1 .. This work is licensed under a Creative Commons Attribution 4.0 International License.
2 .. http://creativecommons.org/licenses/by/4.0
3 .. Copyright 2017 AT&T Intellectual Property. All rights reserved.
6 **VNF Development Requirements**
7 ====================================
12 Services are composed of VNFs and common components and are designed to
13 be agnostic of the location to leverage capacity where it exists in the
14 Network Cloud. VNFs can be instantiated in any location that meets the
15 performance and latency requirements of the service.
17 A key design principle for virtualizing services is decomposition of
18 network functions using NFV concepts into granular VNFs. This enables
19 instantiating and customizing only essential functions as needed for the
20 service, thereby making service delivery more nimble. It provides
21 flexibility of sizing and scaling and also provides flexibility with
22 packaging and deploying VNFs as needed for the service. It enables
23 grouping functions in a common cloud data center to minimize
24 inter-component latency. The VNFs should be designed with a goal of
25 being modular and reusable to enable using best-in-breed vendors.
27 Section 5.a VNF Design in *VNF Guidelines* describes
28 the overall guidelines for designing VNFs from VNF Components (VNFCs).
29 Below are more detailed requirements for composing VNFs.
31 VNF Design Requirements
33 * R-58421 The VNF **SHOULD** be decomposed into granular re-usable VNFCs.
34 * R-82223 The VNF **MUST** be decomposed if the functions have
35 significantly different scaling characteristics (e.g., signaling
36 versus media functions, control versus data plane functions).
37 * R-16496 The VNF **MUST** enable instantiating only the functionality that
38 is needed for the decomposed VNF (e.g., if transcoding is not needed it
39 should not be instantiated).
40 * R-02360 The VNFC **MUST** be designed as a standalone, executable process.
41 * R-34484 The VNF **SHOULD** create a single component VNF for VNFCs
42 that can be used by other VNFs.
43 * R-23035 The VNF **MUST** be designed to scale horizontally (more
44 instances of a VNF or VNFC) and not vertically (moving the existing
45 instances to larger VMs or increasing the resources within a VM)
46 to achieve effective utilization of cloud resources.
47 * R-30650 The VNF **MUST** utilize cloud provided infrastructure and
48 VNFs (e.g., virtualized Local Load Balancer) as part of the VNF so
49 that the cloud can manage and provide a consistent service resiliency
50 and methods across all VNF's.
51 * R-12709 The VNFC **SHOULD** be independently deployed, configured,
52 upgraded, scaled, monitored, and administered by ONAP.
53 * R-37692 The VNFC **MUST** provide API versioning to allow for
54 independent upgrades of VNFC.
55 * R-86585 The VNFC **SHOULD** minimize the use of state within
56 a VNFC to facilitate the movement of traffic from one instance
58 * R-65134 The VNF **SHOULD** maintain state in a geographically
59 redundant datastore that may, in fact, be its own VNFC.
60 * R-75850 The VNF **SHOULD** decouple persistent data from the VNFC
61 and keep it in its own datastore that can be reached by all instances
62 of the VNFC requiring the data.
63 * R-88199 The VNF **MUST** utilize a persistent datastore service that
64 can meet the data performance/latency requirements. (For example:
65 Datastore service could be a VNFC in VNF or a DBaaS in the Cloud
66 execution environment)
67 * R-99656 The VNF **MUST** NOT terminate stable sessions if a VNFC
69 * R-84473 The VNF **MUST** enable DPDK in the guest OS for VNF’s requiring
70 high packets/sec performance. High packet throughput is defined as greater
71 than 500K packets/sec.
72 * R-54430 The VNF **MUST** use the NCSP’s supported library and compute
73 flavor that supports DPDK to optimize network efficiency if using DPDK. [1]_
74 * R-18864 The VNF **MUST** NOT use technologies that bypass virtualization
75 layers (such as SR-IOV) unless approved by the NCSP (e.g., if necessary
76 to meet functional or performance requirements).
77 * R-64768 The VNF **MUST** limit the size of application data packets
78 to no larger than 9000 bytes for SDN network-based tunneling when
79 guest data packets are transported between tunnel endpoints that
80 support guest logical networks.
81 * R-74481 The VNF **MUST** NOT require the use of a dynamic routing
82 protocol unless necessary to meet functional requirements.
85 -------------------------
87 The VNF is responsible for meeting its resiliency goals and must factor
88 in expected availability of the targeted virtualization environment.
89 This is likely to be much lower than found in a traditional data center.
90 Resiliency is defined as the ability of the VNF to respond to error
91 conditions and continue to provide the service intended. A number of
92 software resiliency dimensions have been identified as areas that should
93 be addressed to increase resiliency. As VNFs are deployed into the
94 Network Cloud, resiliency must be designed into the VNF software to
95 provide high availability versus relying on the Network Cloud to achieve
98 Section 5.a Resiliency in *VNF Guidelines* describes
99 the overall guidelines for designing VNFs to meet resiliency goals.
100 Below are more detailed resiliency requirements for VNFs.
103 ^^^^^^^^^^^^^^^^^^^^^^
105 Design the VNF to be resilient to the failures of the underlying
106 virtualized infrastructure (Network Cloud). VNF design considerations
107 would include techniques such as multiple vLANs, multiple local and
108 geographic instances, multiple local and geographic data replication,
109 and virtualized services such as Load Balancers.
112 All Layer Redundancy Requirements
114 * R-52499 The VNF **MUST** meet their own resiliency goals and not rely
115 on the Network Cloud.
116 * R-42207 The VNF **MUST** design resiliency into a VNF such that the
117 resiliency deployment model (e.g., active-active) can be chosen at
119 * R-03954 The VNF **MUST** survive any single points of failure within
120 the Network Cloud (e.g., virtual NIC, VM, disk failure).
121 * R-89010 The VNF **MUST** survive any single points of software failure
122 internal to the VNF (e.g., in memory structures, JMS message queues).
123 * R-67709 The VNF **MUST** be designed, built and packaged to enable
124 deployment across multiple fault zones (e.g., VNFCs deployed in
125 different servers, racks, OpenStack regions, geographies) so that
126 in the event of a planned/unplanned downtime of a fault zone, the
127 overall operation/throughput of the VNF is maintained.
128 * R-35291 The VNF **MUST** support the ability to failover a VNFC
129 automatically to other geographically redundant sites if not
130 deployed active-active to increase the overall resiliency of the VNF.
131 * R-36843 The VNF **MUST** support the ability of the VNFC to be deployable
132 in multi-zoned cloud sites to allow for site support in the event of cloud
133 zone failure or upgrades.
134 * R-00098 The VNF **MUST NOT** impact the ability of the VNF to provide
135 service/function due to a single container restart.
136 * R-79952 The VNF **SHOULD** support container snapshots if not for rebuild
137 and evacuate for rollback or back out mechanism.
139 Minimize Cross Data-Center Traffic
140 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
142 Avoid performance-sapping data center-to-data center replication delay
143 by applying techniques such as caching and persistent transaction paths
144 - Eliminate replication delay impact between data centers by using a
145 concept of stickiness (i.e., once a client is routed to data center "A",
146 the client will stay with Data center “A” until the entire session is
149 Minimize Cross Data-Center Traffic Requirements
151 * R-92935 The VNF **SHOULD** minimize the propagation of state information
152 across multiple data centers to avoid cross data center traffic.
