1 .. Modifications Copyright © 2017-2018 AT&T Intellectual Property.
3 .. Licensed under the Creative Commons License, Attribution 4.0 Intl.
4 (the "License"); you may not use this documentation except in compliance
5 with the License. You may obtain a copy of the License at
7 .. https://creativecommons.org/licenses/by/4.0/
9 .. Unless required by applicable law or agreed to in writing, software
10 distributed under the License is distributed on an "AS IS" BASIS,
11 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 See the License for the specific language governing permissions and
13 limitations under the License.
16 Requirement Changes Introduced in Casablanca
17 ========================================================
19 This document summarizes the requirement changes by section that were
20 introduced between the Beijing release and
21 Casablanca release. Click on the requirement number to
30 * **Requirements Added:** 102
31 * **Requirements Changed:** 232
32 * **Requirements Removed:** 63
35 Configuration Management > Ansible Standards and Capabilities > xNF Configuration via Ansible Requirements > Ansible Client Requirements
36 ----------------------------------------------------------------------------------------------------------------------------------------
46 The xNF **MUST** provide Ansible playbooks that are designed to run using
47 an inventory hosts file in a supported format; with site group that shall
48 be used to add site specific configurations to the target xNF VM(s) as
56 The xNF **MUST** define the "from=" clause to provide the list of IP
57 addresses of the Ansible Servers in the Cluster, separated by coma, to
58 restrict use of the SSH key pair to elements that are part of the Ansible
59 Cluster owner of the issued and assigned mechanized user ID.
66 The xNF **MUST** provide Ansible playbooks that are designed to run using
67 an inventory hosts file in a supported format; with group names matching
68 VNFC 3-character string adding "vip" for groups with virtual IP addresses
69 shared by multiple VMs as seen in examples provided in Appendix.
76 The xNF **MUST** provide the ability to include a "from=" clause in SSH
77 public keys associated with mechanized user IDs created for an Ansible
78 Server cluster to use for xNF VM authentication.
85 The xNF **MUST** provide Ansible playbooks that are designed to run using
86 an inventory hosts file in a supported format with only IP addresses or
87 IP addresses and VM/xNF names.
94 The xNF **MUST** permit authentication, using root account, only right
95 after instantiation and until post-instantiation configuration is
103 The xNF **MUST** provide the ability to remove root access once
104 post-instantiation configuration (Configure) is completed.
115 The xNF **MUST** have routable management IP addresses or FQDNs that
116 are reachable via the Ansible Server for the endpoints (VMs) of a
117 xNF that playbooks will target. ONAP will initiate requests to the
118 Ansible Server for invocation of playbooks against these end
126 The xNF **MUST** update the Ansible Server and other entities
127 storing and using the SSH keys for authentication when the SSH
128 keys used by Ansible are regenerated/updated.
130 **Note**: Ansible Server itself may be used to upload new SSH public
131 keys onto supported xNFs.
138 The xNF **MUST** load the Ansible Server SSH public key onto xNF
139 VM(s) /root/.ssh/authorized_keys as part of instantiation. Alternative,
140 is for Ansible Server SSH public key to be loaded onto xNF VM(s) under
141 /home/<Mechanized user ID>/.ssh/authorized_keys as part of instantiation,
142 when a Mechanized user ID is created during instantiation, and Configure
143 and all playbooks are designed to use a mechanized user ID only for
144 authentication (never using root authentication during Configure playbook
145 run). This will allow the Ansible Server to authenticate to perform
146 post-instantiation configuration without manual intervention and without
147 requiring specific xNF login IDs and passwords.
149 *CAUTION*: For xNFs configured using Ansible, to eliminate the need
150 for manual steps, post-instantiation and pre-configuration, to
151 upload of SSH public keys, SSH public keys loaded during (heat)
152 instantiation shall be preserved and not removed by (heat) embedded
160 The xNF **MUST** support SSH and allow SSH access by the
161 Ansible server to the endpoint VM(s) and comply with the Network
162 Cloud Service Provider guidelines for authentication and access.
169 The xNF **MUST** include as part of post-instantiation configuration
170 done by Ansible Playbooks the removal/update of the SSH public key from
171 /root/.ssh/authorized_keys, and update of SSH keys loaded through
172 instantiation to support Ansible. This may include creating Mechanized user
173 ID(s) used by the Ansible Server(s) on VNF VM(s) and uploading and
174 installing new SSH keys used by the mechanized use ID(s).
177 Configuration Management > Ansible Standards and Capabilities > xNF Configuration via Ansible Requirements > Ansible Playbook Requirements
178 ------------------------------------------------------------------------------------------------------------------------------------------
189 The xNF provider **MUST** deliver a new set of playbooks that includes
190 all updated and unchanged playbooks for any new revision to an existing
198 The xNF **MUST** support Ansible playbooks that are compatible with
199 Ansible version 2.6 or later.
206 The xNF provider **MUST** assign a new point release to the updated
207 playbook set. The functionality of a new playbook set must be tested before
208 it is deployed to the production.
219 The xNF **MUST** utilize information from key value pairs that will be
220 provided by the Ansible Server as "extra-vars" during invocation to
221 execute the desired xNF action. The "extra-vars" attribute-value pairs
222 are passed to the Ansible Server by an APPC/SDN-C as part of the
223 Rest API request. If the playbook requires files, they must also be
224 supplied using the methodology detailed in the Ansible Server API, unless
225 they are bundled with playbooks, example, generic templates. Any files
226 containing instance specific info (attribute-value pairs), not obtainable
227 from any ONAP inventory databases or other sources, referenced and used an
228 input by playbooks, shall be provisioned (and distributed) in advance of
229 use, e.g., xNF instantiation. Recommendation is to avoid these instance
230 specific, manually created in advance of instantiation, files.
237 The xNF **MUST** return control from Ansible Playbooks only after all
238 tasks performed by playbook are fully complete, signaling that the
239 playbook completed all tasks. When starting services, return control
240 only after all services are up. This is critical for workflows where
241 the next steps are dependent on prior tasks being fully completed.
248 The xNF **SHOULD** use playbooks that are designed to
249 automatically 'rollback' to the original state in case of any errors
250 for actions that change state of the xNF (e.g., configure).
252 **Note**: In case rollback at the playbook level is not supported or
253 possible, the xNF provider shall provide alternative rollback
254 mechanism (e.g., for a small xNF the rollback mechanism may rely
255 on workflow to terminate and re-instantiate VNF VMs and then re-run
256 playbook(s)). Backing up updated files is also recommended to support
257 rollback when soft rollback is feasible.
264 The xNF **MUST** write to a response file in JSON format that will be
265 retrieved and made available by the Ansible Server if, as part of a xNF
266 action (e.g., audit), a playbook is required to return any xNF
267 information/response. The text files must be written in the main playbook
268 home directory, in JSON format. The JSON file must be created for the xNF
269 with the name '<xNF name>_results.txt'. All playbook output results, for
270 all xNF VMs, to be provided as a response to the request, must be written
271 to this response file.
278 The xNF **MUST** support each APPC/SDN-C xNF action
279 by invocation of **one** playbook [#7.3.4]_. The playbook will be responsible
280 for executing all necessary tasks (as well as calling other playbooks)
281 to complete the request.
288 The xNF **SHOULD** use available backup capabilities to save a
289 copy of configuration files before implementing changes to support
290 operations such as backing out of software upgrades, configuration
291 changes or other work as this will help backing out of configuration
299 The xNF **SHOULD NOT** use playbooks that make requests to
300 Cloud resources e.g. Openstack (nova, neutron, glance, heat, etc.);
301 therefore, there is no use for Cloud specific variables like Openstack
302 UUIDs in Ansible Playbook related artifacts.
304 **Rationale**: Flows that require interactions with Cloud services e.g.
305 Openstack shall rely on workflows run by an Orchestrator
306 (Change Management) or other capability (such as a control loop or
307 Operations GUI) outside Ansible Server which can be executed by a
308 APPC/SDN-C. There are policies, as part of Control Loop
309 models, that send remediation action requests to an APPC/SDN-C; these
310 are triggered as a response to an event or correlated events published
314 Configuration Management > Chef Standards and Capabilities > xNF Configuration via Chef Requirements > Chef Roles/Requirements
315 ------------------------------------------------------------------------------------------------------------------------------
326 The xNF Package **MUST** include a run list of
327 roles/cookbooks/recipes, for each supported xNF action, that will
328 perform the desired xNF action in its entirety as specified by ONAP
329 (see Section 7.c, APPC/SDN-C APIs and Behavior, for list of xNF
330 actions and requirements), when triggered by a chef-client run list
334 Configuration Management > Controller Interactions With xNF > Configuration Commands
335 ------------------------------------------------------------------------------------
346 The xNF **MUST** support APPC/SDN-C ``Configure`` command.
353 The xNF **MUST** support APPC/SDN-C ``ConfigScaleOut`` command.
360 The xNF **MUST** support APPC ``ConfigBackup`` command.
367 The xNF **MUST** support APPC ``ConfigRestore`` command.
374 The xNF **MUST** support APPC ``Audit`` command.
381 The xNF **MUST** support APPC ``ConfigModify`` command.
384 Configuration Management > Controller Interactions With xNF > HealthCheck and Failure Related Commands
385 ------------------------------------------------------------------------------------------------------
396 The xNF **MUST** support APPC/SDN-C ``HealthCheck`` command.
399 Configuration Management > Controller Interactions With xNF > Lifecycle Management Related Commands
400 ---------------------------------------------------------------------------------------------------
411 The xNF **MUST**, if serving as a distribution point or anchor point for
412 steering point from source to destination, support the ONAP Controller's
413 ``DistributeTraffic`` command.
424 The xNF **MUST** support APPC/SDN-C ``QuiesceTraffic`` command.
431 The xNF **MUST** support APPC/SDN-C ``UpgradeSoftware`` command.
438 The xNF **MUST** support APPC ``StartApplication`` command.
445 The xNF **MUST** support APPC/SDN-C ``ResumeTraffic`` command.
452 The xNF **MUST** support APPC/SDN-C ``UpgradePostCheck`` command.
459 The xNF **MUST** support APPC/SDN-C ``UpgradeBackOut`` command.
466 The xNF **MUST** support APPC ``StopApplication`` command.
473 The xNF **MUST** support APPC/SDN-C ``UpgradeBackup`` command.
480 The xNF **MUST** support APPC/SDN-C ``UpgradePrecheck`` command.
483 Configuration Management > NETCONF Standards and Capabilities > xNF Configuration via NETCONF Requirements > NETCONF Server Requirements
484 ----------------------------------------------------------------------------------------------------------------------------------------
495 The xNF **MUST** implement the protocol operation:
496 ``discard-changes()`` - Revert the candidate configuration
497 data store to the running configuration.
504 The xNF **MUST** implement the protocol operation:
505 ``get-config(source, filter`` - Retrieve a (filtered subset of
506 a) configuration from the configuration data store source.
513 The xNF **MUST** implement the protocol operation:
514 ``commit(confirmed, confirm-timeout)`` - Commit candidate
515 configuration data store to the running configuration.
522 The xNF **MUST** implement the protocol operation:
523 ``edit-config(target, default-operation, test-option, error-option,
524 config)`` - Edit the target configuration data store by merging,
525 replacing, creating, or deleting new config elements.
532 The xNF **MUST** implement the protocol operation:
533 ``lock(target)`` - Lock the configuration data store target.
540 The xNF **MUST** implement the protocol operation:
541 ``close-session()`` - Gracefully close the current session.
548 The xNF **MUST** implement the protocol operation:
549 ``kill-session(session``- Force the termination of **session**.
556 The xNF **MUST** implement the protocol operation:
557 ``unlock(target)`` - Unlock the configuration data store target.
564 The xNF **SHOULD** implement the protocol operation:
565 ``delete-config(target)`` - Delete the named configuration
573 The xNF **SHOULD** implement the protocol operation:
574 ``copy-config(target, source)`` - Copy the content of the
575 configuration data store source to the configuration data store target.
578 Contrail Resource Parameters > Contrail Network Parameters > External Networks
579 ------------------------------------------------------------------------------
590 When a VNF's Heat Orchestration Template's Contrail resource
592 references an external network that requires the network's
593 Fully Qualified Domain Name (FQDN), the property parameter
595 * **MUST** follow the format ``{network-role}_net_fqdn``
596 * **MUST** be declared as type ``string``
597 * **MUST NOT** be enumerated in the VNF's Heat Orchestration Template's
601 Heat > Cinder Volumes
602 ---------------------
613 The VNF Heat Orchestration Template **MUST** define
614 "outputs" in the volume template for each Cinder volume
615 resource universally unique identifier (UUID) (i.e. ONAP
616 Volume Template Output Parameters).
619 Heat > Heat Orchestration Template Format > Heat Orchestration Template Structure > resources > metadata
620 --------------------------------------------------------------------------------------------------------
631 A VNF's Heat Orchestration Template's OS::Nova::Server
632 resource **MUST** contain the attribute "metadata".
635 Heat > Heat Template Constructs > Heat Files Support (get_file)
636 ---------------------------------------------------------------
647 When using the intrinsic function get_file, the included files
648 **MUST** have unique file names within the scope of the VNF.
651 Heat > Heat Template Constructs > Nested Heat Template Requirements
652 -------------------------------------------------------------------
663 The VNF Heat Orchestration Template **MUST** have unique
664 file names within the scope of the VNF for a nested heat yaml file.
667 Heat > Networking > External Networks
668 -------------------------------------
679 When a VNF connects to an external network, a network role,
680 referred to as the '{network-role}' **MUST** be assigned to the
681 external network for use in the VNF's Heat Orchestration Template.
