VNF Design Requirements
-* R-xxxxx The VNF **SHOULD** be decomposed into granular re-usable VNFCs.
-* R-xxxxx The VNF **MUST** be decomposed if the functions have significantly different scaling characteristics (e.g., signaling versus media functions, control versus data plane functions).
-* R-xxxxx The VNF **MUST** enable instantiating only the functionality that is needed for the decomposed VNF (e.g., if transcoding is not needed it should not be instantiated).
-* R-xxxxx The VNFC **MUST** be designed as a standalone, executable process.
-* R-xxxxx The VNF **SHOULD** create a single component VNF for VNFCs that can be used by other VNFs.
-* R-xxxxx The VNF **MUST** be designed to scale horizontally (more instances of a VNF or VNFC) and not vertically (moving the existing instances to larger VMs or increasing the resources within a VM) to achieve effective utilization of cloud resources.
-* R-xxxxx The VNF **MUST** utilize cloud provided infrastructure and VNFs (e.g., virtualized Local Load Balancer) as part of the VNF so that the cloud can manage and provide a consistent service resiliency and methods across all VNF's.
-* R-xxxxx The VNFC **SHOULD** be independently deployed, configured, upgraded, scaled, monitored, and administered by ONAP.
-* R-xxxxx The VNFC **MUST** provide API versioning to allow for independent upgrades of VNFC.
-* R-xxxxx The VNFC **SHOULD** minimize the use of state within a VNFC to facilitate the movement of traffic from one instance to another.
-* R-xxxxx The VNF **SHOULD** maintain state in a geographically redundant datastore that may, in fact, be its own VNFC.
-* R-xxxxx The VNF **SHOULD** decouple persistent data from the VNFC and keep it in its own datastore that can be reached by all instances of the VNFC requiring the data.
-* R-xxxxx The VNF **MUST** utilize virtualized, scalable open source database software that can meet the performance/latency requirements of the service for all datastores.
-* R-xxxxx The VNF **MUST** NOT terminate stable sessions if a VNFC instance fails.
-* R-xxxxx The VNF **MUST** enable DPDK in the guest OS for VNF’s requiring high packets/sec performance. High packet throughput is defined as greater than 500K packets/sec.
-* R-xxxxx The VNF **MUST** use the NCSP’s supported library and compute flavor that supports DPDK to optimize network efficiency if using DPDK. [1]_
-* R-xxxxx The VNF **MUST** NOT use technologies that bypass virtualization layers (such as SR-IOV) unless approved by the NCSP (e.g., if necessary to meet functional or performance requirements).
-* R-xxxxx The VNF **MUST** limit the size of application data packets to no larger than 9000 bytes for SDN network-based tunneling when guest data packets are transported between tunnel endpoints that support guest logical networks.
-* R-xxxxx The VNF **MUST** NOT require the use of a dynamic routing protocol unless necessary to meet functional requirements.
+* R-58421 The VNF **SHOULD** be decomposed into granular re-usable VNFCs.
+* R-82223 The VNF **MUST** be decomposed if the functions have significantly different scaling characteristics (e.g., signaling versus media functions, control versus data plane functions).
+* R-16496 The VNF **MUST** enable instantiating only the functionality that is needed for the decomposed VNF (e.g., if transcoding is not needed it should not be instantiated).
+* R-02360 The VNFC **MUST** be designed as a standalone, executable process.
+* R-34484 The VNF **SHOULD** create a single component VNF for VNFCs that can be used by other VNFs.
+* R-23035 The VNF **MUST** be designed to scale horizontally (more instances of a VNF or VNFC) and not vertically (moving the existing instances to larger VMs or increasing the resources within a VM) to achieve effective utilization of cloud resources.
+* R-30650 The VNF **MUST** utilize cloud provided infrastructure and VNFs (e.g., virtualized Local Load Balancer) as part of the VNF so that the cloud can manage and provide a consistent service resiliency and methods across all VNF's.
+* R-12709 The VNFC **SHOULD** be independently deployed, configured, upgraded, scaled, monitored, and administered by ONAP.
+* R-37692 The VNFC **MUST** provide API versioning to allow for independent upgrades of VNFC.
+* R-86585 The VNFC **SHOULD** minimize the use of state within a VNFC to facilitate the movement of traffic from one instance to another.
+* R-65134 The VNF **SHOULD** maintain state in a geographically redundant datastore that may, in fact, be its own VNFC.
+* R-75850 The VNF **SHOULD** decouple persistent data from the VNFC and keep it in its own datastore that can be reached by all instances of the VNFC requiring the data.
+* R-88199 The VNF **MUST** utilize virtualized, scalable open source database software that can meet the performance/latency requirements of the service for all datastores.
+* R-99656 The VNF **MUST** NOT terminate stable sessions if a VNFC instance fails.
+* R-84473 The VNF **MUST** enable DPDK in the guest OS for VNF’s requiring high packets/sec performance. High packet throughput is defined as greater than 500K packets/sec.
+* R-54430 The VNF **MUST** use the NCSP’s supported library and compute flavor that supports DPDK to optimize network efficiency if using DPDK. [1]_
+* R-18864 The VNF **MUST** NOT use technologies that bypass virtualization layers (such as SR-IOV) unless approved by the NCSP (e.g., if necessary to meet functional or performance requirements).
+* R-64768 The VNF **MUST** limit the size of application data packets to no larger than 9000 bytes for SDN network-based tunneling when guest data packets are transported between tunnel endpoints that support guest logical networks.
+* R-74481 The VNF **MUST** NOT require the use of a dynamic routing protocol unless necessary to meet functional requirements.
b. VNF Resiliency
=================
All Layer Redundancy Requirements
-* R-xxxxx The VNF **MUST** meet their own resiliency goals and not rely on the Network Cloud.
-* R-xxxxx The VNF **MUST** design resiliency into a VNF such that the resiliency deployment model (e.g., active-active) can be chosen at run-time.
-* R-xxxxx The VNF **MUST** survive any single points of failure within the Network Cloud (e.g., virtual NIC, VM, disk failure).
-* R-xxxxx The VNF **MUST** survive any single points of software failure internal to the VNF (e.g., in memory structures, JMS message queues).
-* R-xxxxx The VNF **MUST** be designed, built and packaged to enable deployment across multiple fault zones (e.g., VNFCs deployed in different servers, racks, OpenStack regions, geographies) so that in the event of a planned/unplanned downtime of a fault zone, the overall operation/throughput of the VNF is maintained.
-* R-xxxxx The VNF **MUST** support the ability to failover a VNFC automatically to other geographically redundant sites if not deployed active-active to increase the overall resiliency of the VNF.
-* R-xxxxx The VNF **MUST** support the ability of the VNFC to be deployable in multi-zoned cloud sites to allow for site support in the event of cloud zone failure or upgrades.
+* R-52499 The VNF **MUST** meet their own resiliency goals and not rely on the Network Cloud.
+* R-42207 The VNF **MUST** design resiliency into a VNF such that the resiliency deployment model (e.g., active-active) can be chosen at run-time.
+* R-03954 The VNF **MUST** survive any single points of failure within the Network Cloud (e.g., virtual NIC, VM, disk failure).
+* R-89010 The VNF **MUST** survive any single points of software failure internal to the VNF (e.g., in memory structures, JMS message queues).
+* R-67709 The VNF **MUST** be designed, built and packaged to enable deployment across multiple fault zones (e.g., VNFCs deployed in different servers, racks, OpenStack regions, geographies) so that in the event of a planned/unplanned downtime of a fault zone, the overall operation/throughput of the VNF is maintained.
+* R-35291 The VNF **MUST** support the ability to failover a VNFC automatically to other geographically redundant sites if not deployed active-active to increase the overall resiliency of the VNF.
+* R-36843 The VNF **MUST** support the ability of the VNFC to be deployable in multi-zoned cloud sites to allow for site support in the event of cloud zone failure or upgrades.
Minimize Cross Data-Center Traffic
----------------------------------
Minimize Cross Data-Center Traffic Requirements
-* R-xxxxx The VNF **SHOULD** minimize the propagation of state information across multiple data centers to avoid cross data center traffic.
+* R-92935 The VNF **SHOULD** minimize the propagation of state information across multiple data centers to avoid cross data center traffic.
Application Resilient Error Handling
------------------------------------
Application Resilient Error Handling Requirements
-* R-xxxxx The VNF **MUST** detect connectivity failure for inter VNFC instance and intra/inter VNF and re-establish connectivity automatically to maintain the VNF without manual intervention to provide service continuity.
-* R-xxxxx The VNF **MUST** handle the restart of a single VNFC instance without requiring all VNFC instances to be restarted.
-* R-xxxxx The VNF **MUST** handle the start or restart of VNFC instances in any order with each VNFC instance establishing or re-establishing required connections or relationships with other VNFC instances and/or VNFs required to perform the VNF function/role without requiring VNFC instance(s) to be started/restarted in a particular order.
-* R-xxxxx The VNF **MUST** handle errors and exceptions so that they do not interrupt processing of incoming VNF requests to maintain service continuity.
-* R-xxxxx The VNF **MUST** provide the ability to modify the number of retries, the time between retries and the behavior/action taken after the retries have been exhausted for exception handling to allow the NCSP to control that behavior.
-* R-xxxxx The VNF **MUST** fully exploit exception handling to the extent that resources (e.g., threads and memory) are released when no longer needed regardless of programming language.
-* R-xxxxx The VNF **MUST** handle replication race conditions both locally and geo-located in the event of a data base instance failure to maintain service continuity.
-* R-xxxxx The VNF **MUST** automatically retry/resubmit failed requests made by the software to its downstream system to increase the success rate.
+* R-26371 The VNF **MUST** detect connectivity failure for inter VNFC instance and intra/inter VNF and re-establish connectivity automatically to maintain the VNF without manual intervention to provide service continuity.
+* R-18725 The VNF **MUST** handle the restart of a single VNFC instance without requiring all VNFC instances to be restarted.
+* R-06668 The VNF **MUST** handle the start or restart of VNFC instances in any order with each VNFC instance establishing or re-establishing required connections or relationships with other VNFC instances and/or VNFs required to perform the VNF function/role without requiring VNFC instance(s) to be started/restarted in a particular order.
+* R-80070 The VNF **MUST** handle errors and exceptions so that they do not interrupt processing of incoming VNF requests to maintain service continuity.
+* R-32695 The VNF **MUST** provide the ability to modify the number of retries, the time between retries and the behavior/action taken after the retries have been exhausted for exception handling to allow the NCSP to control that behavior.
+* R-48356 The VNF **MUST** fully exploit exception handling to the extent that resources (e.g., threads and memory) are released when no longer needed regardless of programming language.
+* R-67918 The VNF **MUST** handle replication race conditions both locally and geo-located in the event of a data base instance failure to maintain service continuity.
+* R-36792 The VNF **MUST** automatically retry/resubmit failed requests made by the software to its downstream system to increase the success rate.
System Resource Optimization
System Resource Optimization Requirements
-* R-xxxxx The VNF **MUST NOT** execute long running tasks (e.g., IO, database, network operations, service calls) in a critical section of code, so as to minimize blocking of other operations and increase concurrent throughput.
-* R-xxxxx The VNF **MUST** automatically advertise newly scaled components so there is no manual intervention required.
-* R-xxxxx The VNF **MUST** utilize FQDNs (and not IP address) for both Service Chaining and scaling.
-* R-xxxxx The VNF **MUST** deliver any and all functionality from any VNFC in the pool. The VNFC pool member should be transparent to the client. Upstream and downstream clients should only recognize the function being performed, not the member performing it.
-* R-xxxxx The VNF **SHOULD** automatically enable/disable added/removed sub-components or component so there is no manual intervention required.
-* R-xxxxx The VNF **SHOULD** support the ability to scale down a VNFC pool without jeopardizing active sessions. Ideally, an active session should not be tied to any particular VNFC instance.
-* R-xxxxx The VNF **SHOULD** support load balancing and discovery mechanisms in resource pools containing VNFC instances.
-* R-xxxxx The VNF **SHOULD** utilize resource pooling (threads, connections, etc.) within the VNF application so that resources are not being created and destroyed resulting in resource management overhead.
-* R-xxxxx The VNF **SHOULD** use techniques such as “lazy loading” when initialization includes loading catalogues and/or lists which can grow over time, so that the VNF startup time does not grow at a rate proportional to that of the list.
-* R-xxxxx The VNF **SHOULD** release and clear all shared assets (memory, database operations, connections, locks, etc.) as soon as possible, especially before long running sync and asynchronous operations, so as to not prevent use of these assets by other entities.
+* R-22059 The VNF **MUST NOT** execute long running tasks (e.g., IO, database, network operations, service calls) in a critical section of code, so as to minimize blocking of other operations and increase concurrent throughput.
+* R-63473 The VNF **MUST** automatically advertise newly scaled components so there is no manual intervention required.
+* R-74712 The VNF **MUST** utilize FQDNs (and not IP address) for both Service Chaining and scaling.
+* R-41159 The VNF **MUST** deliver any and all functionality from any VNFC in the pool. The VNFC pool member should be transparent to the client. Upstream and downstream clients should only recognize the function being performed, not the member performing it.
+* R-85959 The VNF **SHOULD** automatically enable/disable added/removed sub-components or component so there is no manual intervention required.
+* R-06885 The VNF **SHOULD** support the ability to scale down a VNFC pool without jeopardizing active sessions. Ideally, an active session should not be tied to any particular VNFC instance.
+* R-12538 The VNF **SHOULD** support load balancing and discovery mechanisms in resource pools containing VNFC instances.
+* R-98989 The VNF **SHOULD** utilize resource pooling (threads, connections, etc.) within the VNF application so that resources are not being created and destroyed resulting in resource management overhead.
+* R-55345 The VNF **SHOULD** use techniques such as “lazy loading” when initialization includes loading catalogues and/or lists which can grow over time, so that the VNF startup time does not grow at a rate proportional to that of the list.
+* R-35532 The VNF **SHOULD** release and clear all shared assets (memory, database operations, connections, locks, etc.) as soon as possible, especially before long running sync and asynchronous operations, so as to not prevent use of these assets by other entities.
Application Configuration Management
Application Configuration Management Requirements
-* R-xxxxx The VNF **MUST** allow configurations and configuration parameters to be managed under version control to ensure consistent configuration deployment, traceability and rollback.
-* R-xxxxx The VNF **MUST** allow configurations and configuration parameters to be managed under version control to ensure the ability to rollback to a known valid configuration.
-* R-xxxxx The VNF **MUST** allow changes of configuration parameters to be consumed by the VNF without requiring the VNF or its sub-components to be bounced so that the VNF availability is not effected.
+* R-77334 The VNF **MUST** allow configurations and configuration parameters to be managed under version control to ensure consistent configuration deployment, traceability and rollback.
+* R-99766 The VNF **MUST** allow configurations and configuration parameters to be managed under version control to ensure the ability to rollback to a known valid configuration.
+* R-73583 The VNF **MUST** allow changes of configuration parameters to be consumed by the VNF without requiring the VNF or its sub-components to be bounced so that the VNF availability is not effected.
Intelligent Transaction Distribution & Management
Intelligent Transaction Distribution & Management Requirements
-* R-xxxxx The VNF **SHOULD** use intelligent routing by having knowledge of multiple downstream/upstream endpoints that are exposed to it, to ensure there is no dependency on external services (such as load balancers) to switch to alternate endpoints.
-* R-xxxxx The VNF **SHOULD** use redundant connection pooling to connect to any backend data source that can be switched between pools in an automated/scripted fashion to ensure high availability of the connection to the data source.
-* R-xxxxx The VNF **SHOULD** include control loop mechanisms to notify the consumer of the VNF of their exceeding SLA thresholds so the consumer is able to control its load against the VNF.
+* R-21558 The VNF **SHOULD** use intelligent routing by having knowledge of multiple downstream/upstream endpoints that are exposed to it, to ensure there is no dependency on external services (such as load balancers) to switch to alternate endpoints.
+* R-08315 The VNF **SHOULD** use redundant connection pooling to connect to any backend data source that can be switched between pools in an automated/scripted fashion to ensure high availability of the connection to the data source.
+* R-27995 The VNF **SHOULD** include control loop mechanisms to notify the consumer of the VNF of their exceeding SLA thresholds so the consumer is able to control its load against the VNF.
Deployment Optimization
-----------------------
Deployment Optimization Requirements
-* R-xxxxx The VNF **MUST** support at least two major versions of the VNF software and/or sub-components to co-exist within production environments at any time so that upgrades can be applied across multiple systems in a staggered manner.