154 Application Resilient Error Handling
155 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
157 Ensure an application communicating with a downstream peer is equipped
158 to intelligently handle all error conditions. Make sure code can handle
159 exceptions seamlessly - implement smart retry logic and implement
160 multi-point entry (multiple data centers) for back-end system
163 Application Resilient Error Handling Requirements
165 * R-26371 The VNF **MUST** detect communication failure for inter VNFC
166 instance and intra/inter VNF and re-establish communication
167 automatically to maintain the VNF without manual intervention to
168 provide service continuity.
169 * R-18725 The VNF **MUST** handle the restart of a single VNFC instance
170 without requiring all VNFC instances to be restarted.
171 * R-06668 The VNF **MUST** handle the start or restart of VNFC instances
172 in any order with each VNFC instance establishing or re-establishing
173 required connections or relationships with other VNFC instances and/or
174 VNFs required to perform the VNF function/role without requiring VNFC
175 instance(s) to be started/restarted in a particular order.
176 * R-80070 The VNF **MUST** handle errors and exceptions so that they do
177 not interrupt processing of incoming VNF requests to maintain service
178 continuity (where the error is not directly impacting the software
179 handling the incoming request).
180 * R-32695 The VNF **MUST** provide the ability to modify the number of
181 retries, the time between retries and the behavior/action taken after
182 the retries have been exhausted for exception handling to allow the
183 NCSP to control that behavior, where the interface and/or functional
184 specification allows for altering behaviour.
185 * R-48356 The VNF **MUST** fully exploit exception handling to the extent
186 that resources (e.g., threads and memory) are released when no longer
187 needed regardless of programming language.
188 * R-67918 The VNF **MUST** handle replication race conditions both locally
189 and geo-located in the event of a data base instance failure to maintain
191 * R-36792 The VNF **MUST** automatically retry/resubmit failed requests
192 made by the software to its downstream system to increase the success rate.
193 * R-70013 The VNF **MUST NOT** require any manual steps to get it ready for
194 service after a container rebuild.
195 * R-65515 The VNF **MUST** provide a mechanism and tool to start VNF
196 containers (VMs) without impacting service or service quality assuming
197 another VNF in same or other geographical location is processing service
199 * R-94978 The VNF **MUST** provide a mechanism and tool to perform a graceful
200 shutdown of all the containers (VMs) in the VNF without impacting service
201 or service quality assuming another VNF in same or other geographical
202 location can take over traffic and process service requests.
205 System Resource Optimization
206 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
208 Ensure an application is using appropriate system resources for the task
209 at hand; for example, do not use network or IO operations inside
210 critical sections, which could end up blocking other threads or
211 processes or eating memory if they are unable to complete. Critical
212 sections should only contain memory operation, and should not contain
213 any network or IO operation.
216 System Resource Optimization Requirements
218 * R-22059 The VNF **MUST NOT** execute long running tasks (e.g., IO,
219 database, network operations, service calls) in a critical section
220 of code, so as to minimize blocking of other operations and increase
221 concurrent throughput.
222 * R-63473 The VNF **MUST** automatically advertise newly scaled
223 components so there is no manual intervention required.
224 * R-74712 The VNF **MUST** utilize FQDNs (and not IP address) for
225 both Service Chaining and scaling.
226 * R-41159 The VNF **MUST** deliver any and all functionality from any
227 VNFC in the pool (where pooling is the most suitable solution). The
228 VNFC pool member should be transparent to the client. Upstream and
229 downstream clients should only recognize the function being performed,
230 not the member performing it.
231 * R-85959 The VNF **SHOULD** automatically enable/disable added/removed
232 sub-components or component so there is no manual intervention required.
233 * R-06885 The VNF **SHOULD** support the ability to scale down a VNFC pool
234 without jeopardizing active sessions. Ideally, an active session should
235 not be tied to any particular VNFC instance.
236 * R-12538 The VNF **SHOULD** support load balancing and discovery
237 mechanisms in resource pools containing VNFC instances.
238 * R-98989 The VNF **SHOULD** utilize resource pooling (threads,
239 connections, etc.) within the VNF application so that resources
240 are not being created and destroyed resulting in resource management
242 * R-55345 The VNF **SHOULD** use techniques such as “lazy loading” when
243 initialization includes loading catalogues and/or lists which can grow
244 over time, so that the VNF startup time does not grow at a rate
245 proportional to that of the list.
246 * R-35532 The VNF **SHOULD** release and clear all shared assets (memory,
247 database operations, connections, locks, etc.) as soon as possible,
248 especially before long running sync and asynchronous operations, so as
249 to not prevent use of these assets by other entities.
252 Application Configuration Management
253 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
255 Leverage configuration management audit capability to drive conformity
256 to develop gold configurations for technologies like Java, Python, etc.
258 Application Configuration Management Requirements
260 * R-77334 The VNF **MUST** allow configurations and configuration parameters
261 to be managed under version control to ensure consistent configuration
262 deployment, traceability and rollback.
263 * R-99766 The VNF **MUST** allow configurations and configuration parameters
264 to be managed under version control to ensure the ability to rollback to
265 a known valid configuration.
266 * R-73583 The VNF **MUST** allow changes of configuration parameters
267 to be consumed by the VNF without requiring the VNF or its sub-components
268 to be bounced so that the VNF availability is not effected.
271 Intelligent Transaction Distribution & Management
272 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
274 Leverage Intelligent Load Balancing and redundant components (hardware
275 and modules) for all transactions, such that at any point in the
276 transaction: front end, middleware, back end -- a failure in any one
277 component does not result in a failure of the application or system;
278 i.e., transactions will continue to flow, albeit at a possibly reduced
279 capacity until the failed component restores itself. Create redundancy
280 in all layers (software and hardware) at local and remote data centers;
281 minimizing interdependencies of components (i.e. data replication,
282 deploying non-related elements in the same container).
284 Intelligent Transaction Distribution & Management Requirements
286 * R-21558 The VNF **SHOULD** use intelligent routing by having knowledge
287 of multiple downstream/upstream endpoints that are exposed to it, to
288 ensure there is no dependency on external services (such as load balancers)
289 to switch to alternate endpoints.
290 * R-08315 The VNF **SHOULD** use redundant connection pooling to connect
291 to any backend data source that can be switched between pools in an
292 automated/scripted fashion to ensure high availability of the connection
294 * R-27995 The VNF **SHOULD** include control loop mechanisms to notify
295 the consumer of the VNF of their exceeding SLA thresholds so the consumer
296 is able to control its load against the VNF.
298 Deployment Optimization
299 ^^^^^^^^^^^^^^^^^^^^^^^^^^
301 Reduce opportunity for failure, by human or by machine, through smarter
302 deployment practices and automation. This can include rolling code
303 deployments, additional testing strategies, and smarter deployment
304 automation (remove the human from the mix).
306 Deployment Optimization Requirements
308 * R-73364 The VNF **MUST** support at least two major versions of the
309 VNF software and/or sub-components to co-exist within production
310 environments at any time so that upgrades can be applied across
311 multiple systems in a staggered manner.
312 * R-02454 The VNF **MUST** support the existence of multiple major/minor
313 versions of the VNF software and/or sub-components and interfaces that
314 support both forward and backward compatibility to be transparent to
315 the Service Provider usage.
316 * R-57855 The VNF **MUST** support hitless staggered/rolling deployments
317 between its redundant instances to allow "soak-time/burn in/slow roll"
318 which can enable the support of low traffic loads to validate the
319 deployment prior to supporting full traffic loads.
