Re: VNF Security Requirements Refresh for El Alto - 2019/9/5 Meeting Minutes

Tony Hansen

And there’s a general requirement that non-secure protocols (e.g. HTTP) MUST be disabled by default.




From: "Horn, Linda (Nokia - US/Murray Hill)" <linda.horn@...>
Date: Thursday, September 12, 2019 at 11:36 AM
To: "natacha.mach@..." <natacha.mach@...>, Hampus Tjäder <hampus.tjader@...>, "ZWARICO, AMY" <az9121@...>, "onap-seccom@..." <onap-seccom@...>, "LOVETT, TREVOR J" <tl2972@...>, "THORPE, HENRY E" <ht1659@...>, "Nowak, Damian (Nokia - PL/Wroclaw)" <damian.nowak@...>, 'Krzysztof Opasiak' <k.opasiak@...>, "HANSEN, TONY L" <tony@...>, "'Harald.Fuchs@...'" <Harald.Fuchs@...>, PAWLAK Pawel O-PL <pawel.pawlak3@...>, "'Parayil, Shiby'" <sparayil@...>, 'Zygmunt Lozinski' <zygmunt_lozinski@...>, Samuli Kuusela <samuli.kuusela@...>, "Baniewski, Pawel (Nokia - PL/Wroclaw)" <pawel.baniewski@...>, "MCCRAY, CHRISTOPHER" <cm6826@...>, 'Jason Hunt' <djhunt@...>
Subject: RE: [Onap-seccom] VNF Security Requirements Refresh for El Alto - 2019/9/5 Meeting Minutes


Yes, there is a separate requirement that the VNF and PNF MUST support HTTPS to DCAE.  VNFRQTS-687



Linda S. Horn, DMTS

Cloud RAN Solution Definition and Architecture

Mobile Networks, Nokia

Phone:  +1-908-679-6580


From: natacha.mach@... <natacha.mach@...>
Sent: Thursday, September 12, 2019 11:07 AM
To: Hampus Tjäder <hampus.tjader@...>; amy.zwarico@...; onap-seccom@...; LOVETT, TREVOR J <tl2972@...>; THORPE, HENRY E <ht1659@...>; Nowak, Damian (Nokia - PL/Wroclaw) <damian.nowak@...>; 'Krzysztof Opasiak' <k.opasiak@...>; HANSEN, TONY L <tony@...>; 'Harald.Fuchs@...' <Harald.Fuchs@...>; PAWLAK Pawel O-PL <pawel.pawlak3@...>; 'Parayil, Shiby' <sparayil@...>; 'Zygmunt Lozinski' <zygmunt_lozinski@...>; Samuli Kuusela <samuli.kuusela@...>; Baniewski, Pawel (Nokia - PL/Wroclaw) <pawel.baniewski@...>; MCCRAY, CHRISTOPHER <cm6826@...>; 'Jason Hunt' <djhunt@...>; Horn, Linda (Nokia - US/Murray Hill) <linda.horn@...>
Subject: RE:[Onap-seccom] VNF Security Requirements Refresh for El Alto - 2019/9/5 Meeting Minutes


Hi all,


As agreed, I come back to you regarding the statements above.

Do you confirm that the basic authentication relies on HTTPS?

If confirmed, it is OK for us.



Natacha Mach


From: Hampus Tjäder [hampus.tjader@...]
Sent: Tuesday, September 10, 2019 09:44
To: amy.zwarico@...; onap-seccom@...; LOVETT, TREVOR J; THORPE, HENRY E; 'Nowak, Damian (Nokia - PL/Wroclaw)'; 'Krzysztof Opasiak'; HANSEN, TONY L; 'Harald.Fuchs@...'; PAWLAK Pawel O-PL; 'Parayil, Shiby'; 'Zygmunt Lozinski'; MACH Natacha TGI/OLS; Samuli Kuusela; 'Baniewski, Pawel (Nokia - PL/Wroclaw)'; MCCRAY, CHRISTOPHER; 'Jason Hunt'; Horn, Linda (Nokia - US/Murray Hill)
Subject: RE: [Onap-seccom] VNF Security Requirements Refresh for El Alto - 2019/9/5 Meeting Minutes

Dear Seccom,



After initial community feedback, we have decided to take a softer position on these three HTTPS requirements. This is to reach alignment in the community faster. To avoid using too much time in the SECCOM meeting today, I will instead send these suggested updates by mail prior to the meeting.



·       VNFRQTS-692

o  Proposed modification:

§ VNF or PNF MUST support one of the following authentication methods for authenticating HTTPS connections to the DCAE VES Event Listener:
- The preferred method is certificate authentication
- The non-preferred option is Basic authentication

o  Reason: In the current formulation of the HTTPS requirements it is not clear that certificate authentication is the primary solution. We are suggesting a clearer formulation that Basic Auth or Certificate Auth must be supported.

·       VNFRQTS-693

o  Proposed modification:

§ If the VNF or PNF is using Certificate Authentication, the VNF or PNF MUST support mutual TLS authentication and the Subject Name in the end-entity certificate MUST be used according to RFC 5280.

o  Reason: Removal of the conditional related to the DCAE VES Event Listener, as it should also be the case for interacting with other ONAP components. The new proposal is to keep that it only applies if certificate auth. is used.

·       VNFRQTS-694

o  Proposed modification

§ If VNF or PNF is using Basic Authentication, then the VNF or PNF MUST be in compliance with RFC 7617 for authenticating HTTPS connections to the DCAE VES Event Listener.

o  Reason: The initial proposal was to remove this requirement. Removal seems not to be an option in the community. The suggestion is instead to modify this requirement as above, so that it only applies if basic auth. is supported by the xNF. This is a similar formulation to that in 693.



Best regards,

Hampus Tjäder




Datalinjen 4

58330, Linköping, Sweden

Mobile: +46 107113292
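
An added example, not part of the original thread or of ONAP code, of how an xNF client could enforce what the proposed wording for VNFRQTS-692 and VNFRQTS-694 (and the question about Basic authentication relying on HTTPS) implies: credentials are built as RFC 7617 prescribes and are never attached to a non-HTTPS listener URL. The function names, the sample URL and the choice of UTF-8 for encoding are assumptions.

```python
import base64
from urllib.parse import urlsplit


def basic_credentials(user_id: str, password: str) -> str:
    """Build an Authorization value per RFC 7617: base64(user-id ":" password)."""
    # RFC 7617: a user-id containing ':' cannot be encoded unambiguously.
    if ":" in user_id:
        raise ValueError("RFC 7617: user-id must not contain ':'")
    # RFC 7617: neither field may contain control characters (CTL).
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in user_id + password):
        raise ValueError("RFC 7617: control characters are not allowed")
    # Assumption: UTF-8 is used as the character encoding.
    token = base64.b64encode(f"{user_id}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def listener_auth(url, *, client_cert=None, client_key=None,
                  user_id=None, password=None):
    """Return (method, headers) for an HTTPS connection to the event listener.

    Certificate authentication is preferred when both methods are configured;
    Basic authentication is the non-preferred fallback.
    """
    if urlsplit(url).scheme.lower() != "https":
        # Basic credentials are only base64-encoded, so they need TLS.
        raise ValueError("listener URL must use https")
    if client_cert and client_key:
        # Mutual TLS: the identity is presented in the handshake, no header.
        return "certificate", {}
    if user_id is not None and password is not None:
        return "basic", {"Authorization": basic_credentials(user_id, password)}
    raise ValueError("no authentication method configured")


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    url = "https://listener.example.invalid/events"
    print(listener_auth(url, user_id="Aladdin", password="open sesame"))
    print(listener_auth(url, client_cert="xnf.pem", client_key="xnf.key",
                        user_id="Aladdin", password="open sesame"))
```
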





From: onap-seccom@... <onap-seccom@...> On Behalf Of Amy Zwarico via Lists.Onap.Org
Sent: den 8 september 2019 21:35
To: onap-seccom@...; LOVETT, TREVOR J <tl2972@...>; THORPE, HENRY E <ht1659@...>; 'Nowak, Damian (Nokia - PL/Wroclaw)' <damian.nowak@...>; 'Krzysztof Opasiak' <k.opasiak@...>; HANSEN, TONY L <tony@...>; 'Harald.Fuchs@...' <Harald.Fuchs@...>; 'Pawlak Pawel 3 - Korpo' <Pawel.Pawlak3@...>; 'Parayil, Shiby' <sparayil@...>; 'Zygmunt Lozinski' <zygmunt_lozinski@...>; 'natacha.mach@...' <natacha.mach@...>; Samuli Kuusela <samuli.kuusela@...>; 'Baniewski, Pawel (Nokia - PL/Wroclaw)' <pawel.baniewski@...>; MCCRAY, CHRISTOPHER <cm6826@...>; 'Jason Hunt' <djhunt@...>
Cc: onap-seccom@...
Subject: Re: [Onap-seccom] VNF Security Requirements Refresh for El Alto - 2019/9/5 Meeting Minutes


Linda Horn provided a status update for the VNF certificate requirements

1.      The review period is over

2.      Many have added +1 to the comments for  VNFRQTS-687, VNFRQTS-688, VNFRQTS-689, VNFRQTS-690, VNFRQTS-691

3.      The requirements allow both certificate and basic authentication

VNFRQTS-692: Ericsson position is that VNF MUST support certificate authentication (currently a SHOULD)
VNFRQTS-693: Ericsson position is that the conditional should be removed
VNFRQTS-694: Ericsson asked to remove and have no requirement to support basic auth
This will be taken to the larger SECCOM meeting on 9/10

Configuration and monitoring requirements

1.      We completed a revision of the requirements for monitoring the configuration of a VNF

2.      Review the Jiras attached to VNFRQTS-456 (parent jira) and provide comments and +/-1 by 13 Sept.



-----Original Appointment-----
Sent: Monday, September 02, 2019 1:15 PM
To: ZWARICO, AMY; onap-seccom@...; LOVETT, TREVOR J; THORPE, HENRY E; 'Nowak, Damian (Nokia - PL/Wroclaw)'; 'Krzysztof Opasiak'; HANSEN, TONY L; 'Harald.Fuchs@...'; 'Pawlak Pawel 3 - Korpo'; 'Parayil, Shiby'; 'Zygmunt Lozinski'; 'natacha.mach@...'; 'Samuli Kuusela'; 'Baniewski, Pawel (Nokia - PL/Wroclaw)'; MCCRAY, CHRISTOPHER; 'Jason Hunt'
Cc: MAY, JOHN; Horn, Linda (Nokia - US/Murray Hill)
Subject: VNF Security Requirements Refresh for El Alto
When: Thursday, September 05, 2019 8:00 AM-9:00 AM (UTC-06:00) Central Time (US & Canada).
Where: webex



Scheduling a series of recurring meetings to refresh the VNF security requirements as part of the El Alto release. Please forward the invitation to others in your organization who should participate.
