1 .. This work is licensed under a Creative Commons Attribution 4.0 International License.
2 .. http://creativecommons.org/licenses/by/4.0
3 .. Copyright 2017 AT&T Intellectual Property. All rights reserved.
6 VNF Development Requirements
7 ============================
12 Services are composed of VNFs and common components and are designed to
13 be agnostic of the location to leverage capacity where it exists in the
14 Network Cloud. VNFs can be instantiated in any location that meets the
15 performance and latency requirements of the service.
17 A key design principle for virtualizing services is decomposition of
18 network functions using NFV concepts into granular VNFs. This enables
19 instantiating and customizing only essential functions as needed for the
20 service, thereby making service delivery more nimble. It provides
21 flexibility of sizing and scaling and also provides flexibility with
22 packaging and deploying VNFs as needed for the service. It enables
23 grouping functions in a common cloud data center to minimize
24 inter-component latency. The VNFs should be designed with a goal of
25 being modular and reusable to enable using best-in-breed vendors.
27 Section 5.a VNF Design in *VNF Guidelines* describes
28 the overall guidelines for designing VNFs from VNF Components (VNFCs).
29 Below are more detailed requirements for composing VNFs.
31 VNF Design Requirements
33 * R-58421 The VNF **SHOULD** be decomposed into granular re-usable VNFCs.
34 * R-82223 The VNF **MUST** be decomposed if the functions have
35 significantly different scaling characteristics (e.g., signaling
36 versus media functions, control versus data plane functions).
37 * R-16496 The VNF **MUST** enable instantiating only the functionality that
38 is needed for the decomposed VNF (e.g., if transcoding is not needed it
39 should not be instantiated).
40 * R-02360 The VNFC **MUST** be designed as a standalone, executable process.
41 * R-34484 The VNF **SHOULD** create a single component VNF for VNFCs
42 that can be used by other VNFs.
43 * R-23035 The VNF **MUST** be designed to scale horizontally (more
44 instances of a VNF or VNFC) and not vertically (moving the existing
45 instances to larger VMs or increasing the resources within a VM)
46 to achieve effective utilization of cloud resources.
47 * R-30650 The VNF **MUST** utilize cloud provided infrastructure and
48 VNFs (e.g., virtualized Local Load Balancer) as part of the VNF so
49 that the cloud can manage and provide a consistent service resiliency
50 and methods across all VNF's.
51 * R-12709 The VNFC **SHOULD** be independently deployed, configured,
52 upgraded, scaled, monitored, and administered by ONAP.
53 * R-37692 The VNFC **MUST** provide API versioning to allow for
54 independent upgrades of VNFC.
55 * R-86585 The VNFC **SHOULD** minimize the use of state within
56 a VNFC to facilitate the movement of traffic from one instance
58 * R-65134 The VNF **SHOULD** maintain state in a geographically
59 redundant datastore that may, in fact, be its own VNFC.
60 * R-75850 The VNF **SHOULD** decouple persistent data from the VNFC
61 and keep it in its own datastore that can be reached by all instances
62 of the VNFC requiring the data.
63 * R-88199 The VNF **MUST** utilize a persistent datastore service that
64 can meet the data performance/latency requirements. (For example:
65 Datastore service could be a VNFC in VNF or a DBaaS in the Cloud
66 execution environment)
67 * R-99656 The VNF **MUST** NOT terminate stable sessions if a VNFC
69 * R-84473 The VNF **MUST** enable DPDK in the guest OS for VNF’s requiring
70 high packets/sec performance. High packet throughput is defined as greater
71 than 500K packets/sec.
72 * R-54430 The VNF **MUST** use the NCSP’s supported library and compute
73 flavor that supports DPDK to optimize network efficiency if using DPDK. [1]_
74 * R-18864 The VNF **MUST** NOT use technologies that bypass virtualization
75 layers (such as SR-IOV) unless approved by the NCSP (e.g., if necessary
76 to meet functional or performance requirements).
77 * R-64768 The VNF **MUST** limit the size of application data packets
78 to no larger than 9000 bytes for SDN network-based tunneling when
79 guest data packets are transported between tunnel endpoints that
80 support guest logical networks.
81 * R-74481 The VNF **MUST** NOT require the use of a dynamic routing
82 protocol unless necessary to meet functional requirements.
85 -------------------------
87 The VNF is responsible for meeting its resiliency goals and must factor
88 in expected availability of the targeted virtualization environment.
89 This is likely to be much lower than found in a traditional data center.
90 Resiliency is defined as the ability of the VNF to respond to error
91 conditions and continue to provide the service intended. A number of
92 software resiliency dimensions have been identified as areas that should
93 be addressed to increase resiliency. As VNFs are deployed into the
94 Network Cloud, resiliency must be designed into the VNF software to
95 provide high availability versus relying on the Network Cloud to achieve
98 Section 5.a Resiliency in *VNF Guidelines* describes
99 the overall guidelines for designing VNFs to meet resiliency goals.
100 Below are more detailed resiliency requirements for VNFs.
103 ^^^^^^^^^^^^^^^^^^^^^^
105 Design the VNF to be resilient to the failures of the underlying
106 virtualized infrastructure (Network Cloud). VNF design considerations
107 would include techniques such as multiple vLANs, multiple local and
108 geographic instances, multiple local and geographic data replication,
109 and virtualized services such as Load Balancers.
112 All Layer Redundancy Requirements
114 * R-52499 The VNF **MUST** meet their own resiliency goals and not rely
115 on the Network Cloud.
116 * R-42207 The VNF **MUST** design resiliency into a VNF such that the
117 resiliency deployment model (e.g., active-active) can be chosen at
119 * R-03954 The VNF **MUST** survive any single points of failure within
120 the Network Cloud (e.g., virtual NIC, VM, disk failure).
121 * R-89010 The VNF **MUST** survive any single points of software failure
122 internal to the VNF (e.g., in memory structures, JMS message queues).
123 * R-67709 The VNF **MUST** be designed, built and packaged to enable
124 deployment across multiple fault zones (e.g., VNFCs deployed in
125 different servers, racks, OpenStack regions, geographies) so that
126 in the event of a planned/unplanned downtime of a fault zone, the
127 overall operation/throughput of the VNF is maintained.
128 * R-35291 The VNF **MUST** support the ability to failover a VNFC
129 automatically to other geographically redundant sites if not
130 deployed active-active to increase the overall resiliency of the VNF.
131 * R-36843 The VNF **MUST** support the ability of the VNFC to be deployable
132 in multi-zoned cloud sites to allow for site support in the event of cloud
133 zone failure or upgrades.
134 * R-00098 The VNF **MUST NOT** impact the ability of the VNF to provide
135 service/function due to a single container restart.
136 * R-79952 The VNF **SHOULD** support container snapshots if not for rebuild
137 and evacuate for rollback or back out mechanism.
139 Minimize Cross Data-Center Traffic
140 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
142 Avoid performance-sapping data center-to-data center replication delay
143 by applying techniques such as caching and persistent transaction paths
144 - Eliminate replication delay impact between data centers by using a
145 concept of stickiness (i.e., once a client is routed to data center "A",
146 the client will stay with Data center “A” until the entire session is
149 Minimize Cross Data-Center Traffic Requirements
151 * R-92935 The VNF **SHOULD** minimize the propagation of state information
152 across multiple data centers to avoid cross data center traffic.