320 * R-64445 The VNF **MUST** support the ability of a requestor of the
321 service to determine the version (and therefore capabilities) of the
322 service so that Network Cloud Service Provider can understand the
323 capabilities of the service.
324 * R-56793 The VNF **MUST** test for adherence to the defined performance
325 budgets at each layer, during each delivery cycle with delivered
326 results, so that the performance budget is measured and the code
327 is adjusted to meet performance budget.
328 * R-77667 The VNF **MUST** test for adherence to the defined performance
329 budget at each layer, during each delivery cycle so that the performance
330 budget is measured and feedback is provided where the performance budget
332 * R-49308 The VNF **SHOULD** test for adherence to the defined resiliency
333 rating recommendation at each layer, during each delivery cycle with
334 delivered results, so that the resiliency rating is measured and the
335 code is adjusted to meet software resiliency requirements.
336 * R-16039 The VNF **SHOULD** test for adherence to the defined
337 resiliency rating recommendation at each layer, during each
338 delivery cycle so that the resiliency rating is measured and
339 feedback is provided where software resiliency requirements are
342 Monitoring & Dashboard
343 ^^^^^^^^^^^^^^^^^^^^^^^^^
345 Promote dashboarding as a tool to monitor and support the general
346 operational health of a system. It is critical to the support of the
347 implementation of many resiliency patterns essential to the maintenance
348 of the system. It can help identify unusual conditions that might
349 indicate failure or the potential for failure. This would contribute to
350 improve Mean Time to Identify (MTTI), Mean Time to Repair (MTTR), and
351 post-incident diagnostics.
353 Monitoring & Dashboard Requirements
355 * R-34957 The VNF **MUST** provide a method of metrics gathering for each
356 layer's performance to identify/document variances in the allocations so
357 they can be addressed.
358 * R-49224 The VNF **MUST** provide unique traceability of a transaction
359 through its life cycle to ensure quick and efficient troubleshooting.
360 * R-52870 The VNF **MUST** provide a method of metrics gathering
361 and analysis to evaluate the resiliency of the software from both
362 a granular as well as a holistic standpoint. This includes, but is
363 not limited to thread utilization, errors, timeouts, and retries.
364 * R-92571 The VNF **MUST** provide operational instrumentation such as
365 logging, so as to facilitate quick resolution of issues with the VNF to
366 provide service continuity.
367 * R-48917 The VNF **MUST** monitor for and alert on (both sender and
368 receiver) errant, running longer than expected and missing file transfers,
369 so as to minimize the impact due to file transfer errors.
370 * R-28168 The VNF **SHOULD** use an appropriately configured logging
371 level that can be changed dynamically, so as to not cause performance
372 degradation of the VNF due to excessive logging.
373 * R-87352 The VNF **SHOULD** utilize Cloud health checks, when available
374 from the Network Cloud, from inside the application through APIs to check
375 the network connectivity, dropped packets rate, injection, and auto failover
376 to alternate sites if needed.
377 * R-16560 The VNF **SHOULD** conduct a resiliency impact assessment for all
378 inter/intra-connectivity points in the VNF to provide an overall resiliency
379 rating for the VNF to be incorporated into the software design and
380 development of the VNF.
383 ----------------------
385 The objective of this section is to provide the key security
386 requirements that need to be met by VNFs. The security requirements are
387 grouped into five areas as listed below. Other security areas will be
388 addressed in future updates. These security requirements are applicable
389 to all VNFs. Additional security requirements for specific types of VNFs
390 will be applicable and are outside the scope of these general
393 Section 5.a Security in *VNF Guidelines* outlines
394 the five broad security areas for VNFs that are detailed in the
397 - **VNF General Security**: This section addresses general security
398 requirements for the VNFs that the VNF provider will need to address.
400 - **VNF Identity and Access Management**: This section addresses
401 security requirements with respect to Identity and Access Management
402 as these pertain to generic VNFs.
404 - **VNF API Security**: This section addresses the generic security
405 requirements associated with APIs. These requirements are applicable
406 to those VNFs that use standard APIs for communication and data
409 - **VNF Security Analytics**: This section addresses the security
410 requirements associated with analytics for VNFs that deal with
411 monitoring, data collection and analysis.
413 - **VNF Data Protection**: This section addresses the security
414 requirements associated with data protection.
416 VNF General Security Requirements
417 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
419 This section provides details on the VNF general security requirements
420 on various security areas such as user access control, network security,
421 ACLs, infrastructure security, and vulnerability management. These
422 requirements cover topics associated with compliance, security patching,
423 logging/accounting, authentication, encryption, role-based access
424 control, least privilege access/authorization. The following security
425 requirements need to be met by the solution in a virtual environment:
427 General Security Requirements
429 Integration and operation within a robust security environment is necessary
430 and expected. The security architecture will include one or more of the
431 following: IDAM (Identity and Access Management) for all system and
432 applications access, Code scanning, network vulnerability scans, OS,
433 Database and application patching, malware detection and cleaning,
434 DDOS prevention, network security gateways (internal and external)
435 operating at various layers, host and application based tools for
436 security compliance validation, aggressive security patch application,
437 tightly controlled software distribution and change control processes
438 and other state of the art security solutions. The VNF is expected to
439 function reliably within such an environment and the developer is
440 expected to understand and accommodate such controls and can expected
441 to supply responsive interoperability support and testing throughout
442 the product’s lifecycle.
444 * R-23740 The VNF **MUST** accommodate the security principle of
445 “least privilege” during development, implementation and operation.
446 The importance of “least privilege” cannot be overstated and must be
447 observed in all aspects of VNF development and not limited to security.
448 This is applicable to all sections of this document.
449 * R-61354 The VNF **MUST** implement access control list for OA&M
450 services (e.g., restricting access to certain ports or applications).
451 * R-85633 The VNF **MUST** implement Data Storage Encryption
452 (database/disk encryption) for Sensitive Personal Information (SPI)
453 and other subscriber identifiable data. Note: subscriber’s SPI/data
454 must be encrypted at rest, and other subscriber identifiable data
455 should be encrypted at rest. Other data protection requirements exist
456 and should be well understood by the developer.
457 * R-92207 The VNF **SHOULD** implement a mechanism for automated and
458 frequent "system configuration (automated provisioning / closed loop)"
460 * R-23882 The VNF **SHOULD** be scanned using both network scanning
461 and application scanning security tools on all code, including underlying
462 OS and related configuration. Scan reports shall be provided. Remediation
463 roadmaps shall be made available for any findings.
464 * R-46986 The VNF **SHOULD** have source code scanned using scanning
465 tools (e.g., Fortify) and provide reports.
466 * R-55830 The VNF **MUST** distribute all production code from NCSP
467 internal sources only. No production code, libraries, OS images, etc.
468 shall be distributed from publically accessible depots.
469 * R-99771 The VNF **MUST** provide all code/configuration files in a
470 "Locked down" or hardened state or with documented recommendations for
471 such hardening. All unnecessary services will be disabled. VNF provider
472 default credentials, community strings and other such artifacts will be
473 removed or disclosed so that they can be modified or removed during
475 * R-19768 The VNF **SHOULD** support L3 VPNs that enable segregation of
476 traffic by application (dropping packets not belonging to the VPN) (i.e.,
477 AVPN, IPSec VPN for Internet routes).
478 * R-33981 The VNF **SHOULD** interoperate with various access control
479 mechanisms for the Network Cloud execution environment (e.g.,
480 Hypervisors, containers).
481 * R-40813 The VNF **SHOULD** support the use of virtual trusted platform
482 module, hypervisor security testing and standards scanning tools.