684 Heat > Networking > Internal Networks
685 -------------------------------------
696 If a VNF's port is connected to an internal network and the port
697 is created in the same Heat Orchestration Template as the internal network,
698 then the port resource **MUST** use a 'get_resource' to obtain
702 Heat > ONAP Resource ID and Parameter Naming Convention > Contrail Resource Parameters > Contrail Network Parameters > External Networks
703 ----------------------------------------------------------------------------------------------------------------------------------------
714 A VNF's Heat Orchestration Template's parameter
715 '{network-role}_net_fqdn'
716 **MUST** be declared as type 'string'.
719 Heat > ONAP Resource ID and Parameter Naming Convention > Resource: OS::Nova::Server – Metadata Parameters > vm_role
720 --------------------------------------------------------------------------------------------------------------------
731 A VNF's Heat Orchestration Template's OS::Nova::Server
732 Resource metadata map value parameter 'vnf_name' **MUST** be
735 - enumerated in the VNF's Heat Orchestration
736 Template's environment file.
738 - hard coded in the VNF's Heat Orchestration
739 Template's OS::Nova::Resource metadata property.
742 Heat > ONAP Support of Environment Files
743 ----------------------------------------
754 The VNF Heat Orchestration Template **MUST** have a
755 corresponding environment file for a Cinder Volume Module.
762 The VNF Heat Orchestration Template **MUST** have a
763 corresponding environment file for an Incremental module.
770 The VNF Heat Orchestration Template **MUST** have a corresponding
771 environment file for a Base Module.
774 Monitoring & Management > Data Structure Specification of the Event Record
775 --------------------------------------------------------------------------
786 The xNF provider **MUST** indicate specific conditions that may arise, and
787 recommend actions that may be taken at specific thresholds, or if specific
788 conditions repeat within a specified time interval, using the semantics and
789 syntax described by the :doc:`VES Event Registration specification<../../../../vnfsdk/module.git/files/VESEventRegistration_3_0>`.
796 The xNF Provider **MAY** require that specific events, identified by their
797 ``eventName``, require that certain fields, which are optional in the common
798 event format, must be present when they are published.
805 The xNF provider **MUST** provide a YAML file formatted in adherence with
806 the :doc:`VES Event Registration specification<../../../../vnfsdk/module.git/files/VESEventRegistration_3_0>`
807 that defines the following information for each event produced by the VNF:
812 * Any special handling to be performed for that event
819 The events produced by the xNF **MUST** must be compliant with the common
820 event format defined in the
821 :doc:`VES Event Listener<../../../../vnfsdk/model.git/docs/files/VESEventListener_7_0_1>`
825 Monitoring & Management > Event Records - Data Structure Description > Common Event Header
826 ------------------------------------------------------------------------------------------
837 The VNF **MUST** produce VES events that include the following mandatory
838 fields in the common event header.
840 * ``domain`` - the event domain enumeration
841 * ``eventId`` - the event key unique to the event source
842 * ``eventName`` - the unique event name
843 * ``lastEpochMicrosec`` - the latest unix time (aka epoch time) associated
845 * ``priority`` - the processing priority enumeration
846 * ``reportingEntityName`` - name of the entity reporting the event or
847 detecting a problem in another xNF
848 * ``sequence`` - the ordering of events communicated by an event source
849 * ``sourceName`` - name of the entity experiencing the event issue, which
850 may be detected and reported by a separate reporting entity
851 * ``startEpochMicrosec`` - the earliest unix time (aka epoch time)
852 associated with the event
853 * ``version`` - the version of the event header
854 * ``vesEventListenerVersion`` - Version of the VES event listener API spec
855 that this event is compliant with
858 Monitoring & Management > Event Records - Data Structure Description > Miscellaneous
859 ------------------------------------------------------------------------------------
870 The VNF, when publishing events, **MUST NOT** send information through
871 extensible structures if the event specification has explicitly defined
872 fields for that information.
879 The VNF, when publishing events, **MUST** pass all information it is
880 able to collect even if the information field is identified as optional.
881 However, if the data cannot be collected, then optional fields can be
889 The VNF, when publishing events, **MUST** leverage camel case to separate
890 words and acronyms used as keys that will be sent through extensible fields.
891 When an acronym is used as the key, then only the first letter shall be
895 Monitoring & Management > Monitoring & Management Requirements > Asynchronous and Synchronous Data Delivery
896 -----------------------------------------------------------------------------------------------------------
907 The xNF **SHOULD** deliver all syslog messages to the VES Collector per the
908 specifications in Monitoring and Management chapter.
911 Monitoring & Management > Monitoring & Management Requirements > Bulk Performance Measurement
912 ---------------------------------------------------------------------------------------------
923 The xNF **SHOULD** support File transferring protocol, such as FTPES or SFTP,
924 when supporting the event-driven bulk transfer of monitoring data.
931 The xNF **SHOULD** support the data schema defined in 3GPP TS 32.435, when
932 supporting the event-driven bulk transfer of monitoring data.
939 The xNF **SHOULD** support FileReady VES event for event-driven bulk transfer
943 Monitoring & Management > Monitoring & Management Requirements > Google Protocol Buffers (GPB)
944 ----------------------------------------------------------------------------------------------
955 The xNF, when leveraging Google Protocol Buffers for events, **MUST**
956 serialize the events using native Google Protocol Buffers (GPB) according
957 to the following guidelines:
959 * The keys are represented as integers pointing to the system resources
960 for the xNF being monitored
961 * The values correspond to integers or strings that identify the
962 operational state of the VNF resource, such a statistics counters and
963 the state of an xNF resource.
964 * The required Google Protocol Buffers (GPB) metadata is provided in the
965 form of .proto files.
972 The xNF providers **MUST** provide the Service Provider the following
973 artifacts to support the delivery of high-volume xNF telemetry to
974 DCAE via GPB over TLS/TCP:
976 * A valid VES Event .proto definition file, to be used validate and
978 * A valid high volume measurement .proto definition file, to be used for
979 processing high volume events
980 * A supporting PM content metadata file to be used by analytics
981 applications to process high volume measurement events
984 Monitoring & Management > Monitoring & Management Requirements > JSON
985 ---------------------------------------------------------------------
996 The xNF, when leveraging JSON for events, **MUST** encode and serialize
997 content delivered to ONAP using JSON (RFC 7159) plain text format.
998 High-volume data is to be encoded and serialized using
999 `Avro <http://avro.apache.org/>`_, where the Avro [#7.4.1]_ data
1000 format are described using JSON.
1003 Monitoring & Management > Monitoring & Management Requirements > Reporting Frequency
1004 ------------------------------------------------------------------------------------
1015 The xNF **MUST** report exactly one Measurement event per period
1019 Monitoring & Management > Monitoring & Management Requirements > VNF telemetry via standardized interface
1020 ---------------------------------------------------------------------------------------------------------
1031 The xNF MUST produce heartbeat indicators consisting of events containing
1032 the common event header only per the VES Listener Specification.
1035 Requirements Removed
1036 ~~~~~~~~~~~~~~~~~~~~
1043 The xNF **MUST** provide all telemetry (e.g., fault event
1044 records, syslog records, performance records etc.) to ONAP using the
1045 model, format and mechanisms described in this section.
1048 Monitoring & Management > Transports and Protocols Supporting Resource Interfaces
1049 ---------------------------------------------------------------------------------
1060 The xNF **SHOULD** deliver event records that fall into the event domains
1068 The xNF **MUST** deliver event records to ONAP using the common transport
1069 mechanisms and protocols defined in this document.
1076 The xNF provider **MUST** reach agreement with the Service Provider on
1077 the selected methods for encoding, serialization and data delivery
1078 prior to the on-boarding of the xNF into ONAP SDC Design Studio.
1081 Monitoring & Management > Transports and Protocols Supporting Resource Interfaces > Bulk Telemetry Transmission
1082 ---------------------------------------------------------------------------------------------------------------
1093 The XNF **MAY** leverage bulk xNF telemetry transmission mechanism, as
1094 depicted in Figure 4, in instances where other transmission methods are not
1095 practical or advisable.
1098 Monitoring & Management > Transports and Protocols Supporting Resource Interfaces > xNF Telemetry using Google Protocol Buffers
1099 -------------------------------------------------------------------------------------------------------------------------------
1110 The xNF **MAY** leverage the Google Protocol Buffers (GPB) delivery model
1111 depicted in Figure 3 to support real-time performance management (PM) data.
1112 In this model the VES events are streamed as binary-encoded GBPs over via
1116 Monitoring & Management > Transports and Protocols Supporting Resource Interfaces > xNF Telemetry using VES/JSON Model
1117 ----------------------------------------------------------------------------------------------------------------------
1128 The xNF **SHOULD** leverage the JSON-driven model, as depicted in Figure 2,
1129 for data delivery unless there are specific performance or operational
1130 concerns agreed upon by the Service Provider that would warrant using an
1134 ONAP Heat Cinder Volumes
1135 ------------------------
1146 A VNF's Heat Orchestration Template's Cinder Volume Template **MUST**
1149 * An ``OS::Cinder::Volume`` resource
1150 * An ``OS::Heat::ResourceGroup`` resource that references a Nested YAML
1151 file that contains an ``OS::Cinder::Volume`` resource
1152 * A resource that defines the property ``type`` as a Nested YAML file
1153 (i.e., static nesting) and the Nested YAML contains
1154 an ``OS::Cinder::Volume`` resource
1157 ONAP Heat Heat Template Constructs > Heat Files Support (get_file)
1158 ------------------------------------------------------------------
1161 Requirements Changed
1162 ~~~~~~~~~~~~~~~~~~~~
1169 A VNF's Heat Orchestration Templates intrinsic function
1170 ``get_file`` <content key> **MAY** be used:
1172 * more than once in a VNF's Heat Orchestration Template
1173 * in two or more of a VNF's Heat Orchestration Templates
1174 * in a VNF's Heat Orchestration Templates nested YAML file
1181 If a VNF's Heat Orchestration Template uses the intrinsic function
1182 ``get_file``, the ``get_file`` target **MUST** be referenced in
1183 the Heat Orchestration Template by file name.
1190 A VNF's Heat Orchestration Template intrinsic function
1191 ``get_file`` **MUST NOT** utilize URL-based file retrieval.
1198 When using the intrinsic function get_file, ONAP does not support
1199 a directory hierarchy for included files. All files must be in a
1200 single, flat directory per VNF. A VNF's Heat Orchestration
1201 Template's ``get_file`` target files **MUST** be in the same
1202 directory hierarchy as the VNF's Heat Orchestration Templates.
1205 ONAP Heat Heat Template Constructs > Nested Heat Templates > Nested Heat Template Requirements
1206 ----------------------------------------------------------------------------------------------
1217 A VNF's Heat Orchestration Template **MUST** reference a Nested YAML
1218 file by name. The use of ``resource_registry`` in the VNF's Heat
1219 Orchestration Templates Environment File **MUST NOT** be used.
1222 ONAP Heat Networking > External Networks
1223 ----------------------------------------
1226 Requirements Changed
1227 ~~~~~~~~~~~~~~~~~~~~
1234 A VNF **MAY** be connected to zero, one or more than one external
1238 ONAP Heat Networking > Internal Networks
1239 ----------------------------------------
1242 Requirements Changed
1243 ~~~~~~~~~~~~~~~~~~~~
1250 A VNF's port connected to an internal network **MUST NOT** use the port
1251 for the purpose of reaching VMs in another VNF and/or an
1252 external gateway and/or
1260 A VNF's port connected to an internal network **MUST**
1261 use the port for the purpose of reaching VMs in the same VNF.
1268 A VNF **MAY** contain zero, one or more than one internal network.
1271 ONAP Heat Orchestration Template Format
1272 ---------------------------------------
1283 A VNF's Heat Orchestration Template **MUST** be compliant with the
1284 OpenStack Template Guide.
1287 ONAP Heat Orchestration Template Format > Environment File Format
1288 -----------------------------------------------------------------
1291 Requirements Changed
1292 ~~~~~~~~~~~~~~~~~~~~
1299 A VNF's Heat Orchestration template **MUST** have a
1300 corresponding environment file.
1307 A VNF's Heat Orchestration template's Environment File's
1308 ``parameters:`` section **MAY** (or **MAY NOT**) enumerate parameters.
1315 A VNF's Heat Orchestration template's Environment File **MUST**
1316 contain the ``parameters:`` section.
1319 ONAP Heat Orchestration Template Format > Heat Orchestration Template Structure > parameters
1320 --------------------------------------------------------------------------------------------
1323 Requirements Changed
1324 ~~~~~~~~~~~~~~~~~~~~
1331 A VNF Heat Orchestration's template's parameter **MUST** be used
1332 in a resource with the exception of the parameters for the
1333 ``OS::Nova::Server`` resource property ``availability_zone``.
1340 A VNF Heat Orchestration's template's parameter for the
1341 ``OS::Nova::Server`` resource property ``availability_zone``
1342 **MAY NOT** be used in any ``OS::Nova::Server``.
1345 ONAP Heat Orchestration Template Format > Heat Orchestration Template Structure > parameters > constraints
1346 ----------------------------------------------------------------------------------------------------------
1349 Requirements Changed
1350 ~~~~~~~~~~~~~~~~~~~~
1357 A VNF's Heat Orchestration Template's parameter defined
1358 in a non-nested YAML file as type
1359 ``number`` **MUST** have a parameter constraint of ``range`` or
1360 ``allowed_values`` defined.
1367 A VNF's Heat Orchestration Template's parameter defined
1368 in a nested YAML file
1369 **MUST NOT** have a parameter constraint defined.
1376 A VNF's Heat Orchestration Template's parameter defined
1377 in a non-nested YAML file as type
1378 ``boolean`` **MAY** have a parameter constraint defined.
1385 A VNF's Heat Orchestration Template's parameter defined
1386 in a non-nested YAML file as type
1387 ``string`` **MAY** have a parameter constraint defined.