154 Application Resilient Error Handling
155 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
157 Ensure an application communicating with a downstream peer is equipped
158 to intelligently handle all error conditions. Make sure code can handle
159 exceptions seamlessly - implement smart retry logic and implement
160 multi-point entry (multiple data centers) for back-end system
163 Application Resilient Error Handling Requirements
165 * R-26371 The VNF **MUST** detect communication failure for inter VNFC
166 instance and intra/inter VNF and re-establish communication
167 automatically to maintain the VNF without manual intervention to
168 provide service continuity.
169 * R-18725 The VNF **MUST** handle the restart of a single VNFC instance
170 without requiring all VNFC instances to be restarted.
171 * R-06668 The VNF **MUST** handle the start or restart of VNFC instances
172 in any order with each VNFC instance establishing or re-establishing
173 required connections or relationships with other VNFC instances and/or
174 VNFs required to perform the VNF function/role without requiring VNFC
175 instance(s) to be started/restarted in a particular order.
176 * R-80070 The VNF **MUST** handle errors and exceptions so that they do
177 not interrupt processing of incoming VNF requests to maintain service
178 continuity (where the error is not directly impacting the software
179 handling the incoming request).
180 * R-32695 The VNF **MUST** provide the ability to modify the number of
181 retries, the time between retries and the behavior/action taken after
182 the retries have been exhausted for exception handling to allow the
183 NCSP to control that behavior, where the interface and/or functional
184 specification allows for altering behaviour.
185 * R-48356 The VNF **MUST** fully exploit exception handling to the extent
186 that resources (e.g., threads and memory) are released when no longer
187 needed regardless of programming language.
188 * R-67918 The VNF **MUST** handle replication race conditions both locally
189 and geo-located in the event of a data base instance failure to maintain
191 * R-36792 The VNF **MUST** automatically retry/resubmit failed requests
192 made by the software to its downstream system to increase the success rate.
193 * R-70013 The VNF **MUST NOT** require any manual steps to get it ready for
194 service after a container rebuild.
195 * R-65515 The VNF **MUST** provide a mechanism and tool to start VNF
196 containers (VMs) without impacting service or service quality assuming
197 another VNF in same or other geographical location is processing service
199 * R-94978 The VNF **MUST** provide a mechanism and tool to perform a graceful
200 shutdown of all the containers (VMs) in the VNF without impacting service
201 or service quality assuming another VNF in same or other geographical
202 location can take over traffic and process service requests.
205 System Resource Optimization
206 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
208 Ensure an application is using appropriate system resources for the task
209 at hand; for example, do not use network or IO operations inside
210 critical sections, which could end up blocking other threads or
211 processes or eating memory if they are unable to complete. Critical
212 sections should only contain memory operation, and should not contain
213 any network or IO operation.
216 System Resource Optimization Requirements
218 * R-22059 The VNF **MUST NOT** execute long running tasks (e.g., IO,
219 database, network operations, service calls) in a critical section
220 of code, so as to minimize blocking of other operations and increase
221 concurrent throughput.
222 * R-63473 The VNF **MUST** automatically advertise newly scaled
223 components so there is no manual intervention required.
224 * R-74712 The VNF **MUST** utilize FQDNs (and not IP address) for
225 both Service Chaining and scaling.
226 * R-41159 The VNF **MUST** deliver any and all functionality from any
227 VNFC in the pool (where pooling is the most suitable solution). The
228 VNFC pool member should be transparent to the client. Upstream and
229 downstream clients should only recognize the function being performed,
230 not the member performing it.
231 * R-85959 The VNF **SHOULD** automatically enable/disable added/removed
232 sub-components or component so there is no manual intervention required.
233 * R-06885 The VNF **SHOULD** support the ability to scale down a VNFC pool
234 without jeopardizing active sessions. Ideally, an active session should
235 not be tied to any particular VNFC instance.
236 * R-12538 The VNF **SHOULD** support load balancing and discovery
237 mechanisms in resource pools containing VNFC instances.
238 * R-98989 The VNF **SHOULD** utilize resource pooling (threads,
239 connections, etc.) within the VNF application so that resources
240 are not being created and destroyed resulting in resource management
242 * R-55345 The VNF **SHOULD** use techniques such as “lazy loading” when
243 initialization includes loading catalogues and/or lists which can grow
244 over time, so that the VNF startup time does not grow at a rate
245 proportional to that of the list.
246 * R-35532 The VNF **SHOULD** release and clear all shared assets (memory,
247 database operations, connections, locks, etc.) as soon as possible,
248 especially before long running sync and asynchronous operations, so as
249 to not prevent use of these assets by other entities.
252 Application Configuration Management
253 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
255 Leverage configuration management audit capability to drive conformity
256 to develop gold configurations for technologies like Java, Python, etc.
258 Application Configuration Management Requirements
260 * R-77334 The VNF **MUST** allow configurations and configuration parameters
261 to be managed under version control to ensure consistent configuration
262 deployment, traceability and rollback.
263 * R-99766 The VNF **MUST** allow configurations and configuration parameters
264 to be managed under version control to ensure the ability to rollback to
265 a known valid configuration.
266 * R-73583 The VNF **MUST** allow changes of configuration parameters
267 to be consumed by the VNF without requiring the VNF or its sub-components
268 to be bounced so that the VNF availability is not effected.
271 Intelligent Transaction Distribution & Management
272 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
274 Leverage Intelligent Load Balancing and redundant components (hardware
275 and modules) for all transactions, such that at any point in the
276 transaction: front end, middleware, back end -- a failure in any one
277 component does not result in a failure of the application or system;
278 i.e., transactions will continue to flow, albeit at a possibly reduced
279 capacity until the failed component restores itself. Create redundancy
280 in all layers (software and hardware) at local and remote data centers;
281 minimizing interdependencies of components (i.e. data replication,
282 deploying non-related elements in the same container).
284 Intelligent Transaction Distribution & Management Requirements
286 * R-21558 The VNF **SHOULD** use intelligent routing by having knowledge
287 of multiple downstream/upstream endpoints that are exposed to it, to
288 ensure there is no dependency on external services (such as load balancers)
289 to switch to alternate endpoints.
290 * R-08315 The VNF **SHOULD** use redundant connection pooling to connect
291 to any backend data source that can be switched between pools in an
292 automated/scripted fashion to ensure high availability of the connection
294 * R-27995 The VNF **SHOULD** include control loop mechanisms to notify
295 the consumer of the VNF of their exceeding SLA thresholds so the consumer
296 is able to control its load against the VNF.
298 Deployment Optimization
299 ^^^^^^^^^^^^^^^^^^^^^^^^^^
301 Reduce opportunity for failure, by human or by machine, through smarter
302 deployment practices and automation. This can include rolling code
303 deployments, additional testing strategies, and smarter deployment
304 automation (remove the human from the mix).
306 Deployment Optimization Requirements
308 * R-73364 The VNF **MUST** support at least two major versions of the
309 VNF software and/or sub-components to co-exist within production
310 environments at any time so that upgrades can be applied across
311 multiple systems in a staggered manner.
312 * R-02454 The VNF **MUST** support the existence of multiple major/minor
313 versions of the VNF software and/or sub-components and interfaces that
314 support both forward and backward compatibility to be transparent to
315 the Service Provider usage.
316 * R-57855 The VNF **MUST** support hitless staggered/rolling deployments
317 between its redundant instances to allow "soak-time/burn in/slow roll"
318 which can enable the support of low traffic loads to validate the
319 deployment prior to supporting full traffic loads.