-* R-xxxxx The VNF **MUST** support the existence of multiple major/minor versions of the VNF software and/or sub-components and interfaces that support both forward and backward compatibility to be transparent to the Service Provider usage.
-* R-xxxxx The VNF **MUST** support hitless staggered/rolling deployments between its redundant instances to allow "soak-time/burn in/slow roll" which can enable the support of low traffic loads to validate the deployment prior to supporting full traffic loads.
-* R-xxxxx The VNF **MUST** support the ability of a requestor of the service to determine the version (and therefore capabilities) of the service so that Network Cloud Service Provider can understand the capabilities of the service.
-* R-xxxxx The VNF **MUST** test for adherence to the defined performance budgets at each layer, during each delivery cycle with delivered results, so that the performance budget is measured and the code is adjusted to meet performance budget.
-* R-xxxxx The VNF **MUST** test for adherence to the defined performance budget at each layer, during each delivery cycle so that the performance budget is measured and feedback is provided where the performance budget is not met.
-* R-xxxxx The VNF **SHOULD** test for adherence to the defined resiliency rating recommendation at each layer, during each delivery cycle with delivered results, so that the resiliency rating is measured and the code is adjusted to meet software resiliency requirements.
-* R-xxxxx The VNF **SHOULD** test for adherence to the defined resiliency rating recommendation at each layer, during each delivery cycle so that the resiliency rating is measured and feedback is provided where software resiliency requirements are not met.
+* R-73364 The VNF **MUST** support at least two major versions of the VNF software and/or sub-components to co-exist within production environments at any time so that upgrades can be applied across multiple systems in a staggered manner.
+* R-02454 The VNF **MUST** support the existence of multiple major/minor versions of the VNF software and/or sub-components and interfaces that support both forward and backward compatibility to be transparent to the Service Provider usage.
+* R-57855 The VNF **MUST** support hitless staggered/rolling deployments between its redundant instances to allow "soak-time/burn in/slow roll" which can enable the support of low traffic loads to validate the deployment prior to supporting full traffic loads.
+* R-64445 The VNF **MUST** support the ability of a requestor of the service to determine the version (and therefore capabilities) of the service so that Network Cloud Service Provider can understand the capabilities of the service.
+* R-56793 The VNF **MUST** test for adherence to the defined performance budgets at each layer, during each delivery cycle with delivered results, so that the performance budget is measured and the code is adjusted to meet performance budget.
+* R-77667 The VNF **MUST** test for adherence to the defined performance budget at each layer, during each delivery cycle so that the performance budget is measured and feedback is provided where the performance budget is not met.
+* R-49308 The VNF **SHOULD** test for adherence to the defined resiliency rating recommendation at each layer, during each delivery cycle with delivered results, so that the resiliency rating is measured and the code is adjusted to meet software resiliency requirements.
+* R-16039 The VNF **SHOULD** test for adherence to the defined resiliency rating recommendation at each layer, during each delivery cycle so that the resiliency rating is measured and feedback is provided where software resiliency requirements are not met.
Monitoring & Dashboard
----------------------
Monitoring & Dashboard Requirements
-* R-xxxxx The VNF **MUST** provide a method of metrics gathering for each layer's performance to identify/document variances in the allocations so they can be addressed.
-* R-xxxxx The VNF **MUST** provide unique traceability of a transaction through its life cycle to ensure quick and efficient troubleshooting.
-* R-xxxxx The VNF **MUST** provide a method of metrics gathering and analysis to evaluate the resiliency of the software from both a granular as well as a holistic standpoint. This includes, but is not limited to thread utilization, errors, timeouts, and retries.
-* R-xxxxx The VNF **MUST** provide operational instrumentation such as logging, so as to facilitate quick resolution of issues with the VNF to provide service continuity.
-* R-xxxxx The VNF **MUST** monitor for and alert on (both sender and receiver) errant, running longer than expected and missing file transfers, so as to minimize the impact due to file transfer errors.
-* R-xxxxx The VNF **SHOULD** use an appropriately configured logging level that can be changed dynamically, so as to not cause performance degradation of the VNF due to excessive logging.
-* R-xxxxx The VNF **SHOULD** utilize Cloud health checks, when available from the Network Cloud, from inside the application through APIs to check the network connectivity, dropped packets rate, injection, and auto failover to alternate sites if needed.
-* R-xxxxx The VNF **MUST** conduct a resiliency impact assessment for all inter/intra-connectivity points in the VNF to provide an overall resiliency rating for the VNF to be incorporated into the software design and development of the VNF.
+* R-34957 The VNF **MUST** provide a method of metrics gathering for each layer's performance to identify/document variances in the allocations so they can be addressed.
+* R-49224 The VNF **MUST** provide unique traceability of a transaction through its life cycle to ensure quick and efficient troubleshooting.
+* R-52870 The VNF **MUST** provide a method of metrics gathering and analysis to evaluate the resiliency of the software from both a granular as well as a holistic standpoint. This includes, but is not limited to thread utilization, errors, timeouts, and retries.
+* R-92571 The VNF **MUST** provide operational instrumentation such as logging, so as to facilitate quick resolution of issues with the VNF to provide service continuity.
+* R-48917 The VNF **MUST** monitor for and alert on (both sender and receiver) errant, running longer than expected and missing file transfers, so as to minimize the impact due to file transfer errors.
+* R-28168 The VNF **SHOULD** use an appropriately configured logging level that can be changed dynamically, so as to not cause performance degradation of the VNF due to excessive logging.
+* R-87352 The VNF **SHOULD** utilize Cloud health checks, when available from the Network Cloud, from inside the application through APIs to check the network connectivity, dropped packets rate, injection, and auto failover to alternate sites if needed.
+* R-16560 The VNF **MUST** conduct a resiliency impact assessment for all inter/intra-connectivity points in the VNF to provide an overall resiliency rating for the VNF to be incorporated into the software design and development of the VNF.
c. VNF Security
===============
Integration and operation within a robust security environment is necessary and expected. The security architecture will include one or more of the following: IDAM (Identity and Access Management) for all system and applications access, Code scanning, network vulnerability scans, OS, Database and application patching, malware detection and cleaning, DDOS prevention, network security gateways (internal and external) operating at various layers, host and application based tools for security compliance validation, aggressive security patch application, tightly controlled software distribution and change control processes and other state of the art security solutions. The VNF is expected to function reliably within such an environment and the developer is expected to understand and accommodate such controls and can expected to supply responsive interoperability support and testing throughout the product’s lifecycle.
-* R-xxxxx The VNF **MUST** accommodate the security principle of “least privilege” during development, implementation and operation. The importance of “least privilege” cannot be overstated and must be observed in all aspects of VNF development and not limited to security. This is applicable to all sections of this document.
-* R-xxxxx The VNF **MUST** implement access control list for OA&M services (e.g., restricting access to certain ports or applications).
-* R-xxxxx The VNF **MUST** implement Data Storage Encryption (database/disk encryption) for Sensitive Personal Information (SPI) and other subscriber identifiable data. Note: subscriber’s SPI/data must be encrypted at rest, and other subscriber identifiable data should be encrypted at rest. Other data protection requirements exist and should be well understood by the developer.
-* R-xxxxx The VNF **SHOULD** implement a mechanism for automated and frequent "system configuration (automated provisioning / closed loop)" auditing.
-* R-xxxxx The VNF **SHOULD** be scanned using both network scanning and application scanning security tools on all code, including underlying OS and related configuration. Scan reports shall be provided. Remediation roadmaps shall be made available for any findings.
-* R-xxxxx The VNF **SHOULD** have source code scanned using scanning tools (e.g., Fortify) and provide reports.
-* R-xxxxx The VNF **MUST** distribute all production code from NCSP internal sources only. No production code, libraries, OS images, etc. shall be distributed from publically accessible depots.
-* R-xxxxx The VNF **MUST** provide all code/configuration files in a “Locked down” or hardened state or with documented recommendations for such hardening. All unnecessary services will be disabled. Vendor default credentials, community strings and other such artifacts will be removed or disclosed so that they can be modified or removed during provisioning.
-* R-xxxxx The VNF **SHOULD** support L3 VPNs that enable segregation of traffic by application (dropping packets not belonging to the VPN) (i.e., AVPN, IPSec VPN for Internet routes).
-* R-xxxxx The VNF **SHOULD** interoperate with various access control mechanisms for the Network Cloud execution environment (e.g., Hypervisors, containers).
-* R-xxxxx The VNF **SHOULD** support the use of virtual trusted platform module, hypervisor security testing and standards scanning tools.
-* R-xxxxx The VNF **MUST** interoperate with the ONAP (SDN) Controller so that it can dynamically modify the firewall rules, ACL rules, QoS rules, virtual routing and forwarding rules.
-* R-xxxxx The VNF **SHOULD** support the ability to work with aliases (e.g., gateways, proxies) to protect and encapsulate resources.
-* R-xxxxx The VNF **MUST** pass all access to applications (Bearer, signaling and OA&M) through various security tools and platforms from ACLs, stateful firewalls and application layer gateways depending on manner of deployment. The application is expected to function (and in some cases, interwork) with these security tools.
-* R-xxxxx The VNF **MUST** have all vulnerabilities patched as soon as possible. Patching shall be controlled via change control process with vulnerabilities disclosed along with mitigation recommendations.
-* R-xxxxx The VNF **MUST** use the NCSP’s IDAM API for Identification, authentication and access control of customer or VNF application users.
-* R-xxxxx The VNF **MUST** use the NCSP’s IDAM API or comply with the requirements if not using the NCSP’s IDAM API, for identification, authentication and access control of OA&M and other system level functions.
-* R-xxxxx The VNF **MUST**, if not using the NCSP’s IDAM API, support User-IDs and passwords to uniquely identify the user/application. VNF needs to have appropriate connectors to the Identity, Authentication and Authorization systems that enables access at OS, Database and Application levels as appropriate.
-* R-xxxxx The VNF **MUST**, if not using the NCSP’s IDAM API, provide the ability to support Multi-Factor Authentication (e.g., 1st factor = Software token on device (RSA SecureID); 2nd factor = User Name+Password, etc.) for the users.
-* R-xxxxx The VNF **MUST**, if not using the NCSP’s IDAM API, support Role-Based Access Control to permit/limit the user/application to performing specific activities.
-* R-xxxxx The VNF **MUST**, if not using the NCSP’s IDAM API, support logging via ONAP for a historical view of “who did what and when”.
-* R-xxxxx The VNF **MUST**, if not using the NCSP’s IDAM API, encrypt OA&M access (e.g., SSH, SFTP).
-* R-xxxxx The VNF **MUST**, if not using the NCSP’s IDAM API, enforce a configurable maximum number of Login attempts policy for the users. VNF vendor must comply with "terminate idle sessions" policy. Interactive sessions must be terminated, or a secure, locking screensaver must be activated requiring authentication, after a configurable period of inactivity. The system-based inactivity timeout for the enterprise identity and access management system must also be configurable.
-* R-xxxxx The VNF **MUST**, if not using the NCSP’s IDAM API, comply with the NCSP’s credential management policy.
-* R-xxxxx The VNF **MUST**, if not using the NCSP’s IDAM API, expire passwords at regular configurable intervals.
-* R-xxxxx The VNF **MUST**, if not using the NCSP’s IDAM API, comply with "password complexity" policy. When passwords are used, they shall be complex and shall at least meet the following password construction requirements: (1) be a minimum configurable number of characters in length, (2) include 3 of the 4 following types of characters: upper-case alphabetic, lower-case alphabetic, numeric, and special, (3) not be the same as the UserID with which they are associated or other common strings as specified by the environment, (4) not contain repeating or sequential characters or numbers, (5) not to use special characters that may have command functions, and (6) new passwords must not contain sequences of three or more characters from the previous password.
-* R-xxxxx The VNF **MUST**, if not using the NCSP’s IDAM API, comply with "password changes (includes default passwords)" policy. Products will support password aging, syntax and other credential management practices on a configurable basis.
-* R-xxxxx The VNF **MUST**, if not using the NCSP’s IDAM API, support use of common third party authentication and authorization tools such as TACACS+, RADIUS.
-* R-xxxxx The VNF **MUST**, if not using the NCSP’s IDAM API, comply with "No Self-Signed Certificates" policy. Self-signed certificates must be used for encryption only, using specified and approved encryption protocols such as LS 1.1 or higher or equivalent security protocols such as IPSec, AES.
-* R-xxxxx The VNF **MUST**, if not using the NCSP’s IDAM API, authenticate system to system communications were one system accesses the resources of another system, and must never conceal individual accountability.
+* R-23740 The VNF **MUST** accommodate the security principle of “least privilege” during development, implementation and operation. The importance of “least privilege” cannot be overstated and must be observed in all aspects of VNF development and not limited to security. This is applicable to all sections of this document.
+* R-61354 The VNF **MUST** implement access control list for OA&M services (e.g., restricting access to certain ports or applications).
+* R-85633 The VNF **MUST** implement Data Storage Encryption (database/disk encryption) for Sensitive Personal Information (SPI) and other subscriber identifiable data. Note: subscriber’s SPI/data must be encrypted at rest, and other subscriber identifiable data should be encrypted at rest. Other data protection requirements exist and should be well understood by the developer.
+* R-92207 The VNF **SHOULD** implement a mechanism for automated and frequent "system configuration (automated provisioning / closed loop)" auditing.
+* R-23882 The VNF **SHOULD** be scanned using both network scanning and application scanning security tools on all code, including underlying OS and related configuration. Scan reports shall be provided. Remediation roadmaps shall be made available for any findings.
+* R-46986 The VNF **SHOULD** have source code scanned using scanning tools (e.g., Fortify) and provide reports.
+* R-55830 The VNF **MUST** distribute all production code from NCSP internal sources only. No production code, libraries, OS images, etc. shall be distributed from publically accessible depots.
+* R-99771 The VNF **MUST** provide all code/configuration files in a “Locked down” or hardened state or with documented recommendations for such hardening. All unnecessary services will be disabled. Vendor default credentials, community strings and other such artifacts will be removed or disclosed so that they can be modified or removed during provisioning.
+* R-19768 The VNF **SHOULD** support L3 VPNs that enable segregation of traffic by application (dropping packets not belonging to the VPN) (i.e., AVPN, IPSec VPN for Internet routes).
+* R-33981 The VNF **SHOULD** interoperate with various access control mechanisms for the Network Cloud execution environment (e.g., Hypervisors, containers).
+* R-40813 The VNF **SHOULD** support the use of virtual trusted platform module, hypervisor security testing and standards scanning tools.
+* R-56904 The VNF **MUST** interoperate with the ONAP (SDN) Controller so that it can dynamically modify the firewall rules, ACL rules, QoS rules, virtual routing and forwarding rules.
+* R-26586 The VNF **SHOULD** support the ability to work with aliases (e.g., gateways, proxies) to protect and encapsulate resources.
+* R-49956 The VNF **MUST** pass all access to applications (Bearer, signaling and OA&M) through various security tools and platforms from ACLs, stateful firewalls and application layer gateways depending on manner of deployment. The application is expected to function (and in some cases, interwork) with these security tools.
+* R-69649 The VNF **MUST** have all vulnerabilities patched as soon as possible. Patching shall be controlled via change control process with vulnerabilities disclosed along with mitigation recommendations.
+* R-78010 The VNF **MUST** use the NCSP’s IDAM API for Identification, authentication and access control of customer or VNF application users.
+* R-42681 The VNF **MUST** use the NCSP’s IDAM API or comply with the requirements if not using the NCSP’s IDAM API, for identification, authentication and access control of OA&M and other system level functions.
+* R-68589 The VNF **MUST**, if not using the NCSP’s IDAM API, support User-IDs and passwords to uniquely identify the user/application. VNF needs to have appropriate connectors to the Identity, Authentication and Authorization systems that enables access at OS, Database and Application levels as appropriate.
+* R-52085 The VNF **MUST**, if not using the NCSP’s IDAM API, provide the ability to support Multi-Factor Authentication (e.g., 1st factor = Software token on device (RSA SecureID); 2nd factor = User Name+Password, etc.) for the users.
+* R-98391 The VNF **MUST**, if not using the NCSP’s IDAM API, support Role-Based Access Control to permit/limit the user/application to performing specific activities.
+* R-63217 The VNF **MUST**, if not using the NCSP’s IDAM API, support logging via ONAP for a historical view of “who did what and when”.
+* R-62498 The VNF **MUST**, if not using the NCSP’s IDAM API, encrypt OA&M access (e.g., SSH, SFTP).