1394 A VNF's Heat Orchestration Template's parameter defined
1395 in a non-nested YAML file as type
1396 ``json`` **MAY** have a parameter constraint defined.
1403 A VNF's Heat Orchestration Template's parameter defined
1404 in a non-nested YAML file as
1405 type ``comma_delimited_list`` **MAY** have a parameter constraint defined.
1408 ONAP Heat Orchestration Template Format > Heat Orchestration Template Structure > parameters > default
1409 ------------------------------------------------------------------------------------------------------
1412 Requirements Changed
1413 ~~~~~~~~~~~~~~~~~~~~
1420 If a VNF Heat Orchestration Template parameter has a default value,
1421 it **MUST** be enumerated in the environment file.
1424 ONAP Heat Orchestration Template Format > Heat Orchestration Template Structure > parameters > type
1425 ---------------------------------------------------------------------------------------------------
1428 Requirements Changed
1429 ~~~~~~~~~~~~~~~~~~~~
1436 A VNF's Heat Orchestration Template's parameter type **MUST** be one of
1437 the following values:
1442 * ``comma_delimited_list``
1446 ONAP Heat Orchestration Template Format > Heat Orchestration Template Structure > resources
1447 -------------------------------------------------------------------------------------------
1450 Requirements Changed
1451 ~~~~~~~~~~~~~~~~~~~~
1458 A VNF's Heat Orchestration Template's Nested YAML files **MAY**
1459 (or **MAY NOT**) contain the section ``resources:``.
1462 ONAP Heat Orchestration Template Format > Heat Orchestration Template Structure > resources > deletion_policy
1463 -------------------------------------------------------------------------------------------------------------
1466 Requirements Changed
1467 ~~~~~~~~~~~~~~~~~~~~
1474 VNF's Heat Orchestration Template's Resource **MAY** declare the
1475 attribute ``deletion_policy:``.
1478 ONAP Heat Orchestration Template Format > Heat Orchestration Template Structure > resources > external_id
1479 ---------------------------------------------------------------------------------------------------------
1482 Requirements Changed
1483 ~~~~~~~~~~~~~~~~~~~~
1490 VNF's Heat Orchestration Template's Resource **MAY** declare the
1491 attribute ``external_id:``.
1494 ONAP Heat Orchestration Template Format > Heat Orchestration Template Structure > resources > metadata
1495 ------------------------------------------------------------------------------------------------------
1506 A VNF's Heat Orchestration Template's Resource **MAY** declare the
1507 attribute ``metadata``.
1510 ONAP Heat Orchestration Template Format > Heat Orchestration Template Structure > resources > properties
1511 --------------------------------------------------------------------------------------------------------
1514 Requirements Changed
1515 ~~~~~~~~~~~~~~~~~~~~
1522 If a VNF's Heat Orchestration Template resource attribute
1523 ``property:`` uses a nested ``get_param``, the nested
1524 ``get_param`` **MUST** reference an index.
1527 ONAP Heat Orchestration Templates Overview > ONAP Heat Orchestration Template Filenames > Base Modules
1528 ------------------------------------------------------------------------------------------------------
1531 Requirements Changed
1532 ~~~~~~~~~~~~~~~~~~~~
1539 A VNF Heat Orchestration Template's Base Module file name **MUST** include
1540 case insensitive 'base' in the filename and
1541 **MUST** match one of the following four
1544 1.) ``base_<text>.y[a]ml``
1546 2.) ``<text>_base.y[a]ml``
1550 4.) ``<text>_base_<text>``.y[a]ml
1552 where ``<text>`` **MUST** contain only alphanumeric characters and
1553 underscores '_' and **MUST NOT** contain the case insensitive word ``base``.
1556 ONAP Heat Orchestration Templates Overview > ONAP Heat Orchestration Template Filenames > Cinder Volume Modules
1557 ---------------------------------------------------------------------------------------------------------------
1560 Requirements Changed
1561 ~~~~~~~~~~~~~~~~~~~~
1568 VNF Heat Orchestration Template's Cinder Volume Module's Environment File
1569 **MUST** be named identical to the VNF Heat Orchestration Template's
1570 Cinder Volume Module with ``.y[a]ml`` replaced with ``.env``.
1577 A VNF Heat Orchestration Template's Cinder Volume Module **MUST**
1578 be named identical to the base or incremental module it is supporting with
1579 ``_volume`` appended.
1582 ONAP Heat Orchestration Templates Overview > ONAP Heat Orchestration Template Filenames > Incremental Modules
1583 -------------------------------------------------------------------------------------------------------------
1586 Requirements Changed
1587 ~~~~~~~~~~~~~~~~~~~~
1594 VNF Heat Orchestration Template's Incremental Module file name
1595 **MUST** contain only alphanumeric characters and underscores
1596 '_' and **MUST NOT** contain the case insensitive word ``base``.
1599 ONAP Heat Orchestration Templates Overview > ONAP Heat Orchestration Template Filenames > Nested Heat file
1600 ----------------------------------------------------------------------------------------------------------
1603 Requirements Changed
1604 ~~~~~~~~~~~~~~~~~~~~
1611 VNF Heat Orchestration Template's Nested YAML file name **MUST** contain
1612 only alphanumeric characters and underscores '_' and
1613 **MUST NOT** contain the case insensitive word ``base``.
1616 ONAP Heat Orchestration Templates Overview > ONAP VNF Modularity Overview
1617 -------------------------------------------------------------------------
1620 Requirements Changed
1621 ~~~~~~~~~~~~~~~~~~~~
1628 A VNF's Base Module **MUST** have a corresponding Environment File.
1635 At orchestration time, the VNF's Base Module **MUST**
1636 be deployed first, prior to any incremental modules.
1643 A VNF's Cinder Volume Module **MUST** have a corresponding environment file
1650 A VNF's Cinder Volume Module, when it exists, **MUST** be 1:1
1651 with a Base module or Incremental module.
1658 A VNF's Heat Orchestration Template **MAY** be
1659 1.) Base Module Heat Orchestration Template (also referred to as a
1661 2.) Incremental Module Heat Orchestration Template (referred to as
1662 an Incremental Module), or
1663 3.) a Cinder Volume Module Heat Orchestration Template (referred to as
1664 Cinder Volume Module).
1671 A VNF's Incremental Module **MUST** have a corresponding Environment File
1678 A VNF **MUST** be composed of one Base Module
1681 ONAP Heat Orchestration Templates Overview > Output Parameters > ONAP Volume Module Output Parameters
1682 -----------------------------------------------------------------------------------------------------
1685 Requirements Changed
1686 ~~~~~~~~~~~~~~~~~~~~
1693 A VNF's Heat Orchestration Templates' Cinder Volume Module Output
1694 Parameter's name and type **MUST** match the input parameter name and type
1695 in the corresponding Base Module or Incremental Module unless the Output
1696 Parameter is of the type ``comma_delimited_list``, then the corresponding
1697 input parameter **MUST** be declared as type ``json``.
1704 A VNF's Heat Orchestration Template's Cinder Volume Module Output
1706 **MUST** include the
1707 UUID(s) of the Cinder Volumes created in template,
1708 while others **MAY** be included.
1711 ONAP Heat VNF Modularity
1712 ------------------------
1715 Requirements Changed
1716 ~~~~~~~~~~~~~~~~~~~~
1723 A shared Heat Orchestration Template resource is a resource that **MUST**
1724 be defined in the base module and will be referenced by one or
1725 more resources in one or more incremental modules.
1727 The UUID of the shared resource (created in the base module) **MUST** be
1728 exposed by declaring a parameter in the
1729 ``outputs`` section of the base module.
1731 For ECOMP to provided the UUID value of the shared resource to the
1732 incremental module, the parameter name defined in the ``outputs``
1733 section of the base module **MUST** be defined as a parameter
1734 in the ``parameters`` section of the incremental module.
1736 ECOMP will capture the output parameter name and value in the base module
1737 and provide the value to the corresponding parameter(s) in the
1738 incremental module(s).
1741 ONAP Output Parameter Names > Predefined Output Parameters > OAM Management IP Addresses
1742 ----------------------------------------------------------------------------------------
1745 Requirements Changed
1746 ~~~~~~~~~~~~~~~~~~~~
1753 If the VNF's OAM Management IP Address is assigned by ONAP SDN-C and
1754 assigned in the VNF's Heat Orchestration Template's via a heat resource
1755 ``OS::Neutron::Port`` property ``fixed_ips`` map property
1756 ``ip_adress`` parameter (e.g., ``{vm-type}_{network-role}_ip_{index}``,
1757 ``{vm-type}_{network-role}_v6_ip_{index}``)
1758 and the OAM IP Address is required to be inventoried in ONAP A&AI,
1759 then the parameter **MUST** be echoed in an output statement.
1761 .. code-block:: yaml
1764 oam_management_v4_address:
1765 value: {get_param: {vm-type}_{network-role}_ip_{index} }
1766 oam_management_v6_address:
1767 value: {get_param: {vm-type}_{network-role}_v6_ip_{index} }
1774 If the VNF's OAM Management IP Address is cloud assigned and
1775 and the OAM IP Address is required to be inventoried in ONAP A&AI,
1776 then the parameter **MUST** be obtained by the
1777 resource ``OS::Neutron::Port``
1778 attribute ``ip_address``.
1785 If a VNF has one IPv6 OAM Management IP Address and the
1786 IP Address needs to be inventoried in ONAP's A&AI
1787 database, an output parameter **MUST** be declared in only one of the
1788 VNF's Heat Orchestration Templates and the parameter **MUST** be named
1789 ``oam_management_v6_address``.
1792 ONAP TOSCA VNFD Requirements > TOSCA VNF Descriptor > Capability Types
1793 ----------------------------------------------------------------------
1804 The VNFD provided by VNF vendor may use the below described TOSCA
1805 capabilities. An on-boarding entity (ONAP SDC) **MUST** support them.
1807 **tosca.capabilities.nfv.VirtualBindable**
1809 A node type that includes the VirtualBindable capability indicates
1810 that it can be pointed by **tosca.relationships.nfv.VirtualBindsTo**
1813 **tosca.capabilities.nfv.VirtualLinkable**
1815 A node type that includes the VirtualLinkable capability indicates
1816 that it can be pointed by **tosca.relationships.nfv.VirtualLinksTo**
1819 **tosca.capabilities.nfv.ExtVirtualLinkable**
1821 A node type that includes the ExtVirtualLinkable capability
1822 indicates that it can be pointed by
1823 **tosca.relationships.nfv.VirtualLinksTo** relationship.
1825 **Note**: This capability type is used in Casablanca how it does
1826 not exist in the last SOL001 draft
1828 **tosca.capabilities.nfv.VirtualCompute** and
1829 **tosca.capabilities.nfv.VirtualStorage** includes flavours of VDU
1832 ONAP TOSCA VNFD Requirements > TOSCA VNF Descriptor > Data Types
1833 ----------------------------------------------------------------
1844 The below table includes the data types used by NFV node and is based
1845 on TOSCA/YAML constructs specified in draft GS NFV-SOL 001. The node
1846 data definitions/attributes used in VNFD **MUST** comply with the below
1854 The below table describes the data types used for LCM configuration
1855 and is based on TOSCA constructs specified in draft GS NFV-SOL 001.
1856 The LCM configuration data elements used in VNFD **MUST** comply
1857 with the below table.
1860 ONAP TOSCA VNFD Requirements > TOSCA VNF Descriptor > General
1861 -------------------------------------------------------------
1872 The following table defines the major TOSCA Types specified in
1873 ETSI NFV-SOL001 standard draft. The VNFD provided by a VNF vendor
1874 **MUST** comply with the below definitions:
1881 The VNFD **MAY** include TOSCA/YAML definitions that are not part of
1882 NFV Profile. If provided, these definitions MUST comply with TOSCA
1883 Simple Profile in YAML v.1.2.
1890 The VNF Descriptor (VNFD) provided by VNF vendor **MUST** comply with
1891 TOSCA/YAML based Service template for VNF descriptor specified in
1894 **Note**: As the ETSI NFV-SOL001 is work in progress the below tables
1895 summarizes the TOSCA definitions agreed to be part of current version
1896 of NFV profile and that VNFD MUST comply with in ONAP Release 2+
1904 A VNFD is a deployment template which describes a VNF in terms of
1905 deployment and operational behavior requirements. It contains
1906 virtualized resources (nodes) requirements as well as connectivity
1907 and interfaces requirements and **MUST** comply with info elements
1908 specified in ETSI GS NFV-IFA 011. The main parts of the VNFD are
1911 - VNF topology: it is modeled in a cloud agnostic way using virtualized
1912 containers and their connectivity. Virtual Deployment Units (VDU)
1913 describe the capabilities of the virtualized containers, such as
1914 virtual CPU, RAM, disks; their connectivity is modeled with VDU
1915 Connection Point Descriptors (VduCpd), Virtual Link Descriptors
1916 (VnfVld) and VNF External Connection Point Descriptors
1919 - VNF deployment aspects: they are described in one or more
1920 deployment flavours, including configurable parameters, instantiation
1921 levels, placement constraints (affinity / antiaffinity), minimum and
1922 maximum VDU instance numbers. Horizontal scaling is modeled with
1923 scaling aspects and the respective scaling levels in the deployment
1926 **Note**: The deployment aspects (deployment flavour etc.) are postponed
1927 for future ONAP releases.
1929 - VNF lifecycle management (LCM) operations: describes the LCM operations
1930 supported per deployment flavour, and their input parameters;
1931 Note, thatthe actual LCM implementation resides in a different layer,
1932 namely referring to additional template artifacts.
1939 The VNFD **MUST** comply with ETSI GS NFV-SOL001 document endorsing
1940 the above mentioned NFV Profile and maintaining the gaps with the
1941 requirements specified in ETSI GS NFV-IFA011 standard.