320 * R-64445 The VNF **MUST** support the ability of a requestor of the
321 service to determine the version (and therefore capabilities) of the
322 service so that Network Cloud Service Provider can understand the
323 capabilities of the service.
324 * R-56793 The VNF **MUST** test for adherence to the defined performance
325 budgets at each layer, during each delivery cycle with delivered
326 results, so that the performance budget is measured and the code
327 is adjusted to meet performance budget.
328 * R-77667 The VNF **MUST** test for adherence to the defined performance
329 budget at each layer, during each delivery cycle so that the performance
330 budget is measured and feedback is provided where the performance budget
332 * R-49308 The VNF **SHOULD** test for adherence to the defined resiliency
333 rating recommendation at each layer, during each delivery cycle with
334 delivered results, so that the resiliency rating is measured and the
335 code is adjusted to meet software resiliency requirements.
336 * R-16039 The VNF **SHOULD** test for adherence to the defined
337 resiliency rating recommendation at each layer, during each
338 delivery cycle so that the resiliency rating is measured and
339 feedback is provided where software resiliency requirements are
342 Monitoring & Dashboard
343 ^^^^^^^^^^^^^^^^^^^^^^^^^
345 Promote dashboarding as a tool to monitor and support the general
346 operational health of a system. It is critical to the support of the
347 implementation of many resiliency patterns essential to the maintenance
348 of the system. It can help identify unusual conditions that might
349 indicate failure or the potential for failure. This would contribute to
350 improve Mean Time to Identify (MTTI), Mean Time to Repair (MTTR), and
351 post-incident diagnostics.
353 Monitoring & Dashboard Requirements
355 * R-34957 The VNF **MUST** provide a method of metrics gathering for each
356 layer's performance to identify/document variances in the allocations so
357 they can be addressed.
358 * R-49224 The VNF **MUST** provide unique traceability of a transaction
359 through its life cycle to ensure quick and efficient troubleshooting.
360 * R-52870 The VNF **MUST** provide a method of metrics gathering
361 and analysis to evaluate the resiliency of the software from both
362 a granular as well as a holistic standpoint. This includes, but is
363 not limited to thread utilization, errors, timeouts, and retries.
364 * R-92571 The VNF **MUST** provide operational instrumentation such as
365 logging, so as to facilitate quick resolution of issues with the VNF to
366 provide service continuity.
367 * R-48917 The VNF **MUST** monitor for and alert on (both sender and
368 receiver) errant, running longer than expected and missing file transfers,
369 so as to minimize the impact due to file transfer errors.
370 * R-28168 The VNF **SHOULD** use an appropriately configured logging
371 level that can be changed dynamically, so as to not cause performance
372 degradation of the VNF due to excessive logging.
373 * R-87352 The VNF **SHOULD** utilize Cloud health checks, when available
374 from the Network Cloud, from inside the application through APIs to check
375 the network connectivity, dropped packets rate, injection, and auto failover
376 to alternate sites if needed.
377 * R-16560 The VNF **SHOULD** conduct a resiliency impact assessment for all
378 inter/intra-connectivity points in the VNF to provide an overall resiliency
379 rating for the VNF to be incorporated into the software design and
380 development of the VNF.
383 ----------------------
385 The objective of this section is to provide the key security
386 requirements that need to be met by VNFs. The security requirements are
387 grouped into five areas as listed below. Other security areas will be
388 addressed in future updates. These security requirements are applicable
389 to all VNFs. Additional security requirements for specific types of VNFs
390 will be applicable and are outside the scope of these general
393 Section 5.a Security in *VNF Guidelines* outlines
394 the five broad security areas for VNFs that are detailed in the
397 - **VNF General Security**: This section addresses general security
398 requirements for the VNFs that the VNF provider will need to address.
400 - **VNF Identity and Access Management**: This section addresses
401 security requirements with respect to Identity and Access Management
402 as these pertain to generic VNFs.
404 - **VNF API Security**: This section addresses the generic security
405 requirements associated with APIs. These requirements are applicable
406 to those VNFs that use standard APIs for communication and data
409 - **VNF Security Analytics**: This section addresses the security
410 requirements associated with analytics for VNFs that deal with
411 monitoring, data collection and analysis.
413 - **VNF Data Protection**: This section addresses the security
414 requirements associated with data protection.
416 VNF General Security Requirements
417 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
419 This section provides details on the VNF general security requirements
420 on various security areas such as user access control, network security,
421 ACLs, infrastructure security, and vulnerability management. These
422 requirements cover topics associated with compliance, security patching,
423 logging/accounting, authentication, encryption, role-based access
424 control, least privilege access/authorization. The following security
425 requirements need to be met by the solution in a virtual environment:
427 General Security Requirements
429 Integration and operation within a robust security environment is necessary
430 and expected. The security architecture will include one or more of the
431 following: IDAM (Identity and Access Management) for all system and
432 applications access, Code scanning, network vulnerability scans, OS,
433 Database and application patching, malware detection and cleaning,
434 DDOS prevention, network security gateways (internal and external)
435 operating at various layers, host and application based tools for
436 security compliance validation, aggressive security patch application,
437 tightly controlled software distribution and change control processes
438 and other state of the art security solutions. The VNF is expected to
439 function reliably within such an environment and the developer is
440 expected to understand and accommodate such controls and can expected
441 to supply responsive interoperability support and testing throughout
442 the product’s lifecycle.
444 * R-23740 The VNF **MUST** accommodate the security principle of
445 “least privilege” during development, implementation and operation.
446 The importance of “least privilege” cannot be overstated and must be
447 observed in all aspects of VNF development and not limited to security.
448 This is applicable to all sections of this document.
449 * R-61354 The VNF **MUST** implement access control list for OA&M
450 services (e.g., restricting access to certain ports or applications).
451 * R-85633 The VNF **MUST** implement Data Storage Encryption
452 (database/disk encryption) for Sensitive Personal Information (SPI)
453 and other subscriber identifiable data. Note: subscriber’s SPI/data
454 must be encrypted at rest, and other subscriber identifiable data
455 should be encrypted at rest. Other data protection requirements exist
456 and should be well understood by the developer.
457 * R-92207 The VNF **SHOULD** implement a mechanism for automated and
458 frequent "system configuration (automated provisioning / closed loop)"
460 * R-23882 The VNF **SHOULD** be scanned using both network scanning
461 and application scanning security tools on all code, including underlying
462 OS and related configuration. Scan reports shall be provided. Remediation
463 roadmaps shall be made available for any findings.
464 * R-46986 The VNF **SHOULD** have source code scanned using scanning
465 tools (e.g., Fortify) and provide reports.
466 * R-55830 The VNF **MUST** distribute all production code from NCSP
467 internal sources only. No production code, libraries, OS images, etc.
468 shall be distributed from publically accessible depots.
469 * R-99771 The VNF **MUST** provide all code/configuration files in a
470 "Locked down" or hardened state or with documented recommendations for
471 such hardening. All unnecessary services will be disabled. VNF provider
472 default credentials, community strings and other such artifacts will be
473 removed or disclosed so that they can be modified or removed during
475 * R-19768 The VNF **SHOULD** support L3 VPNs that enable segregation of
476 traffic by application (dropping packets not belonging to the VPN) (i.e.,
477 AVPN, IPSec VPN for Internet routes).
478 * R-33981 The VNF **SHOULD** interoperate with various access control
479 mechanisms for the Network Cloud execution environment (e.g.,
480 Hypervisors, containers).
481 * R-40813 The VNF **SHOULD** support the use of virtual trusted platform
482 module, hypervisor security testing and standards scanning tools.
