
References

Survey of Options

Expectations

  • Ability to secure the intra-ONAP communications, i.e. between ONAP projects, such as SO-to-AAI, UUI-to-MSB, OOF-to-VID, etc.
  • Ability to secure the ONAP-to-external-system communications, e.g. ONAP-to-database-cluster, ONAP-to-NetworkFunctions, ONAP-to-other-ONAP, etc.
  • Ability to scale with the defined ONAP projects (static per ONAP release)
  • Ability to scale with the number of deployed instances of ONAP VMs/pods/microservices (dynamic)
  • Ability to scale with the number of external-system connections (configurable)
  • Ability to work with HEAT-based deployment
  • Ability to work with OOM-based deployment
  • Ability to work with other (non-HEAT, non-OOM) deployment
  • Ability to operate alongside other layers of security
  • Ability to securely upgrade ONAP in the field
  • Ability to provide resilient and fault-tolerant ONAP communications in the field
  • Minimal effort to implement across all ONAP projects
  • Minimal impact on resource usage and performance across ONAP

Threat Models

  1. External attacker analyzes the captured traffic among services to steal secrets such as passwords and certificates
  2. Internal attacker analyzes the captured traffic among services to steal secrets such as passwords and certificates
  3. External attacker bombards the container services with new connections, leading to a large number of forked processes and threads and thereby to resource exhaustion for other workloads (containers) in the system
  4. Internal attacker bombards the container services with new connections, leading to a large number of forked processes and threads and thereby to resource exhaustion for other workloads (containers) in the system
  5. External attacker tampers with container images as they are downloaded from repositories, injecting malicious code
  6. Internal attacker tampers with container images as they are downloaded from repositories, injecting malicious code
  7. External attacker introduces malicious VM into ONAP environment to steal data and subvert operations
  8. Internal attacker introduces malicious VM into ONAP environment to steal data and subvert operations
  9. External attacker introduces malicious pod into ONAP environment to steal data and subvert operations
  10. Internal attacker introduces malicious pod into ONAP environment to steal data and subvert operations
  11. External attacker introduces malicious microservice into ONAP environment to steal data and subvert operations
  12. Internal attacker introduces malicious microservice into ONAP environment to steal data and subvert operations
  13. External attacker introduces malicious external-system into ONAP environment to steal data and subvert operations
  14. Internal attacker introduces malicious external-system into ONAP environment to steal data and subvert operations

Discussion

  • There has already been discussion of, and a recommendation for, using Istio (https://istio.io/)
  • This page gathers thoughts on alternative solutions

Discussion of Istio

  • tbc

Discussion of Tinc VPN

  • tbc

Discussion of ZeroTier

  • tbc

Discussion of WireGuard

  • tbc

Discussion of vpncloud.rs

  • tbc

Discussion of PeerVPN

  • tbc

Discussion of OpenVPN

  • tbc