+* R-79107 The VNF **MUST**, if not using the NCSP’s IDAM API, enforce a configurable maximum number of Login attempts policy for the users. VNF vendor must comply with "terminate idle sessions" policy. Interactive sessions must be terminated, or a secure, locking screensaver must be activated requiring authentication, after a configurable period of inactivity. The system-based inactivity timeout for the enterprise identity and access management system must also be configurable.
+* R-35144 The VNF **MUST**, if not using the NCSP’s IDAM API, comply with the NCSP’s credential management policy.
+* R-75041 The VNF **MUST**, if not using the NCSP’s IDAM API, expire passwords at regular configurable intervals.
+* R-46908 The VNF **MUST**, if not using the NCSP’s IDAM API, comply with "password complexity" policy. When passwords are used, they shall be complex and shall at least meet the following password construction requirements: (1) be a minimum configurable number of characters in length, (2) include 3 of the 4 following types of characters: upper-case alphabetic, lower-case alphabetic, numeric, and special, (3) not be the same as the UserID with which they are associated or other common strings as specified by the environment, (4) not contain repeating or sequential characters or numbers, (5) not to use special characters that may have command functions, and (6) new passwords must not contain sequences of three or more characters from the previous password.
+* R-39342 The VNF **MUST**, if not using the NCSP’s IDAM API, comply with "password changes (includes default passwords)" policy. Products will support password aging, syntax and other credential management practices on a configurable basis.
+* R-40521 The VNF **MUST**, if not using the NCSP’s IDAM API, support use of common third party authentication and authorization tools such as TACACS+, RADIUS.
+* R-41994 The VNF **MUST**, if not using the NCSP’s IDAM API, comply with "No Self-Signed Certificates" policy. Self-signed certificates must be used for encryption only, using specified and approved encryption protocols such as LS 1.1 or higher or equivalent security protocols such as IPSec, AES.
+* R-23135 The VNF **MUST**, if not using the NCSP’s IDAM API, authenticate system to system communications were one system accesses the resources of another system, and must never conceal individual accountability.
VNF Identity and Access Management Requirements
-----------------------------------------------
Identity and Access Management Requirements
-* R-xxxxx The VNF **MUST** host connectors for access to the application layer.
-* R-xxxxx The VNF **MUST** host connectors for access to the OS (Operating System) layer.
-* R-xxxxx The VNF **MUST** host connectors for access to the database layer.
-* R-xxxxx The VNF **MUST**
-* R-xxxxx The VNF **MUST** comply with Individual Accountability (each person must be assigned a unique ID) when persons or non-person entities access VNFs.
-* R-xxxxx The VNF **MUST** comply with Least Privilege (no more privilege than required to perform job functions) when persons or non-person entities access VNFs.
-* R-xxxxx The VNF **MUST** comply with Segregation of Duties (access to a single layer and no developer may access production without special oversight) when persons or non-person entities access VNFs.
-* R-xxxxx The VNF **MUST NOT** allow vendor access to VNFs remotely.
-* R-xxxxx The VNF **MUST** authorize vendor access through a client application API by the client application owner and the resource owner of the VNF before provisioning authorization through Role Based Access Control (RBAC), Attribute Based Access Control (ABAC), or other policy based mechanism.
-* R-xxxxx The VNF **MUST** subject vendor VNF access to privilege reconciliation tools to prevent access creep and ensure correct enforcement of access policies.
-* R-xxxxx The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for OWASP Top 10.
-* R-xxxxx The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for Password Attacks.
-* R-xxxxx The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for Phishing / SMishing.
-* R-xxxxx The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for Malware (Key Logger).
-* R-xxxxx The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for Session Hijacking.
-* R-xxxxx The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for XSS / CSRF.
-* R-xxxxx The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for Replay.
-* R-xxxxx The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for Man in the Middle (MITM).
-* R-xxxxx The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for Eavesdropping.
-* R-xxxxx The VNF **MUST** provide Context awareness data (device, location, time, etc.) and be able to integrate with threat detection system.
-* R-xxxxx The VNF vendor **MUST**, where a VNF vendor requires the assumption of permissions, such as root or administrator, first log in under their individual user login ID then switch to the other higher level account; or where the individual user login is infeasible, must login with an account with admin privileges in a way that uniquely identifies the individual performing the function.
-* R-xxxxx The VNF **MUST** authenticate system to system access and do not conceal a VNF vendor user’s individual accountability for transactions.
-* R-xxxxx The VNF **MUST** make visible a Warning Notices: A formal statement of resource intent, i.e., a warning notice, upon initial access to a VNF vendor user who accesses private internal networks or Company computer resources, e.g., upon initial logon to an internal web site, system or application which requires authentication.
-* R-xxxxx The VNF **MIST** use access controls for VNFs and their supporting computing systems at all times to restrict access to authorized personnel only, e.g., least privilege. These controls could include the use of system configuration or access control software.
-* R-xxxxx The VNF **MUST** provide minimum privileges for initial and default settings for new user accounts.
-* R-xxxxx The VNF **MUST** set the default settings for user access to sensitive commands and data to deny authorization.
-* R-xxxxx The VNF **MUST** conform to approved request, workflow authorization, and authorization provisioning requirements when creating privileged users.
-* R-xxxxx The VNF **MUST** have greater restrictions for access and execution, such as up to 3 factors of authentication and restricted authorization, for commands affecting network services, such as commands relating to VNFs, must.
-* R-xxxxx The VNF **MUST** encrypt TCP/IP--HTTPS (e.g., TLS v1.2) transmission of data on internal and external networks.
-* R-xxxxx The VNF **MUST** disable unnecessary or vulnerable cgi-bin programs.
-* R-xxxxx The VNF **MUST NOT** provide public or unrestricted access to any data without the permission of the data owner. All data classification and access controls must be followed.
-* R-xxxxx The VNF **MUST NOT** install or use systems, tools or utilities capable of capturing or logging data that was not created by them or sent specifically to them in production, without authorization of the VNF system owner.
-* R-xxxxx The VNF **MUST NOT** run security testing tools and programs, e.g., password cracker, port scanners, hacking tools in production, without authorization of the VNF system owner.
-* R-xxxxx The VNF **MUST NOT** include authentication credentials in security audit logs, even if encrypted.
-* R-xxxxx The VNF **SHOULD** use REST APIs exposed to Client Applications for the implementation of OAuth 2.0 Authorization Code Grant and Client Credentials Grant, as the standard interface for a VNF.
-* R-xxxxx The VNF **SHOULD** support hosting connectors for OS Level and Application Access.
-* R-xxxxx The VNF **SHOULD** support SCEP (Simple Certificate Enrollment Protocol).
+* R-95105 The VNF **MUST** host connectors for access to the application layer.
+* R-45496 The VNF **MUST** host connectors for access to the OS (Operating System) layer.
+* R-05470 The VNF **MUST** host connectors for access to the database layer.
+* R-77737 The VNF **MUST**
+* R-99174 The VNF **MUST** comply with Individual Accountability (each person must be assigned a unique ID) when persons or non-person entities access VNFs.
+* R-42874 The VNF **MUST** comply with Least Privilege (no more privilege than required to perform job functions) when persons or non-person entities access VNFs.
+* R-71787 The VNF **MUST** comply with Segregation of Duties (access to a single layer and no developer may access production without special oversight) when persons or non-person entities access VNFs.
+* R-86261 The VNF **MUST NOT** allow vendor access to VNFs remotely.
+* R-49945 The VNF **MUST** authorize vendor access through a client application API by the client application owner and the resource owner of the VNF before provisioning authorization through Role Based Access Control (RBAC), Attribute Based Access Control (ABAC), or other policy based mechanism.
+* R-31751 The VNF **MUST** subject vendor VNF access to privilege reconciliation tools to prevent access creep and ensure correct enforcement of access policies.
+* R-34552 The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for OWASP Top 10.
+* R-29301 The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for Password Attacks.
+* R-72243 The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for Phishing / SMishing.
+* R-58998 The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for Malware (Key Logger).
+* R-14025 The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for Session Hijacking.
+* R-31412 The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for XSS / CSRF.
+* R-51883 The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for Replay.
+* R-44032 The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for Man in the Middle (MITM).
+* R-58977 The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for Eavesdropping.
+* R-24825 The VNF **MUST** provide Context awareness data (device, location, time, etc.) and be able to integrate with threat detection system.
+* R-59391 The VNF vendor **MUST**, where a VNF vendor requires the assumption of permissions, such as root or administrator, first log in under their individual user login ID then switch to the other higher level account; or where the individual user login is infeasible, must login with an account with admin privileges in a way that uniquely identifies the individual performing the function.
+* R-85028 The VNF **MUST** authenticate system to system access and do not conceal a VNF vendor user’s individual accountability for transactions.
+* R-80335 The VNF **MUST** make visible a Warning Notices: A formal statement of resource intent, i.e., a warning notice, upon initial access to a VNF vendor user who accesses private internal networks or Company computer resources, e.g., upon initial logon to an internal web site, system or application which requires authentication.
+* R-73541 The VNF **MIST** use access controls for VNFs and their supporting computing systems at all times to restrict access to authorized personnel only, e.g., least privilege. These controls could include the use of system configuration or access control software.
+* R-64503 The VNF **MUST** provide minimum privileges for initial and default settings for new user accounts.
+* R-86835 The VNF **MUST** set the default settings for user access to sensitive commands and data to deny authorization.
+* R-77157 The VNF **MUST** conform to approved request, workflow authorization, and authorization provisioning requirements when creating privileged users.
+* R-81147 The VNF **MUST** have greater restrictions for access and execution, such as up to 3 factors of authentication and restricted authorization, for commands affecting network services, such as commands relating to VNFs, must.
+* R-49109 The VNF **MUST** encrypt TCP/IP--HTTPS (e.g., TLS v1.2) transmission of data on internal and external networks.
+* R-39562 The VNF **MUST** disable unnecessary or vulnerable cgi-bin programs.
+* R-15671 The VNF **MUST NOT** provide public or unrestricted access to any data without the permission of the data owner. All data classification and access controls must be followed.
+* R-89753 The VNF **MUST NOT** install or use systems, tools or utilities capable of capturing or logging data that was not created by them or sent specifically to them in production, without authorization of the VNF system owner.
+* R-19082 The VNF **MUST NOT** run security testing tools and programs, e.g., password cracker, port scanners, hacking tools in production, without authorization of the VNF system owner.
+* R-19790 The VNF **MUST NOT** include authentication credentials in security audit logs, even if encrypted.
+* R-85419 The VNF **SHOULD** use REST APIs exposed to Client Applications for the implementation of OAuth 2.0 Authorization Code Grant and Client Credentials Grant, as the standard interface for a VNF.
+* R-86455 The VNF **SHOULD** support hosting connectors for OS Level and Application Access.
+* R-48080 The VNF **SHOULD** support SCEP (Simple Certificate Enrollment Protocol).
VNF API Security Requirements
API Requirements
-* R-xxxxx The VNF **MUST** provide a mechanism to restrict access based on the attributes of the VNF and the attributes of the subject.
-* R-xxxxx The VNF **MUST** integrate with external authentication and authorization services (e.g., IDAM).
-* R-xxxxx The VNF **MUST** use certificates issued from publicly recognized Certificate Authorities (CA) for the authentication process where PKI-based authentication is used.
-* R-xxxxx The VNF **MUST** validate the CA signature on the certificate, ensure that the date is within the validity period of the certificate, check the Certificate Revocation List (CRL), and recognize the identity represented by the certificate where PKI-based authentication is used.
-* R-xxxxx The VNF **MUST** protect the confidentiality and integrity of data at rest and in transit from unauthorized access and modification.
-* R-xxxxx The VNF **MUST** protect against all denial of service attacks, both volumetric and non-volumetric, or integrate with external denial of service protection tools.
-* R-xxxxx The VNF **MUST** implement the following input validation control: Check the size (length) of all input. Do not permit an amount of input so great that it would cause the VNF to fail. Where the input may be a file, the VNF API must enforce a size limit.
-* R-xxxxx The VNF **MUST** implement the following input validation control: Do not permit input that contains content or characters inappropriate to the input expected by the design. Inappropriate input, such as SQL insertions, may cause the system to execute undesirable and unauthorized transactions against the database or allow other inappropriate access to the internal network.
-* R-xxxxx The VNF **MUST** implement the following input validation control: Validate that any input file has a correct and valid Multipurpose Internet Mail Extensions (MIME) type. Input files should be tested for spoofed MIME types.
-* R-xxxxx The VNF **MUST** validate input at all layers implementing VNF APIs.
-* R-xxxxx The VNF **MUST** comply with NIST standards and industry best practices for all implementations of cryptography.
-* R-xxxxx The VNF **MUST** implement all monitoring and logging as described in the Security Analytics section.
-* R-xxxxx The VNF **MUST** restrict changing the criticality level of a system security alarm to administrator(s).
-* R-xxxxx The VNF **MUST** monitor API invocation patterns to detect anomalous access patterns that may represent fraudulent access or other types of attacks, or integrate with tools that implement anomaly and abuse detection.
-* R-xxxxx The VNF **MUST** support requests for information from law enforcement and government agencies.
+* R-37608 The VNF **MUST** provide a mechanism to restrict access based on the attributes of the VNF and the attributes of the subject.
+* R-43884 The VNF **MUST** integrate with external authentication and authorization services (e.g., IDAM).
+* R-25878 The VNF **MUST** use certificates issued from publicly recognized Certificate Authorities (CA) for the authentication process where PKI-based authentication is used.
+* R-19804 The VNF **MUST** validate the CA signature on the certificate, ensure that the date is within the validity period of the certificate, check the Certificate Revocation List (CRL), and recognize the identity represented by the certificate where PKI-based authentication is used.
+* R-47204 The VNF **MUST** protect the confidentiality and integrity of data at rest and in transit from unauthorized access and modification.
+* R-33488 The VNF **MUST** protect against all denial of service attacks, both volumetric and non-volumetric, or integrate with external denial of service protection tools.
+* R-21652 The VNF **MUST** implement the following input validation control: Check the size (length) of all input. Do not permit an amount of input so great that it would cause the VNF to fail. Where the input may be a file, the VNF API must enforce a size limit.
+* R-54930 The VNF **MUST** implement the following input validation control: Do not permit input that contains content or characters inappropriate to the input expected by the design. Inappropriate input, such as SQL insertions, may cause the system to execute undesirable and unauthorized transactions against the database or allow other inappropriate access to the internal network.
+* R-21210 The VNF **MUST** implement the following input validation control: Validate that any input file has a correct and valid Multipurpose Internet Mail Extensions (MIME) type. Input files should be tested for spoofed MIME types.
+* R-23772 The VNF **MUST** validate input at all layers implementing VNF APIs.
+* R-87135 The VNF **MUST** comply with NIST standards and industry best practices for all implementations of cryptography.
+* R-02137 The VNF **MUST** implement all monitoring and logging as described in the Security Analytics section.
+* R-15659 The VNF **MUST** restrict changing the criticality level of a system security alarm to administrator(s).
+* R-19367 The VNF **MUST** monitor API invocation patterns to detect anomalous access patterns that may represent fraudulent access or other types of attacks, or integrate with tools that implement anomaly and abuse detection.
+* R-78066 The VNF **MUST** support requests for information from law enforcement and government agencies.
VNF Security Analytics Requirements
Security Analytics Requirements
-* R-xxxxx The VNF **MUST** support Real-time detection and notification of security events.
-* R-xxxxx The VNF **MUST** support Integration functionality via API/Syslog/SNMP to other functional modules in the network (e.g., PCRF, PCEF) that enable dynamic security control by blocking the malicious traffic or malicious end users
-* R-xxxxx The VNF **MUST** support API-based monitoring to take care of the scenarios where the control interfaces are not exposed, or are optimized and proprietary in nature.
-* R-xxxxx The VNF **MUST** support event logging, formats, and delivery tools to provide the required degree of event data to ONAP
-* R-xxxxx The VNF **MUST** support detection of malformed packets due to software misconfiguration or software vulnerability.
-* R-xxxxx The VNF **MUST** support integrated DPI/monitoring functionality as part of VNFs (e.g., PGW, MME).
-* R-xxxxx The VNF **MUST** support alternative monitoring capabilities when VNFs do not expose data or control traffic or use proprietary and optimized protocols for inter VNF communication.
-* R-xxxxx The VNF **MUST** support proactive monitoring to detect and report the attacks on resources so that the VNFs and associated VMs can be isolated, such as detection techniques for resource exhaustion, namely OS resource attacks, CPU attacks, consumption of kernel memory, local storage attacks.