483 * R-56904 The VNF **MUST** interoperate with the ONAP (SDN) Controller so that
484 it can dynamically modify the firewall rules, ACL rules, QoS rules, virtual
485 routing and forwarding rules.
486 * R-26586 The VNF **SHOULD** support the ability to work with aliases
487 (e.g., gateways, proxies) to protect and encapsulate resources.
488 * R-49956 The VNF **MUST** pass all access to applications (Bearer,
489 signaling and OA&M) through various security tools and platforms from
490 ACLs, stateful firewalls and application layer gateways depending on
491 manner of deployment. The application is expected to function (and in
492 some cases, interwork) with these security tools.
493 * R-69649 The VNF **MUST** have all vulnerabilities patched as soon
494 as possible. Patching shall be controlled via change control process
495 with vulnerabilities disclosed along with mitigation recommendations.
496 * R-78010 The VNF **MUST** use the NCSP’s IDAM API for Identification,
497 authentication and access control of customer or VNF application users.
498 * R-42681 The VNF **MUST** use the NCSP’s IDAM API or comply with
499 the requirements if not using the NCSP’s IDAM API, for identification,
500 authentication and access control of OA&M and other system level
502 * R-68589 The VNF **MUST**, if not using the NCSP’s IDAM API, support
503 User-IDs and passwords to uniquely identify the user/application. VNF
504 needs to have appropriate connectors to the Identity, Authentication
505 and Authorization systems that enables access at OS, Database and
506 Application levels as appropriate.
507 * R-52085 The VNF **MUST**, if not using the NCSP’s IDAM API, provide
508 the ability to support Multi-Factor Authentication (e.g., 1st factor =
509 Software token on device (RSA SecureID); 2nd factor = User Name+Password,
511 * R-98391 The VNF **MUST**, if not using the NCSP’s IDAM API, support
512 Role-Based Access Control to permit/limit the user/application to
513 performing specific activities.
514 * R-63217 The VNF **MUST**, if not using the NCSP’s IDAM API, support
515 logging via ONAP for a historical view of “who did what and when”.
516 * R-62498 The VNF **MUST**, if not using the NCSP’s IDAM API, encrypt
517 OA&M access (e.g., SSH, SFTP).
518 * R-79107 The VNF **MUST**, if not using the NCSP’s IDAM API, enforce
519 a configurable maximum number of Login attempts policy for the users.
520 VNF provider must comply with "terminate idle sessions" policy.
521 Interactive sessions must be terminated, or a secure, locking screensaver
522 must be activated requiring authentication, after a configurable period
523 of inactivity. The system-based inactivity timeout for the enterprise
524 identity and access management system must also be configurable.
525 * R-35144 The VNF **MUST**, if not using the NCSP’s IDAM API, comply
526 with the NCSP’s credential management policy.
527 * R-75041 The VNF **MUST**, if not using the NCSP’s IDAM API, expire
528 passwords at regular configurable intervals.
529 * R-46908 The VNF **MUST**, if not using the NCSP’s IDAM API, comply
530 with "password complexity" policy. When passwords are used, they shall
531 be complex and shall at least meet the following password construction
532 requirements: (1) be a minimum configurable number of characters in
533 length, (2) include 3 of the 4 following types of characters:
534 upper-case alphabetic, lower-case alphabetic, numeric, and special,
535 (3) not be the same as the UserID with which they are associated or
536 other common strings as specified by the environment, (4) not contain
537 repeating or sequential characters or numbers, (5) not to use special
538 characters that may have command functions, and (6) new passwords must
539 not contain sequences of three or more characters from the previous
541 * R-39342 The VNF **MUST**, if not using the NCSP’s IDAM API, comply
542 with "password changes (includes default passwords)" policy. Products
543 will support password aging, syntax and other credential management
544 practices on a configurable basis.
545 * R-40521 The VNF **MUST**, if not using the NCSP’s IDAM API, support
546 use of common third party authentication and authorization tools such
548 * R-41994 The VNF **MUST**, if not using the NCSP’s IDAM API, comply
549 with "No Self-Signed Certificates" policy. Self-signed certificates
550 must be used for encryption only, using specified and approved
551 encryption protocols such as TLS 1.2 or higher or equivalent security
552 protocols such as IPSec, AES.
553 * R-23135 The VNF **MUST**, if not using the NCSP’s IDAM API,
554 authenticate system to system communications where one system
555 accesses the resources of another system, and must never conceal
556 individual accountability.
558 VNF Identity and Access Management Requirements
559 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
561 The following security requirements for logging, identity, and access
562 management need to be met by the solution in a virtual environment:
565 Identity and Access Management Requirements
567 * R-95105 The VNF **MUST** host connectors for access to the application
569 * R-45496 The VNF **MUST** host connectors for access to the OS
570 (Operating System) layer.
571 * R-05470 The VNF **MUST** host connectors for access to the database layer.
572 * R-99174 The VNF **MUST** comply with Individual Accountability
573 (each person must be assigned a unique ID) when persons or non-person
574 entities access VNFs.
575 * R-42874 The VNF **MUST** comply with Least Privilege (no more
576 privilege than required to perform job functions) when persons
577 or non-person entities access VNFs.
578 * R-71787 The VNF **MUST** comply with Segregation of Duties (access to a
579 single layer and no developer may access production without special
580 oversight) when persons or non-person entities access VNFs.
581 * R-86261 The VNF **MUST NOT** allow VNF provider access to VNFs remotely.
582 * R-49945 The VNF **MUST** authorize VNF provider access through a
583 client application API by the client application owner and the resource
584 owner of the VNF before provisioning authorization through Role Based
585 Access Control (RBAC), Attribute Based Access Control (ABAC), or other
586 policy based mechanism.
587 * R-31751 The VNF **MUST** subject VNF provider access to privilege
588 reconciliation tools to prevent access creep and ensure correct
589 enforcement of access policies.
590 * R-34552 The VNF **MUST** provide or support the Identity and Access
591 Management (IDAM) based threat detection data for OWASP Top 10.
592 * R-29301 The VNF **MUST** provide or support the Identity and Access
593 Management (IDAM) based threat detection data for Password Attacks.
594 * R-72243 The VNF **MUST** provide or support the Identity and Access
595 Management (IDAM) based threat detection data for Phishing / SMishing.
596 * R-58998 The VNF **MUST** provide or support the Identity and Access
597 Management (IDAM) based threat detection data for Malware (Key Logger).
598 * R-14025 The VNF **MUST** provide or support the Identity and Access
599 Management (IDAM) based threat detection data for Session Hijacking.
600 * R-31412 The VNF **MUST** provide or support the Identity and Access
601 Management (IDAM) based threat detection data for XSS / CSRF.
602 * R-51883 The VNF **MUST** provide or support the Identity and Access
603 Management (IDAM) based threat detection data for Replay.
604 * R-44032 The VNF **MUST** provide or support the Identity and Access
605 Management (IDAM) based threat detection data for Man in the Middle (MITM).
606 * R-58977 The VNF **MUST** provide or support the Identity and Access
607 Management (IDAM) based threat detection data for Eavesdropping.
608 * R-24825 The VNF **MUST** provide Context awareness data (device,
609 location, time, etc.) and be able to integrate with threat detection system.
