxylessModel(DPA-4))
25
5.4.1.CompromisedL4Proxy(TR-1) 25
5.4.2.CompromisedApplicationContainer(TR-2) 25
5.4.3.CompromiseofBusinessData(TR-3) 25
5.4.4.CompromisedL7Proxy(TR-4) 25
5.4.5.CompromiseofSharedL7Proxy(TR-5) 26
5.4.6.OutdatedClientLibrariesinApplications(TR-6) 26
5.4.7.DenialofService(TR-7) 26
5.4.8.ResourceConsumption(TR-8) 27
5.4.9PrivilegedL4Proxy(TR-9) 27
5.4.10DataPlane(ServiceMesh)Bypassed(TR-10) 27
5.4.11OverallThreatScore 28
6.RecommendationsBasedontheApplicationSecurityRiskProfile 29
7.SummaryandConclusions............................................................................................................32
NISTSP800-233ServiceMeshProxyModelsfor
October2024Cloud-NativeApplications
v
References.......................................................................................................................................33
NISTSP800-233ServiceMeshProxyModelsfor
October2024Cloud-NativeApplications
vi
Acknowledgments
TheauthorswouldliketoexpresstheirthankstoFrancescoBeltraminiofcontrol-plane.ioforparticipatingindiscussionsandprovidinghisvaluableperspective.TheauthorswouldalsoliketoexpresstheirthankstoIsabelVanWykofNISTforherdetailededitorialreview,bothforthepubliccommentversionaswellasforthefinalpublication
1
ExecutiveSummary
Acentralizedinfrastructurecalledaservicemeshcanproviderun-timeservicesforcloud-nativeapplicationsthatconsistofmultiplelooselycoupledcomponentscalledmicroservices.These
servicesincludesecurecommunication,servicediscovery,resiliency,andauthorizationof
applicationcommunication.Theseservicesaremainlyprovidedthroughproxiesthatformthedataplaneoftheservicemesh,whichisthelayerthathandlesapplicationtrafficatruntime
andenforcespolicy.
ThefunctionsthattheproxiesprovidecanbebroadlycategorizedintotwogroupsbasedontheOpenSystemsInterconnection(OSI)model’snetworklayertowhichthosefunctionspertain:
Layer4(“L4”)andLayer7(“L7”).Inmostservicemeshdeploymentsinproduction
environmentstoday,allproxyfunctionsthatprovideservicesinbothL4andL7layersare
packedintoasingleproxythatisassignedtoasinglemicroservice.Thisservicemeshproxy
modeliscalledasidecarproxymodelsincetheproxyisnotonlyassociatedwithasingleservicebutisimplementedtoexecuteinthesamenetworkspaceastheservice.
However,performanceandresourceconsiderationshaveledtotheexplorationofalternate
proxymodelsthatinvolvesplittingL4andL7functionsintodifferentproxiesandthe
associationorassignmentsoftheseproxiestoeitherasingleserviceoragroupofservices.Thisenablestheproxiestobeimplementedatdifferentlocationsatthegranularityofanoderatherthanatthelevelofservices.Thoughdifferentmodelsaretheoreticallypossible,thisdocumentonlyconsidersservicemeshproxymodelsinthedataplaneimplementationofcommonlyusedservicemeshofferingsatdifferentstages.
Variouspotentialorlikelythreatstoproxyfunctionsmayresultindifferenttypesofexploitsindifferentproxymodels.Thisvariationisduetoseveralfactors,suchastheattacksurface(i.e.,
communicationpatternstowhichaparticularproxyisexposed),thenumberofclients
(services)served,andtheOSIlayerfunctionsthattheyprovide(e.g.,L7functionsaremorecomplicatedandlikelytohavemorevulnerabilitiesthanL4functions).Thetwomain
contributionsofthisdocumentarethefollowing:
1.Thenatureoftheexploitsthatarepossibleforeachthreatineachoftheproxymodelsischaracterizedbyassigningscorestotheimpactandlikelihoodofeachofthethreatsineachoftheproxymodelsorarchitecturalpatterns,resultinginathreatprofilethatis
associatedwitheacharchitecturalpatternorproxymodelofservicemesh.
2.Eachthreatprofilehasaninherentsetofsecuritytrade-offsatanarchitecturallevel.
Theimplicationsofthesetrade-offsinmeetingtherequirementsassociatedwiththe
securityriskprofilesofdifferentcloud-nativeapplicationsareanalyzedtomakeabroadsetofrecommendationstowardspecificarchitecturalpatternsthatareappropriateforapplicationswithdifferentsecurityriskprofiles.
NISTSP800-233ServiceMeshProxyModelsfor
October2024Cloud-NativeApplications
2
1.Introduction
“Cloud-native”referstoanarchitecturalphilosophyforbuildingscalable,resilientsystemsthat
aredesignedtoleveragetheadvantagesofcloudcomputingenvironments.Cloud-native
applicationscanrunbothon-premisesandinpubliccloudplatformsandarenormallybuilt
usingagiledevelopmentmethodologies,suchascontinuousintegration/continuousdelivery(CI/CD).Typically,technologiessuchascontainerizationandvirtualmachines(VMs)areused,andresilienceandfail-safefeatureswillbebuiltin.