-* R-xxxxx The VNF **MUST** coexist and operate normally with commercial anti-virus software which shall produce alarms every time when there is a security incident.
-* R-xxxxx The VNF **MUST** protect all security audit logs (including API, OS and application-generated logs), security audit software, data, and associated documentation from modification, or unauthorized viewing, by standard OS access control mechanisms, by sending to a remote system, or by encryption.
-* R-xxxxx The VNF **MUST** log successful and unsuccessful login attempts.
-* R-xxxxx The VNF **MUST** log logoffs.
-* R-xxxxx The VNF **MUST** log successful and unsuccessful changes to a privilege level.
-* R-xxxxx The VNF **MUST** log starting and stopping of security logging
-* R-xxxxx The VNF **MUST** log creating, removing, or changing the inherent privilege level of users.
-* R-xxxxx The VNF **MUST** log connections to a network listener of the resource.
-* R-xxxxx The VNF **MUST** log the field “event type” in the security audit logs.
-* R-xxxxx The VNF **MUST** log the field “date/time” in the security audit logs.
-* R-xxxxx The VNF **MUST** log the field “protocol” in the security audit logs.
-* R-xxxxx The VNF **MUST** log the field “service or program used for access” in the security audit logs.
-* R-xxxxx The VNF **MUST** log the field “success/failure” in the security audit logs.
-* R-xxxxx The VNF **MUST** log the field “Login ID” in the security audit logs.
-* R-xxxxx The VNF **MUST NOT** include an authentication credential, e.g., password, in the security audit logs, even if encrypted.
-* R-xxxxx The VNF **MUST** detect when the security audit log storage medium is approaching capacity (configurable) and issue an alarm via SMS or equivalent as to allow time for proper actions to be taken to pre-empt loss of audit data.
-* R-xxxxx The VNF **MUST** support the capability of online storage of security audit logs.
-* R-xxxxx The VNF **MUST** activate security alarms automatically when the following event is detected: configurable number of consecutive unsuccessful login attempts
-* R-xxxxx The VNF **MUST** activate security alarms automatically when the following event is detected: successful modification of critical system or application files
-* R-xxxxx The VNF **MUST** activate security alarms automatically when the following event is detected: unsuccessful attempts to gain permissions or assume the identity of another user
-* R-xxxxx The VNF **MUST** include the field “date” in the Security alarms (where applicable and technically feasible).
-* R-xxxxx The VNF **MUST** include the field “time” in the Security alarms (where applicable and technically feasible).
-* R-xxxxx The VNF **MUST** include the field “service or program used for access” in the Security alarms (where applicable and technically feasible).
-* R-xxxxx The VNF **MUST** include the field “success/failure” in the Security alarms (where applicable and technically feasible).
-* R-xxxxx The VNF **MUST** include the field “Login ID” in the Security alarms (where applicable and technically feasible).
-* R-xxxxx The VNF **MUST** restrict changing the criticality level of a system security alarm to administrator(s).
-* R-xxxxx The VNF **MUST** monitor API invocation patterns to detect anomalous access patterns that may represent fraudulent access or other types of attacks, or integrate with tools that implement anomaly and abuse detection.
-* R-xxxxx The VNF **MUST** support requests for information from law enforcement and government agencies.
-* R-xxxxx The VNF **MUST** implement “Closed Loop” automatic implementation (without human intervention) for Known Threats with detection rate in low false positives.
-* R-xxxxx The VNF **MUST** perform data capture for security functions.
-* R-xxxxx The VNF **MUST** generate security audit logs that must be sent to Security Analytics Tools for analysis.
-* R-xxxxx The VNF **MUST** provide audit logs that include user ID, dates, times for log-on and log-off, and terminal location at minimum.
-* R-xxxxx The VNF **MUST** provide security audit logs including records of successful and rejected system access data and other resource access attempts.
-* R-xxxxx The VNF **MUST** support the storage of security audit logs for agreed period of time for forensic analysis.
-* R-xxxxx The VNF **MUST** provide the capability of generating security audit logs by interacting with the operating system (OS) as appropriate.
-* R-xxxxx The VNF **MUST** have security logging for VNFs and their OSs be active from initialization. Audit logging includes automatic routines to maintain activity records and cleanup programs to ensure the integrity of the audit/logging systems.
+* R-48470 The VNF **MUST** support Real-time detection and notification of security events.
+* R-22286 The VNF **MUST** support Integration functionality via API/Syslog/SNMP to other functional modules in the network (e.g., PCRF, PCEF) that enable dynamic security control by blocking the malicious traffic or malicious end users
+* R-32636 The VNF **MUST** support API-based monitoring to take care of the scenarios where the control interfaces are not exposed, or are optimized and proprietary in nature.
+* R-61648 The VNF **MUST** support event logging, formats, and delivery tools to provide the required degree of event data to ONAP
+* R-22367 The VNF **MUST** support detection of malformed packets due to software misconfiguration or software vulnerability.
+* R-31961 The VNF **MUST** support integrated DPI/monitoring functionality as part of VNFs (e.g., PGW, MME).
+* R-20912 The VNF **MUST** support alternative monitoring capabilities when VNFs do not expose data or control traffic or use proprietary and optimized protocols for inter VNF communication.
+* R-73223 The VNF **MUST** support proactive monitoring to detect and report the attacks on resources so that the VNFs and associated VMs can be isolated, such as detection techniques for resource exhaustion, namely OS resource attacks, CPU attacks, consumption of kernel memory, local storage attacks.
+* R-58370 The VNF **MUST** coexist and operate normally with commercial anti-virus software which shall produce alarms every time when there is a security incident.
+* R-56920 The VNF **MUST** protect all security audit logs (including API, OS and application-generated logs), security audit software, data, and associated documentation from modification, or unauthorized viewing, by standard OS access control mechanisms, by sending to a remote system, or by encryption.
+* R-54520 The VNF **MUST** log successful and unsuccessful login attempts.
+* R-55478 The VNF **MUST** log logoffs.
+* R-08598 The VNF **MUST** log successful and unsuccessful changes to a privilege level.
+* R-13344 The VNF **MUST** log starting and stopping of security logging
+* R-07617 The VNF **MUST** log creating, removing, or changing the inherent privilege level of users.
+* R-94525 The VNF **MUST** log connections to a network listener of the resource.
+* R-31614 The VNF **MUST** log the field “event type” in the security audit logs.
+* R-97445 The VNF **MUST** log the field “date/time” in the security audit logs.
+* R-25547 The VNF **MUST** log the field “protocol” in the security audit logs.
+* R-06413 The VNF **MUST** log the field “service or program used for access” in the security audit logs.
+* R-15325 The VNF **MUST** log the field “success/failure” in the security audit logs.
+* R-89474 The VNF **MUST** log the field “Login ID” in the security audit logs.
+* R-04982 The VNF **MUST NOT** include an authentication credential, e.g., password, in the security audit logs, even if encrypted.
+* R-63330 The VNF **MUST** detect when the security audit log storage medium is approaching capacity (configurable) and issue an alarm via SMS or equivalent as to allow time for proper actions to be taken to pre-empt loss of audit data.
+* R-41252 The VNF **MUST** support the capability of online storage of security audit logs.
+* R-41825 The VNF **MUST** activate security alarms automatically when the following event is detected: configurable number of consecutive unsuccessful login attempts
+* R-43332 The VNF **MUST** activate security alarms automatically when the following event is detected: successful modification of critical system or application files
+* R-74958 The VNF **MUST** activate security alarms automatically when the following event is detected: unsuccessful attempts to gain permissions or assume the identity of another user
+* R-15884 The VNF **MUST** include the field “date” in the Security alarms (where applicable and technically feasible).
+* R-23957 The VNF **MUST** include the field “time” in the Security alarms (where applicable and technically feasible).
+* R-71842 The VNF **MUST** include the field “service or program used for access” in the Security alarms (where applicable and technically feasible).
+* R-57617 The VNF **MUST** include the field “success/failure” in the Security alarms (where applicable and technically feasible).
+* R-99730 The VNF **MUST** include the field “Login ID” in the Security alarms (where applicable and technically feasible).
+* R-29705 The VNF **MUST** restrict changing the criticality level of a system security alarm to administrator(s).
+* R-13627 The VNF **MUST** monitor API invocation patterns to detect anomalous access patterns that may represent fraudulent access or other types of attacks, or integrate with tools that implement anomaly and abuse detection.
+* R-21819 The VNF **MUST** support requests for information from law enforcement and government agencies.
+* R-56786 The VNF **MUST** implement “Closed Loop” automatic implementation (without human intervention) for Known Threats with detection rate in low false positives.
+* R-25094 The VNF **MUST** perform data capture for security functions.
+* R-04492 The VNF **MUST** generate security audit logs that must be sent to Security Analytics Tools for analysis.
+* R-19219 The VNF **MUST** provide audit logs that include user ID, dates, times for log-on and log-off, and terminal location at minimum.
+* R-30932 The VNF **MUST** provide security audit logs including records of successful and rejected system access data and other resource access attempts.
+* R-54816 The VNF **MUST** support the storage of security audit logs for agreed period of time for forensic analysis.
+* R-57271 The VNF **MUST** provide the capability of generating security audit logs by interacting with the operating system (OS) as appropriate.
+* R-84160 The VNF **MUST** have security logging for VNFs and their OSs be active from initialization. Audit logging includes automatic routines to maintain activity records and cleanup programs to ensure the integrity of the audit/logging systems.
VNF Data Protection Requirements
--------------------------------
Data Protection Requirements
-* R-xxxxx The VNF **MUST** provide the capability to restrict read and write access to data.
-* R-xxxxx The VNF **MUST** provide the capability to restrict access to data to specific users.
-* R-xxxxx The VNF **MUST** Provide the capability to encrypt data in transit on a physical or virtual network.
-* R-xxxxx The VNF **MUST** provide the capability to encrypt data on non-volatile memory.
-* R-xxxxx The VNF **SHOULD** disable the paging of the data requiring encryption, if possible, where the encryption of non-transient data is required on a device for which the operating system performs paging to virtual memory. If not possible to disable the paging of the data requiring encryption, the virtual memory should be encrypted.
-* R-xxxxx The VNF **MUST** provide the capability to integrate with an external encryption service.
-* R-xxxxx The VNF **MUST** use industry standard cryptographic algorithms and standard modes of operations when implementing cryptography.
-* R-xxxxx The VNF **SHOULD** use commercial algorithms only when there are no applicable governmental standards for specific cryptographic functions, e.g., public key cryptography, message digests.
-* R-xxxxx The VNF **MUST NOT** use the SHA, DSS, MD5, SHA-1 and Skipjack algorithms or other compromised encryption.
-* R-xxxxx The VNF **MUST** use, whenever possible, standard implementations of security applications, protocols, and format, e.g., S/MIME, TLS, SSH, IPSec, X.509 digital certificates for cryptographic implementations. These implementations must be purchased from reputable vendors and must not be developed in-house.
-* R-xxxxx The VNF **MUST** provide the ability to migrate to newer versions of cryptographic algorithms and protocols with no impact.
-* R-xxxxx The VNF **MUST** use symmetric keys of at least 112 bits in length.
-* R-xxxxx The VNF **MUST** use asymmetric keys of at least 2048 bits in length.
-* R-xxxxx The VNF **MUST** use commercial tools that comply with X.509 standards and produce x.509 compliant keys for public/private key generation.
-* R-xxxxx The VNF **MUST NOT** use keys generated or derived from predictable functions or values, e.g., values considered predictable include user identity information, time of day, stored/transmitted data.
-* R-xxxxx The VNF **MUST** provide the capability to configure encryption algorithms or devices so that they comply with the laws of the jurisdiction in which there are plans to use data encryption.
-* R-xxxxx The VNF **MUST** provide the capability of using certificates issued from a Certificate Authority not provided by the VNF vendor.
-* R-xxxxx The VNF **MUST** provide the capability of allowing certificate renewal and revocation.
-* R-xxxxx The VNF **MUST** provide the capability of testing the validity of a digital certificate by validating the CA signature on the certificate.
-* R-xxxxx The VNF **MUST** provide the capability of testing the validity of a digital certificate by validating the date the certificate is being used is within the validity period for the certificate.
-* R-xxxxx The VNF **MUST** provide the capability of testing the validity of a digital certificate by checking the Certificate Revocation List (CRL) for the certificates of that type to ensure that the certificate has not been revoked.
-* R-xxxxx The VNF **MUST** provide the capability of testing the validity of a digital certificate by recognizing the identity represented by the certificate — the "distinguished name".
+* R-58964 The VNF **MUST** provide the capability to restrict read and write access to data.
+* R-99112 The VNF **MUST** provide the capability to restrict access to data to specific users.
+* R-83227 The VNF **MUST** Provide the capability to encrypt data in transit on a physical or virtual network.
+* R-32641 The VNF **MUST** provide the capability to encrypt data on non-volatile memory.
+* R-13151 The VNF **SHOULD** disable the paging of the data requiring encryption, if possible, where the encryption of non-transient data is required on a device for which the operating system performs paging to virtual memory. If not possible to disable the paging of the data requiring encryption, the virtual memory should be encrypted.
+* R-93860 The VNF **MUST** provide the capability to integrate with an external encryption service.
+* R-73067 The VNF **MUST** use industry standard cryptographic algorithms and standard modes of operations when implementing cryptography.
+* R-22645 The VNF **SHOULD** use commercial algorithms only when there are no applicable governmental standards for specific cryptographic functions, e.g., public key cryptography, message digests.
+* R-12467 The VNF **MUST NOT** use the SHA, DSS, MD5, SHA-1 and Skipjack algorithms or other compromised encryption.
+* R-02170 The VNF **MUST** use, whenever possible, standard implementations of security applications, protocols, and format, e.g., S/MIME, TLS, SSH, IPSec, X.509 digital certificates for cryptographic implementations. These implementations must be purchased from reputable vendors and must not be developed in-house.
+* R-70933 The VNF **MUST** provide the ability to migrate to newer versions of cryptographic algorithms and protocols with no impact.
+* R-44723 The VNF **MUST** use symmetric keys of at least 112 bits in length.
+* R-25401 The VNF **MUST** use asymmetric keys of at least 2048 bits in length.
+* R-95864 The VNF **MUST** use commercial tools that comply with X.509 standards and produce x.509 compliant keys for public/private key generation.
+* R-12110 The VNF **MUST NOT** use keys generated or derived from predictable functions or values, e.g., values considered predictable include user identity information, time of day, stored/transmitted data.
+* R-52060 The VNF **MUST** provide the capability to configure encryption algorithms or devices so that they comply with the laws of the jurisdiction in which there are plans to use data encryption.
+* R-69610 The VNF **MUST** provide the capability of using certificates issued from a Certificate Authority not provided by the VNF vendor.
+* R-83500 The VNF **MUST** provide the capability of allowing certificate renewal and revocation.
+* R-29977 The VNF **MUST** provide the capability of testing the validity of a digital certificate by validating the CA signature on the certificate.
+* R-24359 The VNF **MUST** provide the capability of testing the validity of a digital certificate by validating the date the certificate is being used is within the validity period for the certificate.
+* R-39604 The VNF **MUST** provide the capability of testing the validity of a digital certificate by checking the Certificate Revocation List (CRL) for the certificates of that type to ensure that the certificate has not been revoked.
+* R-75343 The VNF **MUST** provide the capability of testing the validity of a digital certificate by recognizing the identity represented by the certificate — the "distinguished name".
d. VNF Modularity
=================
3. Independent Cinder Volume Modules
-* R-xxxxx The VNF **MUST** follow the naming convention (Section 5.b Filenames) for the ONAP Heat template. The naming convention identifies the module type.
+* R-05810 The VNF **MUST** follow the naming convention (Section 5.b Filenames) for the ONAP Heat template. The naming convention identifies the module type.
-* R-xxxxx The VNF **MUST** be composed of one “base” VNF module (also called a base module).
-* R-xxxxx The VNF **MAY** have zero to many “incremental” or “add on” VNF modules.
-* R-xxxxx The VNF **MUST** deploy the base module first, prior to the add-on modules.
+* R-37028 The VNF **MUST** be composed of one “base” VNF module (also called a base module).
+* R-41215 The VNF **MAY** have zero to many “incremental” or “add on” VNF modules.
+* R-20974 The VNF **MUST** deploy the base module first, prior to the add-on modules.
A module can be thought of as equivalent to a Heat template, where a
Heat template is composed of a YAML file and an environment file (also
persist after VNF deletion so that the volume can be reused on another
instance (e.g. during a failover activity).
-* R-xxxxx The VNF **MUST** keep the scope of a volume module, when it exists, to be 1:1 with the VNF Module (base or add-on).