610 * R-59391 The VNF provider **MUST**, where a VNF provider requires
611 the assumption of permissions, such as root or administrator, first
612 log in under their individual user login ID then switch to the other
613 higher level account; or where the individual user login is infeasible,
614 must login with an account with admin privileges in a way that
615 uniquely identifies the individual performing the function.
616 * R-85028 The VNF **MUST** authenticate system to system access and
617 do not conceal a VNF provider user’s individual accountability for
619 * R-80335 The VNF **MUST** make visible a Warning Notice: A formal
620 statement of resource intent, i.e., a warning notice, upon initial
621 access to a VNF provider user who accesses private internal networks
622 or Company computer resources, e.g., upon initial logon to an internal
623 web site, system or application which requires authentication.
624 * R-73541 The VNF **MUST** use access controls for VNFs and their
625 supporting computing systems at all times to restrict access to
626 authorized personnel only, e.g., least privilege. These controls
627 could include the use of system configuration or access control
629 * R-64503 The VNF **MUST** provide minimum privileges for initial
630 and default settings for new user accounts.
631 * R-86835 The VNF **MUST** set the default settings for user access
632 to sensitive commands and data to deny authorization.
633 * R-77157 The VNF **MUST** conform to approved request, workflow
634 authorization, and authorization provisioning requirements when
635 creating privileged users.
636 * R-81147 The VNF **MUST** have greater restrictions for access and
637 execution, such as up to 3 factors of authentication and restricted
638 authorization, for commands affecting network services, such as
639 commands relating to VNFs.
640 * R-49109 The VNF **MUST** encrypt TCP/IP--HTTPS (e.g., TLS v1.2)
641 transmission of data on internal and external networks.
642 * R-39562 The VNF **MUST** disable unnecessary or vulnerable cgi-bin programs.
643 * R-15671 The VNF **MUST NOT** provide public or unrestricted access
644 to any data without the permission of the data owner. All data
645 classification and access controls must be followed.
646 * R-89753 The VNF **MUST NOT** install or use systems, tools or
647 utilities capable of capturing or logging data that was not created
648 by them or sent specifically to them in production, without
649 authorization of the VNF system owner.
650 * R-19082 The VNF **MUST NOT** run security testing tools and
651 programs, e.g., password cracker, port scanners, hacking tools
652 in production, without authorization of the VNF system owner.
653 * R-19790 The VNF **MUST NOT** include authentication credentials
654 in security audit logs, even if encrypted.
655 * R-85419 The VNF **SHOULD** use REST APIs exposed to Client
656 Applications for the implementation of OAuth 2.0 Authorization
657 Code Grant and Client Credentials Grant, as the standard interface
659 * R-86455 The VNF **SHOULD** support hosting connectors for OS
660 Level and Application Access.
661 * R-48080 The VNF **SHOULD** support SCEP (Simple Certificate
662 Enrollment Protocol).
665 VNF API Security Requirements
666 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
668 This section covers API security requirements when these are used by the
669 VNFs. Key security areas covered in API security are Access Control,
670 Authentication, Passwords, PKI Authentication Alarming, Anomaly
671 Detection, Lawful Intercept, Monitoring and Logging, Input Validation,
672 Cryptography, Business continuity, Biometric Authentication,
673 Identification, Confidentiality and Integrity, and Denial of Service.
675 The solution in a virtual environment needs to meet the following API
676 security requirements:
681 * R-37608 The VNF **MUST** provide a mechanism to restrict access based
682 on the attributes of the VNF and the attributes of the subject.
683 * R-43884 The VNF **MUST** integrate with external authentication
684 and authorization services (e.g., IDAM).
685 * R-25878 The VNF **MUST** use certificates issued from publicly
686 recognized Certificate Authorities (CA) for the authentication process
687 where PKI-based authentication is used.
688 * R-19804 The VNF **MUST** validate the CA signature on the certificate,
689 ensure that the date is within the validity period of the certificate,
690 check the Certificate Revocation List (CRL), and recognize the identity
691 represented by the certificate where PKI-based authentication is used.
692 * R-47204 The VNF **MUST** protect the confidentiality and integrity of
693 data at rest and in transit from unauthorized access and modification.
694 * R-33488 The VNF **MUST** protect against all denial of service
695 attacks, both volumetric and non-volumetric, or integrate with external
696 denial of service protection tools.
697 * R-21652 The VNF **MUST** implement the following input validation
698 control: Check the size (length) of all input. Do not permit an amount
699 of input so great that it would cause the VNF to fail. Where the input
700 may be a file, the VNF API must enforce a size limit.
701 * R-54930 The VNF **MUST** implement the following input validation
702 control: Do not permit input that contains content or characters
703 inappropriate to the input expected by the design. Inappropriate input,
704 such as SQL insertions, may cause the system to execute undesirable
705 and unauthorized transactions against the database or allow other
706 inappropriate access to the internal network.
707 * R-21210 The VNF **MUST** implement the following input validation
708 control: Validate that any input file has a correct and valid
709 Multipurpose Internet Mail Extensions (MIME) type. Input files
710 should be tested for spoofed MIME types.
711 * R-23772 The VNF **MUST** validate input at all layers implementing VNF APIs.
712 * R-87135 The VNF **MUST** comply with NIST standards and industry
713 best practices for all implementations of cryptography.
714 * R-02137 The VNF **MUST** implement all monitoring and logging as
715 described in the Security Analytics section.
716 * R-15659 The VNF **MUST** restrict changing the criticality level of
717 a system security alarm to administrator(s).
718 * R-19367 The VNF **MUST** monitor API invocation patterns to detect
719 anomalous access patterns that may represent fraudulent access or
720 other types of attacks, or integrate with tools that implement anomaly
722 * R-78066 The VNF **MUST** support requests for information from law
723 enforcement and government agencies.
726 VNF Security Analytics Requirements
727 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
729 This section covers VNF security analytics requirements that are mostly
730 applicable to security monitoring. The VNF Security Analytics cover the
731 collection and analysis of data following key areas of security
734 - Anti-virus software
744 - API based monitoring
746 - Detection and notification
748 - Resource exhaustion detection
750 - Proactive and scalable monitoring
752 - Mobility and guest VNF monitoring
754 - Closed loop monitoring
756 - Interfaces to management and orchestration
758 - Malformed packet detections
762 - Dynamic security control
764 - Dynamic load balancing
766 - Connection attempts to inactive ports (malicious port scanning)
768 The following requirements of security monitoring need to be met by the
769 solution in a virtual environment.
771 Security Analytics Requirements
773 * R-48470 The VNF **MUST** support Real-time detection and
774 notification of security events.
775 * R-22286 The VNF **MUST** support Integration functionality via
776 API/Syslog/SNMP to other functional modules in the network (e.g.,
777 PCRF, PCEF) that enable dynamic security control by blocking the
778 malicious traffic or malicious end users
779 * R-32636 The VNF **MUST** support API-based monitoring to take care of
780 the scenarios where the control interfaces are not exposed, or are
781 optimized and proprietary in nature.
782 * R-61648 The VNF **MUST** support event logging, formats, and delivery
783 tools to provide the required degree of event data to ONAP
784 * R-22367 The VNF **MUST** support detection of malformed packets due to
785 software misconfiguration or software vulnerability.
786 * R-31961 The VNF **MUST** support integrated DPI/monitoring functionality
787 as part of VNFs (e.g., PGW, MME).
788 * R-20912 The VNF **MUST** support alternative monitoring capabilities
789 when VNFs do not expose data or control traffic or use proprietary and
790 optimized protocols for inter VNF communication.
