Versions Compared

Old Version 3

changes.mady.by.user Keong Lim

Saved on

compared with

New Version 4

changes.mady.by.user Keong Lim

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Ability to secure the intra-ONAP communications, i.e. between ONAP projects, such as SO-to-AAI, UUI-to-MSB, OOF-to-VID, etc.
  • Ability to secure the ONAP-to-external-system communications, i.e. ONAP-to-database-cluster, ONAP-to-NetworkFunctions, ONAP-to-other-ONAP, etc.
  • Ability to scale with the defined ONAP projects (static per ONAP release)
  • Ability to scale with the number of deployed instances of ONAP VMs (dynamic)
  • Ability to scale with the number of deployed instances of ONAP pods (dynamic)
  • Ability to scale with the number of deployed instances of ONAP /pods/ microservices (dynamic)
  • Ability to scale with the number of external-system connections (configurable)
  • Ability to work with HEAT-based deployment
  • Ability to work with OOM-based deployment
  • Ability to work with other (non-HEAT, non-OOM) deployment
  • Ability to operate with other layers of security
  • Ability to securely upgrade ONAP in-the-field
  • Ability for resilient and fault-tolerant ONAP communications in-the-field
  • Minimal efforts to implement across all ONAP projects
  • Minimal impact on resource usage and performance across ONAP

...

  • There has already been discussion and recommendation for using Istio https://istio.io/
  • This page is gathering thoughts for alternative solutions

Discussion of Istio

  • tbc

Discussion of Tinc

...

VPN


  • VPN appears to the IP level network code as a normal network device
  • Automatic full mesh routing. Regardless of how you set up the tinc daemons to connect to each other, VPN traffic is always (if possible) sent directly to the destination, without going through intermediate hops.
  • Easily expand your VPN. When you want to add nodes to your VPN, all you have to do is add an extra configuration file, there is no need to start new daemons or create and configure new devices or network interfaces
  • Ability to bridge ethernet segmentsYou can link multiple ethernet segments together to work like a single segment, allowing you to run applications and games that normally only work on a LAN over the Internet.
  • Runs on many operating systems and supports IPv6. Currently Linux, FreeBSD, OpenBSD, NetBSD, OS X, Solaris, Windows 2000, XP, Vista and Windows 7 and 8 platforms are supported. tinc has also full support for IPv6.

From https://www.tinc-vpn.org/pipermail/tinc/2017-May/004864.html:

In general however, I would advise against trusting other nodes, even with
StrictSubnets=yes. tinc is not currently designed to provide strong
protection against insider attacks - for the most part it assumes that
every node inside the metaconnection graph can be trusted. In my opinion
tinc will do poorly in a scenario where a "compromised node" is part of
your threat model.

...

Discussion of ZeroTier
  • tbc
...