1944 ONAP TOSCA VNFD Requirements > TOSCA VNF Descriptor > Interface Types
1945 ---------------------------------------------------------------------
1956 The VNFD provided by VNF vendor may use the below described TOSCA
1957 interface types. An on-boarding entity (ONAP SDC) **MUST** support them.
1959 **tosca.interfaces.nfv.vnf.lifecycle.Nfv** supports LCM operations
1962 ONAP TOSCA VNFD Requirements > TOSCA VNF Descriptor > Relationship Types
1963 ------------------------------------------------------------------------
1974 The VNFD provided by VNF vendor may use the below described TOSCA
1975 relationships. An on-boarding entity (ONAP SDC) **MUST** support them.
1977 **tosca.relationships.nfv.VirtualBindsTo**
1979 This relationship type represents an association relationship between
1980 VDU and CP node types.
1982 **tosca.relationships.nfv.VirtualLinksTo**
1984 This relationship type represents an association relationship between
1985 the VduCpd's and VirtualLinkDesc node types.
1988 ONAP TOSCA VNFD Requirements > VNF CSAR Package > VNF Package Contents
1989 ----------------------------------------------------------------------
2000 The VNF package Manifest file **MUST** contain: VNF package meta-data, a
2001 list of all artifacts (both internal and external) entry's including
2002 their respected URI's, an algorithm to calculate a digest and a digest
2003 result calculated on the content of each artifacts, as specified in
2004 ETSI GS NFV-SOL004. The VNF Package MUST include VNF Identification
2005 Data to uniquely identify the resource for a given VNF provider. The
2006 identification data must include: an identifier for the VNF, the name
2007 of the VNF as was given by the VNF provider, VNF description, VNF
2008 provider, and version.
2015 The VNF package **MUST** contain all standard artifacts as specified in
2016 ETSI GS NFV-SOL004 including Manifest file, VNFD (or Main TOSCA/YAML
2017 based Service Template) and other optional artifacts. CSAR Manifest
2018 file as per SOL004 - for example ROOT\\ **MainServiceTemplate.mf**
2025 The VNF provider **MUST** provide their testing scripts to support
2026 testing as specified in ETSI NFV-SOL004 - Testing directory in CSAR
2033 The VNF provider **MUST** provide the binaries and images needed to
2034 instantiate the VNF (VNF and VNFC images) either as:
2036 - Local artifact in CSAR: ROOT\\Artifacts\\ **VNF_Image.bin**
2038 - externally referred (by URI) artifact in Manifest file (also may be
2039 referred by VNF Descriptor)
2041 Note: Currently, ONAP doesn't have the capability of Image management,
2042 we upload the image into VIM/VNFM manually.
2049 The VNF provider MUST enumerate all of the open source licenses
2050 their VNF(s) incorporate. CSAR License directory as per ETSI SOL004.
2052 for example ROOT\\Licenses\\ **License_term.txt**
2055 ONAP TOSCA VNFD Requirements > VNF CSAR Package > VNF Package Structure and Format
2056 ----------------------------------------------------------------------------------
2067 The VNF package **MUST** be arranged as a CSAR archive as specified in
2068 TOSCA Simple Profile in YAML 1.2.
2075 The VNF package provided by a VNF vendor **MAY** be either with
2076 TOSCA-Metadata directory (CSAR Option 1) or without TOSCA-Metadata
2077 directory (CSAR Option 2) as specified in ETSI GS NFV-SOL004. On-boarding
2078 entity (ONAP SDC) must support both options.
2080 **Note:** SDC supports only the CSAR Option 1 in Casablanca. The Option 2
2081 will be considered in future ONAP releases,
2084 PNF Plug and Play > PNF Plug and Play
2085 -------------------------------------
2096 The PNF **MUST** support the provisioning of security and authentication
2097 parameters (HTTP username and password) in order to be able to authenticate
2098 with DCAE (in ONAP).
2100 Note: In R3, a username and password are used with the DCAE VES Event
2101 Listener which are used for HTTP Basic Authentication.
2103 Note: The configuration management and provisioning software are specific
2104 to a vendor architecture.
2111 The following VES Events **MUST** be supported by the PNF: pnfRegistration
2112 VES Event, HVol VES Event, and Fault VES Event. These are onboarded via
2113 he SDC Design Studio.
2115 Note: these VES Events are emitted from the PNF to support PNF Plug and
2116 Play, High Volume Measurements, and Fault events respectively.
2123 The PNF **MAY** support the optional parameters for Service
2124 Configuration Parameters.
2126 Note: These are detailed in the Stage 5 PnP
2128 Note: These parameters are optional, and not all PNFs will support any
2129 or all of these parameters, it is up to the vendor and service provider
2130 to ascertain which ones are supported up to an including all of the ones
2131 that have been defined. Note: It is expected that there will be a growing
2132 list of supported configuration parameters in future releases of ONAP.
2139 The PNF **MUST** support the Ansible protocol for a Service Configuration
2140 message exchange between the PNF and PNF Controller (in ONAP).
2142 Note: this exchange may be either Ansible, Chef, or NetConf depending on
2143 the PNF. Note: The PNF Controller may be VF-C, APP-C or SDN-C based on the
2144 PNF and PNF domain. Note: for R3 (Casablanca) only Ansible is supported.
2151 The PNF **MUST** support & accept the provisioning of an ONAP contact IP
2152 address (in IPv4 or IPv6 format).
2154 Note: For example, it a possibility is that an external EMS would configure
2155 & provision the ONAP contact IP address to the PNF (in either IPv4 or
2156 IPv6 format). For the PNF Plug and Play Use Case, this IP address is the
2157 service provider's "point of entry" to the DCAE VES Listener.
2159 Note: different service provider's network architecture may also require
2160 special setup to allow an external PNF to contact the ONAP installation.
2161 For example, in the AT&T network, a maintenance tunnel is used to access
2169 If the PNF encounters an error authenticating, reaching the ONAP DCAE VES
2170 Event listener or recieves an error response from sending the pnfRegistration
2171 VES Event, it **MAY** log the error, and notify the operator.
2173 Note: the design of how errors are logged, retrieved and reported
2174 will be a vendor-specific architecture. Reporting faults and errors
2175 is also a vendor specific design. It is expected that the PNF shall
2176 have a means to log an error and notify a user when a fault condition
2177 occurs in trying to contact ONAP, authenticate or send a pnfRegistration
2185 (Error Case) - If an error is encountered by the PNF during a
2186 Service Configuration exchange with ONAP, the PNF **MAY** log the
2187 error and notify an operator.
2194 The PNF Vendor **MAY** provide software version(s) to be supported by PNF
2195 for SDC Design Studio PNF Model. This is set in the PNF Model property
2203 The PNF **MAY** support a HTTP connection to the DCAE VES Event Listener.
2205 Note: HTTP is allowed but not recommended.
2212 (Error Case) - The PNF **MUST** support a configurable timer to stop the
2213 periodicity sending of the pnfRegistration VES event. If this timer expires
2214 during a Service Configuration exchange between the PNF and ONAP, it
2215 MAY log a time-out error and notify an operator.
2217 Note: It is expected that each vendor will enforce and define a PNF
2218 service configuration timeout period. This is because the PNF cannot
2219 wait indefinitely as there may also be a technician on-site trying to
2220 complete installation & commissioning. The management of the VES event
2221 exchange is also a requirement on the PNF to be developed by the PNF
2229 The PNF **MUST** support sending a pnfRegistration VES event.
2236 When the PNF receives a Service configuration from ONAP, the PNF **MUST**
2237 cease sending the pnfRegistration VES Event.
2244 The PNF **MUST** support a HTTPS connection to the DCAE VES Event
2252 The PNF **MUST** have "ONAP Aware" software which is capable of performing
2253 PNF PnP registration with ONAP. The "ONAP Aware" software is capable of
2254 performing the PNF PnP Registration with ONAP MUST either be loaded
2255 separately or integrated into the PNF software upon physical delivery
2256 and installation of the PNF.
2258 Note: It is up to the specific vendor to design the software management
2266 The PNF **MUST** use a IP address to contact ONAP.
2268 Note: it is expected that an ONAP operator can ascertain the ONAP IP
2269 address or the security gateway to reach ONAP on the VID or ONAP portal
2272 Note: The ONAP contact IP address has been previously configured and
2273 provisioned prior to this step.
2275 Note: The ONAP IP address could be provisioned or resolved through
2283 When the PNF sets up a HTTP or HTTPS connection, it **MUST** provide a
2284 username and password to the DCAE VES Collector for HTTP Basic
2287 Note: HTTP Basic Authentication has 4 steps: Request, Authenticate,
2288 Authorization with Username/Password Credentials, and Authentication Status
2289 as per RFC7617 and RFC 2617.
2296 If the PNF set up a TLS connection and mutual (two-way) authentication is
2297 being used, then the PNF **MUST** provide its own X.509v3 Certificate to
2298 the DCAE VES Collector for authentication.
2300 Note: This allows TLS authentication by DCAE VES Collector.
2302 Note: The PNF got its X.509 certificate through Enrollment with an
2303 operator certificate authority or a X.509 vendor certificate from the
2306 Note: In R3 three authentication options are supported:
2308 (1) HTTP with Username & Password and no TLS.
2310 (2) HTTP with Username & Password & TLS with two-way certificate
2313 (3) HTTP with Username & Password & TLS with server-side
2314 certificate authentication.
2321 The PNF **MUST** send the pnfRegistration VES event periodically.
2328 The pnfRegistration VES event periodicity **MUST** be configurable.
2330 Note: The PNF uses the service configuration request as a semaphore to
2331 stop sending the pnfRegistration sent. See the requirement PNP-5360
2339 Requirements Changed
2340 ~~~~~~~~~~~~~~~~~~~~
2347 When a VNF's Heat Orchestration Template's resource is associated with a
2348 single internal network, the Resource ID **MUST** contain the text
2349 ``int_{network-role}``.
2356 When a VNF's Heat Orchestration Template's resource is associated
2357 with more than one ``{vm-type}`` and/or more than one internal and/or
2358 external network, the Resource ID **MUST** not contain the ``{vm-type}``
2359 and/or ``{network-role}``/``int_{network-role}``. It also should contain the
2360 term ``shared`` and/or contain text that identifies the VNF.
2367 When a VNF's Heat Orchestration Template's resource is associated with a
2368 single ``{vm-type}``
2369 and a single external network, the Resource ID text **MUST** contain both
2371 and the ``{network-role}``
2373 - the ``{vm-type}`` **MUST** appear before the ``{network-role}`` and
2374 **MUST** be separated by an underscore '_'
2377 - e.g., ``{vm-type}_{network-role}``, ``{vm-type}_{index}_{network-role}``
2380 - note that an ``{index}`` value **MAY** separate the ``{vm-type}`` and the
2381 ``{network-role}`` and when this occurs underscores **MUST** separate the
2382 three values. (e.g., ``{vm-type}_{index}_{network-role}``).
2389 When a VNF's Heat Orchestration Template's resource is associated with a
2390 single ``{vm-type}`` and a single internal network, the Resource ID **MUST**
2391 contain both the ``{vm-type}`` and the ``int_{network-role}`` and
2393 - the ``{vm-type}`` **MUST** appear before the ``int_{network-role}`` and
2394 **MUST** be separated by an underscore '_'
2396 - (e.g., ``{vm-type}_int_{network-role}``,
2397 ``{vm-type}_{index}_int_{network-role}``)
2399 - note that an ``{index}`` value **MAY** separate the
2400 ``{vm-type}`` and the ``int_{network-role}`` and when this occurs
2401 underscores **MUST** separate the three values.
2402 (e.g., ``{vm-type}_{index}_int_{network-role}``).
