...
- Suggestion on VNF integration, in a manner logically similar to legacy eNB/gNB autointegration (plug and play). Also discussion on VNF root of trust. PNF autointegration and root of trust are included as reference info. The suggestions are in line with ETSI and 3GPP. See presentation below.
- Initial PNF Certificate Enrollment
- Occurs during Plug-n-Play (PnP) according to 3GPP TS 32.508.
- PNF uses its vendor certificate for identity, authentication and authorization to the CA.
- Vendor Root certificate must be pre-provisioned in the CA.
- This procedure is outside of ONAP (unless the CA is the ONAP CA used for development and testing).
- Initial VNF Certificate Enrollment
- Follows ETSI standards: SOL002, SOL003, SOL005, IFA006, IFA007.
- Two options are supported.
Option 1: PKCS#12 container can be installed on the VNF at instantiation time.
Out-of-band pre-provisioning with the CA is necessary to generate the PKCS#12 bundle before the VNF is instantiated.
- Option 2: VNF can perform certificate enrollment with a One Time Password (OTP).
The OTP, which is a Pre-Shared Key (PSK), is generated by the CA, along with a Reference Number (REFNUM) and provisioned on the VNF at instantiation.
- After instantiation, VNF performs certificate enrollment via CMPv2; VNF includes the REFNUM in the Certificate Signing Request (CSR); PSK is used to sign the CSR. See RFC4210 Appendix D.4
- Out-of-band pre-provisioning with the CA is necessary to generate the PSK and REFNUM before the VNF is instantiated. This is just one part of the larger network planning exercise that must be completed before a gNB is deployed.
| View file | ||||
|---|---|---|---|---|
|
Meeting Minutes:
May 31, 2018
...