Re: VNF Security Requirements Refresh for El Alto - 2019/9/5 Meeting Minutes


Tony Hansen
 

Yes, these are better. +1

 

                Tony

 

From: <onap-seccom@...> on behalf of "Horn, Linda (Nokia - US/Murray Hill)" <linda.horn@...>
Date: Tuesday, September 10, 2019 at 8:47 AM
To: Hampus Tjäder <hampus.tjader@...>, "ZWARICO, AMY" <az9121@...>, "onap-seccom@..." <onap-seccom@...>, "LOVETT, TREVOR J" <tl2972@...>, "THORPE, HENRY E" <ht1659@...>, "Nowak, Damian (Nokia - PL/Wroclaw)" <damian.nowak@...>, 'Krzysztof Opasiak' <k.opasiak@...>, "HANSEN, TONY L" <tony@...>, "'Harald.Fuchs@...'" <Harald.Fuchs@...>, 'Pawlak Pawel 3 - Korpo' <Pawel.Pawlak3@...>, "'Parayil, Shiby'" <sparayil@...>, 'Zygmunt Lozinski' <zygmunt_lozinski@...>, "'natacha.mach@...'" <natacha.mach@...>, Samuli Kuusela <samuli.kuusela@...>, "Baniewski, Pawel (Nokia - PL/Wroclaw)" <pawel.baniewski@...>, "MCCRAY, CHRISTOPHER" <cm6826@...>, 'Jason Hunt' <djhunt@...>
Subject: Re: [Onap-seccom] VNF Security Requirements Refresh for El Alto - 2019/9/5 Meeting Minutes

 

These wording changes are fine for me.

 

Linda
-----------------------------------------------------------------------------------
Linda S. Horn, DMTS

Cloud RAN Solution Definition and Architecture

Mobile Networks, Nokia

Phone:  +1-908-679-6580

 

From: Hampus Tjäder <hampus.tjader@...>
Sent: Tuesday, September 10, 2019 3:45 AM
To: amy.zwarico@...; onap-seccom@...; LOVETT, TREVOR J <tl2972@...>; THORPE, HENRY E <ht1659@...>; Nowak, Damian (Nokia - PL/Wroclaw) <damian.nowak@...>; 'Krzysztof Opasiak' <k.opasiak@...>; HANSEN, TONY L <tony@...>; 'Harald.Fuchs@...' <Harald.Fuchs@...>; 'Pawlak Pawel 3 - Korpo' <Pawel.Pawlak3@...>; 'Parayil, Shiby' <sparayil@...>; 'Zygmunt Lozinski' <zygmunt_lozinski@...>; 'natacha.mach@...' <natacha.mach@...>; Samuli Kuusela <samuli.kuusela@...>; Baniewski, Pawel (Nokia - PL/Wroclaw) <pawel.baniewski@...>; MCCRAY, CHRISTOPHER <cm6826@...>; 'Jason Hunt' <djhunt@...>; Horn, Linda (Nokia - US/Murray Hill) <linda.horn@...>
Subject: RE: [Onap-seccom] VNF Security Requirements Refresh for El Alto - 2019/9/5 Meeting Minutes

 

Dear Seccom,

 

 

After initial community feedback, we have decided to take a softer position on these three HTTPS requirements. This is to reach alignment in the community faster. So as not to use too much of the SECCOM meeting's time today, I will instead send these suggested updates by mail prior to the meeting.

 

 

o Proposed modification:

  VNF or PNF MUST support one of the following authentication methods for authenticating HTTPS connections to the DCAE VES Event Listener:
  - The preferred method is certificate authentication
  - The non-preferred option is Basic authentication

o Reason: In the current formulation of the HTTPS requirements it is not clear that certificate authentication is the primary solution. We are suggesting a clearer formulation that Basic Auth or Certificate Auth must be supported.

o Proposed modification:

  If the VNF or PNF is using Certificate Authentication, the VNF or PNF MUST support mutual TLS authentication and the Subject Name in the end-entity certificate MUST be used according to RFC 5280.

o Reason: Removal of the conditional related to the DCAE VES Event Listener, as it should also be the case for interacting with other ONAP components. The new proposal is to keep that it applies only if certificate auth. is used.

o Proposed modification:

  If VNF or PNF is using Basic Authentication, then the VNF or PNF MUST be in compliance with RFC 7617 for authenticating HTTPS connections to the DCAE VES Event Listener.

o Reason: The initial proposal was to remove this requirement. Removal seems not to be an option in the community. The suggestion is instead to modify this requirement as above, hence it applies only if basic auth. is supported by the xNF. This is a similar formulation to that in 693.