2405 Resource IDs > Contrail Heat Resources Resource ID Naming Convention > OS::ContrailV2::VirtualNetwork
2406 -----------------------------------------------------------------------------------------------------
2409 Requirements Changed
2410 ~~~~~~~~~~~~~~~~~~~~
2417 A VNF's Heat Orchestration Template's Resource
2418 ``OS::ContrailV2::VirtualNetwork`` Resource ID **MUST** use the naming convention
2420 1) ``int_{network-role}_network``
2424 2) ``int_{network-role}_RVN`` where RVN represents Resource Virtual
2427 VNF Heat Orchestration Templates can only create internal networks.
2428 There is no ``{index}`` after ``{network-role}`` because ``{network-role}``
2429 **MUST** be unique in the scope of the VNF's
2430 Heat Orchestration Template.
2432 Note that option 1 is preferred.
2435 Resource IDs > OpenStack Heat Resources Resource ID Naming Convention > OS::Neutron::Net
2436 ----------------------------------------------------------------------------------------
2439 Requirements Changed
2440 ~~~~~~~~~~~~~~~~~~~~
2447 A VNF's Heat Orchestration Template's Resource ``OS::Neutron::Net``
2448 Resource ID **MUST** use the naming convention
2450 * ``int_{network-role}_network``
2452 VNF Heat Orchestration Templates can only create internal networks.
2453 There is no ``{index}`` after ``{network-role}`` because ``{network-role}``
2454 **MUST** be unique in the scope of the VNF's
2455 Heat Orchestration Template.
2458 Resource: OS::Neutron::Port - Parameters > Introduction > Items to Note
2459 -----------------------------------------------------------------------
2462 Requirements Changed
2463 ~~~~~~~~~~~~~~~~~~~~
2470 If a VNF's Port is attached to an external network and the port's
2471 IP addresses are assigned by ONAP's SDN-Controller,
2472 the ``OS::Neutron::Port`` Resource's
2474 * property ``fixed_ips`` map property ``ip_address`` **MUST** be used
2475 * property ``fixed_ips`` map property ``subnet``
2476 **MUST NOT** be used
2483 If a VNF's Port is attached to a network (internal or external)
2484 and the port's IP addresses are cloud assigned by OpenStack's DHCP
2485 Service, the ``OS::Neutron::Port`` Resource's
2487 * property ``fixed_ips`` map property ``ip_address`` **MUST NOT** be used
2488 * property ``fixed_ips`` map property ``subnet``
2496 If a VNF's Port is attached to an internal network and the port's
2497 IP addresses are statically assigned by the VNF's Heat Orchestration\
2498 Template (i.e., enumerated in the Heat Orchestration Template's
2499 environment file), the ``OS::Neutron::Port`` Resource's
2501 * property ``fixed_ips`` map property ``ip_address`` **MUST** be used
2502 * property ``fixed_ips`` map property ``subnet``
2503 **MUST NOT** be used
2506 Resource: OS::Neutron::Port - Parameters > Property: allowed_address_pairs, Map Property: ip_address > VIP Assignment, External Networks, Supported by Automation
2507 -----------------------------------------------------------------------------------------------------------------------------------------------------------------
2510 Requirements Changed
2511 ~~~~~~~~~~~~~~~~~~~~
2518 When the VNF's Heat Orchestration Template's Resource
2519 ``OS::Neutron::Port`` is attaching to an external network (per the
2520 ONAP definition, see Requirement R-57424),
2521 and an IPv6 Virtual IP (VIP)
2522 address is assigned via ONAP automation
2523 using the property ``allowed_address_pairs``
2524 map property ``ip_address``,
2525 the parameter name **MUST** follow the
2528 * ``{vm-type}_{network-role}_floating_v6_ip``
2532 * ``{vm-type}`` is the {vm-type} associated with the
2534 * ``{network-role}`` is the {network-role} of the external
2537 And the parameter **MUST** be declared as type ``string``.
2544 When the VNF's Heat Orchestration Template's Resource
2545 ``OS::Neutron::Port`` is attaching to an external network (per the
2546 ONAP definition, see Requirement R-57424),
2547 and an IPv4 Virtual IP (VIP)
2548 address is assigned via ONAP automation
2549 using the property ``allowed_address_pairs``
2550 map property ``ip_address`` and
2551 the parameter name **MUST** follow the
2554 * ``{vm-type}_{network-role}_floating_ip``
2558 * ``{vm-type}`` is the {vm-type} associated with the
2560 * ``{network-role}`` is the {network-role} of the external
2563 And the parameter **MUST** be declared as type ``string``.
2566 Resource: OS::Neutron::Port - Parameters > Property: fixed_ips, Map Property: ip_address
2567 ----------------------------------------------------------------------------------------
2570 Requirements Changed
2571 ~~~~~~~~~~~~~~~~~~~~
2578 The VNF's Heat Orchestration Template's Resource
2579 ``OS::Neutron::Port`` property ``fixed_ips``
2580 map property ``ip_address`` parameter
2581 ``{vm-type}_int_{network-role}_ip_{index}``
2582 **MUST** be enumerated in the
2583 VNF's Heat Orchestration Template's Environment File.
2590 The VNF's Heat Orchestration Template's Resource
2591 ``OS::Neutron::Port`` property ``fixed_ips``
2592 map property ``ip_address`` parameter
2593 ``{vm-type}_{network-role}_ip_{index}``
2594 **MUST NOT** be enumerated in the
2595 VNF's Heat Orchestration Template's Environment File.
2602 When the VNF's Heat Orchestration Template's Resource
2603 ``OS::Neutron::Port`` is attaching to an internal network (per the
2604 ONAP definition, see Requirements R-52425 and R-46461),
2605 and an IPv4 address is assigned
2606 using the property ``fixed_ips``
2607 map property ``ip_address`` and the parameter type is defined as a
2608 ``comma_delimited_list``,
2609 the parameter name **MUST** follow the
2612 * ``{vm-type}_int_{network-role}_ips``
2616 * ``{vm-type}`` is the {vm-type} associated with the
2617 ``OS::Nova::Server``
2618 * ``{network-role}`` is the {network-role} of the internal
2626 When the VNF's Heat Orchestration Template's Resource
2627 ``OS::Neutron::Port`` is attaching to an internal network (per the
2628 ONAP definition, see Requirements R-52425 and R-46461),
2629 and an IPv4 address is assigned
2630 using the property ``fixed_ips``
2631 map property ``ip_address`` and the parameter type is
2632 defined as a ``string``,
2633 the parameter name **MUST** follow the
2636 * ``{vm-type}_int_{network-role}_ip_{index}``
2640 * ``{vm-type}`` is the {vm-type} associated with the
2642 * ``{network-role}`` is the {network-role} of the internal
2644 * the value for ``{index`` must start at zero (0) and increment by one
2651 The VNF's Heat Orchestration Template's Resource
2652 ``OS::Neutron::Port`` property ``fixed_ips``
2653 map property ``ip_address`` parameter
2654 ``{vm-type}_int_{network-role}_int_ips``
2655 **MUST** be enumerated in the
2656 VNF's Heat Orchestration Template's Environment File.
2663 When the VNF's Heat Orchestration Template's Resource
2664 ``OS::Neutron::Port`` is attaching to an external network (per the
2665 ONAP definition, see Requirement R-57424),
2666 and an IPv6 address is assigned
2667 using the property ``fixed_ips``
2668 map property ``ip_address`` and the parameter type is defined as a
2669 ``comma_delimited_list``,
2670 the parameter name **MUST** follow the
2673 * ``{vm-type}_{network-role}_v6_ips``
2677 * ``{vm-type}`` is the {vm-type} associated with the
2679 * ``{network-role}`` is the {network-role} of the external
2687 The VNF's Heat Orchestration Template's Resource
2688 ``OS::Neutron::Port`` property ``fixed_ips``
2689 map property ``ip_address`` parameter
2690 ``{vm-type}_{network-role}_v6_ip_{index}``
2691 **MUST NOT** be enumerated in the
2692 VNF's Heat Orchestration Template's Environment File.
2699 The VNF's Heat Orchestration Template's Resource
2700 ``OS::Neutron::Port`` property ``fixed_ips``
2701 map property ``ip_address`` parameter
2702 ``{vm-type}_int_{network-role}_v6_ips``
2703 **MUST** be enumerated in the
2704 VNF's Heat Orchestration Template's Environment File.
2711 The VNF's Heat Orchestration Template's Resource ``OS::Neutron::Port``
2712 property ``fixed_ips``
2713 map property ``ip_address``
2714 parameter associated with an internal network, i.e.,
2716 * ``{vm-type}_int_{network-role}_ip_{index}``
2717 * ``{vm-type}_int_{network-role}_v6_ip_{index}``
2718 * ``{vm-type}_int_{network-role}_ips``
2719 * ``{vm-type}_int_{network-role}_v6_ips``
2722 **MUST** be enumerated in the Heat Orchestration
2723 Template's Environment File and IP addresses **MUST** be
2731 When the VNF's Heat Orchestration Template's Resource
2732 ``OS::Neutron::Port`` is attaching to an external network (per the
2733 ONAP definition, see Requirement R-57424),
2734 and an IPv4 address is assigned
2735 using the property ``fixed_ips``
2736 map property ``ip_address`` and the parameter type is defined as a string,
2737 the parameter name **MUST** follow the
2740 * ``{vm-type}_{network-role}_ip_{index}``
2744 * ``{vm-type}`` is the {vm-type} associated with the
2745 ``OS::Nova::Server``
2746 * ``{network-role}`` is the {network-role} of the external
2748 * the value for ``{index}`` must start at zero (0) and increment by one
2755 When the VNF's Heat Orchestration Template's Resource
2756 ``OS::Neutron::Port`` is attaching to an internal network (per the
2757 ONAP definition, see Requirements R-52425 and R-46461),
2758 and an IPv6 address is assigned
2759 using the property ``fixed_ips``
2760 map property ``ip_address`` and the parameter type is defined as a
2761 ``comma_delimited_list``,
2762 the parameter name **MUST** follow the
2765 * ``{vm-type}_int_{network-role}_v6_ips``
2769 * ``{vm-type}`` is the {vm-type} associated with the
2770 ``OS::Nova::Server``
2771 * ``{network-role}`` is the {network-role} of the internal
2779 When the VNF's Heat Orchestration Template's Resource
2780 ``OS::Neutron::Port`` is attaching to an external network (per the
2781 ONAP definition, see Requirement R-57424),
2782 and an IPv6 address is assigned
2783 using the property ``fixed_ips``
2784 map property ``ip_address`` and the parameter type is defined as a string,
2785 the parameter name **MUST** follow the
2788 * ``{vm-type}_{network-role}_v6_ip_{index}``
2792 * ``{vm-type}`` is the {vm-type} associated with the
2794 * ``{network-role}`` is the {network-role} of the external
2796 * the value for ``{index}`` must start at zero (0) and increment by one
2803 The VNF's Heat Orchestration Template's Resource ``OS::Neutron::Port``
2804 property ``fixed_ips``
2805 map property ``ip_address``
2806 parameter associated with an external network, i.e.,
2808 * ``{vm-type}_{network-role}_ip_{index}``
2809 * ``{vm-type}_{network-role}_v6_ip_{index}``
2810 * ``{vm-type}_{network-role}_ips``
2811 * ``{vm-type}_{network-role}_v6_ips``
2814 **MUST NOT** be enumerated in the Heat Orchestration
2815 Template's Environment File. ONAP provides the IP address
2816 assignments at orchestration time.
2823 When the VNF's Heat Orchestration Template's Resource
2824 ``OS::Neutron::Port`` is attaching to an external network (per the
2825 ONAP definition, see Requirement R-57424),
2826 and an IPv4 address is assigned
2827 using the property ``fixed_ips``
2828 map property ``ip_address`` and the parameter type is defined as a
2829 ``comma_delimited_list``,
2830 the parameter name **MUST** follow the
2833 * ``{vm-type}_{network-role}_ips``
2837 * ``{vm-type}`` is the {vm-type} associated with the
2838 ``OS::Nova::Server``
2839 * ``{network-role}`` is the {network-role} of the external
2847 The VNF's Heat Orchestration Template's Resource
2848 ``OS::Neutron::Port`` property ``fixed_ips``
2849 map property ``ip_address`` parameter
2850 ``{vm-type}_int_{network-role}_v6_ip_{index}``
2851 **MUST** be enumerated in the
2852 VNF's Heat Orchestration Template's Environment File.
2859 When the VNF's Heat Orchestration Template's Resource
2860 ``OS::Neutron::Port`` is attaching to an internal network (per the
2861 ONAP definition, see RRequirements R-52425 and R-46461),
2862 and an IPv6 address is assigned
2863 using the property ``fixed_ips``
2864 map property ``ip_address`` and the parameter type is defined as a
2866 the parameter name **MUST** follow the
2869 * ``{vm-type}_int_{network-role}_v6_ip_{index}``
2873 * ``{vm-type}`` is the {vm-type} associated with the
2874 ``OS::Nova::Server``
2875 * ``{network-role}`` is the {network-role} of the internal
2877 * the value for ``{index}`` must start at zero (0) and increment by one
2880 Resource: OS::Neutron::Port - Parameters > Property: fixed_ips, Map Property: subnet
2881 ------------------------------------------------------------------------------------
2884 Requirements Changed
2885 ~~~~~~~~~~~~~~~~~~~~
2894 * the VNF's Heat Orchestration Template's
2895 resource ``OS::Neutron::Port`` in an Incremental Module is attaching
2896 to an internal network (per the ONAP definition, see
2897 Requirements R-52425 and R-46461)
2898 that is created in the Base Module, AND
2899 * an IPv4 address is being cloud assigned by OpenStack's DHCP Service AND
2900 * the internal network IPv4 subnet is to be specified
2901 using the property ``fixed_ips`` map property ``subnet``,
2903 the parameter **MUST** follow the naming convention
2905 * ``int_{network-role}_subnet_id``
2909 * ``{network-role}`` is the network role of the internal network
2911 Note that the parameter **MUST** be defined as an ``output`` parameter in
2919 When the VNF's Heat Orchestration Template's
2920 resource ``OS::Neutron::Port`` is attaching
2921 to an external network (per the ONAP definition, see
2922 Requirement R-57424),
2923 and an IPv4 address is being cloud assigned by OpenStack's DHCP Service
2924 and the external network IPv4 subnet is to be specified
2925 using the property ``fixed_ips``
2926 map property ``subnet``, the parameter
2927 **MUST** follow the naming convention
2929 * ``{network-role}_subnet_id``
2933 * ``{network-role}`` is the network role of the network.
2940 The VNF's Heat Orchestration Template's Resource
2941 ``OS::Neutron::Port`` property ``fixed_ips``
2942 map property ``subnet`` parameter
2943 ``int_{network-role}_v6_subnet_id``
2944 **MUST NOT** be enumerated in the
2945 VNF's Heat Orchestration Template's Environment File.
2954 * the VNF's Heat Orchestration Template's
2955 resource ``OS::Neutron::Port`` in an Incremental Module is attaching
2956 to an internal network (per the ONAP definition, see Requirements
2957 R-52425 and R-46461)
2958 that is created in the Base Module, AND
2959 * an IPv6 address is being cloud assigned by OpenStack's DHCP Service AND
2960 * the internal network IPv6 subnet is to be specified
2961 using the property ``fixed_ips`` map property ``subnet``,
2963 the parameter **MUST** follow the naming convention
2964 ``int_{network-role}_v6_subnet_id``,
2965 where ``{network-role}`` is the network role of the internal network.