483 * R-56904 The VNF **MUST** interoperate with the ONAP (SDN) Controller so that
484 it can dynamically modify the firewall rules, ACL rules, QoS rules, virtual
485 routing and forwarding rules.
486 * R-26586 The VNF **SHOULD** support the ability to work with aliases
487 (e.g., gateways, proxies) to protect and encapsulate resources.
488 * R-49956 The VNF **MUST** pass all access to applications (Bearer,
489 signaling and OA&M) through various security tools and platforms from
490 ACLs, stateful firewalls and application layer gateways depending on
491 manner of deployment. The application is expected to function (and in
492 some cases, interwork) with these security tools.
493 * R-69649 The VNF **MUST** have all vulnerabilities patched as soon
494 as possible. Patching shall be controlled via change control process
495 with vulnerabilities disclosed along with mitigation recommendations.
496 * R-78010 The VNF **MUST** use the NCSP’s IDAM API for Identification,
497 authentication and access control of customer or VNF application users.
498 * R-42681 The VNF **MUST** use the NCSP’s IDAM API or comply with
499 the requirements if not using the NCSP’s IDAM API, for identification,
500 authentication and access control of OA&M and other system level
502 * R-68589 The VNF **MUST**, if not using the NCSP’s IDAM API, support
503 User-IDs and passwords to uniquely identify the user/application. VNF
504 needs to have appropriate connectors to the Identity, Authentication
505 and Authorization systems that enables access at OS, Database and
506 Application levels as appropriate.
507 * R-52085 The VNF **MUST**, if not using the NCSP’s IDAM API, provide
508 the ability to support Multi-Factor Authentication (e.g., 1st factor =
509 Software token on device (RSA SecureID); 2nd factor = User Name+Password,
511 * R-98391 The VNF **MUST**, if not using the NCSP’s IDAM API, support
512 Role-Based Access Control to permit/limit the user/application to
513 performing specific activities.
514 * R-63217 The VNF **MUST**, if not using the NCSP’s IDAM API, support
515 logging via ONAP for a historical view of “who did what and when”.
516 * R-62498 The VNF **MUST**, if not using the NCSP’s IDAM API, encrypt
517 OA&M access (e.g., SSH, SFTP).
518 * R-79107 The VNF **MUST**, if not using the NCSP’s IDAM API, enforce
519 a configurable maximum number of Login attempts policy for the users.
520 VNF provider must comply with "terminate idle sessions" policy.
521 Interactive sessions must be terminated, or a secure, locking screensaver
522 must be activated requiring authentication, after a configurable period
523 of inactivity. The system-based inactivity timeout for the enterprise
524 identity and access management system must also be configurable.
525 * R-35144 The VNF **MUST**, if not using the NCSP’s IDAM API, comply
526 with the NCSP’s credential management policy.
527 * R-75041 The VNF **MUST**, if not using the NCSP’s IDAM API, expire
528 passwords at regular configurable intervals.
529 * R-46908 The VNF **MUST**, if not using the NCSP’s IDAM API, comply
530 with "password complexity" policy. When passwords are used, they shall
531 be complex and shall at least meet the following password construction
532 requirements: (1) be a minimum configurable number of characters in
533 length, (2) include 3 of the 4 following types of characters:
534 upper-case alphabetic, lower-case alphabetic, numeric, and special,
535 (3) not be the same as the UserID with which they are associated or
536 other common strings as specified by the environment, (4) not contain
537 repeating or sequential characters or numbers, (5) not to use special
538 characters that may have command functions, and (6) new passwords must
539 not contain sequences of three or more characters from the previous
541 * R-39342 The VNF **MUST**, if not using the NCSP’s IDAM API, comply
542 with "password changes (includes default passwords)" policy. Products
543 will support password aging, syntax and other credential management
544 practices on a configurable basis.
545 * R-40521 The VNF **MUST**, if not using the NCSP’s IDAM API, support
546 use of common third party authentication and authorization tools such
548 * R-41994 The VNF **MUST**, if not using the NCSP’s IDAM API, comply
549 with "No Self-Signed Certificates" policy. Self-signed certificates
550 must be used for encryption only, using specified and approved
551 encryption protocols such as TLS 1.2 or higher or equivalent security
552 protocols such as IPSec, AES.
553 * R-23135 The VNF **MUST**, if not using the NCSP’s IDAM API,
554 authenticate system to system communications where one system
555 accesses the resources of another system, and must never conceal
556 individual accountability.
558 VNF Identity and Access Management Requirements
559 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
561 The following security requirements for logging, identity, and access
562 management need to be met by the solution in a virtual environment:
565 Identity and Access Management Requirements
567 * R-95105 The VNF **MUST** host connectors for access to the application
569 * R-45496 The VNF **MUST** host connectors for access to the OS
570 (Operating System) layer.
571 * R-05470 The VNF **MUST** host connectors for access to the database layer.
572 * R-99174 The VNF **MUST** comply with Individual Accountability
573 (each person must be assigned a unique ID) when persons or non-person
574 entities access VNFs.
575 * R-42874 The VNF **MUST** comply with Least Privilege (no more
576 privilege than required to perform job functions) when persons
577 or non-person entities access VNFs.
578 * R-71787 The VNF **MUST** comply with Segregation of Duties (access to a
579 single layer and no developer may access production without special
580 oversight) when persons or non-person entities access VNFs.
581 * R-86261 The VNF **MUST NOT** allow VNF provider access to VNFs remotely.
582 * R-49945 The VNF **MUST** authorize VNF provider access through a
583 client application API by the client application owner and the resource
584 owner of the VNF before provisioning authorization through Role Based
585 Access Control (RBAC), Attribute Based Access Control (ABAC), or other
586 policy based mechanism.
587 * R-31751 The VNF **MUST** subject VNF provider access to privilege
588 reconciliation tools to prevent access creep and ensure correct
589 enforcement of access policies.
590 * R-34552 The VNF **MUST** provide or support the Identity and Access
591 Management (IDAM) based threat detection data for OWASP Top 10.
592 * R-29301 The VNF **MUST** provide or support the Identity and Access
593 Management (IDAM) based threat detection data for Password Attacks.
594 * R-72243 The VNF **MUST** provide or support the Identity and Access
595 Management (IDAM) based threat detection data for Phishing / SMishing.
596 * R-58998 The VNF **MUST** provide or support the Identity and Access
597 Management (IDAM) based threat detection data for Malware (Key Logger).
598 * R-14025 The VNF **MUST** provide or support the Identity and Access
599 Management (IDAM) based threat detection data for Session Hijacking.
600 * R-31412 The VNF **MUST** provide or support the Identity and Access
601 Management (IDAM) based threat detection data for XSS / CSRF.
602 * R-51883 The VNF **MUST** provide or support the Identity and Access
603 Management (IDAM) based threat detection data for Replay.
604 * R-44032 The VNF **MUST** provide or support the Identity and Access
605 Management (IDAM) based threat detection data for Man in the Middle (MITM).
606 * R-58977 The VNF **MUST** provide or support the Identity and Access
607 Management (IDAM) based threat detection data for Eavesdropping.
608 * R-24825 The VNF **MUST** provide Context awareness data (device,
609 location, time, etc.) and be able to integrate with threat detection system.
