Communication patterns
- Intra-Component communication: between pods of the same ONAP component (e.g. between so-bpmn-infra and so-sdnc-adapter)
- Inter-Component communication: between different ONAP components (e.g. between onap-cli and so)
- External communication: from outside the cluster into ONAP (e.g. user → sdc-ui)
Assumptions (to be agreed)
- AAF will be removed
- → no container port (TLS) encryption: pods serve plain HTTP
- Services must not use NodePorts
- → external communication only via Ingress
- Ingress is the default for external communication
- Istio IngressGateway
- Nginx Ingress ?
- Inter-component communication can be
- direct (as today)
- via Ingress (Seshu's proposal) ?
- Communication encryption can be done:
- on Ingress level (adding a certificate to the Gateway; covers only the external hop)
- on service mesh (SM) level (e.g. Istio sidecars; mTLS between pods)
- on kernel level (using eBPF via Cilium; node-to-node encryption without sidecars)
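The first three assumptions as Kubernetes manifests, added here as an example (this is not ONAP's own Helm chart content): a NodePort Service that violates the assumption next to the ClusterIP Service that replaces it, and an Nginx Ingress that terminates TLS for the external hop and forwards plain HTTP to the pod. The namespace onap, the service name sdc-fe, the port 8080, the host sdc.example.com and the secret name sdc-fe-tls are placeholder assumptions.

```yaml
# Added example, not from the ONAP page. Names, ports and hosts are placeholders.
---
# BEFORE (violates "Services must not use NodePorts"): the pod port is reachable
# on every cluster node, bypassing the Ingress and its TLS termination.
apiVersion: v1
kind: Service
metadata:
  name: sdc-fe
  namespace: onap
spec:
  type: NodePort
  selector:
    app: sdc-fe
  ports:
    - name: http
      port: 8080
      targetPort: 8080
      nodePort: 30080
---
# AFTER: ClusterIP only. The service is reachable inside the cluster; the pod
# keeps serving plain HTTP (no container port encryption once AAF is gone).
apiVersion: v1
kind: Service
metadata:
  name: sdc-fe
  namespace: onap
spec:
  type: ClusterIP
  selector:
    app: sdc-fe
  ports:
    - name: http
      port: 8080
      targetPort: 8080
---
# External communication only via Ingress (Nginx Ingress variant). TLS is
# terminated here with the server certificate in the "sdc-fe-tls" secret;
# the backend hop to the ClusterIP service is plain HTTP. Remove the "tls:"
# section for the "External: unencrypted" variant.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: sdc-fe
  namespace: onap
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - sdc.example.com
      secretName: sdc-fe-tls
  rules:
    - host: sdc.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: sdc-fe
                port:
                  number: 8080
```

A quick check that the "no NodePort" assumption holds on a running cluster is `kubectl get svc -A -o jsonpath='{range .items[?(@.spec.type=="NodePort")]}{.metadata.namespace}/{.metadata.name}{"\n"}{end}'`, which should print nothing. Note that with this setup the Ingress-to-pod hop and all inter-component traffic are still unencrypted; this is exactly the Option 1 posture below.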
To be supported options in ONAP
- No ONAP internal encryption:
- Intra-Component: unencrypted
- Inter-Component: unencrypted
- External: unencrypted/encrypted
- Inter-Component encryption:
- Intra-Component: unencrypted
- Inter-Component: encrypted
- External: unencrypted/encrypted
- Full encryption:
- Intra-Component: encrypted
- Inter-Component: encrypted
- External: unencrypted/encrypted
Implementation proposals
Option 1 (no ONAP internal encryption)
- External communication:
- Components expose (external) interfaces to Ingress
- Encryption on Ingress (optional)
- Internal communication:
- No service Mesh
- No TLS port encryption on pods
- Direct unencrypted inter-component communication
Option 2 (inter-component encryption)
- External communication:
- Components expose (external) interfaces to Ingress
- Encryption on Ingress (optional)
- Internal communication:
- No service Mesh
- No TLS port encryption on pods
- Inter-component communication via Ingress (encrypted)
Option 3 (full encryption)
- External communication:
- Components expose (external) interfaces to Ingress
- Encryption on Ingress (optional)
- Internal communication:
- Service Mesh enabled
- No TLS port encryption on pods
- Direct encrypted inter-component communication (via sidecars)
Solution using Istio:
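An added example of Option 3 with Istio (not ONAP's own configuration): sidecar injection for the namespace, a PeerAuthentication that requires mTLS for every pod-to-pod hop, and an IngressGateway that terminates TLS for the external hop. The pods themselves keep listening on plain HTTP. The namespace onap, the host sdc.example.com, the service port 8080 and the secret name onap-ingress-cert are placeholder assumptions.

```yaml
# Added example, not from the ONAP page. Names, ports and hosts are placeholders.
---
# 1. Inject a sidecar into every pod of the ONAP namespace.
apiVersion: v1
kind: Namespace
metadata:
  name: onap
  labels:
    istio-injection: enabled
---
# 2. Require mTLS for all workloads in the namespace. STRICT (rather than
#    PERMISSIVE) rejects plaintext from a pod without a sidecar, so a missed
#    injection fails loudly instead of silently downgrading to "unencrypted".
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: onap
spec:
  mtls:
    mode: STRICT
---
# 3. External communication through the Istio IngressGateway. The server
#    certificate is read from the secret "onap-ingress-cert" in the namespace
#    where the gateway pods run (istio-system by default). Drop the HTTPS server
#    and the redirect for the "External: unencrypted" variant.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: onap-gateway
  namespace: onap
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 443
        name: https
        protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: onap-ingress-cert
      hosts:
        - "sdc.example.com"
    - port:
        number: 80
        name: http
        protocol: HTTP
      tls:
        httpsRedirect: true
      hosts:
        - "sdc.example.com"
---
# 4. Route the external host to the ClusterIP service. The gateway-to-pod hop
#    is mTLS like every other hop inside the mesh, so "External: encrypted"
#    plus "Inter/Intra-Component: encrypted" holds end to end.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: sdc-fe
  namespace: onap
spec:
  hosts:
    - "sdc.example.com"
  gateways:
    - onap-gateway
  http:
    - route:
        - destination:
            host: sdc-fe.onap.svc.cluster.local
            port:
              number: 8080
```

Two practical checks: `istioctl x describe pod <pod> -n onap` reports whether the pod has a sidecar and which PeerAuthentication applies, and a `curl` from a pod in a namespace without sidecar injection to `sdc-fe.onap.svc.cluster.local:8080` must fail under STRICT. Within the mesh the page's intra-/inter-component distinction collapses: both are sidecar-to-sidecar mTLS, which is why Option 3 is the only one where the intra-component row is "encrypted".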
Solution using eBPF via Cilium:
https://cilium.io/blog/2020/11/10/ebpf-future-of-networking/
https://ebpf.io/
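The kernel-level alternative for Option 3 as an added example (not from the ONAP page or the Cilium project): Cilium's transparent encryption is switched on through Helm values of the cilium chart, so no sidecar and no change to the ONAP pods are needed. The chart version and the key management are assumed; check the Cilium documentation for the release in use.

```yaml
# Added example, not from the ONAP page. Helm values for the cilium chart,
# e.g. "helm upgrade cilium cilium/cilium -n kube-system -f values.yaml".
encryption:
  # Encrypt pod traffic between nodes in the kernel data path.
  enabled: true
  # "wireguard" needs no manual key distribution (Cilium generates per-node
  # keys); "ipsec" is the alternative and requires a pre-shared key secret.
  type: wireguard
```

Caveat a practitioner should note before picking this over sidecars: Cilium encrypts traffic between nodes, so two pods scheduled on the same node talk in plaintext over the local data path, and the encryption is per node rather than per workload identity (no per-service certificate as with Istio mTLS). The Cilium CLI (`cilium status`) reports the active encryption mode.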