This recommendation covers how ONAP achieves secure communication with network functions (NFs), which may be VNFs or PNFs. This includes:
Recommended security enhancements for Dublin, presented at PTL meeting Jan 14, 2019.
Recommended security enhancements for Dublin to improve secure communications between NFs and ONAP.
May 17, 2018 Agreed to the following Assumptions:
May 17, 2018 Agreed to the following Recommendations:
May 21, 2018 Agreed to the following Recommendation:
May 24, 2018 Agreed to the following Recommendations:
When certificates are used, LDAPv3 shall be supported as the primary method of authorization of an NF in ONAP.
When certificates are used, HTTP shall be used as an alternative method of authorization of an NF when LDAP is not available.
LDAPv3 format or HTTP format shall be used to access file repositories of TLS certificates.
LDAPv3 and HTTP formats shall be supported for checking the revocation status of TLS certificates.
ONAP shall support both TLS and SSH as the transport protocol for NetConf.
TLS shall be the preferred transport protocol for NetConf.
May 31, 2018 Agreed to the following Recommendations:
Option 1: PKCS#12 container can be installed on the VNF at instantiation time.
Out-of-band pre-provisioning with the CA is necessary to generate the PKCS#12 bundle before the VNF is instantiated.
The OTP, which is a Pre-Shared Key (PSK), is generated by the CA, along with a Reference Number (REFNUM) and provisioned on the VNF at instantiation.
Oct 5: VNF Activation with updates to remove roles/permissions and perform cert enroll after instantiation - version 20
Aug 29: VNF Activation with updates to instantiation scenario - version 18
Aug 23: PNF Registration Scenario with Security Enhancements added
Aug 23: Final VNF Activation presentation - version 16
Aug 16: Update to show SO calling OpenStack directly, no M-VIM - version 14
Aug 9: Update which data is sent during instantiation vs configuration - version 13
Aug 6: Update CA signing chain to CA root certificate - version 12
Aug 2: Update to last slide for CADI - version 11
July 28: Updated use case document - version 10
July 24: Updated use case document - version 8
July 18: Use case document - version 6
Aug 23, 2018
Aug 16, 2018
Aug 9, 2018
Aug 2, 2018
Aug 23, 2018
Aug 16, 2018
Aug 9, 2018
Aug 2, 2018
July 26, 2018
July 19, 2018
July 12, 2018
June 28, 2018
VNF Initial Certificate Enrollment v2
June 14, 2018
VNF Initial Certificate Enrollment v1
Jun 7, 2018
May 31, 2018
May 24, 2018
May 21, 2018
May 17, 2018
Aug 6 2019 v4
v4 of the xNF and DCAE security requirements for HTTPS authentication are below. There were no significant changes from v3. These requirements are ready for formal review and have been entered into JIRA. The Excel spreadsheet below contains the requirement wording and a link to the JIRA ticket. Please review the JIRA tickets and provide comments or a +1 if you approve. These requirements are targeted for El Alto, so please review by Sep 3, 2019. Thank you!
El Alto Security Requirements for HTTPS.xlsx
July 29 2019 v3
v3 of xNF and ONAP security requirements for HTTPS authentication. Modified based on decisions from the July 29 review meeting.
Security VNFRQTS updates for HTTPS Authentication v3.docx
July 23 2019 v2
Updated version of the xNF and ONAP security requirements for HTTPS authentication enhancements from the July 23 review meeting.
Security VNFRQTS updates for HTTPS Authentication v2.docx
July 16 2019 v1
This is the latest version of the xNF and ONAP security requirements for the HTTPS authentication enhancements to support certificate authentication for HTTPS.
At the last review meeting on July 16, SECCOM decided that only HTTP/TLS is supported. HTTP would not be supported.
Security VNFRQTS updates for HTTPS Authentication.docx