610 * R-59391 The VNF provider **MUST**, where a VNF provider requires
611 the assumption of permissions, such as root or administrator, first
612 log in under their individual user login ID then switch to the other
613 higher level account; or where the individual user login is infeasible,
614 must login with an account with admin privileges in a way that
615 uniquely identifies the individual performing the function.
616 * R-85028 The VNF **MUST** authenticate system to system access and
617 do not conceal a VNF provider user’s individual accountability for
619 * R-80335 The VNF **MUST** make visible a Warning Notice: A formal
620 statement of resource intent, i.e., a warning notice, upon initial
621 access to a VNF provider user who accesses private internal networks
622 or Company computer resources, e.g., upon initial logon to an internal
623 web site, system or application which requires authentication.
624 * R-73541 The VNF **MUST** use access controls for VNFs and their
625 supporting computing systems at all times to restrict access to
626 authorized personnel only, e.g., least privilege. These controls
627 could include the use of system configuration or access control
629 * R-64503 The VNF **MUST** provide minimum privileges for initial
630 and default settings for new user accounts.
631 * R-86835 The VNF **MUST** set the default settings for user access
632 to sensitive commands and data to deny authorization.
633 * R-77157 The VNF **MUST** conform to approved request, workflow
634 authorization, and authorization provisioning requirements when
635 creating privileged users.
636 * R-81147 The VNF **MUST** have greater restrictions for access and
637 execution, such as up to 3 factors of authentication and restricted
638 authorization, for commands affecting network services, such as
639 commands relating to VNFs.
640 * R-49109 The VNF **MUST** encrypt TCP/IP--HTTPS (e.g., TLS v1.2)
641 transmission of data on internal and external networks.
642 * R-39562 The VNF **MUST** disable unnecessary or vulnerable cgi-bin programs.
643 * R-15671 The VNF **MUST NOT** provide public or unrestricted access
644 to any data without the permission of the data owner. All data
645 classification and access controls must be followed.
646 * R-89753 The VNF **MUST NOT** install or use systems, tools or
647 utilities capable of capturing or logging data that was not created
648 by them or sent specifically to them in production, without
649 authorization of the VNF system owner.
650 * R-19082 The VNF **MUST NOT** run security testing tools and
651 programs, e.g., password cracker, port scanners, hacking tools
652 in production, without authorization of the VNF system owner.
653 * R-19790 The VNF **MUST NOT** include authentication credentials
654 in security audit logs, even if encrypted.
655 * R-85419 The VNF **SHOULD** use REST APIs exposed to Client
656 Applications for the implementation of OAuth 2.0 Authorization
657 Code Grant and Client Credentials Grant, as the standard interface
659 * R-48080 The VNF **SHOULD** support SCEP (Simple Certificate
660 Enrollment Protocol).
663 VNF API Security Requirements
664 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
666 This section covers API security requirements when these are used by the
667 VNFs. Key security areas covered in API security are Access Control,
668 Authentication, Passwords, PKI Authentication Alarming, Anomaly
669 Detection, Lawful Intercept, Monitoring and Logging, Input Validation,
670 Cryptography, Business continuity, Biometric Authentication,
671 Identification, Confidentiality and Integrity, and Denial of Service.
673 The solution in a virtual environment needs to meet the following API
674 security requirements:
679 * R-37608 The VNF **MUST** provide a mechanism to restrict access based
680 on the attributes of the VNF and the attributes of the subject.
681 * R-43884 The VNF **MUST** integrate with external authentication
682 and authorization services (e.g., IDAM).
683 * R-25878 The VNF **MUST** use certificates issued from publicly
684 recognized Certificate Authorities (CA) for the authentication process
685 where PKI-based authentication is used.
686 * R-19804 The VNF **MUST** validate the CA signature on the certificate,
687 ensure that the date is within the validity period of the certificate,
688 check the Certificate Revocation List (CRL), and recognize the identity
689 represented by the certificate where PKI-based authentication is used.
690 * R-47204 The VNF **MUST** protect the confidentiality and integrity of
691 data at rest and in transit from unauthorized access and modification.
692 * R-33488 The VNF **MUST** protect against all denial of service
693 attacks, both volumetric and non-volumetric, or integrate with external
694 denial of service protection tools.
695 * R-21652 The VNF **MUST** implement the following input validation
696 control: Check the size (length) of all input. Do not permit an amount
697 of input so great that it would cause the VNF to fail. Where the input
698 may be a file, the VNF API must enforce a size limit.
699 * R-54930 The VNF **MUST** implement the following input validation
700 control: Do not permit input that contains content or characters
701 inappropriate to the input expected by the design. Inappropriate input,
702 such as SQL insertions, may cause the system to execute undesirable
703 and unauthorized transactions against the database or allow other
704 inappropriate access to the internal network.
705 * R-21210 The VNF **MUST** implement the following input validation
706 control: Validate that any input file has a correct and valid
707 Multipurpose Internet Mail Extensions (MIME) type. Input files
708 should be tested for spoofed MIME types.
709 * R-23772 The VNF **MUST** validate input at all layers implementing VNF APIs.
710 * R-87135 The VNF **MUST** comply with NIST standards and industry
711 best practices for all implementations of cryptography.
712 * R-02137 The VNF **MUST** implement all monitoring and logging as
713 described in the Security Analytics section.
714 * R-15659 The VNF **MUST** restrict changing the criticality level of
715 a system security alarm to administrator(s).
716 * R-19367 The VNF **MUST** monitor API invocation patterns to detect
717 anomalous access patterns that may represent fraudulent access or
718 other types of attacks, or integrate with tools that implement anomaly
720 * R-78066 The VNF **MUST** support requests for information from law
721 enforcement and government agencies.
724 VNF Security Analytics Requirements
725 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
727 This section covers VNF security analytics requirements that are mostly
728 applicable to security monitoring. The VNF Security Analytics cover the
729 collection and analysis of data following key areas of security
732 - Anti-virus software
742 - API based monitoring
744 - Detection and notification
746 - Resource exhaustion detection
748 - Proactive and scalable monitoring
750 - Mobility and guest VNF monitoring
752 - Closed loop monitoring
754 - Interfaces to management and orchestration
756 - Malformed packet detections
760 - Dynamic security control
762 - Dynamic load balancing
764 - Connection attempts to inactive ports (malicious port scanning)
766 The following requirements of security monitoring need to be met by the
767 solution in a virtual environment.
769 Security Analytics Requirements
771 * R-48470 The VNF **MUST** support Real-time detection and
772 notification of security events.
773 * R-22286 The VNF **MUST** support Integration functionality via
774 API/Syslog/SNMP to other functional modules in the network (e.g.,
775 PCRF, PCEF) that enable dynamic security control by blocking the
776 malicious traffic or malicious end users
777 * R-32636 The VNF **MUST** support API-based monitoring to take care of
778 the scenarios where the control interfaces are not exposed, or are
779 optimized and proprietary in nature.
780 * R-61648 The VNF **MUST** support event logging, formats, and delivery
781 tools to provide the required degree of event data to ONAP
782 * R-22367 The VNF **MUST** support detection of malformed packets due to
783 software misconfiguration or software vulnerability.
784 * R-31961 The VNF **MUST** support integrated DPI/monitoring functionality
785 as part of VNFs (e.g., PGW, MME).
786 * R-20912 The VNF **MUST** support alternative monitoring capabilities
787 when VNFs do not expose data or control traffic or use proprietary and
788 optimized protocols for inter VNF communication.