791 * R-73223 The VNF **MUST** support proactive monitoring to detect and
792 report the attacks on resources so that the VNFs and associated VMs can
793 be isolated, such as detection techniques for resource exhaustion, namely
794 OS resource attacks, CPU attacks, consumption of kernel memory, local
796 * R-58370 The VNF **MUST** coexist and operate normally with commercial
797 anti-virus software which shall produce alarms every time when there is a
799 * R-56920 The VNF **MUST** protect all security audit logs (including
800 API, OS and application-generated logs), security audit software, data,
801 and associated documentation from modification, or unauthorized viewing,
802 by standard OS access control mechanisms, by sending to a remote system,
804 * R-54520 The VNF **MUST** log successful and unsuccessful login attempts.
805 * R-55478 The VNF **MUST** log logoffs.
806 * R-08598 The VNF **MUST** log successful and unsuccessful changes to
808 * R-13344 The VNF **MUST** log starting and stopping of security
810 * R-07617 The VNF **MUST** log creating, removing, or changing the
811 inherent privilege level of users.
812 * R-94525 The VNF **MUST** log connections to a network listener of the
814 * R-31614 The VNF **MUST** log the field “event type” in the security
816 * R-97445 The VNF **MUST** log the field “date/time” in the security
818 * R-25547 The VNF **MUST** log the field “protocol” in the security audit logs.
819 * R-06413 The VNF **MUST** log the field “service or program used for
820 access” in the security audit logs.
821 * R-15325 The VNF **MUST** log the field “success/failure” in the
823 * R-89474 The VNF **MUST** log the field “Login ID” in the security audit logs.
824 * R-04982 The VNF **MUST NOT** include an authentication credential,
825 e.g., password, in the security audit logs, even if encrypted.
826 * R-63330 The VNF **MUST** detect when the security audit log storage
827 medium is approaching capacity (configurable) and issue an alarm via
828 SMS or equivalent as to allow time for proper actions to be taken to
829 pre-empt loss of audit data.
830 * R-41252 The VNF **MUST** support the capability of online storage of
832 * R-41825 The VNF **MUST** activate security alarms automatically when
833 the following event is detected: configurable number of consecutive
834 unsuccessful login attempts
835 * R-43332 The VNF **MUST** activate security alarms automatically when
836 the following event is detected: successful modification of critical
837 system or application files
838 * R-74958 The VNF **MUST** activate security alarms automatically when
839 the following event is detected: unsuccessful attempts to gain permissions
840 or assume the identity of another user
841 * R-15884 The VNF **MUST** include the field “date” in the Security alarms
842 (where applicable and technically feasible).
843 * R-23957 The VNF **MUST** include the field “time” in the Security alarms
844 (where applicable and technically feasible).
845 * R-71842 The VNF **MUST** include the field “service or program used for
846 access” in the Security alarms (where applicable and technically feasible).
847 * R-57617 The VNF **MUST** include the field “success/failure” in the
848 Security alarms (where applicable and technically feasible).
849 * R-99730 The VNF **MUST** include the field “Login ID” in the Security
850 alarms (where applicable and technically feasible).
851 * R-29705 The VNF **MUST** restrict changing the criticality level of a
852 system security alarm to administrator(s).
853 * R-13627 The VNF **MUST** monitor API invocation patterns to detect
854 anomalous access patterns that may represent fraudulent access or other
855 types of attacks, or integrate with tools that implement anomaly and
857 * R-21819 The VNF **MUST** support requests for information from law
858 enforcement and government agencies.
859 * R-56786 The VNF **MUST** implement “Closed Loop” automatic implementation
860 (without human intervention) for Known Threats with detection rate in low
862 * R-25094 The VNF **MUST** perform data capture for security functions.
863 * R-04492 The VNF **MUST** generate security audit logs that must be sent
864 to Security Analytics Tools for analysis.
865 * R-19219 The VNF **MUST** provide audit logs that include user ID, dates,
866 times for log-on and log-off, and terminal location at minimum.
867 * R-30932 The VNF **MUST** provide security audit logs including records
868 of successful and rejected system access data and other resource access
870 * R-54816 The VNF **MUST** support the storage of security audit logs
871 for agreed period of time for forensic analysis.
872 * R-57271 The VNF **MUST** provide the capability of generating security
873 audit logs by interacting with the operating system (OS) as appropriate.
874 * R-84160 The VNF **MUST** have security logging for VNFs and their
875 OSs be active from initialization. Audit logging includes automatic
876 routines to maintain activity records and cleanup programs to ensure
877 the integrity of the audit/logging systems.
879 VNF Data Protection Requirements
880 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
882 This section covers VNF data protection requirements that are mostly
883 applicable to security monitoring.
886 Data Protection Requirements
888 * R-58964 The VNF **MUST** provide the capability to restrict read
889 and write access to data.
890 * R-99112 The VNF **MUST** provide the capability to restrict access
891 to data to specific users.
892 * R-83227 The VNF **MUST** Provide the capability to encrypt data in
893 transit on a physical or virtual network.
894 * R-32641 The VNF **MUST** provide the capability to encrypt data on
896 * R-13151 The VNF **SHOULD** disable the paging of the data requiring
897 encryption, if possible, where the encryption of non-transient data is
898 required on a device for which the operating system performs paging to
899 virtual memory. If not possible to disable the paging of the data
900 requiring encryption, the virtual memory should be encrypted.
901 * R-93860 The VNF **MUST** provide the capability to integrate with an
902 external encryption service.
903 * R-73067 The VNF **MUST** use industry standard cryptographic algorithms
904 and standard modes of operations when implementing cryptography.
905 * R-22645 The VNF **SHOULD** use commercial algorithms only when there
906 are no applicable governmental standards for specific cryptographic
907 functions, e.g., public key cryptography, message digests.
908 * R-12467 The VNF **MUST NOT** use the SHA, DSS, MD5, SHA-1 and
909 Skipjack algorithms or other compromised encryption.
910 * R-02170 The VNF **MUST** use, whenever possible, standard implementations
911 of security applications, protocols, and format, e.g., S/MIME, TLS, SSH,
912 IPSec, X.509 digital certificates for cryptographic implementations.
913 These implementations must be purchased from reputable vendors and must
914 not be developed in-house.
915 * R-70933 The VNF **MUST** provide the ability to migrate to newer
916 versions of cryptographic algorithms and protocols with no impact.
917 * R-44723 The VNF **MUST** use symmetric keys of at least 112 bits in length.
918 * R-25401 The VNF **MUST** use asymmetric keys of at least 2048 bits in length.
919 * R-95864 The VNF **MUST** use commercial tools that comply with X.509
920 standards and produce x.509 compliant keys for public/private key generation.
921 * R-12110 The VNF **MUST NOT** use keys generated or derived from
922 predictable functions or values, e.g., values considered predictable
923 include user identity information, time of day, stored/transmitted data.
924 * R-52060 The VNF **MUST** provide the capability to configure encryption
925 algorithms or devices so that they comply with the laws of the jurisdiction
926 in which there are plans to use data encryption.
927 * R-69610 The VNF **MUST** provide the capability of using certificates
928 issued from a Certificate Authority not provided by the VNF provider.
929 * R-83500 The VNF **MUST** provide the capability of allowing certificate
930 renewal and revocation.
931 * R-29977 The VNF **MUST** provide the capability of testing the validity
932 of a digital certificate by validating the CA signature on the certificate.