Microservices-basedapplicationsuseanarchitecturalapproachinwhichtheentireapplicationisbrokenintolooselycoupledcomponentsthatcanbeindependentlyupdatedandscaled.Theimplementationofmicroservicesisenabledusingcontainersthatinturnrequireorchestrationtoolsandoftenemployacentralizedservicesinfrastructure(e.g.,servicemesh)toprovideallruntimeapplicationservices,includingnetworkconnectivity,security,resiliency,and
monitoringcapabilities.Microservices-basedapplicationscanbeimplementedanddeployedascloud-native,thoughtheyrepresentanindependentarchitecturalapproach.
Theinfrastructureservicesorfunctionsprovidedbyaservicemeshduringapplicationruntimeareprovidedbyentitiescalledproxies,whichconstitutethedataplaneoftheservicemesh.Inaddition,theservicemeshconsistsofanotherarchitecturalcomponentcalledthecontrol
plane,whichsupportsthefunctionsofthedataplanethroughinterfacestodefine
configurations,injectsoftwareprograms,andprovidesecurityartifacts(e.g.,certificates).
Variousconfigurationsforproxiesarebeingdevelopedandtestedbasedontheperformanceandsecurityassurancedataobtainedduringthedeploymentofservicemeshoverthelast
severalyears.Theseconfigurationsareproxy(implementation)modelsthatarebasedontheOSIlayerfunctionsthattheyprovide(describedinthefollowingparagraphs)andthe
granularityofassociationbetweenaproxyandservices.Sinceproxiesarethepredominantentitiesofthedataplaneofaservicemesh,thesevariousproxymodelsarealsocalleddataplanearchitectures.
TheOSImodel
[1]
isausefulabstractionforthinkingaboutthefunctionsrequiredtoserveanapplicationoverthenetwork.Itdescribesseven“layers,”fromthephysicalwiresthatconnecttwomachines(i.e.,Layer1–L1,thephysicallayer)totheapplicationitself(i.e.,Layer7–L7,theapplicationlayer).
Layers3,4,and7arekeytofacilitatingcommunicationbetweencloud-nativeapplications(e.g.,twomicroservicesmakingHypertextTransferProtocol(HTTP)/RESTcallstoeachother):
•Layer3(“L3”),thenetworklayer,facilitatesbaselineconnectivitybetweentwo
workloadsorserviceinstances.Innearlyallcases,theInternetProtocol(IP)isusedastheL3implementation.
•Layer4(“L4”),thetransportlayer,facilitatesthereliabletransmissionofdatabetweenworkloadsonthenetwork.Italsoincludescapabilitieslikeencryption.TransportControlProtocol(TCP)andUserDatagramProtocol(UDP)arecommonlyusedL4
implementations,wheretransportlayersecurity(TLS)providesencryption.
NISTSP800-233ServiceMeshProxyModelsfor
October2024Cloud-NativeApplications
3
•Layer7(“L7”),theapplicationlayer,iswhereprotocolslikeHTTPoperate—inuserapplicationsthemselves(e.g.,HTTPwebservers,SecureShell(SSH)servers).
Withrespecttothelayersabove,aservicemesh’sproxiesincloud-nativeenvironmentsare:
•AgnostictoL3ifthemicroserviceinstancescancommunicateatL3andtheproxycancommunicatewiththemesh’scontrolplane.
•AtLayer4(L4):Connectionestablishment,management,andresiliency(e.g.,
connection-levelretries);TLS(encryptionintransit);applicationidentity,authentication,andauthorization;accesspolicybasedonnetwork5-tuple(e.g.,sourceIPaddressand
port,destinationIPaddressandport,andtransportprotocol).
•AtLayer7(L7):Servicediscovery,request-levelresiliency(e.g.,retries,circuitbreakers,
outlierdetection);andapplicationobservability.
1.1.L4andL7FunctionsofProxies
Therearetwokeyaspectsofproxymodels:
1.Proxyfunctions:Thefunctionsthataservicemesh’sproxiesprovidecanbebroadly
categorizedintotwogroupsbasedontheOSImodel’slayer
[1]
towhichthosefunctionspertain:Layer4(“L4”)andLayer7(“L7”).TheassociatedproxiesarecalledL4proxies
andL7proxies,respectively.ThestudyofproxyfunctionsrequiresanunderstandingoftheOSI’sL4andL7layersfromthenetworkstackpointofviewandthespecificnetworkservicesprovidedbythoselayers.
2.Granularityofassociation:Aproxycanbeassociatedwithasinglemicroserviceinstance,anentireservice,ordeployedtoprovidefunctionsforagroupofservices.Dependingonthenatureofthisassociation,aproxymayexecutewithinthesamenetworkspaceas
theservice,atthesamenodewherethegroupofservicestowhichitcatersrun,orinanindependentnodededicatedtoproxieswherenoapplicationservicesrun.