-* R-xxxxx The VNF **MUST** create only the volumes needed by a single VNF module (base or add-on) in a single volume module.
+* R-11200 The VNF **MUST** keep the scope of a volume module, when it exists, to be 1:1 with the VNF Module (base or add-on).
+* R-93670 The VNF **MUST** create only the volumes needed by a single VNF module (base or add-on) in a single volume module.
These concepts will be described in more detail throughout the document.
This overview is provided to set the stage and help clarify the concepts
requires it. A Heat template is used to create or deploy a Heat stack.
Therefore, a module is also equivalent to a Heat Stack.
-* R-xxxxx The VNF **MUST** have a corresponding environment file for given YAML file.
+* R-74385 The VNF **MUST** have a corresponding environment file for given YAML file.
However, there are cases where a module maybe composed of more than one
Heat stack and/or more than one YAML file.
and/or base template if persistence is not required, thus not
requiring the optional Volume template.
-* R-xxxxx The VNF **MAY** have a VNF module that supports nested templates. In this case, there will be
-one or more additional YAML files.
+* R-52501 The VNF **MAY** have a VNF module that supports nested templates. In this case, there will be one or more additional YAML files.
-* R-xxxxx The VNF **MUST** expose any shared resource defined in the base module template and used across the entire VNF (e.g., private networks, server groups) to the incremental or add-on modules by declaring their resource UUIDs as Heat outputs (i.e., ONAP Base Template Output Parameter in the output section of the Heat template).Those outputs will be provided by ONAP as input parameter values to all add-on module Heat templates in the VNF that have declared the parameter in the template.
+* R-78037 The VNF **MUST** expose any shared resource defined in the base module template and used across the entire VNF (e.g., private networks, server groups) to the incremental or add-on modules by declaring their resource UUIDs as Heat outputs (i.e., ONAP Base Template Output Parameter in the output section of the Heat template).Those outputs will be provided by ONAP as input parameter values to all add-on module Heat templates in the VNF that have declared the parameter in the template.
*Note:* A Cinder volume is *not* considered a shared resource. A volume
template must correspond 1:1 with a base template or add-on module
Scaling Considerations
----------------------
-* R-xxxxx The VNF **MAY** be scaled by (**static scaling**) manually driven to add new capacity or **(dynamic scaling)** driven in near real-time by the ONAP controllers based on a real-time need.
+* R-56853 The VNF **MAY** be scaled by (**static scaling**) manually driven to add new capacity or **(dynamic scaling)** driven in near real-time by the ONAP controllers based on a real-time need.
With VNF Modularity, the recommended approach for scaling is to provide
additional “growth unit” templates that can be used to create additional
- Growth templates can use the private networks and other shared
resources exposed by the Base Module template.
-* R-xxxxx The VNF **SHOULD** be scaled by providing additional "growth unit" templates that can be used to create additional resources in logical scaling increments.
+* R-87957 The VNF **SHOULD** be scaled by providing additional "growth unit" templates that can be used to create additional resources in logical scaling increments.
VNF Modules may also be updated “in-place” using the OpenStack Heat
Update capability, by deploying an updated Heat template with different
contained in the original module template*. Note that this also requires
re-specification of all existing parameters as well as new ones.
-* R-xxxxx The VNF **MAY** be scaled "in-place" using the OpenStack Heat update capability.
+* R-99074 The VNF **MAY** be scaled "in-place" using the OpenStack Heat update capability.
*For this approach:*
DevOps Requirements
-* R-xxxxx The VNF **MUST** utilize only the Guest OS versions that are supported by the NCSP’s Network Cloud. [1]_
-* R-xxxxx The VNF **SHOULD** utilize only NCSP provided Guest OS images. [2]_
-* R-xxxxx The VNF **MUST** utilize only NCSP standard compute flavors. [2]_
-* R-xxxxx The VNF **MUST** preserve their persistent data. Running VMs will not be backed up in the Network Cloud infrastructure.
-* R-xxxxx The VNFC **MUST** be installed on non-root file systems, unless software is specifically included with the operating system distribution of the guest image.
-* R-xxxxx The VNF **MUST** be agnostic to the underlying infrastructure (such as hardware, host OS, Hypervisor), any requirements should be provided as specification to be fulfilled by any hardware.
-* R-xxxxx The VNF **MUST NOT** require Hypervisor-level customization from the cloud provider.
-* R-xxxxx The VNF **SHOULD** provide an automated test suite to validate every new version of the software on the target environment(s). The tests should be of sufficient granularity to independently test various representative VNF use cases throughout its lifecycle. Operations might choose to invoke these tests either on a scheduled basis or on demand to support various operations functions including test, turn-up and troubleshooting.
-* R-xxxxx The VNF **SHOULD** provide the ability to test incremental growth of the VNF.
-* R-xxxxx The VNF **MUST** respond to a "move traffic" [3]_ command against a specific VNFC, moving all existing session elsewhere with minimal disruption if a VNF provides a load balancing function across multiple instances of its VNFCs. Note: Individual VNF performance aspects (e.g., move duration or disruption scope) may require further constraints.
-* R-xxxxx The VNF **MUST** respond to a "drain VNFC" [2]_ command against a specific VNFC, preventing new session from reaching the targeted VNFC, with no disruption to active sessions on the impacted VNFC, if a VNF provides a load balancing function across multiple instances of its VNFCs. This is used to support scenarios such as proactive maintenance with no user impact,
+* R-46960 The VNF **MUST** utilize only the Guest OS versions that are supported by the NCSP’s Network Cloud. [1]_
+* R-23475 The VNF **SHOULD** utilize only NCSP provided Guest OS images. [2]_
+* R-09467 The VNF **MUST** utilize only NCSP standard compute flavors. [2]_
+* R-02997 The VNF **MUST** preserve their persistent data. Running VMs will not be backed up in the Network Cloud infrastructure.
+* R-29760 The VNFC **MUST** be installed on non-root file systems, unless software is specifically included with the operating system distribution of the guest image.
+* R-20860 The VNF **MUST** be agnostic to the underlying infrastructure (such as hardware, host OS, Hypervisor), any requirements should be provided as specification to be fulfilled by any hardware.
+* R-89800 The VNF **MUST NOT** require Hypervisor-level customization from the cloud provider.
+* R-86758 The VNF **SHOULD** provide an automated test suite to validate every new version of the software on the target environment(s). The tests should be of sufficient granularity to independently test various representative VNF use cases throughout its lifecycle. Operations might choose to invoke these tests either on a scheduled basis or on demand to support various operations functions including test, turn-up and troubleshooting.
+* R-39650 The VNF **SHOULD** provide the ability to test incremental growth of the VNF.
+* R-14853 The VNF **MUST** respond to a "move traffic" [3]_ command against a specific VNFC, moving all existing session elsewhere with minimal disruption if a VNF provides a load balancing function across multiple instances of its VNFCs. Note: Individual VNF performance aspects (e.g., move duration or disruption scope) may require further constraints.
+* R-06327 The VNF **MUST** respond to a "drain VNFC" [2]_ command against a specific VNFC, preventing new session from reaching the targeted VNFC, with no disruption to active sessions on the impacted VNFC, if a VNF provides a load balancing function across multiple instances of its VNFCs. This is used to support scenarios such as proactive maintenance with no user impact,
f. VNF Develop Steps
=======================
**Resource Description**
-* R-xxxxx The VNF Vendor **MUST** include a Manifest File that contains a list of all the components in the VNF package.
-* R-xxxxx The VNF Package **MUST** include VNF Identification Data to uniquely identify the resource for a given Vendor. The identification data must include: an identifier for the VNF, the name of the VNF as was given by the VNF Vendor, VNF description, VNF Vendor, and version.
-* R-xxxxx The VNF Package **MUST** include documentation describing VNF Management APIs. The document must include information and tools for:
+* R-77707 The VNF Vendor **MUST** include a Manifest File that contains a list of all the components in the VNF package.
+* R-66070 The VNF Package **MUST** include VNF Identification Data to uniquely identify the resource for a given Vendor. The identification data must include: an identifier for the VNF, the name of the VNF as was given by the VNF Vendor, VNF description, VNF Vendor, and version.
+* R-69565 The VNF Package **MUST** include documentation describing VNF Management APIs. The document must include information and tools for:
- ONAP to deploy and configure (initially and ongoing) the VNF application(s) (e.g., NETCONF APIs). Includes description of configurable parameters for the VNF and whether the parameters can be configured after VNF instantiation.
- ONAP to monitor the health of the VNF (conditions that require healing and/or scaling responses). Includes a description of:
- Parameters that can be monitored for the VNF and event records (status, fault, flow, session, call, control plane, etc.) generated by the VNF after instantiation.
- Runtime lifecycle events and related actions (e.g., control responses, tests) which can be performed for the VNF.
-* R-xxxxx The VNF Package **MUST** include documentation describing VNF Functional APIs that are utilized to build network and application services. This document describes the externally exposed functional inputs and outputs for the VNF, including interface format and protocols supported.
-* R-xxxxx The VNF Vendor **MUST** provide documentation describing VNF Functional Capabilities that are utilized to operationalize the VNF and compose complex services.
-* R-xxxxx The VNF Vendor **MUST** provide information regarding any dependency (e.g., affinity, anti-affinity) with other VNFs and resources.
+
+* R-84366 The VNF Package **MUST** include documentation describing VNF Functional APIs that are utilized to build network and application services. This document describes the externally exposed functional inputs and outputs for the VNF, including interface format and protocols supported.
+* R-36280 The VNF Vendor **MUST** provide documentation describing VNF Functional Capabilities that are utilized to operationalize the VNF and compose complex services.
+* R-98617 The VNF Vendor **MUST** provide information regarding any dependency (e.g., affinity, anti-affinity) with other VNFs and resources.
**Resource Configuration**
-* R-xxxxx The VNF **MUST** support and provide artifacts for configuration management using at least one of the following technologies:
+* R-89571 The VNF **MUST** support and provide artifacts for configuration management using at least one of the following technologies:
+
- Netconf/YANG
- Chef
- Ansible
+
Note: The requirements for Netconf/YANG, Chef, and Ansible protocols are provided separately and must be supported only if the corresponding protocol option is provided by the vendor.
**Configuration Management via Netconf/YANG**
- * R-xxxxx The VNF Vendor **MUST** provide a Resource/Device YANG model as a foundation for creating the YANG model for configuration. This will include VNF attributes/parameters and valid values/attributes configurable by policy.
+ * R-30278 The VNF Vendor **MUST** provide a Resource/Device YANG model as a foundation for creating the YANG model for configuration. This will include VNF attributes/parameters and valid values/attributes configurable by policy.
+
**Configuration Management via Chef**
- * R-xxxxx The VNF Vendor **MUST** provide cookbooks to be loaded on the appropriate Chef Server.
- * R-xxxxx The VNF Vendor **MUST** provide a JSON file for each supported action for the VNF. The JSON file must contain key value pairs with all relevant values populated with sample data that illustrates its usage. The fields and their description are defined in Appendix A.
+ * R-13390 The VNF Vendor **MUST** provide cookbooks to be loaded on the appropriate Chef Server.
+ * R-18525 The VNF Vendor **MUST** provide a JSON file for each supported action for the VNF. The JSON file must contain key value pairs with all relevant values populated with sample data that illustrates its usage. The fields and their description are defined in Appendix A.
+
Note: Chef support in ONAP is not currently available and planned for 4Q 2017.
**Configuration Management via Ansible**
- * R-xxxxx The VNF Vendor **MUST** provide playbooks to be loaded on the appropriate Ansible Server.
- * R-xxxxx The VNF Vendor **MUST** provide a JSON file for each supported action for the VNF. The JSON file must contain key value pairs with all relevant values populated with sample data that illustrates its usage. The fields and their description are defined in Appendix B.
+ * R-75608 The VNF Vendor **MUST** provide playbooks to be loaded on the appropriate Ansible Server.
+ * R-16777 The VNF Vendor **MUST** provide a JSON file for each supported action for the VNF. The JSON file must contain key value pairs with all relevant values populated with sample data that illustrates its usage. The fields and their description are defined in Appendix B.
+
Note: Ansible support in ONAP is not currently available and planned for 4Q 2017.
-* R-xxxxx The VNF Package **MUST** include configuration scripts for boot sequence and configuration.
-* R-xxxxx The VNF Vendor **MUST** provide configurable parameters (if unable to conform to YANG model) including VNF attributes/parameters and valid values, dynamic attributes and cross parameter dependencies (e.g., customer provisioning data).
+
+* R-46567 The VNF Package **MUST** include configuration scripts for boot sequence and configuration.
+* R-16065 The VNF Vendor **MUST** provide configurable parameters (if unable to conform to YANG model) including VNF attributes/parameters and valid values, dynamic attributes and cross parameter dependencies (e.g., customer provisioning data).
**Resource Control Loop**
-* R-xxxxx The VNF Vendor **MUST** provide documentation for the VNF Policy Description to manage the VNF runtime lifecycle. The document must include a description of how the policies (conditions and actions) are implemented in the VNF.
-* R-xxxxx The VNF Package **MUST** include documentation describing the fault, performance, capacity events/alarms and other event records that are made available by the VNF. The document must include:
+* R-22888 The VNF Vendor **MUST** provide documentation for the VNF Policy Description to manage the VNF runtime lifecycle. The document must include a description of how the policies (conditions and actions) are implemented in the VNF.
+* R-01556 The VNF Package **MUST** include documentation describing the fault, performance, capacity events/alarms and other event records that are made available by the VNF. The document must include:
+
- A unique identification string for the specific VNF, a description of the problem that caused the error, and steps or procedures to perform Root Cause Analysis and resolve the issue.
- All events, severity level (e.g., informational, warning, error) and descriptions including causes/fixes if applicable for the event.
- All events (fault, measurement for VNF Scaling, Syslogs, State Change and Mobile Flow), that need to be collected at each VM, VNFC (defined in *VNF Guidelines for Network Cloud and ONAP*) and for the overall VNF.
-* R-xxxxx The VNF Vendor **MUST** provide an XML file that contains a list of VNF error codes, descriptions of the error, and possible causes/corrective action.
-* R-xxxxx The VNF Package **MUST** include documentation describing all parameters that are available to monitor the VNF after instantiation (includes all counters, OIDs, PM data, KPIs, etc.) that must be collected for reporting purposes. The documentation must include a list of:
+
+* R-27711 The VNF Vendor **MUST** provide an XML file that contains a list of VNF error codes, descriptions of the error, and possible causes/corrective action.
+* R-01478 The VNF Package **MUST** include documentation describing all parameters that are available to monitor the VNF after instantiation (includes all counters, OIDs, PM data, KPIs, etc.) that must be collected for reporting purposes. The documentation must include a list of:
- Monitoring parameters/counters exposed for virtual resource management and VNF application management.
- KPIs and metrics that need to be collected at each VM for capacity planning and performance management purposes.
- For each KPI, identify the suggested actions that need to be performed when a threshold crossing alert event is recorded.
- Describe any requirements for the monitoring component of tools for Network Cloud automation and management to provide these records to components of the VNF.
- When applicable, provide calculators needed to convert raw data into appropriate reporting artifacts.
-* R-xxxxx The VNF Package **MUST** include documentation describing supported VNF scaling capabilities and capacity limits (e.g., number of users, bandwidth, throughput, concurrent calls).
-* R-xxxxx The VNF Package **MUST** include documentation describing the characteristics for the VNF reliability and high availability.
-* R-xxxxx The VNF Vendor **MUST** provide an artifact per VNF that contains all of the VNF Event Records supported. The artifact should include reference to the specific release of the VNF Event Stream Common Event Data Model document it is based on. ( `AT&T Service Specification; Service: VES Event Listener <https://github.com/att/evel-test-collector/tree/master/docs/att_interface_definition>`__)
+
+* R-56815 The VNF Package **MUST** include documentation describing supported VNF scaling capabilities and capacity limits (e.g., number of users, bandwidth, throughput, concurrent calls).
+* R-48596 The VNF Package **MUST** include documentation describing the characteristics for the VNF reliability and high availability.
+* R-74763 The VNF Vendor **MUST** provide an artifact per VNF that contains all of the VNF Event Records supported. The artifact should include reference to the specific release of the VNF Event Stream Common Event Data Model document it is based on. ( `AT&T Service Specification; Service: VES Event Listener <https://github.com/att/evel-test-collector/tree/master/docs/att_interface_definition>`__)
**Compute, Network, abd Storage Requirements**
-* R-xxxxx The VNF Package **MUST** include VNF topology that describes basic network and application connectivity internal and external to the VNF including Link type, KPIs, Bandwidth, latency, jitter, QoS (if applicable) for each interface.