933 * R-24359 The VNF **MUST** provide the capability of testing the validity
934 of a digital certificate by validating the date the certificate is being
935 used is within the validity period for the certificate.
936 * R-39604 The VNF **MUST** provide the capability of testing the
937 validity of a digital certificate by checking the Certificate Revocation
938 List (CRL) for the certificates of that type to ensure that the
939 certificate has not been revoked.
940 * R-75343 The VNF **MUST** provide the capability of testing the
941 validity of a digital certificate by recognizing the identity represented
942 by the certificate — the "distinguished name".
945 ---------------------------
947 ONAP Heat Orchestration Templates: Overview
948 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
950 ONAP supports a modular Heat Orchestration Template design pattern,
951 referred to as *VNF Modularity.*
953 ONAP VNF Modularity Overview
954 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
956 With VNF Modularity, a single VNF may be composed from one or more Heat
957 Orchestration Templates, each of which represents a subset of the
958 overall VNF. These component parts are referred to as “\ *VNF
959 Modules*\ ”. During orchestration, these modules are deployed
960 incrementally to create the complete VNF.
962 A modular Heat Orchestration Template can be either one of the following
967 2. Incremental Module
969 3. Cinder Volume Module
971 * R-37028 The VNF **MUST** be composed of one “base” module.
972 * R-41215 The VNF **MAY** have zero to many “incremental” modules.
973 * R-20974 The VNF **MUST** deploy the base module first, prior to
974 the incremental modules.
976 ONAP also supports the concept of an optional, independently deployed
977 Cinder volume via a separate Heat Orchestration Templates, referred to
978 as a Cinder Volume Module. This allows the volume to persist after a
979 Virtual Machine (VM) (i.e., OS::Nova::Server) is deleted, allowing the
980 volume to be reused on another instance (e.g., during a failover
983 * R-11200 The VNF **MUST** keep the scope of a Cinder volume module,
984 when it exists, to be 1:1 with the VNF Base Module or Incremental Module.
986 * R-38474 The VNF **MUST** have a corresponding environment file for
988 * R-81725 The VNF **MUST** have a corresponding environment file for
989 an Incremental Module.
990 * R-53433 The VNF **MUST** have a corresponding environment file for
991 a Cinder Volume Module.
993 These concepts will be described in more detail throughout the document.
994 This overview is provided to set the stage and help clarify the concepts
995 that will be introduced.
999 ^^^^^^^^^^^^^^^^^^^^^^
1001 ONAP supports a modular Heat Orchestration Template design pattern,
1002 referred to as *VNF Modularity.* With this approach, a single VNF may be
1003 composed from one or more Heat Orchestration Templates, each of which
1004 represents a subset of the overall VNF. These component parts are
1005 referred to as “\ *VNF Modules*\ ”. During orchestration, these modules
1006 are deployed incrementally to create the complete VNF.
1008 A modular Heat Orchestration Template can be either one of the following
1013 2. Incremental Module
1015 3. Cinder Volume Module
1017 A VNF must be composed of one “base” module and may be composed of zero
1018 to many “incremental” modules. The base module must be deployed first,
1019 prior to the incremental modules.
1021 ONAP also supports the concept of an optional, independently deployed
1022 Cinder volume via a separate Heat Orchestration Templates, referred to
1023 as a Cinder Volume Module. This allows the volume to persist after a VM
1024 (i.e., OS::Nova::Server) is deleted, allowing the volume to be reused on
1025 another instance (e.g., during a failover activity).
1027 The scope of a Cinder volume module, when it exists, must be 1:1 with a
1028 Base module or Incremental Module.
1030 A Base Module must have a corresponding environment file.
1032 An Incremental Module must have a corresponding environment file.
1034 A Cinder Volume Module must have a corresponding environment file.
1036 A VNF module (base, incremental, cinder) may support nested templates.
1038 A shared Heat Orchestration Template resource must be defined in the
1039 base module. A shared resource is a resource that that will be
1040 referenced by another resource that is defined in the Base Module and/or
1041 one or more incremental modules.
1043 When the shared resource needs to be referenced by a resource in an
1044 incremental module, the UUID of the shared resource must be exposed by
1045 declaring an ONAP Base Module Output Parameter.
1047 Note that a Cinder volume is *not* a shared resource. A volume template
1048 must correspond 1:1 with a base module or incremental module.
1050 An example of a shared resource is the resource
1051 OS::Neutron::SecurityGroup. Security groups are sets of IP filter rules
1052 that are applied to a VNF’s networking. The resource OS::Neutron::Port
1053 has a property security\_groups which provides the security groups
1054 associated with port. The value of parameter(s) associated with this
1055 property must be the UUIDs of the resource(s)
1056 OS::Neutron::SecurityGroup.
1058 *Note:* A Cinder volume is *not* considered a shared resource. A volume
1059 template must correspond 1:1 with a base template or add-on module
1062 Suggested Patterns for Modular VNFs
1063 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1065 There are numerous variations of VNF modularity. Below are two suggested
1068 **Option 1: Modules per VNFC type**
1070 a. Base module contains only the shared resources.
1072 b. Group all VMs (e.g., VNFCs) of a given type (i.e. {vm-type}) into its
1073 own incremental module. That is, the VNF has an incremental module
1076 c. For a given {vm-type} incremental module, the VNF may have
1078 i. One incremental module used for both initial turn up and re-used
1079 for scaling. This approach is used when the number of VMs
1080 instantiated will be the same for initial deployment and scaling.
1082 ii. Two incremental modules, where one is used for initial turn up
1083 and one is used for scaling. This approach is used when the
1084 number of VMs instantiated will be different for initial
1085 deployment and scaling.
1087 **Option 2: Base VNF with Incremental Growth Modules**
1089 a. Base module contains a complete initial VNF instance
1091 b. Incremental modules for incremental scaling units
1093 i. May contain VMs of multiple types in logical scaling combinations
1095 ii. May be separated by VM type for multi-dimensional scaling
1097 With no growth units, Option 2 is equivalent to the “One Heat Template
1100 Note that modularization of VNFs is not required. A single Heat
1101 Orchestration Template (a base module) may still define a complete VNF,
1102 which might be appropriate for smaller VNFs that do not have any scaling
1108 There are some rules to follow when building modular VNF templates:
1110 1. All VNFs must have one Base VNF Module (template) that must be the
1111 first one deployed. The base template:
1113 a. Must include all shared resources (e.g., private networks, server
1114 groups, security groups)
1116 b. Must expose all shared resources (by UUID) as “outputs” in its
1117 associated Heat template (i.e., ONAP Base Module Output
1120 c. May include initial set of VMs
1122 d. May be operational as a stand-alone “minimum” configuration of the
1125 2. VNFs may have one or more incremental modules which:
1127 a. Defines additional resources that can be added to an existing VNF
1129 b. Must be complete Heat templates
1131 i. i.e. not snippets to be incorporated into some larger template
1133 c. Should define logical growth-units or sub-components of an overall
1136 d. On creation, receives appropriate Base Module outputs as
1139 i. Provides access to all shared resources (by UUID)
1141 ii. must not be dependent on other Add-On VNF Modules
1143 e. Multiple instances of an incremental Module may be added to the
1144 same VNF (e.g., incrementally grow a VNF by a fixed “add-on”
1147 3. Each VNF Module (base or incremental) may have (optional) an
1148 associated Cinder Volume Module (see Cinder Volume Templates)
1150 a. Volume modules must correspond 1:1 with a base module or
1153 b. A Cinder volume may be embedded within the base module or
1154 incremental module if persistence is not required
1156 4. Shared resource UUIDs are passed between the base module and
1157 incremental modules via Heat Outputs Parameters (i.e., Base Module
1160 a. The output parameter name in the base must match the parameter
1161 name in the add-on module
1163 VNF Modularity Examples
1164 ^^^^^^^^^^^^^^^^^^^^^^^^^^
1166 *Example: Base Module creates SecurityGroup*
1168 A VNF has a base module, named base.yaml, that defines a
1169 OS::Neutron::SecurityGroup. The security group will be referenced by an
1170 OS::Neutron::Port resource in an incremental module, named
1171 INCREMENTAL\_MODULE.yaml. The base module defines a parameter in the out
1172 section named dns\_sec\_grp\_id. dns\_sec\_grp\_id is defined as a
1173 parameter in the incremental module. ONAP captures the UUID value of
1174 dns\_sec\_grp\_id from the base module output statement and provides the
1175 value to the incremental module.