789 * R-73223 The VNF **MUST** support proactive monitoring to detect and
790 report the attacks on resources so that the VNFs and associated VMs can
791 be isolated, such as detection techniques for resource exhaustion, namely
792 OS resource attacks, CPU attacks, consumption of kernel memory, local
794 * R-58370 The VNF **MUST** coexist and operate normally with commercial
795 anti-virus software which shall produce alarms every time when there is a
797 * R-56920 The VNF **MUST** protect all security audit logs (including
798 API, OS and application-generated logs), security audit software, data,
799 and associated documentation from modification, or unauthorized viewing,
800 by standard OS access control mechanisms, by sending to a remote system,
802 * R-54520 The VNF **MUST** log successful and unsuccessful login attempts.
803 * R-55478 The VNF **MUST** log logoffs.
804 * R-08598 The VNF **MUST** log successful and unsuccessful changes to
806 * R-13344 The VNF **MUST** log starting and stopping of security
808 * R-07617 The VNF **MUST** log creating, removing, or changing the
809 inherent privilege level of users.
810 * R-94525 The VNF **MUST** log connections to a network listener of the
812 * R-31614 The VNF **MUST** log the field “event type” in the security
814 * R-97445 The VNF **MUST** log the field “date/time” in the security
816 * R-25547 The VNF **MUST** log the field “protocol” in the security audit logs.
817 * R-06413 The VNF **MUST** log the field “service or program used for
818 access” in the security audit logs.
819 * R-15325 The VNF **MUST** log the field “success/failure” in the
821 * R-89474 The VNF **MUST** log the field “Login ID” in the security audit logs.
822 * R-04982 The VNF **MUST NOT** include an authentication credential,
823 e.g., password, in the security audit logs, even if encrypted.
824 * R-63330 The VNF **MUST** detect when the security audit log storage
825 medium is approaching capacity (configurable) and issue an alarm via
826 SMS or equivalent as to allow time for proper actions to be taken to
827 pre-empt loss of audit data.
828 * R-41252 The VNF **MUST** support the capability of online storage of
830 * R-41825 The VNF **MUST** activate security alarms automatically when
831 the following event is detected: configurable number of consecutive
832 unsuccessful login attempts
833 * R-43332 The VNF **MUST** activate security alarms automatically when
834 the following event is detected: successful modification of critical
835 system or application files
836 * R-74958 The VNF **MUST** activate security alarms automatically when
837 the following event is detected: unsuccessful attempts to gain permissions
838 or assume the identity of another user
839 * R-15884 The VNF **MUST** include the field “date” in the Security alarms
840 (where applicable and technically feasible).
841 * R-23957 The VNF **MUST** include the field “time” in the Security alarms
842 (where applicable and technically feasible).
843 * R-71842 The VNF **MUST** include the field “service or program used for
844 access” in the Security alarms (where applicable and technically feasible).
845 * R-57617 The VNF **MUST** include the field “success/failure” in the
846 Security alarms (where applicable and technically feasible).
847 * R-99730 The VNF **MUST** include the field “Login ID” in the Security
848 alarms (where applicable and technically feasible).
849 * R-29705 The VNF **MUST** restrict changing the criticality level of a
850 system security alarm to administrator(s).
851 * R-13627 The VNF **MUST** monitor API invocation patterns to detect
852 anomalous access patterns that may represent fraudulent access or other
853 types of attacks, or integrate with tools that implement anomaly and
855 * R-21819 The VNF **MUST** support requests for information from law
856 enforcement and government agencies.
857 * R-56786 The VNF **MUST** implement “Closed Loop” automatic implementation
858 (without human intervention) for Known Threats with detection rate in low
860 * R-25094 The VNF **MUST** perform data capture for security functions.
861 * R-04492 The VNF **MUST** generate security audit logs that must be sent
862 to Security Analytics Tools for analysis.
863 * R-19219 The VNF **MUST** provide audit logs that include user ID, dates,
864 times for log-on and log-off, and terminal location at minimum.
865 * R-30932 The VNF **MUST** provide security audit logs including records
866 of successful and rejected system access data and other resource access
868 * R-54816 The VNF **MUST** support the storage of security audit logs
869 for agreed period of time for forensic analysis.
870 * R-57271 The VNF **MUST** provide the capability of generating security
871 audit logs by interacting with the operating system (OS) as appropriate.
872 * R-84160 The VNF **MUST** have security logging for VNFs and their
873 OSs be active from initialization. Audit logging includes automatic
874 routines to maintain activity records and cleanup programs to ensure
875 the integrity of the audit/logging systems.
877 VNF Data Protection Requirements
878 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
880 This section covers VNF data protection requirements that are mostly
881 applicable to security monitoring.
884 Data Protection Requirements
886 * R-58964 The VNF **MUST** provide the capability to restrict read
887 and write access to data.
888 * R-99112 The VNF **MUST** provide the capability to restrict access
889 to data to specific users.
890 * R-83227 The VNF **MUST** Provide the capability to encrypt data in
891 transit on a physical or virtual network.
892 * R-32641 The VNF **MUST** provide the capability to encrypt data on
894 * R-13151 The VNF **SHOULD** disable the paging of the data requiring
895 encryption, if possible, where the encryption of non-transient data is
896 required on a device for which the operating system performs paging to
897 virtual memory. If not possible to disable the paging of the data
898 requiring encryption, the virtual memory should be encrypted.
899 * R-93860 The VNF **MUST** provide the capability to integrate with an
900 external encryption service.
901 * R-73067 The VNF **MUST** use industry standard cryptographic algorithms
902 and standard modes of operations when implementing cryptography.
903 * R-22645 The VNF **SHOULD** use commercial algorithms only when there
904 are no applicable governmental standards for specific cryptographic
905 functions, e.g., public key cryptography, message digests.
906 * R-12467 The VNF **MUST NOT** use the SHA, DSS, MD5, SHA-1 and
907 Skipjack algorithms or other compromised encryption.
908 * R-02170 The VNF **MUST** use, whenever possible, standard implementations
909 of security applications, protocols, and format, e.g., S/MIME, TLS, SSH,
910 IPSec, X.509 digital certificates for cryptographic implementations.
911 These implementations must be purchased from reputable vendors and must
912 not be developed in-house.
913 * R-70933 The VNF **MUST** provide the ability to migrate to newer
914 versions of cryptographic algorithms and protocols with no impact.
915 * R-44723 The VNF **MUST** use symmetric keys of at least 112 bits in length.
916 * R-25401 The VNF **MUST** use asymmetric keys of at least 2048 bits in length.
917 * R-95864 The VNF **MUST** use commercial tools that comply with X.509
918 standards and produce x.509 compliant keys for public/private key generation.
919 * R-12110 The VNF **MUST NOT** use keys generated or derived from
920 predictable functions or values, e.g., values considered predictable
921 include user identity information, time of day, stored/transmitted data.
922 * R-52060 The VNF **MUST** provide the capability to configure encryption
923 algorithms or devices so that they comply with the laws of the jurisdiction
924 in which there are plans to use data encryption.
925 * R-69610 The VNF **MUST** provide the capability of using certificates
926 issued from a Certificate Authority not provided by the VNF provider.
927 * R-83500 The VNF **MUST** provide the capability of allowing certificate
928 renewal and revocation.
929 * R-29977 The VNF **MUST** provide the capability of testing the validity
930 of a digital certificate by validating the CA signature on the certificate.