-* R-xxxxx The VNF Package **MUST** include VM requirements via a Heat template that provides the necessary data for:
+* R-35851 The VNF Package **MUST** include VNF topology that describes basic network and application connectivity internal and external to the VNF including Link type, KPIs, Bandwidth, latency, jitter, QoS (if applicable) for each interface.
+* R-97102 The VNF Package **MUST** include VM requirements via a Heat template that provides the necessary data for:
- - VM specifications for all VNF components - for hypervisor, CPU, memory, storage.
+- VM specifications for all VNF components - for hypervisor, CPU, memory, storage.
- Network connections, interface connections, internal and external to VNF.
- High availability redundancy model.
- Scaling/growth VM specifications.
+
Note: Must comply with the *Heat requirements in 5.b*.
-* R-xxxxx The VNF Vendor **MUST** provide the binaries and images needed to instantiate the VNF (VNF and VNFC images).
-* R-xxxxx The VNF Vendor **MUST** describe scaling capabilities to manage scaling characteristics of the VNF.
+
+* R-26881 The VNF Vendor **MUST** provide the binaries and images needed to instantiate the VNF (VNF and VNFC images).
+* R-96634 The VNF Vendor **MUST** describe scaling capabilities to manage scaling characteristics of the VNF.
**Testing**
-* R-xxxxx The VNF Package **MUST** include documentation describing the tests that were conducted by the Vendor and the test results.
-* R-xxxxx The VNF Vendor **MUST** provide their testing scripts to support testing.
-* R-xxxxx The VNF Vendor **MUST** provide software components that can be packaged with/near the VNF, if needed, to simulate any functions or systems that connect to the VNF system under test. This component is necessary only if the existing testing environment does not have the necessary simulators.
+* R-43958 The VNF Package **MUST** include documentation describing the tests that were conducted by the Vendor and the test results.
+* R-04298 The VNF Vendor **MUST** provide their testing scripts to support testing.
+* R-58775 The VNF Vendor **MUST** provide software components that can be packaged with/near the VNF, if needed, to simulate any functions or systems that connect to the VNF system under test. This component is necessary only if the existing testing environment does not have the necessary simulators.
**Licensing Requirements**
-* R-xxxxx The VNF **MUST** provide metrics (e.g., number of sessions, number of subscribers, number of seats, etc.) to ONAP for tracking every license.
-* R-xxxxx The VNF Vendor **MUST** agree to the process that can be met by Service Provider reporting infrastructure. The Contract shall define the reporting process and the available reporting tools.
-* R-xxxxx The VNF Vendor **MUST** enumerate all of the open source licenses their VNF(s) incorporate.
-* R-xxxxx The VNF Vendor **MUST NOT** require audits of Service Provider’s business.
-* R-xxxxx The VNF Vendor **MUST NOT** require additional infrastructure such as a vendor license server for Vendor functions and metrics..
-* R-xxxxx The VNF **MUST** provide clear measurements for licensing purposes to allow automated scale up/down by the management system.
-* R-xxxxx The VNF Vendor **MUST** provide the ability to scale up a vendor supplied product during growth and scale down a vendor supplied product during decline without “real-time” restrictions based upon vendor permissions.
-* R-xxxxx The VNF Vendor **MUST** provide a universal license key per VNF to be used as needed by services (i.e., not tied to a VM instance) as the recommended solution. The vendor may provide pools of Unique VNF License Keys, where there is a unique key for each VNF instance as an alternate solution. Licensing issues should be resolved without interrupting in-service VNFs.
-* R-xxxxx The VNF Vendor **MUST** support the metadata about licenses (and their applicable entitlements) as defined in this document for VNF software, and any license keys required to authorize use of the VNF software. This metadata will be used to facilitate onboarding the VNF into the ONAP environment and automating processes for putting the licenses into use and managing the full lifecycle of the licenses. The details of this license model are described in Appendix C. Note: License metadata support in ONAP is not currently available and planned for 1Q 2018.
+* R-85653 The VNF **MUST** provide metrics (e.g., number of sessions, number of subscribers, number of seats, etc.) to ONAP for tracking every license.
+* R-44125 The VNF Vendor **MUST** agree to the process that can be met by Service Provider reporting infrastructure. The Contract shall define the reporting process and the available reporting tools.
+* R-40827 The VNF Vendor **MUST** enumerate all of the open source licenses their VNF(s) incorporate.
+* R-97293 The VNF Vendor **MUST NOT** require audits of Service Provider’s business.
+* R-44569 The VNF Vendor **MUST NOT** require additional infrastructure such as a vendor license server for Vendor functions and metrics..
+* R-13613 The VNF **MUST** provide clear measurements for licensing purposes to allow automated scale up/down by the management system.
+* R-27511 The VNF Vendor **MUST** provide the ability to scale up a vendor supplied product during growth and scale down a vendor supplied product during decline without “real-time” restrictions based upon vendor permissions.
+* R-85991 The VNF Vendor **MUST** provide a universal license key per VNF to be used as needed by services (i.e., not tied to a VM instance) as the recommended solution. The vendor may provide pools of Unique VNF License Keys, where there is a unique key for each VNF instance as an alternate solution. Licensing issues should be resolved without interrupting in-service VNFs.
+* R-47849 The VNF Vendor **MUST** support the metadata about licenses (and their applicable entitlements) as defined in this document for VNF software, and any license keys required to authorize use of the VNF software. This metadata will be used to facilitate onboarding the VNF into the ONAP environment and automating processes for putting the licenses into use and managing the full lifecycle of the licenses. The details of this license model are described in Appendix C. Note: License metadata support in ONAP is not currently available and planned for 1Q 2018.
c. Configuration Management
===========================
**Configuration Management**
-* R-xxxxx The VNF **MUST** include a NETCONF server enabling runtime configuration and lifecycle management capabilities.
-* R-xxxxx The VNF **MUST** provide a NETCONF interface fully defined by supplied YANG models for the embedded NETCONF server.
+* R-88026 The VNF **MUST** include a NETCONF server enabling runtime configuration and lifecycle management capabilities.
+* R-95950 The VNF **MUST** provide a NETCONF interface fully defined by supplied YANG models for the embedded NETCONF server.
**NETCONF Server Requirements**
-* R-xxxxx The VNF **MUST** allow the NETCONF server connection parameters to be configurable during virtual machine instantiation through Heat templates where SSH keys, usernames, passwords, SSH service and SSH port numbers are Heat template parameters.
-* R-xxxxx The VNF **MUST** implement the protocol operation: **close-session()**- Gracefully close the current session.
-* R-xxxxx The VNF **MUST** implement the protocol operation: **commit(confirmed, confirm-timeout)** - Commit candidate configuration datastore to the running configuration.
-* R-xxxxx The VNF **MUST** implement the protocol operation: **discard-changes()** - Revert the candidate configuration datastore to the running configuration.
-* R-xxxxx The VNF **MUST** implement the protocol operation: **edit-config(target, default-operation, test-option, error-option, config)** - Edit the target configuration datastore by merging, replacing, creating, or deleting new config elements.
-* R-xxxxx The VNF **MUST** implement the protocol operation: **get(filter)** - Retrieve (a filtered subset of) the running configuration and device state information. This should include the list of VNF supported schemas.
-* R-xxxxx The VNF **MUST** implement the protocol operation: **get-config(source, filter)** - Retrieve a (filtered subset of a) configuration from the configuration datastore source.
-* R-xxxxx The VNF **MUST** implement the protocol operation: **kill-session(session)** - Force the termination of **session**.
-* R-xxxxx The VNF **MUST** implement the protocol operation: **lock(target)** - Lock the configuration datastore target.
-* R-xxxxx The VNF **MUST** implement the protocol operation: **unlock(target)** - Unlock the configuration datastore target.
-* R-xxxxx The VNF **SHOULD** implement the protocol operation: **copy-config(target, source) -** Copy the content of the configuration datastore source to the configuration datastore target.
-* R-xxxxx The VNF **SHOULD** implement the protocol operation: **delete-config(target) -** Delete the named configuration datastore target.
-* R-xxxxx The VNF **SHOULD** implement the protocol operation: **get-schema(identifier, version, format) -** Retrieve the YANG schema.
-* R-xxxxx The VNF **MUST** allow all configuration data shall to be edited through a NETCONF <edit-config> operation. Proprietary NETCONF RPCs that make configuration changes are not sufficient.
-* R-xxxxx The VNF **MUST** allow the entire configuration of the VNF to be retrieved via NETCONF's <get-config> and <edit-config>, independently of whether it was configured via NETCONF or other mechanisms.
-* R-xxxxx The VNF **MUST** support **:partial-lock** and **:partial-unlock** capabilities, defined in RFC 5717. This allows multiple independent clients to each write to a different part of the <running> configuration at the same time.
-* R-xxxxx The VNF **MUST** support **:rollback-on-error** value for the <error-option> parameter to the <edit-config> operation. If any error occurs during the requested edit operation, then the target database (usually the running configuration) will be left affected. This provides an 'all-or-nothing' edit mode for a single <edit-config> request.
-* R-xxxxx The VNF **MUST** support the **:startup** capability. It will allow the running configuration to be copied to this special database. It can also be locked and unlocked.
-* R-xxxxx The VNF **MUST** support the **:url** value to specify protocol operation source and target parameters. The capability URI for this feature will indicate which schemes (e.g., file, https, sftp) that the server supports within a particular URL value. The 'file' scheme allows for editable local configuration databases. The other schemes allow for remote storage of configuration databases.
-* R-xxxxx The VNF **MUST** implement at least one of the capabilities **:candidate** or **:writable-running**. If both **:candidate** and **:writable-running** are provided then two locks should be supported.
-* R-xxxxx The VNF **MUST** fully support the XPath 1.0 specification for filtered retrieval of configuration and other database contents. The 'type' attribute within the <filter> parameter for <get> and <get-config> operations may be set to 'xpath'. The 'select' attribute (which contains the XPath expression) will also be supported by the server. A server may support partial XPath retrieval filtering, but it cannot advertise the **:xpath** capability unless the entire XPath 1.0 specification is supported.
-* R-xxxxx The VNF **MUST** implement the **:validate** capability
-* R-xxxxx The VNF **MUST** implement **:confirmed-commit** If **:candidate** is supported.
-* R-xxxxx The VNF **MUST** implement the **:with-defaults** capability [RFC6243].
-* R-xxxxx The VNF **MUST** implement the data model discovery and download as defined in [RFC6022].
-* R-xxxxx The VNF **SHOULD** implement the NETCONF Event Notifications [RFC5277].
-* R-xxxxx The VNF **MUST** define all data models in YANG [RFC6020], and the mapping to NETCONF shall follow the rules defined in this RFC.
-* R-xxxxx The VNF **MUST** follow the data model upgrade rules defined in [RFC6020] section 10. All deviations from section 10 rules shall be handled by a built-in automatic upgrade mechanism.
-* R-xxxxx The VNF **MUST** support parallel and simultaneous configuration of separate objects within itself.
-* R-xxxxx The VNF **MUST** support locking if a common object is being manipulated by two simultaneous NETCONF configuration operations on the same VNF within the context of the same writable running data store (e.g., if an interface parameter is being configured then it should be locked out for configuration by a simultaneous configuration operation on that same interface parameter).
-* R-xxxxx The VNF **MUST** apply locking based on the sequence of NETCONF operations, with the first configuration operation locking out all others until completed.
-* R-xxxxx The VNF **MUST** permit locking at the finest granularity if a VNF needs to lock an object for configuration to avoid blocking simultaneous configuration operations on unrelated objects (e.g., BGP configuration should not be locked out if an interface is being configured or entire Interface configuration should not be locked out if a non-overlapping parameter on the interface is being configured).
-* R-xxxxx The VNF **MUST** be able to specify the granularity of the lock via a restricted or full XPath expression.
-* R-xxxxx The VNF **MUST** guarantee the VNF configuration integrity for all simultaneous configuration operations (e.g., if a change is attempted to the BUM filter rate from multiple interfaces on the same EVC, then they need to be sequenced in the VNF without locking either configuration method out).
-* R-xxxxx The VNF **MUST** release locks to prevent permanent lock-outs when/if a session applying the lock is terminated (e.g., SSH session is terminated).
-* R-
xxxxx The VNF **MUST** release locks to prevent permanent lock-outs when the corresponding <partial-unlock> operation succeeds.
-* R-xxxxx The VNF **MUST** release locks to prevent permanent lock-outs when a user configured timer has expired forcing the NETCONF SSH Session termination (i.e., product must expose a configuration knob for a user setting of a lock expiration timer)
-* R-xxxxx The VNF **MUST** allow another NETCONF session to be able to initiate the release of the lock by killing the session owning the lock, using the <kill-session> operation to guard against hung NETCONF sessions.
-* R-xxxxx The VNF **MUST** support simultaneous <commit> operations within the context of this locking requirements framework.
-* R-xxxxx The VNF **MUST** support all operations, administration and management (OAM) functions available from the supplier for VNFs using the supplied YANG code and associated NETCONF servers.
-* R-xxxxx The VNF **MUST** support sub tree filtering.
-* R-xxxxx The VNF **MUST** support heartbeat via a <get> with null filter.
-* R-xxxxx The VNF **MUST** support get-schema (ietf-netconf-monitoring) to pull YANG model over session.
-* R-xxxxx The VNF PACKAGE **MUST** validated YANG code using the open source pyang [2]_ program using the following commands:
+* R-73468 The VNF **MUST** allow the NETCONF server connection parameters to be configurable during virtual machine instantiation through Heat templates where SSH keys, usernames, passwords, SSH service and SSH port numbers are Heat template parameters.
+* R-90007 The VNF **MUST** implement the protocol operation: **close-session()**- Gracefully close the current session.
+* R-70496 The VNF **MUST** implement the protocol operation: **commit(confirmed, confirm-timeout)** - Commit candidate configuration datastore to the running configuration.
+* R-18733 The VNF **MUST** implement the protocol operation: **discard-changes()** - Revert the candidate configuration datastore to the running configuration.
+* R-44281 The VNF **MUST** implement the protocol operation: **edit-config(target, default-operation, test-option, error-option, config)** - Edit the target configuration datastore by merging, replacing, creating, or deleting new config elements.
+* R-60106 The VNF **MUST** implement the protocol operation: **get(filter)** - Retrieve (a filtered subset of) the running configuration and device state information. This should include the list of VNF supported schemas.
+* R-29488 The VNF **MUST** implement the protocol operation: **get-config(source, filter)** - Retrieve a (filtered subset of a) configuration from the configuration datastore source.
+* R-11235 The VNF **MUST** implement the protocol operation: **kill-session(session)** - Force the termination of **session**.
+* R-02597 The VNF **MUST** implement the protocol operation: **lock(target)** - Lock the configuration datastore target.
+* R-96554 The VNF **MUST** implement the protocol operation: **unlock(target)** - Unlock the configuration datastore target.
+* R-29324 The VNF **SHOULD** implement the protocol operation: **copy-config(target, source) -** Copy the content of the configuration datastore source to the configuration datastore target.
+* R-88031 The VNF **SHOULD** implement the protocol operation: **delete-config(target) -** Delete the named configuration datastore target.
+* R-97529 The VNF **SHOULD** implement the protocol operation: **get-schema(identifier, version, format) -** Retrieve the YANG schema.
+* R-62468 The VNF **MUST** allow all configuration data shall to be edited through a NETCONF <edit-config> operation. Proprietary NETCONF RPCs that make configuration changes are not sufficient.
+* R-01382 The VNF **MUST** allow the entire configuration of the VNF to be retrieved via NETCONF's <get-config> and <edit-config>, independently of whether it was configured via NETCONF or other mechanisms.
+* R-28756 The VNF **MUST** support **:partial-lock** and **:partial-unlock** capabilities, defined in RFC 5717. This allows multiple independent clients to each write to a different part of the <running> configuration at the same time.
+* R-83873 The VNF **MUST** support **:rollback-on-error** value for the <error-option> parameter to the <edit-config> operation. If any error occurs during the requested edit operation, then the target database (usually the running configuration) will be left affected. This provides an 'all-or-nothing' edit mode for a single <edit-config> request.
+* R-68990 The VNF **MUST** support the **:startup** capability. It will allow the running configuration to be copied to this special database. It can also be locked and unlocked.
+* R-68200 The VNF **MUST** support the **:url** value to specify protocol operation source and target parameters. The capability URI for this feature will indicate which schemes (e.g., file, https, sftp) that the server supports within a particular URL value. The 'file' scheme allows for editable local configuration databases. The other schemes allow for remote storage of configuration databases.