1.2.ObjectiveandTargetAudience
Thisdocumentwillgiveabriefoverviewofthefourdataplanearchitectures(proxymodels)beingpursuedbyarangeofservicemeshimplementationstoday.Itwillalsoprovidethreatprofilesfordifferentproxymodelswithadetailedthreatanalysisthatinvolves10typesofcommonthreats.Thesethreatprofileswillinformrecommendationsregardingtheir
applicability(usage)forcloud-nativeapplicationswithdifferentsecurityriskprofiles.Thetargetaudiencefortheserecommendationsincludes:
•Infrastructureowners,platform/infrastructureengineers,andtheirteamleaderswhobuildanddeploysecureruntimeenvironmentsforapplicationsbychoosingtherightarchitecturefortheirenvironmentgiventheriskfactorsoftheapplicationsthattheywillberunningandtheresultingsecurityriskprofile.
NISTSP800-233ServiceMeshProxyModelsfor
October2024Cloud-NativeApplications
4
•Personnelinchargeofinfrastructureoperationswhoneedtobefamiliarwiththe
variousbuildingblocksoftheproxymodelsordataplanearchitectures(andtheir
associatedfunctionsandinteractions)totroubleshootintheeventofperformance(i.e.,availability)andsecurityissues
1.3.RelationshiptoOtherNISTDocuments
ThisdocumentcanbeusedasanadjuncttotheNISTSpecialPublication(SP)800-204seriesofpublications
[2][3][4][5],
whichofferguidanceonprovidingsecurityassuranceforcloud-native
applicationsintegratedwithaservicemeshfromthefollowingperspectives:strategy,
configuration,anddevelopment/deploymentparadigm.However,thisdocumentfocuseson
thevariousconfigurationsoftheapplicationserviceinfrastructureelements(i.e.,proxies)andtheresultingarchitectures(i.e.,dataplanearchitectureoftheservicemesh)thathavedifferent
securityimplicationsfortheapplicationthatishostedundereachoftheseconfigurations.
1.4.DocumentStructure
Thisdocumentisorganizedasfollows:
•
•
•
•
•
•
Section
2
liststhetypicalcapabilitiesofthedataplaneoftheservicemeshunderthreeheadings(i.e.,security,observability,andtrafficmanagement)andthecorrespondingL4andL7proxyfunctionsimplementedunderthosecapabilities.
Section
3
providesabriefoverviewofthefourproxymodelsordataplanearchitectures.Section
4
discussesproxymodelthreatscenariosandthethreatanalysismethodologyadoptedinthisdocumentforevaluatingthethreatprofilescoreforthefourdataplanearchitectures.
Section
5
providesadetailedthreatanalysisforthefourdataplanearchitecturesbyassigningscorestotheimpactandlikelihoodfactorsassociatedwitheachthreatandusingthemtoarriveatanoverallthreatscore.
Section
0
providesrecommendationsontheapplicability(usage)ofeachofthefourdataplanearchitecturesforcloud-nativeapplicationsofdifferentsecurityriskprofilesbasedontheirsecurityrequirements.
Section
0
providesthesummaryandconclusions.
NISTSP800-233ServiceMeshProxyModelsfor
October2024Cloud-NativeApplications
5
2.TypicalServiceMeshDataPlaneCapabilitiesandAssociatedProxyFunctions
Thisdocument’smethodologyexaminesthesecuritytrade-offsoftheproxymodels(i.e.,data
planearchitectures)andtheimplementationsofthevariouscapabilitiesthatresultasL4andL7functionsinproxies.Determiningthetotalityofproxyfunctionsrequiresananalysisofeach
capability,thecategoryitfallsunder,andthegranularityofthefunctionthatitprovidesatL4andL7levels.
Table1-SecurityCapabilities[15]
Capability
L4Function(s)
L7Function(s)
Service-to-serviceauthentication
SPIFFE,
viamTLScerts.Control
planeissuesashort-livedX.509
encodingt
温馨提示
- 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
- 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
- 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
- 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
- 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
- 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
- 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。
最新文档
- 离岗休养协议书范文
- 影楼竞业禁止协议书
- 泥砂清运协议书范本
- 科普实践基地协议书
- 企业赔偿协议书模板
- 装修工人戒烟协议书
- 门市租房协议书范文
- 考证培训归属协议书
- 食物过敏安全协议书
- 汽车接送学生协议书
- 食品安全案例-课件-案例十二-苏丹红事件
- 肝硬化失代偿期
- 2023年非车险核保考试真题模拟汇编(共396题)
- 2024年中国分析仪器市场调查研究报告
- “龙岗青年”微信公众号代运营方案
- DB11-T 478-2022 古树名木评价规范
- 施工现场扬尘控制专项方案
- 年度固定污染源排污许可证质量审核、执行报告审核技术支持服务 投标方案(技术标 )
- 五年级科学上册(冀人版)第17课 彩虹的形成(教学设计)
- 科学与文化的足迹学习通超星期末考试答案章节答案2024年
- 医院培训课件:《病区药品安全管理与使用》
评论
0/150
提交评论