931 * R-24359 The VNF **MUST** provide the capability of testing the validity
932 of a digital certificate by validating the date the certificate is being
933 used is within the validity period for the certificate.
934 * R-39604 The VNF **MUST** provide the capability of testing the
935 validity of a digital certificate by checking the Certificate Revocation
936 List (CRL) for the certificates of that type to ensure that the
937 certificate has not been revoked.
938 * R-75343 The VNF **MUST** provide the capability of testing the
939 validity of a digital certificate by recognizing the identity represented
940 by the certificate — the "distinguished name".
943 ---------------------------
945 ONAP Heat Orchestration Templates: Overview
946 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
948 ONAP supports a modular Heat Orchestration Template design pattern,
949 referred to as *VNF Modularity.*
951 ONAP VNF Modularity Overview
952 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
954 With VNF Modularity, a single VNF may be composed from one or more Heat
955 Orchestration Templates, each of which represents a subset of the
956 overall VNF. These component parts are referred to as “\ *VNF
957 Modules*\ ”. During orchestration, these modules are deployed
958 incrementally to create the complete VNF.
960 A modular Heat Orchestration Template can be either one of the following
965 2. Incremental Module
967 3. Cinder Volume Module
969 * R-37028 The VNF **MUST** be composed of one “base” module.
970 * R-41215 The VNF **MAY** have zero to many “incremental” modules.
971 * R-20974 The VNF **MUST** deploy the base module first, prior to
972 the incremental modules.
974 ONAP also supports the concept of an optional, independently deployed
975 Cinder volume via a separate Heat Orchestration Templates, referred to
976 as a Cinder Volume Module. This allows the volume to persist after a
977 Virtual Machine (VM) (i.e., OS::Nova::Server) is deleted, allowing the
978 volume to be reused on another instance (e.g., during a failover
981 * R-11200 The VNF **MUST** keep the scope of a Cinder volume module,
982 when it exists, to be 1:1 with the VNF Base Module or Incremental Module.
984 * R-38474 The VNF **MUST** have a corresponding environment file for
986 * R-81725 The VNF **MUST** have a corresponding environment file for
987 an Incremental Module.
988 * R-53433 The VNF **MUST** have a corresponding environment file for
989 a Cinder Volume Module.
991 These concepts will be described in more detail throughout the document.
992 This overview is provided to set the stage and help clarify the concepts
993 that will be introduced.
997 ^^^^^^^^^^^^^^^^^^^^^^
999 ONAP supports a modular Heat Orchestration Template design pattern,
1000 referred to as *VNF Modularity.* With this approach, a single VNF may be
1001 composed from one or more Heat Orchestration Templates, each of which
1002 represents a subset of the overall VNF. These component parts are
1003 referred to as “\ *VNF Modules*\ ”. During orchestration, these modules
1004 are deployed incrementally to create the complete VNF.
1006 A modular Heat Orchestration Template can be either one of the following
1011 2. Incremental Module
1013 3. Cinder Volume Module
1015 A VNF must be composed of one “base” module and may be composed of zero
1016 to many “incremental” modules. The base module must be deployed first,
1017 prior to the incremental modules.
1019 ONAP also supports the concept of an optional, independently deployed
1020 Cinder volume via a separate Heat Orchestration Templates, referred to
1021 as a Cinder Volume Module. This allows the volume to persist after a VM
1022 (i.e., OS::Nova::Server) is deleted, allowing the volume to be reused on
1023 another instance (e.g., during a failover activity).
1025 The scope of a Cinder volume module, when it exists, must be 1:1 with a
1026 Base module or Incremental Module.
1028 A Base Module must have a corresponding environment file.
1030 An Incremental Module must have a corresponding environment file.
1032 A Cinder Volume Module must have a corresponding environment file.
1034 A VNF module (base, incremental, cinder) may support nested templates.
1036 A shared Heat Orchestration Template resource must be defined in the
1037 base module. A shared resource is a resource that that will be
1038 referenced by another resource that is defined in the Base Module and/or
1039 one or more incremental modules.
1041 When the shared resource needs to be referenced by a resource in an
1042 incremental module, the UUID of the shared resource must be exposed by
1043 declaring an ONAP Base Module Output Parameter.
1045 Note that a Cinder volume is *not* a shared resource. A volume template
1046 must correspond 1:1 with a base module or incremental module.
1048 An example of a shared resource is the resource
1049 OS::Neutron::SecurityGroup. Security groups are sets of IP filter rules
1050 that are applied to a VNF’s networking. The resource OS::Neutron::Port
1051 has a property security\_groups which provides the security groups
1052 associated with port. The value of parameter(s) associated with this
1053 property must be the UUIDs of the resource(s)
1054 OS::Neutron::SecurityGroup.
1056 *Note:* A Cinder volume is *not* considered a shared resource. A volume
1057 template must correspond 1:1 with a base template or add-on module
1060 Suggested Patterns for Modular VNFs
1061 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
1063 There are numerous variations of VNF modularity. Below are two suggested
1066 **Option 1: Modules per VNFC type**
1068 a. Base module contains only the shared resources.
1070 b. Group all VMs (e.g., VNFCs) of a given type (i.e. {vm-type}) into its
1071 own incremental module. That is, the VNF has an incremental module
1074 c. For a given {vm-type} incremental module, the VNF may have
1076 i. One incremental module used for both initial turn up and re-used
1077 for scaling. This approach is used when the number of VMs
1078 instantiated will be the same for initial deployment and scaling.
1080 ii. Two incremental modules, where one is used for initial turn up
1081 and one is used for scaling. This approach is used when the
1082 number of VMs instantiated will be different for initial
1083 deployment and scaling.
1085 **Option 2: Base VNF with Incremental Growth Modules**
1087 a. Base module contains a complete initial VNF instance
1089 b. Incremental modules for incremental scaling units
1091 i. May contain VMs of multiple types in logical scaling combinations
1093 ii. May be separated by VM type for multi-dimensional scaling
1095 With no growth units, Option 2 is equivalent to the “One Heat Template
1098 Note that modularization of VNFs is not required. A single Heat
1099 Orchestration Template (a base module) may still define a complete VNF,
1100 which might be appropriate for smaller VNFs that do not have any scaling
1106 There are some rules to follow when building modular VNF templates:
1108 1. All VNFs must have one Base VNF Module (template) that must be the
1109 first one deployed. The base template:
1111 a. Must include all shared resources (e.g., private networks, server
1112 groups, security groups)
1114 b. Must expose all shared resources (by UUID) as “outputs” in its
1115 associated Heat template (i.e., ONAP Base Module Output
1118 c. May include initial set of VMs
1120 d. May be operational as a stand-alone “minimum” configuration of the
1123 2. VNFs may have one or more incremental modules which:
1125 a. Defines additional resources that can be added to an existing VNF
1127 b. Must be complete Heat templates
1129 i. i.e. not snippets to be incorporated into some larger template
1131 c. Should define logical growth-units or sub-components of an overall
1134 d. On creation, receives appropriate Base Module outputs as
1137 i. Provides access to all shared resources (by UUID)
1139 ii. must not be dependent on other Add-On VNF Modules
1141 e. Multiple instances of an incremental Module may be added to the
1142 same VNF (e.g., incrementally grow a VNF by a fixed “add-on”
1145 3. Each VNF Module (base or incremental) may have (optional) an
1146 associated Cinder Volume Module (see Cinder Volume Templates)
1148 a. Volume modules must correspond 1:1 with a base module or
1151 b. A Cinder volume may be embedded within the base module or
1152 incremental module if persistence is not required
1154 4. Shared resource UUIDs are passed between the base module and
1155 incremental modules via Heat Outputs Parameters (i.e., Base Module
1158 a. The output parameter name in the base must match the parameter
1159 name in the add-on module
1161 VNF Modularity Examples
1162 ^^^^^^^^^^^^^^^^^^^^^^^^^^
1164 *Example: Base Module creates SecurityGroup*
1166 A VNF has a base module, named base.yaml, that defines a
1167 OS::Neutron::SecurityGroup. The security group will be referenced by an
1168 OS::Neutron::Port resource in an incremental module, named
1169 INCREMENTAL\_MODULE.yaml. The base module defines a parameter in the out
1170 section named dns\_sec\_grp\_id. dns\_sec\_grp\_id is defined as a
1171 parameter in the incremental module. ONAP captures the UUID value of
1172 dns\_sec\_grp\_id from the base module output statement and provides the
1173 value to the incremental module.