+* R-20353 The VNF **MUST** implement at least one of the capabilities **:candidate** or **:writable-running**. If both **:candidate** and **:writable-running** are provided then two locks should be supported.
+* R-11499 The VNF **MUST** fully support the XPath 1.0 specification for filtered retrieval of configuration and other database contents. The 'type' attribute within the <filter> parameter for <get> and <get-config> operations may be set to 'xpath'. The 'select' attribute (which contains the XPath expression) will also be supported by the server. A server may support partial XPath retrieval filtering, but it cannot advertise the **:xpath** capability unless the entire XPath 1.0 specification is supported.
+* R-83790 The VNF **MUST** implement the **:validate** capability
+* R-49145 The VNF **MUST** implement **:confirmed-commit** If **:candidate** is supported.
+* R-58358 The VNF **MUST** implement the **:with-defaults** capability [RFC6243].
+* R-59610 The VNF **MUST** implement the data model discovery and download as defined in [RFC6022].
+* R-87662 The VNF **SHOULD** implement the NETCONF Event Notifications [RFC5277].
+* R-93443 The VNF **MUST** define all data models in YANG [RFC6020], and the mapping to NETCONF shall follow the rules defined in this RFC.
+* R-26115 The VNF **MUST** follow the data model upgrade rules defined in [RFC6020] section 10. All deviations from section 10 rules shall be handled by a built-in automatic upgrade mechanism.
+* R-10716 The VNF **MUST** support parallel and simultaneous configuration of separate objects within itself.
+* R-29495 The VNF **MUST** support locking if a common object is being manipulated by two simultaneous NETCONF configuration operations on the same VNF within the context of the same writable running data store (e.g., if an interface parameter is being configured then it should be locked out for configuration by a simultaneous configuration operation on that same interface parameter).
+* R-53015 The VNF **MUST** apply locking based on the sequence of NETCONF operations, with the first configuration operation locking out all others until completed.
+* R-02616 The VNF **MUST** permit locking at the finest granularity if a VNF needs to lock an object for configuration to avoid blocking simultaneous configuration operations on unrelated objects (e.g., BGP configuration should not be locked out if an interface is being configured or entire Interface configuration should not be locked out if a non-overlapping parameter on the interface is being configured).
+* R-41829 The VNF **MUST** be able to specify the granularity of the lock via a restricted or full XPath expression.
+* R-66793 The VNF **MUST** guarantee the VNF configuration integrity for all simultaneous configuration operations (e.g., if a change is attempted to the BUM filter rate from multiple interfaces on the same EVC, then they need to be sequenced in the VNF without locking either configuration method out).
+* R-54190 The VNF **MUST** release locks to prevent permanent lock-outs when/if a session applying the lock is terminated (e.g., SSH session is terminated).
+* R-
03465 The VNF **MUST** release locks to prevent permanent lock-outs when the corresponding <partial-unlock> operation succeeds.
+* R-63935 The VNF **MUST** release locks to prevent permanent lock-outs when a user configured timer has expired forcing the NETCONF SSH Session termination (i.e., product must expose a configuration knob for a user setting of a lock expiration timer)
+* R-10173 The VNF **MUST** allow another NETCONF session to be able to initiate the release of the lock by killing the session owning the lock, using the <kill-session> operation to guard against hung NETCONF sessions.
+* R-88899 The VNF **MUST** support simultaneous <commit> operations within the context of this locking requirements framework.
+* R-07545 The VNF **MUST** support all operations, administration and management (OAM) functions available from the supplier for VNFs using the supplied YANG code and associated NETCONF servers.
+* R-60656 The VNF **MUST** support sub tree filtering.
+* R-80898 The VNF **MUST** support heartbeat via a <get> with null filter.
+* R-06617 The VNF **MUST** support get-schema (ietf-netconf-monitoring) to pull YANG model over session.
+* R-25238 The VNF PACKAGE **MUST** validated YANG code using the open source pyang [2]_ program using the following commands:
.. code-block:: python
$ pyang --verbose --strict <YANG-file-name(s)>
$ echo $!
-* R-xxxxx The VNF **MUST** have the echo command return a zero value otherwise the validation has failed
-* R-xxxxx The VNF **MUST** support NETCONF server that can be mounted on OpenDaylight (client) and perform the following operations:
- - Modify, update, change, rollback configurations using each configuration data element.
- - Query each state (non-configuration) data element.
- - Execute each YANG RPC.
- - Receive data through each notification statement.
+* R-63953 The VNF **MUST** have the echo command return a zero value otherwise the validation has failed
+* R-26508 The VNF **MUST** support NETCONF server that can be mounted on OpenDaylight (client) and perform the following operations:
+
+- Modify, update, change, rollback configurations using each configuration data element.
+- Query each state (non-configuration) data element.
+- Execute each YANG RPC.
+- Receive data through each notification statement.
The following requirements provides the Yang models that suppliers must
conform, and those where applicable, that suppliers need to use.
-* R-xxxxx The VNF **MUST** conform its YANG model to RFC 6060, “YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)”
-* R-xxxxx The VNF **MUST** conform its YANG model to RFC 6022, “YANG module for NETCONF monitoring”.
-* R-xxxxx The VNF **MUST** conform its YANG model to RFC 6470, “NETCONF Base Notifications”.
-* R-xxxxx The VNF **MUST** conform its YANG model to RFC 6244, “An Architecture for Network Management Using NETCONF and YANG”.
-* R-xxxxx The VNF **MUST** conform its YANG model to RFC 6087, “Guidelines for Authors and Reviewers of YANG Data Model Documents”.
-* R-xxxxx The VNF **SHOULD** conform its YANG model to \*\*RFC 6991, “Common YANG Data Types”.
-* R-xxxxx The VNF **SHOULD** conform its YANG model to RFC 6536, “NETCONF Access Control Model”.
-* R-xxxxx The VNF **SHOULD** conform its YANG model to RFC 7223, “A YANG Data Model for Interface Management”.
-* R-xxxxx The VNF **SHOULD** conform its YANG model to RFC 7223, “IANA Interface Type YANG Module”.
-* R-xxxxx The VNF **SHOULD** conform its YANG model to RFC 7277, “A YANG Data Model for IP Management”.
-* R-xxxxx The VNF **SHOULD** conform its YANG model to RFC 7317, “A YANG Data Model for System Management”.
-* R-xxxxx The VNF **SHOULD** conform its YANG model to RFC 7407, “A YANG Data Model for SNMP Configuration”.
+* R-28545 The VNF **MUST** conform its YANG model to RFC 6060, “YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)”
+* R-29967 The VNF **MUST** conform its YANG model to RFC 6022, “YANG module for NETCONF monitoring”.
+* R-22700 The VNF **MUST** conform its YANG model to RFC 6470, “NETCONF Base Notifications”.
+* R-10353 The VNF **MUST** conform its YANG model to RFC 6244, “An Architecture for Network Management Using NETCONF and YANG”.
+* R-53317 The VNF **MUST** conform its YANG model to RFC 6087, “Guidelines for Authors and Reviewers of YANG Data Model Documents”.
+* R-33955 The VNF **SHOULD** conform its YANG model to \*\*RFC 6991, “Common YANG Data Types”.
+* R-22946 The VNF **SHOULD** conform its YANG model to RFC 6536, “NETCONF Access Control Model”.
+* R-10129 The VNF **SHOULD** conform its YANG model to RFC 7223, “A YANG Data Model for Interface Management”.
+* R-12271 The VNF **SHOULD** conform its YANG model to RFC 7223, “IANA Interface Type YANG Module”.
+* R-49036 The VNF **SHOULD** conform its YANG model to RFC 7277, “A YANG Data Model for IP Management”.
+* R-87564 The VNF **SHOULD** conform its YANG model to RFC 7317, “A YANG Data Model for System Management”.
+* R-24269 The VNF **SHOULD** conform its YANG model to RFC 7407, “A YANG Data Model for SNMP Configuration”.
The NETCONF server interface shall fully conform to the following
NETCONF RFCs.
-* R-xxxxx The VNF **MUST** conform to the NETCONF RFC 4741, “NETCONF Configuration Protocol”.
-* R-xxxxx The VNF **MUST** conform to the NETCONF RFC 4742, “Using the NETCONF Configuration Protocol over Secure Shell (SSH)”.
-* R-xxxxx The VNF **MUST** conform to the NETCONF RFC 5277, “NETCONF Event Notification”.
-* R-xxxxx The VNF **MUST** conform to the NETCONF RFC 5717, “Partial Lock Remote Procedure Call”.
-* R-xxxxx The VNF **MUST** conform to the NETCONF RFC 6241, “NETCONF Configuration Protocol”.
-* R-xxxxx The VNF **MUST** conform to the NETCONF RFC 6242, “Using the Network Configuration Protocol over Secure Shell”.
+* R-33946 The VNF **MUST** conform to the NETCONF RFC 4741, “NETCONF Configuration Protocol”.
+* R-04158 The VNF **MUST** conform to the NETCONF RFC 4742, “Using the NETCONF Configuration Protocol over Secure Shell (SSH)”.
+* R-13800 The VNF **MUST** conform to the NETCONF RFC 5277, “NETCONF Event Notification”.
+* R-01334 The VNF **MUST** conform to the NETCONF RFC 5717, “Partial Lock Remote Procedure Call”.
+* R-08134 The VNF **MUST** conform to the NETCONF RFC 6241, “NETCONF Configuration Protocol”.
+* R-78282 The VNF **MUST** conform to the NETCONF RFC 6242, “Using the Network Configuration Protocol over Secure Shell”.
VNF REST APIs
--------------
**REST APIs**
-* R-xxxxx The VNF **MUST** support the HealthCheck RPC. The HealthCheck RPC, executes a vendor-defined VNF Healthcheck over the scope of the entire VNF (e.g., if there are multiple VNFCs, then run a health check, as appropriate, for all VNFCs). It returns a 200 OK if the test completes. A JSON object is returned indicating state (healthy, unhealthy), scope identifier, time-stamp and one or more blocks containing info and fault information. If the VNF is unable to run the HealthCheck, return a standard http error code and message.
+* R-31809 The VNF **MUST** support the HealthCheck RPC. The HealthCheck RPC, executes a vendor-defined VNF Healthcheck over the scope of the entire VNF (e.g., if there are multiple VNFCs, then run a health check, as appropriate, for all VNFCs). It returns a 200 OK if the test completes. A JSON object is returned indicating state (healthy, unhealthy), scope identifier, time-stamp and one or more blocks containing info and fault information. If the VNF is unable to run the HealthCheck, return a standard http error code and message.
Examples:
- **Chef Server hosted by ONAP**: ONAP will provide a Chef Server to manage a VNF.
- * R-xxxxx The VNF Package **MUST** include all relevant cookbooks to be loaded on the ONAP Chef Server.
+ * R-77786 The VNF Package **MUST** include all relevant cookbooks to be loaded on the ONAP Chef Server.
- **Chef Server hosted in Tenant Space**: The Chef Server may also be hosted external to ONAP in tenant space.
- * R-xxxxx The VNF **MUST** meet the same guidelines as Chef Server hosted by ONAP.
- * R-xxxxx The VNF Package **MUST** include appropriate credentials so that ONAP can interact with the Chef Server.
+ * R-85428 The VNF **MUST** meet the same guidelines as Chef Server hosted by ONAP.
+ * R-23823 The VNF Package **MUST** include appropriate credentials so that ONAP can interact with the Chef Server.
**Chef Client Requirements**
-* R-xxxxx The VNF **MUST** have the chef-client be preloaded with validator keys and configuration to register with the designated Chef Server as part of the installation process.
-* R-xxxxx The VNF **MUST** have routable FQDNs for all the endpoints (VMs) of a VNF that contain chef-clients which are used to register with the Chef Server. As part of invoking VNF actions, ONAP will trigger push jobs against FQDNs of endpoints for a VNF, if required.
-* R-xxxxx The VNF **MAY** expose a single endpoint that is responsible for all functionality.
-* R-xxxxx The VNF **MUST** be installed with:
+* R-79224 The VNF **MUST** have the chef-client be preloaded with validator keys and configuration to register with the designated Chef Server as part of the installation process.
+* R-72184 The VNF **MUST** have routable FQDNs for all the endpoints (VMs) of a VNF that contain chef-clients which are used to register with the Chef Server. As part of invoking VNF actions, ONAP will trigger push jobs against FQDNs of endpoints for a VNF, if required.
+* R-47068 The VNF **MAY** expose a single endpoint that is responsible for all functionality.
+* R-67114 The VNF **MUST** be installed with:
+
- Chef-Client >= 12.0
- Chef push jobs client >= 2.0
**Chef Roles/Requirements**
-* R-xxxxx The VNF Package **MUST** include all relevant Chef artifacts (roles/cookbooks/recipes) required to execute VNF actions requested by ONAP for loading on appropriate Chef Server.
-* R-xxxxx The VNF Package **MUST** include a run list of roles/cookbooks/recipes, for each supported VNF action, that will perform the desired VNF action in its entirety as specified by ONAP (see Section 8.c, ONAP Controller APIs and Behavior, for list of VNF actions and requirements), when triggered by a chef-client run list in JSON file.
-* R-xxxxx The VNF **MUST NOT** use any instance specific parameters for the VNF in roles/cookbooks/recipes invoked for a VNF action.
-* R-xxxxx The VNF **MUST** accept all necessary instance specific data from the environment or node object attributes for the VNF in roles/cookbooks/recipes invoked for a VNF action.
-* R-xxxxx The VNF **MUST** over-ride any default values for configurable parameters that can be set by ONAP in the roles, cookbooks and recipes.
-* R-xxxxx The VNF **MUST** update status on the Chef Server appropriately (e.g., via a fail or raise an exception) if the chef-client run encounters any critical errors/failures when executing a VNF action.
-* R-xxxxx The VNF **MUST** populate an attribute, defined as node[‘PushJobOutput’] with the desired output on all nodes in the push job that execute chef-client run if the VNF action requires the output of a chef-client run be made available (e.g., get running configuration).
-* R-xxxxx The VNF Package **MUST** have appropriate cookbooks that are designed to automatically ‘rollback’ to the original state in case of any errors for actions that change state of the VNF (e.g., configure).
-* R-xxxxx The VNF **SHOULD** support callback URLs to return information to ONAP upon completion of the chef-client run for any chef-client run associated with a VNF action.
+* R-27310 The VNF Package **MUST** include all relevant Chef artifacts (roles/cookbooks/recipes) required to execute VNF actions requested by ONAP for loading on appropriate Chef Server.
+* R-26567 The VNF Package **MUST** include a run list of roles/cookbooks/recipes, for each supported VNF action, that will perform the desired VNF action in its entirety as specified by ONAP (see Section 8.c, ONAP Controller APIs and Behavior, for list of VNF actions and requirements), when triggered by a chef-client run list in JSON file.
+* R-98911 The VNF **MUST NOT** use any instance specific parameters for the VNF in roles/cookbooks/recipes invoked for a VNF action.
+* R-37929 The VNF **MUST** accept all necessary instance specific data from the environment or node object attributes for the VNF in roles/cookbooks/recipes invoked for a VNF action.
+* R-62170 The VNF **MUST** over-ride any default values for configurable parameters that can be set by ONAP in the roles, cookbooks and recipes.
+* R-78116 The VNF **MUST** update status on the Chef Server appropriately (e.g., via a fail or raise an exception) if the chef-client run encounters any critical errors/failures when executing a VNF action.
+* R-44013 The VNF **MUST** populate an attribute, defined as node[‘PushJobOutput’] with the desired output on all nodes in the push job that execute chef-client run if the VNF action requires the output of a chef-client run be made available (e.g., get running configuration).
+* R-30654 The VNF Package **MUST** have appropriate cookbooks that are designed to automatically ‘rollback’ to the original state in case of any errors for actions that change state of the VNF (e.g., configure).
+* R-65755 The VNF **SHOULD** support callback URLs to return information to ONAP upon completion of the chef-client run for any chef-client run associated with a VNF action.
+
- As part of the push job, ONAP will provide two parameters in the environment of the push job JSON object:
- ‘RequestId’ a unique Id to be used to identify the request,
- ‘CallbackUrl’, the URL to post response back.
+
- If the CallbackUrl field is empty or missing in the push job, then the chef-client run need not post the results back via callback.