2967 Note that the parameter **MUST** be defined as an ``output`` parameter in
2975 When the VNF's Heat Orchestration Template's
2976 resource ``OS::Neutron::Port`` is attaching
2977 to an external network (per the ONAP definition, see
2978 Requirement R-57424),
2979 and an IPv6 address is being cloud assigned by OpenStack's DHCP Service
2980 and the external network IPv6 subnet is to be specified
2981 using the property ``fixed_ips``
2982 map property ``subnet``, the parameter
2983 **MUST** follow the naming convention
2985 * ``{network-role}_v6_subnet_id``
2989 * ``{network-role}`` is the network role of the network.
2996 The VNF's Heat Orchestration Template's Resource
2997 ``OS::Neutron::Port`` property ``fixed_ips``
2998 map property ``subnet`` parameter
2999 ``{network-role}_subnet_id``
3000 **MUST NOT** be enumerated in the
3001 VNF's Heat Orchestration Template's Environment File.
3008 The VNF's Heat Orchestration Template's Resource
3009 ``OS::Neutron::Port`` property ``fixed_ips``
3010 map property ``subnet`` parameter
3011 ``{network-role}_v6_subnet_id``
3012 **MUST NOT** be enumerated in the
3013 VNF's Heat Orchestration Template's Environment File.
3020 The VNF's Heat Orchestration Template's
3021 resource ``OS::Neutron::Port`` property ``fixed_ips``
3022 map property ``subnet`` parameter
3023 **MUST** be declared type ``string``.
3030 The VNF's Heat Orchestration Template's Resource
3031 ``OS::Neutron::Port`` property ``fixed_ips``
3032 map property ``subnet`` parameter
3033 ``int_{network-role}_subnet_id``
3034 **MUST NOT** be enumerated in the
3035 VNF's Heat Orchestration Template's Environment File.
3038 Resource: OS::Neutron::Port - Parameters > Property: network
3039 ------------------------------------------------------------
3042 Requirements Changed
3043 ~~~~~~~~~~~~~~~~~~~~
3050 The VNF's Heat Orchestration Template's Resource ``OS::Neutron::Port``
3051 property ``network``
3052 parameter **MUST NOT** be enumerated in the Heat Orchestration
3053 Template's Environment File.
3060 When the VNF's Heat Orchestration Template's Resource
3061 ``OS::Neutron::Port`` is attaching to an external network (per the
3062 ONAP definition, see Requirement R-57424), the
3063 ``network`` parameter name **MUST**
3065 * follow the naming convention ``{network-role}_net_id`` if the Neutron
3066 network UUID value is used to reference the network
3067 * follow the naming convention ``{network-role}_net_name`` if the
3068 OpenStack network name is used to reference the network.
3070 where ``{network-role}`` is the network-role of the external network
3071 and a ``get_param`` **MUST** be used as the intrinsic function.
3078 When the VNF's Heat Orchestration Template's resource
3079 ``OS::Neutron::Port`` is attaching to an internal network (per the
3080 ONAP definition, see Requirements R-52425 and R-46461),
3081 and the internal network is created in the
3082 same Heat Orchestration Template as the ``OS::Neutron::Port``,
3083 the ``network`` property value **MUST** obtain the UUID
3084 of the internal network by using the intrinsic function
3086 and referencing the Resource ID of the internal network.
3093 When the VNF's Heat Orchestration Template's Resource
3094 ``OS::Neutron::Port`` is attaching to an internal network (per the
3095 ONAP definition, see Requirements R-52425 and R-46461),
3096 and the internal network is created in a
3097 different Heat Orchestration Template than the ``OS::Neutron::Port``,
3098 the ``network`` parameter name **MUST**
3100 * follow the naming convention ``int_{network-role}_net_id`` if the Neutron
3101 network UUID value is used to reference the network
3102 * follow the naming convention ``int_{network-role}_net_name`` if the
3103 OpenStack network name in is used to reference the network.
3105 where ``{network-role}`` is the network-role of the internal network and
3106 a ``get_param`` **MUST** be used as the intrinsic function.
3109 Resource: OS::Nova::Server - Parameters
3110 ---------------------------------------
3121 A VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource's
3124 * property ``image`` parameter name
3125 * property ``flavor`` parameter name
3126 * property ``name`` parameter name
3129 **MUST** contain the identical ``{vm-type}``
3130 and **MUST** follow the naming conventions defined
3131 in R-58670, R-45188, R-54171, R-87817, and R-29751.
3134 Resource: OS::Nova::Server - Parameters > Property: Name
3135 --------------------------------------------------------
3146 The VNF's Heat Orchestration Template's Resource ``OS::Nova::Server``
3147 property ``name`` value **MUST** be be obtained via a ``get_param``.
3150 Requirements Changed
3151 ~~~~~~~~~~~~~~~~~~~~
3158 When the VNF's Heat Orchestration Template's Resource ``OS::Nova::Server``
3159 property ``name`` parameter is defined as a ``string``, a parameter
3160 **MUST** be delcared for
3161 each ``OS::Nova::Server`` resource associated with the ``{vm-type}``.
3168 When the VNF's Heat Orchestration Template's Resource ``OS::Nova::Server``
3169 property ``name`` parameter is defined as a ``string``,
3170 the parameter name **MUST** follow the naming convention
3171 ``{vm-type}_name_{index}``, where ``{index}`` is a numeric
3172 value that starts at
3173 zero and increments by one.
3180 The VNF's Heat Orchestration Template's Resource ``OS::Nova::Server``
3182 ``name`` parameter **MUST** be declared as either type ``string``
3183 or type ``comma_delimited_list``.
3186 Resource: OS::Nova::Server - Parameters > Property: Name > Contrail Issue with Values for OS::Nova::Server Property Name
3187 ------------------------------------------------------------------------------------------------------------------------
3190 Requirements Changed
3191 ~~~~~~~~~~~~~~~~~~~~
3198 The VNF's Heat Orchestration Template's Resource ``OS::Nova::Server``
3200 ``name`` parameter value **SHOULD NOT** contain special characters
3201 since the Contrail GUI has a limitation displaying special characters.
3203 However, if special characters must be used, the only special characters
3204 supported are: --- \" ! $ ' (\ \ ) = ~ ^ | @ ` { } [ ] > , . _
3207 Resource: OS::Nova::Server - Parameters > Property: availability_zone
3208 ---------------------------------------------------------------------
3211 Requirements Changed
3212 ~~~~~~~~~~~~~~~~~~~~
3219 A VNF's Heat Orchestration Template that contains an ``OS::Nova:Server``
3220 Resource **MAY** define a parameter for the property
3221 ``availability_zone`` that is not utilized in any ``OS::Nova::Server``
3222 resources in the Heat Orchestration Template.
3229 The VNF's Heat Orchestration Template's Resource ``OS::Nova::Server``
3231 ``availability_zone`` parameter name **MUST** follow the naming convention
3232 ``availability_zone_{index}`` where the ``{index}``
3233 **MUST** start at zero and
3237 Resource: OS::Nova::Server - Parameters > Property: flavor
3238 ----------------------------------------------------------
3249 The VNF's Heat Orchestration Template's Resource ``OS::Nova::Server``
3250 property ``flavor`` value **MUST** be be obtained via a ``get_param``.
3253 Resource: OS::Nova::Server - Parameters > Property: image
3254 ---------------------------------------------------------
3265 The VNF's Heat Orchestration Template's Resource ``OS::Nova::Server``
3266 property ``image`` value **MUST** be be obtained via a ``get_param``.
3269 Resource: OS::Nova::Server Metadata Parameters > environment_context
3270 --------------------------------------------------------------------
3273 Requirements Changed
3274 ~~~~~~~~~~~~~~~~~~~~
3281 A VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource
3283 ``metadata`` key/value pair ``environment_context`` **MUST NOT**
3284 be enumerated in the Heat Orchestration Template's environment file.
3291 A VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource
3292 property ``metadata``key/value pair ``environment_context``
3293 parameter ``environment_context`` **MUST NOT**
3294 have parameter constraints defined.
3301 A VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource
3302 property ``metadata`` key/value pair ``environment_context``
3303 parameter **MUST** be declared as ``environment_context`` and the
3304 parameter type **MUST** be defined as type: ``string``.
3307 Resource: OS::Nova::Server Metadata Parameters > vf_module_id
3308 -------------------------------------------------------------
3311 Requirements Changed
3312 ~~~~~~~~~~~~~~~~~~~~
3319 If a VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource
3321 ``metadata`` key/value pair ``vf_module_id`` is passed into a
3323 file, the key/value pair name ``vf_module_id`` **MUST NOT** change.
3330 A VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource
3331 property ``metadata`` **MUST**
3332 contain the key/value pair ``vf_module_id``
3333 and the value MUST be obtained via a ``get_param``.
3340 A VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource property
3341 ``metadata`` key/value pair ``vf_module_id`` parameter **MUST**
3342 be declared as ``vf_module_id`` and the parameter **MUST**
3343 be defined as type: ``string``.
3350 A VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource property
3351 ``metadata`` key/value pair ``vf_module_id`` parameter ``vf_module_id``
3353 have parameter constraints defined.
3360 A VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource property
3361 ``metadata`` key/value pair ``vf_module_id`` parameter ``vf_module_id``
3363 be enumerated in the Heat Orchestration Template's environment file.
3366 Resource: OS::Nova::Server Metadata Parameters > vf_module_index
3367 ----------------------------------------------------------------
3370 Requirements Changed
3371 ~~~~~~~~~~~~~~~~~~~~
3378 A VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource
3380 ``metadata`` key/value pair ``vf_module_index`` parameter
3381 ``vf_module_index`` **MUST NOT**
3382 be enumerated in the Heat Orchestration Template's environment file.
3389 A VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource
3390 property ``metadata`` key/value pair ``vf_module_index`` **MUST NOT**
3391 have parameter constraints defined.
3398 If a VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource
3399 property ``metadata`` key/value pair ``vf_module_index`` is passed into a
3400 Nested YAML file, the key/value pair
3401 ``vf_module_index`` **MUST NOT** change.
3408 A VNF's Heat Orchestration Template's ``OS::Nova::Server``
3409 resource property ``metadata`` **MAY**
3410 contain the key/value pair ``vf_module_index``
3411 and the value **MUST** be obtained via a ``get_param``.
3418 A VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource
3419 property ``metadata`` key/value pair ``vf_module_index`` **MUST NOT**
3420 be used in a ``OS::Cinder::Volume`` resource and **MUST NOT** be
3421 used in VNF's Volume template;
3422 it is not supported.
3429 A VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource
3431 ``metadata`` key/value pair ``vf_module_index`` parameter **MUST**
3432 be declared as ``vf_module_index`` and the parameter **MUST** be
3433 defined as type: ``number``.
3436 Resource: OS::Nova::Server Metadata Parameters > vf_module_name
3437 ---------------------------------------------------------------
3440 Requirements Changed
3441 ~~~~~~~~~~~~~~~~~~~~
3448 A VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource
3449 property ``metadata`` **SHOULD**
3450 contain the key/value pair ``vf_module_name`` and the value **MUST**
3451 be obtained via a ``get_param``.
3458 If a VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource
3459 property ``metadata`` key/value pair ``vf_module_name`` is passed into a
3461 file, the key/value pair name ``vf_module_name`` **MUST NOT** change.
3468 A VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource
3469 property ``metadata`` key/value pair ``vf_module_name``
3470 parameter ``vf_module_name`` **MUST NOT**
3471 be enumerated in the Heat Orchestration Template's environment file.
3478 A VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource
3480 ``metadata`` key/value pair ``vf_module_name`` parameter ``vf_module_name``
3481 **MUST NOT** have parameter constraints defined.
3488 A VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource
3490 ``metadata`` key/value pair ``vf_module_name`` parameter **MUST** be
3491 declared as ``vf_module_name`` and the parameter **MUST**
3492 be defined as type: ``string``.
3495 Resource: OS::Nova::Server Metadata Parameters > vm_role
3496 --------------------------------------------------------
3499 Requirements Changed
3500 ~~~~~~~~~~~~~~~~~~~~
3507 A VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource
3508 property ``metadata`` key/value pair ``vm_role`` parameter ``vm_role``
3509 **MUST NOT** have parameter constraints defined.
3516 If a VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource
3517 property ``metadata`` key/value pair ``vm_role`` is passed into a Nested
3519 file, the key/value pair name ``vm_role`` **MUST NOT** change.
3526 A VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource
3527 property ``metadata`` key/value pair ``vm_role`` value **MUST**
3528 only contain alphanumeric characters and underscores (i.e., '_').
3535 If a VNF's Heat Orchestration Template's ``OS::Nova::Server``
3537 ``metadata`` key/value pair ``vm_role`` value is obtained via
3538 ``get_param``, the parameter **MUST** be declared as ``vm_role``
3539 and the parameter **MUST** be defined as type: ``string``.
3546 A VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource property
3547 ``metadata`` **MAY**
3548 contain the key/value pair ``vm_role`` and the value **MUST** be
3552 - hard coded in the key/value pair ``vm_role``.
3555 Resource: OS::Nova::Server Metadata Parameters > vnf_id
3556 -------------------------------------------------------
3559 Requirements Changed
3560 ~~~~~~~~~~~~~~~~~~~~
3567 If a VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource
3569 ``metadata`` key/value pair ``vnf_id`` is passed into a Nested YAML
3570 file, the key/value pair name ``vnf_id`` **MUST NOT** change.
3577 A VNF's Heat Orchestration Template's ``OS::Nova::Server``
3579 ``metadata`` key/value pair ``vnf_id`` parameter ``vnf_id`` **MUST NOT**
3580 be enumerated in the Heat Orchestration Template's environment file.
3587 A VNF's Heat Orchestration Template's ``OS::Nova::Server``
3589 ``metadata`` key/value pair ``vnf_id`` parameter
3590 **MUST** be declared as ``vnf_id`` and the parameter **MUST**
3591 be defined as type: ``string``.
