Versions Compared

Old Version 38

changes.mady.by.user Marek Kukulski

Saved on

compared with

New Version Current

changes.mady.by.user Linda Horn

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • Assumptions on cert management
  • Communication between the network function and DCAE
  • Communication between the network function and the controllers
  • SSH
  • Requirements on projects

Recommendation Status:

Recommended security enhancements for Dublin, presented at PTL meeting Jan 14, 2019.

View file
nameSecurity Enhancements for Dublin v3.pptx
height250


Recommended security enhancements for Dublin to improve secure communications between NFs and ONAP.

View file
nameSecurity Enhancements for Dublin v1.pptx
height250
Draft

Assumptions:

May 17, 2018 Agreed to the following Assumptions:

...

  • Initial VNF Certificate Enrollment
    • Follows ETSI standards: SOL002, SOL003, SOL005, IFA006, IFA007.
    • Two options are supported.

    • Option 1:  PKCS#12 container can be installed on the VNF at instantiation time.

      • Out-of-band pre-provisioning with the CA is necessary to generate the PKCS#12 bundle before the VNF is instantiated.

    • Option 2:  VNF can perform certificate enrollment with a One Time Password (OTP).

      • The OTP, which is a Pre-Shared Key (PSK), is generated by the CA, along with a Reference Number (REFNUM) and provisioned on the VNF at instantiation.

      • After instantiation, VNF performs certificate enrollment via CMPv2; VNF includes the REFNUM in the Certificate Signing Request (CSR); PSK is used to sign the CSR.  See RFC4210 Appendix D.4
      • Out-of-band pre-provisioning with the CA is necessary to generate the PSK and REFNUM before the VNF is instantiated.  This is just one part of the larger network planning exercise that must be completed before a gNB is deployed.

Oct 5: VNF Activation with updates to remove roles/permissions and perform cert enroll after instantiation - version 20

View file
nameVNF Initial Certificate Enrollment v20.pptx
height250


Aug 29: VNF Activation with updates to instantiation scenario - version 18

View file
nameVNF Initial Certificate Enrollment v18.pptx
height250


Aug 23:  PNF Registration Scenario with Security Enhancements added

...

Expand
titlePast meeting archive


Aug 16, 2018

View file
nameSecurity Enhancements for 5G Use Case 2018 08 16.pptx
height250


Aug 9, 2018

View file
nameSecurity Enhancements for 5G Use Case 2018 08 09.pptx
height250


Aug 2, 2018

View file
nameSecurity Enhancements for 5G Use Case 2018 08 02.pptx
height250


July 26, 2018

View file
nameSecurity Enhancements for 5G Use Case 2018 07 26.pptx
height250


July 19, 2018

View file
nameCasablanca Security Enhancements for 5G Use Case 2018 07 19.pptx
height250


July 12, 2018

View file
nameCasablanca Security Enhancements for 5G Use Case 2018 07 12.pptx
height250



June 28, 2018

View file
nameCasablanca Security Enhancements for 5G Use Case 2018 06 28.pptx
height250


View file
nameVNF Initial Certificate Enrollment v2.pptx
height250

VNF Initial Certificate Enrollment v2


June 14, 2018

View file
nameCasablanca Security Enhancements for 5G Use Case 2018 06 14.pptx
height250


View file
nameVNF Initial Certificate Enrollment v1.pptx
height250

VNF Initial Certificate Enrollment v1


Jun 7, 2018

View file
nameCasablanca Security Enhancements for 5G Use Case 2018 06 07.pptx
height250


View file
nameAAF high level flow.pptx
height250

May 31, 2018

View file
nameCasablanca Security Enhancements for 5G Use Case 2018 05 31.pdf
height250

May 24, 2018

View file
nameCasablanca Security Enhancements for 5G Use Case 2018 05 24.pdf
height250


May 21, 2018

View file
nameCasablanca Security Enhancements for 5G Use Case 2018 05 21.pdf
height250


May 17, 2018

View file
nameCasablanca Security Enhancements for 5G Use Case 2018 05 17.pdf
height250


Security Requirements for HTTPS Authentication Enhancements:

Aug 6 2019 v4

v4 of the xNF and DCAE security requirements for HTTPS authentication are below.  There were no significant changes from v3.  These requirements are ready for formal review and have been entered into JIRA.  The excel spreadsheet below contains the requirement wording and a link to the JIRA ticket.  Please review the JIRA tickets and provide comments or a +1 if you approve.  These requirements are targeted for El Alto, so please review by Sep 3, 2019.  Thank you!

El Alto Security Requirements for HTTPS.xlsx


July 29 2019 v3

v3 of xNF and ONAP security requirements for HTTPS authentication.  Modified based on decisions from the July 29 review meeting.

  1. Add requirement for one-way TLS authentication when using Basic Authentication.
  2. Add reference to RFC 5280 to specify how to validate a certificate.
  3. Eliminate certOnly and basicAuthOnly and noAuth options and support only certBasicAuth in DCAE.


Security VNFRQTS updates for HTTPS Authentication v3.docx


July 23 2019 v2

Updated version of the xNF and ONAP security requirements for HTTPS authentication enhancements from the July 23 review meeting.


Security VNFRQTS updates for HTTPS Authentication v2.docx


July 16 2019 v1

This is the latest version of the xNF and ONAP security requirements for the HTTPS authentication enhancements to support certificate authentication for HTTPS.

At the last review meeting on July 16, SECCOM decided that only HTTP/TLS is supported.  HTTP would not be supported.

Security VNFRQTS updates for HTTPS Authentication.docx