1175 Note that the example below is not a complete Heat Orchestration
1176 Template. The {network-role} has been defined as oam to represent an oam
1177 network and the {vm-type} has been defined as dns.
1181 .. code-block:: yaml
1188 type: OS::Neutron::SecurityGroup
1190 description: vDNS security group
1193 template: VNF_NAME_sec_grp_DNS
1195 VMF_NAME: {get_param: vnf_name}
1202 description: UUID of DNS Resource SecurityGroup
1203 value: { get_resource: DNS_SECURITY_GROUP }
1206 INCREMENTAL\_MODULE.yaml
1208 .. code-block:: yaml
1213 description: security group UUID
1218 type: OS::Neutron::Port
1222 template: VNF_NAME_dns_oam_port
1224 VNF_NAME: {get_param: vnf_name}
1225 network: { get_param: oam_net_name }
1226 fixed_ips: [{ "ip_address": { get_param: dns_oam_ip_0 }}]
1227 security_groups: [{ get_param: dns_sec_grp_id }]
1230 *Examples: Base Module creates an internal network*
1232 A VNF has a base module, named base\_module.yaml, that creates an
1233 internal network. An incremental module, named incremental\_module.yaml,
1234 will create a VM that will connect to the internal network. The base
1235 module defines a parameter in the out section named int\_oam\_net\_id.
1236 int\_oam\_net\_id is defined as a parameter in the incremental module.
1237 ONAP captures the UUID value of int\_oam\_net\_id from the base module
1238 output statement and provides the value to the incremental module.
1240 Note that the example below is not a complete Heat Orchestration
1241 Template. The {network-role} has been defined as oam to represent an oam
1242 network and the {vm-type} has been defined as lb for load balancer.
1246 .. code-block:: yaml
1248 heat_template_version: 2013-05-23
1252 type: OS::Neutron::Network
1258 value: {get_resource: int_oam_network }
1263 .. code-block:: yaml
1265 heat_template_version: 2013-05-23
1270 description: ID of shared private network from Base template
1273 description: name for the add-on VM instance
1277 type: OS::Nova::Server
1279 name: {get_param: lb_name_0}
1281 - port: { get_resource: lb_port }
1285 type: OS::Neutron::Port
1287 network_id: { get_param: int_oam_net_id }
1291 ---------------------
1293 This section includes guidelines for VNF providers to ensure that a Network
1294 Cloud Service Provider’s operations personnel have a common and
1295 consistent way to support VNFs and VNFCs.
1297 NCSPs may elect to support standard images to enable compliance with
1298 security, audit, regulatory and other needs. As part of the overall VNF
1299 software bundle, VNF suppliers using standard images would typically
1300 provide the NCSP with an install package consistent with the default OS
1301 package manager (e.g. aptitude for Ubuntu, yum for Redhat/CentOS).
1303 Section 5.a DevOps in *VNF Guidelines* describes
1304 the DevOps guidelines for VNFs.
1308 * R-46960 NCSPs **MAY** operate a limited set of Guest OS and CPU
1309 architectures and families, virtual machines, etc.
1310 * R-23475 VNFCs **SHOULD** be agnostic to the details of the Network Cloud
1311 (such as hardware, host OS, Hypervisor or container technology) and must run
1312 on the Network Cloud with acknowledgement to the paradigm that the Network
1313 Cloud will continue to rapidly evolve and the underlying components of
1314 the platform will change regularly.
1315 * R-33846 The VNF **MUST** install the NCSP required software on Guest OS
1316 images when not using the NCSP provided Guest OS images. [1]_
1317 * R-09467 The VNF **MUST** utilize only NCSP standard compute flavors. [1]_
1318 * R-02997 The VNF **MUST** preserve their persistent data. Running VMs
1319 will not be backed up in the Network Cloud infrastructure.
1320 * R-29760 The VNFC **MUST** be installed on non-root file systems,
1321 unless software is specifically included with the operating system
1322 distribution of the guest image.
1323 * R-20860 The VNF **MUST** be agnostic to the underlying infrastructure
1324 (such as hardware, host OS, Hypervisor), any requirements should be
1325 provided as specification to be fulfilled by any hardware.
1326 * R-89800 The VNF **MUST NOT** require Hypervisor-level customization
1327 from the cloud provider.
1328 * R-86758 The VNF **SHOULD** provide an automated test suite to validate
1329 every new version of the software on the target environment(s). The tests
1330 should be of sufficient granularity to independently test various
1331 representative VNF use cases throughout its lifecycle. Operations might
1332 choose to invoke these tests either on a scheduled basis or on demand to
1333 support various operations functions including test, turn-up and
1335 * R-39650 The VNF **SHOULD** provide the ability to test incremental
1337 * R-14853 The VNF **MUST** respond to a "move traffic" [2]_ command
1338 against a specific VNFC, moving all existing session elsewhere with
1339 minimal disruption if a VNF provides a load balancing function across
1340 multiple instances of its VNFCs. Note: Individual VNF performance
1341 aspects (e.g., move duration or disruption scope) may require further
1343 * R-06327 The VNF **MUST** respond to a "drain VNFC" [2]_ command against
1344 a specific VNFC, preventing new session from reaching the targeted VNFC,
1345 with no disruption to active sessions on the impacted VNFC, if a VNF
1346 provides a load balancing function across multiple instances of its VNFCs.
1347 This is used to support scenarios such as proactive maintenance with no
1349 * R-64713 The VNF **SHOULD** support a software promotion methodology
1350 from dev/test -> pre-prod -> production in software, development &
1351 testing and operations.
1354 --------------------------------
1356 Aid to help the VNF provider to fasten the integration with the GVNFM, the
1357 ONAP provides the VNF SDK tools, and the documents. In this charter,
1358 the develop steps for VNF providers will be introduced.
1360 First, using the VNF SDK tools to design the VNF with TOSCA model and
1361 output the VNF TOSCA package. The VNF package can be validated, and
1364 Second, the VNF provider should provide the VNF Rest API to integrate with
1365 the GVNFM if needed. The VNF Rest API is aligned to the ETSI IFA
1368 Third, the TOSCA model supports the HPA feature.
1372 1. The scripts to extend capacity to satisfy some special requirements.
1373 In the R2, the scripts is not implemented fully, and will be provided
1374 in the next release.
1376 2. The monitoring and scale policy also be provide the next release.
1380 Refer to NCSP’s Network Cloud specification
1383 Not currently supported in ONAP release 1