3598 A VNF's Heat Orchestration Template's ``OS::Nova::Server``
3599 resource property ``metadata`` **MUST**
3600 contain the key/value pair ``vnf_id``
3601 and the value **MUST** be obtained via a ``get_param``.
3608 A VNF's Heat Orchestration Template's ``OS::Nova::Server``
3610 ``metadata`` key/value pair ``vnf_id`` parameter ``vnf_id`` **MUST NOT**
3611 have parameter constraints defined.
3614 Resource: OS::Nova::Server Metadata Parameters > vnf_name
3615 ---------------------------------------------------------
3618 Requirements Changed
3619 ~~~~~~~~~~~~~~~~~~~~
3626 A VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource
3627 property ``metadata`` key/value pair ``vnf_name`` parameter
3628 ``vnf_name`` **MUST NOT**
3629 be enumerated in the Heat Orchestration Template's environment file.
3636 A VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource property
3637 ``metadata`` **MUST** contain the key/value pair ``vnf_name`` and the
3638 value **MUST** be obtained via a ``get_param``.
3645 A VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource
3646 property ``metadata`` key/value pair ``vnf_name``
3647 parameter ``vnf_name`` **MUST NOT**
3648 have parameter constraints defined.
3655 A VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource
3656 property ``metadata`` key/value pair ``vnf_name`` parameter **MUST**
3657 be declared as ``vnf_name`` and the parameter **MUST** be defined as
3665 If a VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource
3667 ``metadata`` key/value pair ``vnf_name`` is passed into a Nested YAML
3668 file, the key/value pair name ``vnf_name`` **MUST NOT** change.
3671 Resource: OS::Nova::Server Metadata Parameters > workload_context
3672 -----------------------------------------------------------------
3675 Requirements Changed
3676 ~~~~~~~~~~~~~~~~~~~~
3683 A VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource
3684 property ``metadata`` key/value pair ``workload_context``
3686 be declared as ``workload_context`` and the parameter **MUST**
3687 be defined as type: ``string``.
3694 A VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource
3695 property ``metadata`` key/value pair ``workload_context``
3696 parameter ``workload_context`` **MUST NOT**
3697 be enumerated in the Heat Orchestration Template's environment file.
3704 A VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource
3705 property ``metadata`` key/value pair ``workload_context``
3706 parameter ``workload_context`` **MUST NOT**
3707 have parameter constraints defined.
3714 If a VNF's Heat Orchestration Template's ``OS::Nova::Server`` resource
3715 property ``metadata`` key/value pair ``workload_context``
3716 is passed into a Nested YAML
3717 file, the key/value pair name ``workload_context`` **MUST NOT** change.
3720 VNF On-boarding and package management > Resource Description
3721 -------------------------------------------------------------
3732 The VNF package MUST provide :doc:`VES Event Registration <../../../../vnfsdk/module.git/files/VESEventRegistration_3_0>`
3733 for all VES events provided by that xNF.
3740 The VNF documentation **MUST** contain a list of the files within the VNF
3741 package that are static during the VNF's runtime.
3744 VNF On-boarding and package management > Testing
3745 ------------------------------------------------
3748 Requirements Changed
3749 ~~~~~~~~~~~~~~~~~~~~
3756 The xNF Package **MUST** include documentation describing
3757 the tests that were conducted by the xNF provider and the test results.
3760 VNF Resiliency > Virtual Function - Container Recovery Requirements
3761 -------------------------------------------------------------------
3772 The VNF **MUST** support ONAP Controller's Evacuate command.
3779 The VNF **MUST** support ONAP Controller's Snapshot command.
3782 VNF Security > VNF API Security Requirements
3783 --------------------------------------------
3786 Requirements Changed
3787 ~~~~~~~~~~~~~~~~~~~~
3794 The VNF **MUST** implement the following input validation control
3795 on APIs: Validate that any input file has a correct and valid
3796 Multipurpose Internet Mail Extensions (MIME) type. Input files
3797 should be tested for spoofed MIME types.
3804 The VNF **MUST** implement the following input validation controls:
3805 Do not permit input that contains content or characters inappropriate
3806 to the input expected by the design. Inappropriate input, such as
3807 SQL expressions, may cause the system to execute undesirable and
3808 unauthorized transactions against the database or allow other
3809 inappropriate access to the internal network (injection attacks).
3816 The VNF **SHOULD** integrate with the Operator's authentication and
3817 authorization services (e.g., IDAM).
3820 Requirements Removed
3821 ~~~~~~~~~~~~~~~~~~~~
3828 The VNF **MUST** implement all monitoring and logging as
3829 described in the Security Analytics section.
3836 The VNF **MUST** restrict changing the criticality level of
3837 a system security alarm to administrator(s).
3844 The VNF **MUST** monitor API invocation patterns to detect
3845 anomalous access patterns that may represent fraudulent access or
3846 other types of attacks, or integrate with tools that implement anomaly
3847 and abuse detection.
3854 The VNF **MUST** validate the CA signature on the certificate,
3855 ensure that the date is within the validity period of the certificate,
3856 check the Certificate Revocation List (CRL), and recognize the identity
3857 represented by the certificate where PKI-based authentication is used.
3864 The VNF **MUST** validate input at all layers implementing VNF APIs.
3871 The VNF **MUST** use certificates issued from publicly
3872 recognized Certificate Authorities (CA) for the authentication process
3873 where PKI-based authentication is used.
3880 The VNF **MUST** provide a mechanism to restrict access based
3881 on the attributes of the VNF and the attributes of the subject.
3888 The VNF **MUST** support requests for information from law
3889 enforcement and government agencies.
3896 The VNF **MUST** comply with NIST standards and industry
3897 best practices for all implementations of cryptography.
3900 VNF Security > VNF Cryptography Requirements
3901 --------------------------------------------
3904 Requirements Changed
3905 ~~~~~~~~~~~~~~~~~~~~
3912 The VNF **SHOULD** support an automated certificate management protocol
3913 such as CMPv2, Simple Certificate Enrollment Protocol (SCEP) or
3914 Automated Certificate Management Environment (ACME).
3921 The VNF **SHOULD** provide the capability to integrate with an
3922 external encryption service.
3929 The VNF **MUST** support the use of X.509 certificates issued from any
3930 Certificate Authority (CA) that is compliant with RFC5280, e.g., a public
3931 CA such as DigiCert or Let's Encrypt, or an RFC5280 compliant Operator
3934 Note: The VNF provider cannot require the use of self-signed certificates
3935 in an Operator's run time environment.
3942 The VNF **MUST** support HTTP/S using TLS v1.2 or higher
3943 with strong cryptographic ciphers.
3946 VNF Security > VNF Data Protection Requirements
3947 -----------------------------------------------
3950 Requirements Changed
3951 ~~~~~~~~~~~~~~~~~~~~
3958 The VNF **MUST** provide the capability of using X.509 certificates
3959 issued by an external Certificate Authority.
3966 The VNF **MUST** provide the capability to restrict read
3967 and write access to data handled by the VNF.
3974 The VNF **MUST** be capable of protecting the confidentiality and integrity
3975 of data at rest and in transit from unauthorized access and modification.
3982 The VNF **MUST** provide the capability to encrypt data on
3983 non-volatile memory.Non-volative memory is storage that is
3984 capable of retaining data without electrical power, e.g.
3985 Complementary metal-oxide-semiconductor (CMOS) or hard drives.
3992 The VNF **MUST** use NIST and industry standard cryptographic
3993 algorithms and standard modes of operations when implementing
4001 The VNF **MUST** support digital certificates that comply with X.509
4009 The VNF **MUST** use, whenever possible, standard implementations
4010 of security applications, protocols, and formats, e.g., S/MIME, TLS, SSH,
4011 IPSec, X.509 digital certificates for cryptographic implementations.
4012 These implementations must be purchased from reputable vendors or obtained
4013 from reputable open source communities and must not be developed in-house.
4020 The VNF **MUST** provide the ability to migrate to newer
4021 versions of cryptographic algorithms and protocols with minimal impact.
4028 The VNF **MUST NOT** use compromised encryption algorithms.
4029 For example, SHA, DSS, MD5, SHA-1 and Skipjack algorithms.
4030 Acceptable algorithms can be found in the NIST FIPS publications
4031 (https://csrc.nist.gov/publications/fips) and in the
4032 NIST Special Publications (https://csrc.nist.gov/publications/sp).
4035 Requirements Removed
4036 ~~~~~~~~~~~~~~~~~~~~
4043 The VNF **SHOULD** use commercial algorithms only when there
4044 are no applicable governmental standards for specific cryptographic
4045 functions, e.g., public key cryptography, message digests.
4052 The VNF **MUST** provide the capability to restrict access
4053 to data to specific users.
4056 VNF Security > VNF General Security Requirements
4057 ------------------------------------------------
4068 Login access (e.g., shell access) to the operating system layer, whether
4069 interactive or as part of an automated process, **MUST** be through an
4070 encrypted protocol such as SSH or TLS.
4077 The VNF **MUST NOT** contain any backdoors.
4084 If SNMP is utilized, the VNF **MUST** support at least SNMPv3 with
4085 message authentication.
4092 The VNF application processes **MUST NOT** run as root.
4099 The VNF **MUST**, after a successful login at command line or a GUI,
4100 display the last valid login date and time and the number of unsuccessful
4101 attempts since then made with that user's ID. This requirement is only
4102 applicable when the user account is defined locally in the VNF.
4109 The VNF **MUST** log any security event required by the VNF Requirements to
4110 Syslog using LOG_AUTHPRIV for any event that would contain sensitive
4111 information and LOG_AUTH for all other relevant events.
4118 The VNF **MUST** be operable without the use of Network File System (NFS).
4125 The VNF **MUST** include a configuration, e.g., a heat template or CSAR
4126 package, that specifies the targetted parameters, e.g. a limited set of
4127 ports, over which the VNF will communicate (including internal, external
4128 and management communication).
4135 The VNF **MUST** store Authentication Credentials used to authenticate to
4136 other systems encrypted except where there is a technical need to store
4137 the password unencrypted in which case it must be protected using other
4138 security techniques that include the use of file and directory permissions.
4139 Ideally, credentials SHOULD rely on a HW Root of Trust, such as a
4143 Requirements Changed
4144 ~~~~~~~~~~~~~~~~~~~~
4151 The VNF **MUST** support encrypted access protocols, e.g., TLS,
4159 The VNF **SHOULD** provide the capability for the Operator to run security
4160 vulnerability scans of the operating system and all application layers.
4167 The VNF **MUST** provide a mechanism (e.g., access control list) to
4168 permit and/or restrict access to services on the VNF by source,
4169 destination, protocol, and/or port.
4176 The VNF **SHOULD** support network segregation, i.e., separation of OA&M
4177 traffic from signaling and payload traffic, using technologies such as
4185 The VNF **MUST** allow the Operator to disable or remove any security
4186 testing tools or programs included in the VNF, e.g., password cracker,
4194 The VNF **MUST** support the ability to prohibit remote access to the VNF
4195 via a host based security mechanism.
4202 The VNF **MUST** have all code (e.g., QCOW2) and configuration files
4203 (e.g., HEAT template, Ansible playbook, script) hardened, or with
4204 documented recommended configurations for hardening and interfaces that
4205 allow the Operator to harden the VNF. Actions taken to harden a system
4206 include disabling all unnecessary services, and changing default values
4207 such as default credentials and community strings.
4214 For all GUI and command-line interfaces, the VNF **MUST** provide the
4215 ability to present a warning notice that is set by the Operator. A warning
4216 notice is a formal statement of resource intent presented to everyone
4217 who accesses the system.
4224 The VNF **MUST** provide functionality that enables the Operator to comply
4225 with requests for information from law enforcement and government agencies.
4232 The VNF **MUST** implement and enforce the principle of least privilege
4233 on all protected interfaces.
4240 The VNF **SHOULD** support the use of virtual trusted platform
4248 The VNF Provider **MUST** have patches available for vulnerabilities
4249 in the VNF as soon as possible. Patching shall be controlled via change
4250 control process with vulnerabilities disclosed along with
4251 mitigation recommendations.
4258 The VNF **SHOULD** provide a mechanism that enables the operators to
4259 perform automated system configuration auditing at configurable time
4263 Requirements Removed
4264 ~~~~~~~~~~~~~~~~~~~~
4271 The VNF **SHOULD** support the ability to work with aliases
4272 (e.g., gateways, proxies) to protect and encapsulate resources.
4279 The VNF **SHOULD** interoperate with various access control
4280 mechanisms for the Network Cloud execution environment (e.g.,
4281 Hypervisors, containers).
4288 The VNF **MUST**, if not using the NCSP's IDAM API, comply
4289 with the NCSP's credential management policy.
4296 The VNF **MUST**, if not using the NCSP's IDAM API, comply
4297 with "password changes (includes default passwords)" policy. Products
4298 will support password aging, syntax and other credential management
4299 practices on a configurable basis.
4306 The VNF **MUST**, if not using the NCSP's IDAM API, support
4307 use of common third party authentication and authorization tools such
4315 The VNF **MUST** use the NCSP's IDAM API or comply with
4316 the requirements if not using the NCSP's IDAM API, for identification,
4317 authentication and access control of OA&M and other system level
4325 The VNF **MUST** pass all access to applications (Bearer,
4326 signaling and OA&M) through various security tools and platforms from
4327 ACLs, stateful firewalls and application layer gateways depending on
4328 manner of deployment. The application is expected to function (and in
4329 some cases, interwork) with these security tools.
4336 The VNF **MUST**, if not using the NCSP's IDAM API, provide
4337 the ability to support Multi-Factor Authentication (e.g., 1st factor =
4338 Software token on device (RSA SecureID); 2nd factor = User Name+Password,
4339 etc.) for the users.