-* R-xxxxx The VNF **MUST** Upon completion of the chef-client run, POST back on the callback URL, a JSON object as described in Table A2 if the chef-client run list includes a cookbook/recipe that is callback capable. Failure to POST on the Callback Url should not be considered a critical error. That is, if the chef-client successfully completes the VNF action, it should reflect this status on the Chef Server regardless of whether the Callback succeeded or not.
+
+* R-15885 The VNF **MUST** Upon completion of the chef-client run, POST back on the callback URL, a JSON object as described in Table A2 if the chef-client run list includes a cookbook/recipe that is callback capable. Failure to POST on the Callback Url should not be considered a critical error. That is, if the chef-client successfully completes the VNF action, it should reflect this status on the Chef Server regardless of whether the Callback succeeded or not.
ONAP Chef API Usage
~~~~~~~~~~~~~~~~~~~
- **Ansible Server hosted by ONAP**: ONAP will provide an Ansible Server to manage a VNF.
- * R-xxxxx The VNF Package **MUST** include all relevant playbooks to ONAP to be loaded on the Ansible Server.
+ * R-07879 The VNF Package **MUST** include all relevant playbooks to ONAP to be loaded on the Ansible Server.
- **Ansible Server hosted in Tenant Space**:
- * R-xxxxx The VNF **MUST** meet the same guidelines as the Ansible Server hosted by ONAP.
- * R-xxxxx The VNF **MUST** meet the ONAP Ansible Server API Interface requirements.
+ * R-35305 The VNF **MUST** meet the same guidelines as the Ansible Server hosted by ONAP.
+ * R-91681 The VNF **MUST** meet the ONAP Ansible Server API Interface requirements.
**Ansible Client Requirements**
-* R-xxxxx The VNF **MUST** have routable FQDNs that are reachable via the Ansible Server for the endpoints (VMs) of a VNF on which playbooks will be executed. ONAP will initiate requests to the Ansible Server for invocation of playbooks against these end points [6]_.
-* R-xxxxx The VNF **MAY** have a single endpoint.
-* R-xxxxx The VNF **MUST** have Python >= 2.7 on the endpoint VM(s) of a VNF on which an Ansible playbook will be executed.
-* R-xxxxx The VNF **MUST** must support SSH and allow SSH access to the Ansible server for the endpoint VM(s) and comply with the Network Cloud Service Provider guidelines for authentication and access.
+* R-32217 The VNF **MUST** have routable FQDNs that are reachable via the Ansible Server for the endpoints (VMs) of a VNF on which playbooks will be executed. ONAP will initiate requests to the Ansible Server for invocation of playbooks against these end points [6]_.
+* R-98929 The VNF **MAY** have a single endpoint.
+* R-54373 The VNF **MUST** have Python >= 2.7 on the endpoint VM(s) of a VNF on which an Ansible playbook will be executed.
+* R-35401 The VNF **MUST** must support SSH and allow SSH access to the Ansible server for the endpoint VM(s) and comply with the Network Cloud Service Provider guidelines for authentication and access.
**Ansible Playbook Requirements**
An Ansible playbook is a collection of tasks that is executed on the Ansible server (local host) and/or the target VM (s) in order to complete the desired action.
-* R-xxxxx The VNF **MUST** make available (or load on VNF Ansible Server) playbooks that conform to the ONAP requirement.
-* R-xxxxx The VNF **MUST** support each VNF action by invocation of **one** playbook [7]_. The playbook will be responsible for executing all necessary tasks (as well as calling other playbooks) to complete the request.
-* R-xxxxx The VNF **MUST NOT** use any instance specific parameters in a playbook.
-* R-xxxxx The VNF **MUST** utilize information from key value pairs that will be provided by the Ansible Server as extra-vars during invocation to execute the desired VNF action. If the playbook requires files, they must also be supplied using the methodology detailed in the Ansible Server API.
+* R-40293 The VNF **MUST** make available (or load on VNF Ansible Server) playbooks that conform to the ONAP requirement.
+* R-49396 The VNF **MUST** support each VNF action by invocation of **one** playbook [7]_. The playbook will be responsible for executing all necessary tasks (as well as calling other playbooks) to complete the request.
+* R-33280 The VNF **MUST NOT** use any instance specific parameters in a playbook.
+* R-48698 The VNF **MUST** utilize information from key value pairs that will be provided by the Ansible Server as extra-vars during invocation to execute the desired VNF action. If the playbook requires files, they must also be supplied using the methodology detailed in the Ansible Server API.
+
The Ansible Server will determine if a playbook invoked to execute a VNF action finished successfully or not using the “PLAY_RECAP” summary in Ansible log. The playbook will be considered to successfully finish only if the “PLAY RECAP” section at the end of playbook execution output has no unreachable hosts and no failed tasks. Otherwise, the playbook will be considered to have failed.
-* R-xxxxx The VNF **MUST** use playbooks designed to allow Ansible Server to infer failure or success based on the “PLAY_RECAP” capability.
-* R-xxxxx The VNF **MUST** write to a specific set of text files that will be retrieved and made available by the Ansible Server If, as part of a VNF action (e.g., audit), a playbook is required to return any VNF information.
-* R-xxxxx The VNF **SHOULD** use playbooks that are designed to automatically ‘rollback’ to the original state in case of any errors for actions that change state of the VNF (e.g., configure).
+* R-43253 The VNF **MUST** use playbooks designed to allow Ansible Server to infer failure or success based on the “PLAY_RECAP” capability.
+* R-50252 The VNF **MUST** write to a specific set of text files that will be retrieved and made available by the Ansible Server If, as part of a VNF action (e.g., audit), a playbook is required to return any VNF information.
+* R-51442 The VNF **SHOULD** use playbooks that are designed to automatically ‘rollback’ to the original state in case of any errors for actions that change state of the VNF (e.g., configure).
ONAP Controller APIs and Behavior
---------------------------------
**VNF telemetry via standardized interface**
-* R-xxxxx The VNF **MUST** provide all telemetry (e.g., fault event records, syslog records, performance records etc.) to ONAP using the model, format and mechanisms described in this section.
+* R-51910 The VNF **MUST** provide all telemetry (e.g., fault event records, syslog records, performance records etc.) to ONAP using the model, format and mechanisms described in this section.
**Encoding and Serialization**
-* R-xxxxx The VNF **MUST** encode and serialize content delivered to ONAP using JSON (option 1). High-volume data is to be encoded and serialized using Avro, where Avro data format are described using JSON (option 2) [8]_.
+* R-19624 The VNF **MUST** encode and serialize content delivered to ONAP using JSON (option 1). High-volume data is to be encoded and serialized using Avro, where Avro data format are described using JSON (option 2) [8]_.
- JSON plain text format is preferred for moderate volume data sets (option 1), as JSON has the advantage of having well-understood simple processing and being human-readable without additional decoding. Examples of moderate volume data sets include the fault alarms and performance alerts, heartbeat messages, measurements used for VNF scaling and syslogs.
- Binary format using Avro is preferred for high volume data sets (option 2) such as mobility flow measurements and other high-volume streaming events (such as mobility signaling events or SIP signaling) or bulk data, as this will significantly reduce the volume of data to be transmitted. As of the date of this document, all events are reported using plain text JSON and REST.
**Reporting Frequency**
-* R-xxxxx The VNF **MUST** vary the frequency that asynchronous data is delivered based on the content and how data may be aggregated or grouped together. For example, alarms and alerts are expected to be delivered as soon as they appear. In contrast, other content, such as performance measurements, KPIs or reported network signaling may have various ways of packaging and delivering content. Some content should be streamed immediately; or content may be monitored over a time interval, then packaged as collection of records and delivered as block; or data may be collected until a package of a certain size has been collected; or content may be summarized statistically over a time interval, or computed as a KPI, with the summary or KPI being delivered.
- - We expect the reporting frequency to be configurable depending on the virtual network function’s needs for management. For example, Service Provider may choose to vary the frequency of collection between normal and trouble-shooting scenarios.
- - Decisions about the frequency of data reporting will affect the size of delivered data sets, recommended delivery method, and how the data will be interpreted by ONAP. However, this should not affect deserialization and decoding of the data, which will be guided by the accompanying JSON schema.
+* R-98191 The VNF **MUST** vary the frequency that asynchronous data is delivered based on the content and how data may be aggregated or grouped together. For example, alarms and alerts are expected to be delivered as soon as they appear. In contrast, other content, such as performance measurements, KPIs or reported network signaling may have various ways of packaging and delivering content. Some content should be streamed immediately; or content may be monitored over a time interval, then packaged as collection of records and delivered as block; or data may be collected until a package of a certain size has been collected; or content may be summarized statistically over a time interval, or computed as a KPI, with the summary or KPI being delivered.
+
+ - We expect the reporting frequency to be configurable depending on the virtual network function’s needs for management. For example, Service Provider may choose to vary the frequency of collection between normal and trouble-shooting scenarios.
+ - Decisions about the frequency of data reporting will affect the size of delivered data sets, recommended delivery method, and how the data will be interpreted by ONAP. However, this should not affect deserialization and decoding of the data, which will be guided by the accompanying JSON schema.
**Addressing and Delivery Protocol**
ONAP destinations can be addressed by URLs for RESTful data PUT. Future data sets may also be addressed by host name and port number for TCP streaming, or by host name and landing zone directory for SFTP transfer of bulk files.
-* R-xxxxx The VNF **SHOULD** use REST using HTTPS delivery of plain text JSON for moderate sized asynchronous data sets, and for high volume data sets when feasible.
-* R-xxxxx The VNF **MUST** have the capability of maintaining a primary and backup DNS name (URL) for connecting to ONAP collectors, with the ability to switch between addresses based on conditions defined by policy such as time-outs, and buffering to store messages until they can be delivered. At its discretion, the service provider may choose to populate only one collector address for a VNF. In this case, the network will promptly resolve connectivity problems caused by a collector or network failure transparently to the VNF.
-* R-xxxxx The VNF **MUST** be configured with initial address(es) to use at deployment time. After that the address(es) may be changed through ONAP-defined policies delivered from ONAP to the VNF using PUTs to a RESTful API, in the same way that other controls over data reporting will be controlled by policy.
-* R-xxxxx The VNF **MAY** use other options which are expected to include
+* R-88482 The VNF **SHOULD** use REST using HTTPS delivery of plain text JSON for moderate sized asynchronous data sets, and for high volume data sets when feasible.
+* R-84879 The VNF **MUST** have the capability of maintaining a primary and backup DNS name (URL) for connecting to ONAP collectors, with the ability to switch between addresses based on conditions defined by policy such as time-outs, and buffering to store messages until they can be delivered. At its discretion, the service provider may choose to populate only one collector address for a VNF. In this case, the network will promptly resolve connectivity problems caused by a collector or network failure transparently to the VNF.
+* R-81777 The VNF **MUST** be configured with initial address(es) to use at deployment time. After that the address(es) may be changed through ONAP-defined policies delivered from ONAP to the VNF using PUTs to a RESTful API, in the same way that other controls over data reporting will be controlled by policy.
+* R-08312 The VNF **MAY** use other options which are expected to include
+
- REST delivery of binary encoded data sets.
- TCP for high volume streaming asynchronous data sets and for other high volume data sets. TCP delivery can be used for either JSON or binary encoded data sets.
- SFTP for asynchronous bulk files, such as bulk files that contain large volumes of data collected over a long time interval or data collected across many VNFs. This is not preferred. Preferred is to reorganize the data into more frequent or more focused data sets, and deliver these by REST or TCP as appropriate.
- REST for synchronous data, using RESTCONF (e.g., for VNF state polling).
-* R-xxxxx The VNF **MUST**, by ONAP Policy, provide the ONAP addresses as data destinations for each VNF, and may be changed by Policy while the VNF is in operation. We expect the VNF to be capable of redirecting traffic to changed destinations with no loss of data, for example from one REST URL to another, or from one TCP host and port to another.
+
+* R-03070 The VNF **MUST**, by ONAP Policy, provide the ONAP addresses as data destinations for each VNF, and may be changed by Policy while the VNF is in operation. We expect the VNF to be capable of redirecting traffic to changed destinations with no loss of data, for example from one REST URL to another, or from one TCP host and port to another.
**Asynchronous and Synchronous Data Delivery**
-* R-xxxxx The VNF **MUST** deliver asynchronous data as data becomes available, or according to the configured frequency.
-* R-xxxxx The VNF **MUST** must encode the delivered data using JSON or Avro, addressed and delivered as described in the previous paragraphs.
-* R-xxxxx The VNF **MUST** respond to data requests from ONAP as soon as those requests are received, as a synchronous response.
-* R-xxxxx The VNF **MUST** use the RESTCONF/NETCONF framework used by the ONAP configuration subsystem for synchronous communication.
-* R-xxxxx The VNF **MUST** use the YANG configuration models and RESTCONF (https://tools.ietf.org/html/draft-ietf-netconf-restconf-09#page-46).
-* R-xxxxx The VNF **MUST** respond with content encoded in JSON, as described in the RESTCONF specification. This way the encoding of a synchronous communication will be consistent with Avro.
-* R-xxxxx The VNF **MUST** respond to an ONAP request to deliver the current data for any of the record types defined in Section 8.d “Data Model for Event Records” by returning the requested record, populated with the current field values. (Currently the defined record types include the common header record, technology independent records such as Fault, Heartbeat, State Change, Syslog, and technology specific records such as Mobile Flow, Signaling and Voice Quality records. Additional record types will be added in the future as they are standardized and become available.)
-* R-xxxxx The VNF **MUST** respond to an ONAP request to deliver granular data on device or subsystem status or performance, referencing the YANG configuration model for the VNF by returning the requested data elements.
-* R-xxxxx The VNF **SHOULD** use “Modeling JSON text with YANG”, https://trac.tools.ietf.org/id/draft-lhotka-netmod-yang-json-00.html, If YANG models need to be translated to and from JSON. YANG configuration and content can be represented via JSON, consistent with Avro, as described in “Encoding and Serialization” section.
+* R-06924 The VNF **MUST** deliver asynchronous data as data becomes available, or according to the configured frequency.
+* R-73285 The VNF **MUST** must encode the delivered data using JSON or Avro, addressed and delivered as described in the previous paragraphs.
+* R-42140 The VNF **MUST** respond to data requests from ONAP as soon as those requests are received, as a synchronous response.
+* R-34660 The VNF **MUST** use the RESTCONF/NETCONF framework used by the ONAP configuration subsystem for synchronous communication.
+* R-86585 The VNF **MUST** use the YANG configuration models and RESTCONF (https://tools.ietf.org/html/draft-ietf-netconf-restconf-09#page-46).
+* R-11240 The VNF **MUST** respond with content encoded in JSON, as described in the RESTCONF specification. This way the encoding of a synchronous communication will be consistent with Avro.
+* R-70266 The VNF **MUST** respond to an ONAP request to deliver the current data for any of the record types defined in Section 8.d “Data Model for Event Records” by returning the requested record, populated with the current field values. (Currently the defined record types include the common header record, technology independent records such as Fault, Heartbeat, State Change, Syslog, and technology specific records such as Mobile Flow, Signaling and Voice Quality records. Additional record types will be added in the future as they are standardized and become available.)
+* R-46290 The VNF **MUST** respond to an ONAP request to deliver granular data on device or subsystem status or performance, referencing the YANG configuration model for the VNF by returning the requested data elements.
+* R-43327 The VNF **SHOULD** use “Modeling JSON text with YANG”, https://trac.tools.ietf.org/id/draft-lhotka-netmod-yang-json-00.html, If YANG models need to be translated to and from JSON. YANG configuration and content can be represented via JSON, consistent with Avro, as described in “Encoding and Serialization” section.
**Security**
-* R-xxxxx The VNF **MUST** support secure connections and transports.
-* R-xxxxx The VNF **MUST** control access to ONAP and to VNFs, and creation of connections, through secure credentials, log-on and exchange mechanisms.
-* R-xxxxx The VNF **MUST** carry data in motion only over secure connections.
-* R-xxxxx The VNF **MUST** encrypt any content containing Sensitive Personal Information (SPI) or certain proprietary data, in addition to applying the regular procedures for securing access and delivery.
+* R-42366 The VNF **MUST** support secure connections and transports.
+* R-44290 The VNF **MUST** control access to ONAP and to VNFs, and creation of connections, through secure credentials, log-on and exchange mechanisms.
+* R-47597 The VNF **MUST** carry data in motion only over secure connections.
+* R-68165 The VNF **MUST** encrypt any content containing Sensitive Personal Information (SPI) or certain proprietary data, in addition to applying the regular procedures for securing access and delivery.
Data Model for Event Records
-----------------------------
Code Review / vnfrqts / requirements.git / commitdiff