1177 Note that the example below is not a complete Heat Orchestration
1178 Template. The {network-role} has been defined as oam to represent an oam
1179 network and the {vm-type} has been defined as dns.
1183 .. code-block:: yaml
1190 type: OS::Neutron::SecurityGroup
1192 description: vDNS security group
1195 template: VNF_NAME_sec_grp_DNS
1197 VMF_NAME: {get_param: vnf_name}
1204 description: UUID of DNS Resource SecurityGroup
1205 value: { get_resource: DNS_SECURITY_GROUP }
1208 INCREMENTAL\_MODULE.yaml
1210 .. code-block:: yaml
1215 description: security group UUID
1220 type: OS::Neutron::Port
1224 template: VNF_NAME_dns_oam_port
1226 VNF_NAME: {get_param: vnf_name}
1227 network: { get_param: oam_net_name }
1228 fixed_ips: [{ "ip_address": { get_param: dns_oam_ip_0 }}]
1229 security_groups: [{ get_param: dns_sec_grp_id }]
1232 *Examples: Base Module creates an internal network*
1234 A VNF has a base module, named base\_module.yaml, that creates an
1235 internal network. An incremental module, named incremental\_module.yaml,
1236 will create a VM that will connect to the internal network. The base
1237 module defines a parameter in the out section named int\_oam\_net\_id.
1238 int\_oam\_net\_id is defined as a parameter in the incremental module.
1239 ONAP captures the UUID value of int\_oam\_net\_id from the base module
1240 output statement and provides the value to the incremental module.
1242 Note that the example below is not a complete Heat Orchestration
1243 Template. The {network-role} has been defined as oam to represent an oam
1244 network and the {vm-type} has been defined as lb for load balancer.
1248 .. code-block:: yaml
1250 heat_template_version: 2013-05-23
1254 type: OS::Neutron::Network
1260 value: {get_resource: int_oam_network }
1265 .. code-block:: yaml
1267 heat_template_version: 2013-05-23
1272 description: ID of shared private network from Base template
1275 description: name for the add-on VM instance
1279 type: OS::Nova::Server
1281 name: {get_param: lb_name_0}
1283 - port: { get_resource: lb_port }
1287 type: OS::Neutron::Port
1289 network_id: { get_param: int_oam_net_id }
1293 ---------------------
1295 This section includes guidelines for VNF providers to ensure that a Network
1296 Cloud Service Provider’s operations personnel have a common and
1297 consistent way to support VNFs and VNFCs.
1299 NCSPs may elect to support standard images to enable compliance with
1300 security, audit, regulatory and other needs. As part of the overall VNF
1301 software bundle, VNF suppliers using standard images would typically
1302 provide the NCSP with an install package consistent with the default OS
1303 package manager (e.g. aptitude for Ubuntu, yum for Redhat/CentOS).
1305 Section 5.a DevOps in *VNF Guidelines* describes
1306 the DevOps guidelines for VNFs.
1310 * R-46960 NCSPs **MAY** operate a limited set of Guest OS and CPU
1311 architectures and families, virtual machines, etc.
1312 * R-23475 VNFCs **SHOULD** be agnostic to the details of the Network Cloud
1313 (such as hardware, host OS, Hypervisor or container technology) and must run
1314 on the Network Cloud with acknowledgement to the paradigm that the Network
1315 Cloud will continue to rapidly evolve and the underlying components of
1316 the platform will change regularly.
1317 * R-33846 The VNF **MUST** install the NCSP required software on Guest OS
1318 images when not using the NCSP provided Guest OS images. [1]_
1319 * R-09467 The VNF **MUST** utilize only NCSP standard compute flavors. [1]_
1320 * R-02997 The VNF **MUST** preserve their persistent data. Running VMs
1321 will not be backed up in the Network Cloud infrastructure.
1322 * R-29760 The VNFC **MUST** be installed on non-root file systems,
1323 unless software is specifically included with the operating system
1324 distribution of the guest image.
1325 * R-20860 The VNF **MUST** be agnostic to the underlying infrastructure
1326 (such as hardware, host OS, Hypervisor), any requirements should be
1327 provided as specification to be fulfilled by any hardware.
1328 * R-89800 The VNF **MUST NOT** require Hypervisor-level customization
1329 from the cloud provider.
1330 * R-86758 The VNF **SHOULD** provide an automated test suite to validate
1331 every new version of the software on the target environment(s). The tests
1332 should be of sufficient granularity to independently test various
1333 representative VNF use cases throughout its lifecycle. Operations might
1334 choose to invoke these tests either on a scheduled basis or on demand to
1335 support various operations functions including test, turn-up and
1337 * R-39650 The VNF **SHOULD** provide the ability to test incremental
1339 * R-14853 The VNF **MUST** respond to a "move traffic" [2]_ command
1340 against a specific VNFC, moving all existing session elsewhere with
1341 minimal disruption if a VNF provides a load balancing function across
1342 multiple instances of its VNFCs. Note: Individual VNF performance
1343 aspects (e.g., move duration or disruption scope) may require further
1345 * R-06327 The VNF **MUST** respond to a "drain VNFC" [2]_ command against
1346 a specific VNFC, preventing new session from reaching the targeted VNFC,
1347 with no disruption to active sessions on the impacted VNFC, if a VNF
1348 provides a load balancing function across multiple instances of its VNFCs.
1349 This is used to support scenarios such as proactive maintenance with no
1351 * R-64713 The VNF **SHOULD** support a software promotion methodology
1352 from dev/test -> pre-prod -> production in software, development &
1353 testing and operations.
1356 --------------------------------
1358 Aid to help the VNF provider to fasten the integration with the GVNFM, the
1359 ONAP provides the VNF SDK tools, and the documents. In this charter,
1360 the develop steps for VNF providers will be introduced.
1362 First, using the VNF SDK tools to design the VNF with TOSCA model and
1363 output the VNF TOSCA package. The VNF package can be validated, and
1366 Second, the VNF provider should provide the VNF Rest API to integrate with
1367 the GVNFM if needed. The VNF Rest API is aligned to the ETSI IFA
1370 Third, the TOSCA model supports the EPA feature.
1374 1. The scripts to extend capacity to satisfy some special requirements.
1375 In the R2, the scripts is not implemented fully, and will be provided
1376 in the next release.
1378 2. The monitoring and scale policy also be provide the next release.
1382 Refer to NCSP’s Network Cloud specification
1385 Not currently supported in ONAP release 1