 

 

Best regards,

Hampus Tjäder

 

 

Ericsson

Datalinjen 4

58330, Linköping, Sweden

Mobile: +46 107113292

ericsson.com

From: onap-seccom@... <onap-seccom@...> On Behalf Of Amy Zwarico via Lists.Onap.Org
Sent: 8 September 2019 21:35
To: onap-seccom@...; LOVETT, TREVOR J <tl2972@...>; THORPE, HENRY E <ht1659@...>; 'Nowak, Damian (Nokia - PL/Wroclaw)' <damian.nowak@...>; 'Krzysztof Opasiak' <k.opasiak@...>; HANSEN, TONY L <tony@...>; 'Harald.Fuchs@...' <Harald.Fuchs@...>; 'Pawlak Pawel 3 - Korpo' <Pawel.Pawlak3@...>; 'Parayil, Shiby' <sparayil@...>; 'Zygmunt Lozinski' <zygmunt_lozinski@...>; 'natacha.mach@...' <natacha.mach@...>; Samuli Kuusela <samuli.kuusela@...>; 'Baniewski, Pawel (Nokia - PL/Wroclaw)' <pawel.baniewski@...>; MCCRAY, CHRISTOPHER <cm6826@...>; 'Jason Hunt' <djhunt@...>
Cc: onap-seccom@...
Subject: Re: [Onap-seccom] VNF Security Requirements Refresh for El Alto - 2019/9/5 Meeting Minutes

 

Linda Horn provided a status update for the VNF certificate requirements

1. The review period is over

2. Many have added +1 to the comments for VNFRQTS-687, VNFRQTS-688, VNFRQTS-689, VNFRQTS-690, VNFRQTS-691

3. The requirements allow both certificate and basic authentication

VNFRQTS-692: Ericsson position is that VNF MUST support certificate authentication (currently a SHOULD)
VNFRQTS-693: Ericsson position is that the conditional should be removed
VNFRQTS-694: Ericsson asked to remove and have no requirement to support basic auth
This will be taken to the larger SECCOM meeting on 9/10

Configuration and monitoring requirements

1. We completed a revision of the requirements for monitoring the configuration of a VNF

2. Review the Jiras attached to VNFRQTS-456 (parent jira) and provide comments and +/-1 by 13 Sept.

 

 

-----Original Appointment-----
From: ZWARICO, AMY
Sent: Monday, September 02, 2019 1:15 PM
To: ZWARICO, AMY; onap-seccom@...; LOVETT, TREVOR J; THORPE, HENRY E; 'Nowak, Damian (Nokia - PL/Wroclaw)'; 'Krzysztof Opasiak'; HANSEN, TONY L; 'Harald.Fuchs@...'; 'Pawlak Pawel 3 - Korpo'; 'Parayil, Shiby'; 'Zygmunt Lozinski'; 'natacha.mach@...'; 'Samuli Kuusela'; 'Baniewski, Pawel (Nokia - PL/Wroclaw)'; MCCRAY, CHRISTOPHER; 'Jason Hunt'
Cc: MAY, JOHN; Horn, Linda (Nokia - US/Murray Hill)
Subject: VNF Security Requirements Refresh for El Alto
When: Thursday, September 05, 2019 8:00 AM-9:00 AM (UTC-06:00) Central Time (US & Canada).
Where: webex

 

 

Scheduling a series of recurring meetings to refresh the VNF security requirements as part of the El Alto release. Please forward the invitation to others in your organization who should participate.

 