4346 The VNF **MUST** distribute all production code from NCSP
4347 internal sources only. No production code, libraries, OS images, etc.
4348 shall be distributed from publically accessible depots.
4355 The VNF **MUST**, if not using the NCSP's IDAM API, support
4356 logging via ONAP for a historical view of "who did what and when."
4363 The VNF **MUST**, if not using the NCSP's IDAM API, support
4364 User-IDs and passwords to uniquely identify the user/application. VNF
4365 needs to have appropriate connectors to the Identity, Authentication
4366 and Authorization systems that enables access at OS, Database and
4367 Application levels as appropriate.
4374 The VNF **MUST** implement Data Storage Encryption
4375 (database/disk encryption) for Sensitive Personal Information (SPI)
4376 and other subscriber identifiable data.
4378 Note: Subscribers SPI/data must be encrypted at rest, and other
4379 subscriber identifiable data should be encrypted at rest. Other
4380 data protection requirements exist and should be well understood
4384 VNF Security > VNF Identity and Access Management Requirements
4385 --------------------------------------------------------------
4396 The VNF **MUST** provide a means for the user to explicitly logout, thus
4397 ending that session for that authenticated user.
4404 The VNF **MUST**, if not integrated with the Operator's Identity and Access
4405 Management system, or enforce a configurable "terminate idle sessions"
4406 policy by terminating the session after a configurable period of inactivity.
4413 The VNF **MUST NOT** display "Welcome" notices or messages that could
4414 be misinterpreted as extending an invitation to unauthorized users.
4421 A failed authentication attempt **MUST NOT** identify the reason for the
4422 failure to the user, only that the authentication failed.
4429 The VNF **MUST** have the capability of allowing the Operator to create,
4430 manage, and automatically provision user accounts using an Operator
4431 approved identity lifecycle management tool using a standard protocol,
4439 The VNF MUST not store authentication credentials to itself in clear
4440 text or any reversible form and must use salting.
4447 The VNF **MUST** support account names that contain at least A-Z, a-z,
4448 0-9 character sets and be at least 6 characters in length.
4451 Requirements Changed
4452 ~~~~~~~~~~~~~~~~~~~~
4459 The VNF **MUST**, if not integrated with the Operator's identity and
4460 access management system, authenticate all access to protected GUIs, CLIs,
4468 The VNF **MUST** provide access controls that allow the Operator
4469 to restrict access to VNF functions and data to authorized entities.
4476 The VNF **MUST** integrate with standard identity and access management
4477 protocols such as LDAP, TACACS+, Windows Integrated Authentication
4478 (Kerberos), SAML federation, or OAuth 2.0.
4485 The VNF **MUST** set the default settings for user access
4486 to deny authorization, except for a super user type of account.
4487 When a VNF is added to the network, nothing should be able to use
4488 it until the super user configures the VNF to allow other users
4489 (human and application) have access.
4496 The VNF **MUST NOT** allow the assumption of the permissions of another
4497 account to mask individual accountability. For example, use SUDO when a
4498 user requires elevated permissions such as root or admin.
4505 The VNF **MUST**, if not integrated with the Operator's Identity and
4506 Access Management system, support configurable password expiration.
4513 Each architectural layer of the VNF (eg. operating system, network,
4514 application) **MUST** support access restriction independently of all
4515 other layers so that Segregation of Duties can be implemented.
4522 The VNF **MUST**, if not integrated with the Operator's Identity
4523 and Access Management system, support the ability to disable the
4524 userID after a configurable number of consecutive unsuccessful
4525 authentication attempts using the same userID.
4532 The VNF **MUST**, if not integrated with the Operator's Identity and
4533 Access Management system, comply with "password complexity" policy. When
4534 passwords are used, they shall be complex and shall at least meet the
4535 following password construction requirements: (1) be a minimum configurable
4536 number of characters in length, (2) include 3 of the 4 following types of
4537 characters: upper-case alphabetic, lower-case alphabetic, numeric, and
4538 special, (3) not be the same as the UserID with which they are associated
4539 or other common strings as specified by the environment, (4) not contain
4540 repeating or sequential characters or numbers, (5) not to use special
4541 characters that may have command functions, and (6) new passwords must
4542 not contain sequences of three or more characters from the previous
4550 The VNF **SHOULD** support OAuth 2.0 authorization using an external
4551 Authorization Server.
4558 The VNF **MUST**, if not integrated with the Operator's Identity and
4559 Access Management system, support Role-Based Access Control to enforce
4567 The VNF **MUST**, if not integrated with the Operator's Identity and
4568 Access Management system, support the creation of multiple IDs so that
4569 individual accountability can be supported.
4576 The VNF **MUST** support strong authentication, also known as
4577 multifactor authentication, on all protected interfaces exposed by the
4578 VNF for use by human users. Strong authentication uses at least two of the
4579 three different types of authentication factors in order to prove the
4580 claimed identity of a user.
4587 The VNF **MUST** allow the Operator to restrict access based on
4588 the assigned permissions associated with an ID in order to support
4589 Least Privilege (no more privilege than required to perform job
4593 Requirements Removed
4594 ~~~~~~~~~~~~~~~~~~~~
4601 The VNF **MUST** host connectors for access to the database layer.
4608 The VNF **MUST** provide or support the Identity and Access
4609 Management (IDAM) based threat detection data for Session Hijacking.
4616 The VNF **MUST NOT** include authentication credentials
4617 in security audit logs, even if encrypted.
4624 The VNF **MUST** provide Context awareness data (device,
4625 location, time, etc.) and be able to integrate with threat detection system.
4632 The VNF **MUST** provide or support the Identity and Access
4633 Management (IDAM) based threat detection data for Password Attacks.
4640 The VNF **MUST** provide or support the Identity and Access
4641 Management (IDAM) based threat detection data for XSS / CSRF.
4648 The VNF **MUST** subject VNF provider access to privilege
4649 reconciliation tools to prevent access creep and ensure correct
4650 enforcement of access policies.
4657 The VNF **MUST** provide or support the Identity and Access
4658 Management (IDAM) based threat detection data for Man in the Middle (MITM).
4665 The VNF **MUST** host connectors for access to the OS (Operating System) layer.
4672 The VNF **MUST** authorize VNF provider access through a
4673 client application API by the client application owner and the resource
4674 owner of the VNF before provisioning authorization through Role Based
4675 Access Control (RBAC), Attribute Based Access Control (ABAC), or other
4676 policy based mechanism.
4683 The VNF **MUST** provide or support the Identity and Access
4684 Management (IDAM) based threat detection data for Replay.
4691 The VNF **MUST** provide or support the Identity and Access
4692 Management (IDAM) based threat detection data for Eavesdropping.
4699 The VNF **MUST** provide or support the Identity and Access
4700 Management (IDAM) based threat detection data for Malware (Key Logger).
4707 The VNF **MUST** provide minimum privileges for initial
4708 and default settings for new user accounts.
4715 The VNF **MUST** provide or support the Identity and Access
4716 Management (IDAM) based threat detection data for Phishing / SMishing.
4723 The VNF **MUST** use access controls for VNFs and their
4724 supporting computing systems at all times to restrict access to
4725 authorized personnel only, e.g., least privilege. These controls
4726 could include the use of system configuration or access control
4734 The VNF **MUST** conform to approved request, workflow
4735 authorization, and authorization provisioning requirements when
4736 creating privileged users.
4743 The VNF **MUST** authenticate system to system access and
4744 do not conceal a VNF provider user's individual accountability for
4752 The VNF **MUST NOT** install or use systems, tools or
4753 utilities capable of capturing or logging data that was not created
4754 by them or sent specifically to them in production, without
4755 authorization of the VNF system owner.
4762 The VNF **MUST** host connectors for access to the application layer.
4765 VNF Security > VNF Security Analytics Requirements
4766 --------------------------------------------------
4777 The VNF **MUST** log the Source IP address in the security audit logs.
4784 The VNF **SHOULD** provide the capability of maintaining the integrity of
4785 its static files using a cryptographic method.
4792 The VNF **MUST** be capable of automatically synchronizing the system clock
4793 daily with the Operator's trusted time source, to assure accurate time
4794 reporting in log files. It is recommended that Coordinated Universal Time
4795 (UTC) be used where possible, so as to eliminate ambiguity owing to daylight
4803 The VNF **MUST** have the capability to securely transmit the security logs
4804 and security events to a remote system before they are purged from the
4812 The VNF **MUST** log automated remote activities performed with
4813 elevated privileges.
4816 Requirements Changed
4817 ~~~~~~~~~~~~~~~~~~~~
4824 The VNF **MUST** log success and unsuccessful creation, removal, or
4825 change to the inherent privilege level of users.
4832 The VNF **MUST** support detection of malformed packets due to software
4833 misconfiguration or software vulnerability, and generate an error to the
4834 syslog console facility.
4841 The VNF **MUST** be implemented so that it is not vulnerable to OWASP
4842 Top 10 web application security risks.
4849 The VNF **MUST** log successful and unsuccessful authentication
4850 attempts, e.g., authentication associated with a transaction,
4851 authentication to create a session, authentication to assume elevated
4859 The VNF **SHOULD** operate with anti-virus software which produces alarms
4860 every time a virus is detected.
4867 The VNF **MUST** log connections to the network listeners of the
4875 The VNF **MUST** activate security alarms automatically when
4876 it detects the successful modification of a critical system or
4884 The VNF **MUST** activate security alarms automatically when
4885 a configurable number of consecutive unsuccessful login attempts
4893 The VNF **MUST** restrict changing the criticality level of a
4894 system security alarm to users with administrative privileges.
4901 The VNF **MUST** detect when its security audit log storage
4902 medium is approaching capacity (configurable) and issue an alarm.
4909 The VNF **MUST** log successful and unsuccessful access to VNF
4910 resources, including data.
4917 The VNF **MUST** generate security audit logs that can be sent
4918 to Security Analytics Tools for analysis.
4925 The VNF **MUST** activate security alarms automatically when
4926 it detects an unsuccessful attempt to gain permissions
4927 or assume the identity of another user.
4934 The VNF **MUST** support the storage of security audit logs for a
4935 configurable period of time.
4938 Requirements Removed
4939 ~~~~~~~~~~~~~~~~~~~~
4946 The VNF **MUST** log successful and unsuccessful changes to a privilege level.
4953 The VNF **MUST** provide audit logs that include user ID, dates,
4954 times for log-on and log-off, and terminal location at minimum.
4961 The VNF **MUST** support alternative monitoring capabilities
4962 when VNFs do not expose data or control traffic or use proprietary and
4963 optimized protocols for inter VNF communication.
4970 The VNF **MUST** perform data capture for security functions.
4977 The VNF **MUST** support integrated DPI/monitoring functionality
4978 as part of VNFs (e.g., PGW, MME).
4985 The VNF **MUST** implement "Closed Loop" automatic implementation
4986 (without human intervention) for Known Threats with detection rate in low
4994 The VNF **MUST** provide the capability of generating security
4995 audit logs by interacting with the operating system (OS) as appropriate.
5002 The VNF **MUST** support event logging, formats, and delivery
5003 tools to provide the required degree of event data to ONAP.
5010 Requirements Changed
5011 ~~~~~~~~~~~~~~~~~~~~
5018 A VNF's Heat Orchestration Template's ``{network-role}`` **MUST** contain
5019 only alphanumeric characters and/or underscores '_' and
5020 **MUST NOT** contain any of the following strings:
5021 ``_int`` or ``int_`` or ``_int_``.
5028 A VNF's Heat Orchestration Template's Resource property parameter that
5029 is associated with an internal network **MUST** include
5030 ``int_{network-role}`` as part of the parameter name,
5031 where ``int_`` is a hard coded string.
5038 A VNF's Heat Orchestration Template's Resource ID that is associated
5039 with an internal network **MUST** include ``int_{network-role}`` as part
5040 of the Resource ID, where ``int_`` is a hard coded string.
5047 Requirements Changed
5048 ~~~~~~~~~~~~~~~~~~~~
5055 A VNF's Heat Orchestration Template's Resource property parameter that is
5056 associated with a unique Virtual Machine type **MUST** include
5057 ``{vm-type}`` as part of the parameter name with two exceptions:
5059 1.) The Resource ``OS::Nova::Server`` property ``availability_zone``
5060 parameter **MUST NOT** be prefixed with a common ``{vm-type}`` identifier,
5062 2.) The Resource ``OS::Nova::Server`` eight mandatory and optional
5064 parameters (i.e., ``vnf_name``, ``vnf_id``, ``vf_module_id``,
5065 ``vf_module_name``, ``vm_role``,
5066 ``vf_module_index``, ``environment_context``, ``workload_context``)
5067 **MUST NOT** be prefixed with a common ``{vm-type}`` identifier.
5074 A VNF's Heat Orchestration Template's ``{vm-type}`` **MUST** contain only
5075 alphanumeric characters and/or underscores '_' and **MUST NOT**
5076 contain any of the following strings:
5077 ``_int`` or ``int_`` or ``_int_``.
5084 When a VNF's Heat Orchestration Template creates a Virtual Machine
5085 (i.e., ``OS::Nova::Server``),
5086 each "class" of VMs **MUST** be assigned a VNF unique
5087 ``{vm-type}``; where "class" defines VMs that
5088 **MUST** have the following identical characteristics:
5090 1.) ``OS::Nova::Server`` resource property ``flavor`` value
5092 2.) ``OS::Nova::Server`` resource property ``image`` value
5094 3.) Cinder Volume attachments
5096 - Each VM in the "class" **MUST** have the identical Cinder Volume
5099 4.) Network attachments and IP address requirements
5101 - Each VM in the "class" **MUST** have the the identical number of
5102 ports connecting to the identical networks and requiring the identical
5103 IP address configuration.