
VNFREQs for FTPes and NetConf over TLS authentication

Pawel Baniewski (Nokia)
 

Hi,

Following yesterday's discussion about VNFREQs for mTLS, I have checked, and FTPES, according to RFC 4217, can support two authentication methods:

1. Basic authentication - https://tools.ietf.org/html/rfc4217#page-17

2. Client certificate authentication - https://tools.ietf.org/html/rfc4217#page-18

Because we already have client certificate authentication in the opposite direction, I think SECCOM should define that:

  • xNF MUST support client certificate authentication when supporting the event-driven bulk transfer of monitoring data
  • xNF SHOULD support basic authentication when supporting the event-driven bulk transfer of monitoring data

Also, even if not explicitly mentioned, the VNFREQ for mTLS in NETCONF over TLS is covered by VNF requirement 997907, because RFC 7589 chapter 7 requires that the server MUST verify the identity of the client with certificate-based authentication according to local policy, to ensure that the incoming client request is legitimate before any configuration or state data is sent to or received from the client.

@Samuli and @Linda: what do you think?

Regards

Pawel Baniewski

____________________________________________

Nokia Mobile Networks  BTSOAM Serviceability ARCH Security Architect

mobile: +48 728 361 386
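As an added example (not code from this thread, ONAP or Nokia), here are the two RFC 4217 client authentication methods listed above, seen from the side of an xNF pushing a monitoring file with Python's standard ftplib. The host, file names, username and certificate paths are invented placeholders. Both variants verify the server certificate and switch the data channel to PROT P; the only differences are whether the TLS context carries a client certificate and whether a password is sent at all.

```python
"""FTPES (RFC 4217) client-side authentication, both methods.
Added example for this thread; not ONAP or Nokia code. Host, file
names, username and certificate paths are invented placeholders."""
import ssl
from ftplib import FTP_TLS


def ftpes_context(ca_file=None, client_cert=None, client_key=None):
    """Build the TLS context used for the control and data channels.

    The server certificate is always verified (against ca_file, or the
    system trust store when ca_file is None) and the host name checked.
    A client certificate is attached only when client_cert is given;
    that is the switch between basic and certificate authentication.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def describe_context(ctx):
    """Settings worth checking before trusting a context in production."""
    return {
        "verify_mode": ctx.verify_mode.name,      # must be CERT_REQUIRED
        "check_hostname": ctx.check_hostname,     # must be True
        "min_tls": ctx.minimum_version.name,      # TLSv1_2 or newer
    }


def push_file(host, local_path, remote_name, ctx, user, password=""):
    """Upload one file over FTPES and return the server's final reply.

    Sequence: AUTH TLS (control channel encrypted) -> PBSZ 0 / PROT P
    (data channel encrypted) -> USER [PASS] -> STOR. With a client
    certificate in ctx the server may accept USER alone with reply 232
    (RFC 2228, 'authorized by security data exchange'); ftplib sends
    PASS only after a 3xx reply to USER, so the password stays unused.
    """
    ftp = FTP_TLS(context=ctx)
    ftp.connect(host, 21, timeout=30)
    ftp.auth()      # AUTH TLS
    ftp.prot_p()    # PBSZ 0 + PROT P: file contents never cross in the clear
    ftp.login(user=user, passwd=password)
    with open(local_path, "rb") as fh:
        reply = ftp.storbinary(f"STOR {remote_name}", fh)
    ftp.quit()
    return reply


if __name__ == "__main__":
    # Method 1, basic authentication: password inside the TLS control channel.
    basic_ctx = ftpes_context()                       # system trust store
    print("basic:", describe_context(basic_ctx))
    # push_file("dcae-ftpes.example.net", "/var/pm/A20190807.1200-1215_xnf-01.xml",
    #           "A20190807.1200-1215_xnf-01.xml", basic_ctx,
    #           user="xnf-01", password="<from secret store>")

    # Method 2, client-certificate authentication: no password exists at all.
    # cert_ctx = ftpes_context(ca_file="/etc/xnf/dcae-ca.pem",
    #                          client_cert="/etc/xnf/xnf-01.crt",
    #                          client_key="/etc/xnf/xnf-01.key")
    # push_file("dcae-ftpes.example.net", "/var/pm/A20190807.1200-1215_xnf-01.xml",
    #           "A20190807.1200-1215_xnf-01.xml", cert_ctx, user="xnf-01")
```

The same push_file() serves both methods because ftplib only sends PASS after a 3xx reply to USER; when the server has already authenticated the client certificate in the handshake and answers USER with 232, no password ever leaves the xNF. The PROT P step matters in both cases: AUTH TLS alone protects only the control channel, and a server that allows PROT C would let the PM file itself travel in clear text.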

 

Horn, Linda (Nokia - US/Murray Hill)
 

Just my opinion, but I would prefer to only support certificate authentication with FTPES.  If you have an xNF that can't support certificates, then it could use SFTP with username and password.  Then the requirement could be that an xNF MUST support either FTPES or SFTP (or both) for bulk file transfer.

If we do allow basic auth with FTPES, at least it should be an option for the xNF to only support certificate auth.  As an xNF vendor, we do not want to be forced to support usernames and passwords.

The same is true for NETCONF.  An xNF MUST support either SSH or TLS (or both), and if the xNF chooses to only support TLS then it doesn't need to support usernames and passwords.

Linda
-----------------------------------------------------------------------------------
Linda S. Horn, DMTS

Cloud RAN Solution Definition and Architecture

Mobile Networks, Nokia

Phone:  +1-908-679-6580

 

From: onap-seccom@... <onap-seccom@...> On Behalf Of Pawel Baniewski (Nokia) via Lists.Onap.Org
Sent: Wednesday, August 07, 2019 5:32 AM
To: onap-seccom@...
Cc: onap-seccom@...
Subject: [Onap-seccom] VNFREQs for FTPes and NetConf over TLS authentication

 


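Added example for the NETCONF-over-TLS side of this discussion (RFC 7589 chapter 7 in Pawel's message, and Linda's point that a TLS-only xNF needs no usernames and passwords); it is not ONAP or Nokia code. One caveat a practitioner will hit: the NETCONF server still needs a username for access control, it just does not get it from a password. RFC 7589 derives it from the verified client certificate through a local cert-to-name policy (the list defined in RFC 7407's ietf-x509-cert-to-name module). The Python below models that with the standard ssl module: the server context refuses any client that presents no trusted certificate, and a small matcher turns the certificate into a username or tells the server to close the connection. The peer-certificate dicts and DER byte strings are constructed stand-ins shaped like ssl.SSLSocket.getpeercert() output, not real certificates, and matching a policy fingerprint against issuer certificates in the chain is my simplification of the RFC 7407 rules.

```python
"""NETCONF over TLS (RFC 7589): server-side client identity.
Added example for this thread; not ONAP or Nokia code. The TLS layer
demands a trusted client certificate, and the NETCONF username is
then derived from that certificate by a local cert-to-name policy
modelled on RFC 7407 (ietf-x509-cert-to-name). Peer certificates and
DER blobs below are constructed stand-ins, not real certificates."""
import hashlib
import ssl


def netconf_server_context(ca_file=None, cert_file=None, key_file=None):
    """TLS server context: no trusted client certificate, no handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED      # mutual TLS is mandatory
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx


def fingerprint(der, alg="sha256"):
    """Hex fingerprint of a DER certificate, as the policy stores it."""
    return hashlib.new(alg, der).hexdigest()


# Constructed DER stand-ins. Real code uses getpeercert(binary_form=True)
# for the end-entity certificate and the verified chain for the issuers.
CA_DER = b"constructed DER: ONAP-internal CA"
XNF01_DER = b"constructed DER: xnf-01 end-entity cert"
XNF02_DER = b"constructed DER: xnf-02 end-entity cert"
STRANGER_DER = b"constructed DER: cert from an unknown CA"

# Local policy, evaluated in order; the first matching entry wins.
CERT_TO_NAME = [
    # Pin one device certificate to a fixed NETCONF username.
    {"fingerprint": fingerprint(XNF01_DER), "map_type": "specified", "name": "xnf-01"},
    # Anything issued by our CA: username is the first SAN dNSName.
    {"fingerprint": fingerprint(CA_DER), "map_type": "san-dns-name"},
]


def _san(peer_cert, kind):
    """All subjectAltName values of one kind ('DNS', 'email', 'IP Address')."""
    return [v for k, v in peer_cert.get("subjectAltName", ()) if k == kind]


def name_from_cert(peer_cert, map_type, fixed_name=None):
    """Apply one RFC 7407 map-type to a getpeercert()-style dict."""
    if map_type == "specified":
        return fixed_name
    if map_type == "san-rfc822-name":
        return (_san(peer_cert, "email") or [None])[0]
    if map_type == "san-dns-name":
        return (_san(peer_cert, "DNS") or [None])[0]
    if map_type == "san-ip-address":
        return (_san(peer_cert, "IP Address") or [None])[0]
    if map_type == "san-any":
        for kind in ("email", "DNS", "IP Address"):
            vals = _san(peer_cert, kind)
            if vals:
                return vals[0]
        return None
    if map_type == "common-name":
        for rdn in peer_cert.get("subject", ()):
            for attr, value in rdn:
                if attr == "commonName":
                    return value
        return None
    raise ValueError(f"unknown map-type {map_type!r}")


def netconf_username(peer_cert, chain_der, policy=CERT_TO_NAME):
    """Return the NETCONF username for a verified client, or None.

    None means no policy entry matched: the server must then close the
    connection rather than serve a client it cannot name.
    """
    chain_fps = {fingerprint(der) for der in chain_der}
    for entry in policy:
        if entry["fingerprint"] not in chain_fps:
            continue
        name = name_from_cert(peer_cert, entry["map_type"], entry.get("name"))
        if name:
            return name
    return None


# Constructed peer certificates in ssl.getpeercert() dict form.
XNF01_PEER = {"subject": ((("commonName", "xnf-01.example.net"),),),
              "subjectAltName": (("DNS", "xnf-01.example.net"),)}
XNF02_PEER = {"subject": ((("commonName", "xnf-02.example.net"),),),
              "subjectAltName": (("DNS", "xnf-02.example.net"),)}
STRANGER_PEER = {"subject": ((("commonName", "xnf-01.example.net"),),),  # copied CN
                 "subjectAltName": (("DNS", "xnf-01.example.net"),)}


if __name__ == "__main__":
    print(netconf_server_context().verify_mode.name)                    # CERT_REQUIRED
    print(netconf_username(XNF01_PEER, [XNF01_DER, CA_DER]))             # xnf-01
    print(netconf_username(XNF02_PEER, [XNF02_DER, CA_DER]))             # xnf-02.example.net
    print(netconf_username(STRANGER_PEER, [STRANGER_DER, b"other CA"]))  # None -> close
```

The STRANGER case is the reason the policy keys on fingerprints of the verified chain and not on the subject alone: a certificate from an unrelated CA can carry any CN or SAN it likes, so the name mapping must only run after the TLS layer has verified the chain, and must still refuse to invent a username when nothing in that chain is known to the policy.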
Pawel Baniewski (Nokia)
 

Linda, thanks for your opinion. I must admit that I wrongly interpreted the SHOULD keyword as OPTIONAL, but this is not true. I 100% agree with you. In that case, the rephrased requirements are:

  • xNF SHOULD support client certificate authentication when supporting the event-driven bulk transfer of monitoring data
  • If the xNF does not support Certificate Authentication, then the xNF MUST support Basic Authentication when supporting the event-driven bulk transfer of monitoring data

BTW: the requirement you mentioned is already defined - https://docs.onap.org/en/dublin/submodules/vnfrqts/requirements.git/docs/Chapter7/Monitoring-And-Management.html#R-440220. The above requirements are consistent with R-440220.

Regards

Pawel Baniewski

____________________________________________

Nokia Mobile Networks  BTSOAM Serviceability ARCH Tribe Architect

mobile: +48 728 361 386

From: Horn, Linda (Nokia - US/Murray Hill) <linda.horn@...>
Sent: Wednesday, August 07, 2019 2:16 PM
To: Baniewski, Pawel (Nokia - PL/Wroclaw) <pawel.baniewski@...>; onap-seccom@...
Subject: RE: VNFREQs for FTPes and NetConf over TLS authentication

 


Horn, Linda (Nokia - US/Murray Hill)
 

Pawel,

I agree with you on the wording of the 2 new proposed security requirements.

SECCOM,

On a different but related topic, in looking at the existing Bulk Performance Measurement requirements, I have a few comments/questions for SECCOM:

R-841740:  The VNF or PNF SHOULD support FileReady VES event for event-driven bulk transfer of monitoring data.

Comment:  Why isn't this event a MUST if bulk transfer is used?  Shouldn't this be reworded as follows:

The VNF or PNF MUST support FileReady VES event when supporting the event-driven bulk transfer of monitoring data.

R-440220:  The VNF or PNF SHOULD support File transferring protocol, such as FTPES or SFTP, when supporting the event-driven bulk transfer of monitoring data.

Comment:  Why isn't this a MUST?  If the xNF is supporting bulk transfer, isn't it a requirement to use either FTPES or SFTP?  Shouldn't this be reworded as follows:

The VNF or PNF MUST support File transferring protocol, such as FTPES or SFTP, when supporting the event-driven bulk transfer of monitoring data.

R-75943:  The VNF or PNF SHOULD support the data schema defined in 3GPP TS 32.435, when supporting the event-driven bulk transfer of monitoring data.

Comment:  Shouldn't this be reworded as follows:

The VNF or PNF MUST support the data schema defined in 3GPP TS 32.435, when supporting the event-driven bulk transfer of 3GPP 4G monitoring data.  The VNF or PNF MUST support the data schema defined in 3GPP TS 28.550, when supporting the event-driven bulk transfer of 3GPP 5G monitoring data.

Linda
-----------------------------------------------------------------------------------
Linda S. Horn, DMTS

Cloud RAN Solution Definition and Architecture

Mobile Networks, Nokia

Phone:  +1-908-679-6580

 

From: Baniewski, Pawel (Nokia - PL/Wroclaw)
Sent: Thursday, August 08, 2019 4:53 AM
To: Horn, Linda (Nokia - US/Murray Hill) <linda.horn@...>; onap-seccom@...
Subject: RE: VNFREQs for FTPes and NetConf over TLS authentication

 
