From 917598a93f9d06b01fc8bbf9d47ffb6861a00ffb Mon Sep 17 00:00:00 2001 From: rr929y Date: Wed, 2 Aug 2017 16:41:49 -0500 Subject: VNFRQTS--Updated Seed Docs/Updated File Structure VNFRQTS -- Update seed docs from 2q publish, and file structure for historical docs and guideline deliverables Issue-ID: VNFRQTS-49 Change-Id: I6601dbfe4f7d31c8f59a239943581adb821ab558 
Signed-off-by: rr929y --- ... Virtual Network Functions 2-17-2017 clean.docx | Bin 87190 -> 0 bytes ...r_Virtual_Network_Functions_2_17_2017_clean.rst | 950 --------- .../index.rst | 7 - ...Network Cloud and OpenECOMP 2-6-2017 clean.docx | Bin 211650 -> 0 bytes .../VNF_Control_Loop.jpg | Bin 74973 -> 0 bytes ..._Network_Cloud_and_OpenECOMP_2_6_2017_clean.rst | 1114 ---------- .../VNF_Lifecycle.jpg | Bin 16839 -> 0 bytes .../VNF_VNFC_Relation.jpg | Bin 454310 -> 0 bytes .../index.rst | 7 - ...ements for OpenECOMP 2-15 NO track changes.docx | Bin 122885 -> 0 bytes ...rements_for_OpenECOMP_2_15_NO_track_changes.rst | 2249 -------------------- .../VNF_VNFC_Relation.jpg | Bin 454310 -> 0 bytes docs/VNF_Heat_Templates_for_OpenEcomp/index.rst | 7 - ...gement Requirements for OpenECOMP 2-6-2017.docx | Bin 227826 -> 0 bytes ...agement_Requirements_for_OpenECOMP_2_6_2017.rst | 1262 ----------- docs/VNF_Mgmt_Requirements_for_OpenEcomp/index.rst | 7 - docs/all_vnfrqts_seed_docs/index.rst | 8 + docs/all_vnfrqts_seed_docs/openO/index.rst | 7 + .../openO/inital_seed_openO/index.rst | 6 + docs/all_vnfrqts_seed_docs/open_ecomp/index.rst | 8 + ...Requirements for OpenECOMP 2-17-2017 clean.docx | Bin 0 -> 87190 bytes ..._Requirements_for_OpenECOMP_2_17_2017_clean.rst | 950 +++++++++ .../index.rst | 7 + ...Network Cloud and OpenECOMP 2-6-2017 clean.docx | Bin 0 -> 211650 bytes .../VNF_Control_Loop.jpg | Bin 0 -> 74973 bytes ..._Network_Cloud_and_OpenECOMP_2_6_2017_clean.rst | 1114 ++++++++++ .../VNF_Lifecycle.jpg | Bin 0 -> 16839 bytes .../VNF_VNFC_Relation.jpg | Bin 0 -> 454310 bytes .../index.rst | 7 + ...ements for OpenECOMP 2-15 NO track changes.docx | Bin 0 -> 122885 bytes ...rements_for_OpenECOMP_2_15_NO_track_changes.rst | 2249 ++++++++++++++++++++ .../VNF_VNFC_Relation.jpg | Bin 0 -> 454310 bytes .../VNF_Heat_Templates_for_OpenEcomp/index.rst | 7 + ...gement Requirements for OpenECOMP 2-6-2017.docx | Bin 0 -> 227826 bytes ...agement_Requirements_for_OpenECOMP_2_6_2017.rst | 
1262 +++++++++++ .../index.rst | 7 + .../open_ecomp/inital_seed_ecomp/index.rst | 10 + ...oud Readiness Requirements for ONAP 7-3-17.docx | Bin 0 -> 89429 bytes .../VNF_Cloud_Readiness_Requirements_for_ONAP.rst | 972 +++++++++ .../index.rst | 7 + ...idelines for Network Cloud and ONAP 7-3-17.docx | Bin 0 -> 235923 bytes .../VNF_Control_Loop.jpg | Bin 0 -> 74973 bytes ...uidelines_for_Network_Cloud_and_ONAP_7_3_17.rst | 1133 ++++++++++ .../VNF_Lifecycle.jpg | Bin 0 -> 16839 bytes .../VNF_VNFC_Relation.jpg | Bin 0 -> 454310 bytes .../index.rst | 7 + .../Data_Model_For_Event_Records.png | Bin 0 -> 79667 bytes ...gement Requirements for OpenECOMP 7-3-2017.docx | Bin 0 -> 267039 bytes ...agement_Requirements_for_OpenECOMP_7_3_2017.rst | 2013 ++++++++++++++++++ .../index.rst | 7 + .../open_ecomp/q2_ecomp/index.rst | 9 + docs/index.rst | 15 +- docs/vnf_guidelines/index.rst | 8 + docs/vnf_guidelines/vnf_guidelines.rst | 2 + 54 files changed, 9807 insertions(+), 5611 deletions(-) delete mode 100644 docs/Common_Requirements_for_VNF_Functions/Common Requirements for Virtual Network Functions 2-17-2017 clean.docx delete mode 100644 docs/Common_Requirements_for_VNF_Functions/Common_Requirements_for_Virtual_Network_Functions_2_17_2017_clean.rst delete mode 100644 docs/Common_Requirements_for_VNF_Functions/index.rst delete mode 100644 docs/VNF_Guides_for_Network_Cloud_and_OpenEcomp/VNF Guidelines for Network Cloud and OpenECOMP 2-6-2017 clean.docx delete mode 100644 docs/VNF_Guides_for_Network_Cloud_and_OpenEcomp/VNF_Control_Loop.jpg delete mode 100644 docs/VNF_Guides_for_Network_Cloud_and_OpenEcomp/VNF_Guidelines_for_Network_Cloud_and_OpenECOMP_2_6_2017_clean.rst delete mode 100644 docs/VNF_Guides_for_Network_Cloud_and_OpenEcomp/VNF_Lifecycle.jpg delete mode 100644 docs/VNF_Guides_for_Network_Cloud_and_OpenEcomp/VNF_VNFC_Relation.jpg delete mode 100644 docs/VNF_Guides_for_Network_Cloud_and_OpenEcomp/index.rst delete mode 100644 docs/VNF_Heat_Templates_for_OpenEcomp/VNF Heat 
Template Requirements for OpenECOMP 2-15 NO track changes.docx delete mode 100644 docs/VNF_Heat_Templates_for_OpenEcomp/VNF_Heat_Template_Requirements_for_OpenECOMP_2_15_NO_track_changes.rst delete mode 100644 docs/VNF_Heat_Templates_for_OpenEcomp/VNF_VNFC_Relation.jpg delete mode 100644 docs/VNF_Heat_Templates_for_OpenEcomp/index.rst delete mode 100644 docs/VNF_Mgmt_Requirements_for_OpenEcomp/VNF Management Requirements for OpenECOMP 2-6-2017.docx delete mode 100644 docs/VNF_Mgmt_Requirements_for_OpenEcomp/VNF_Management_Requirements_for_OpenECOMP_2_6_2017.rst delete mode 100644 docs/VNF_Mgmt_Requirements_for_OpenEcomp/index.rst create mode 100644 docs/all_vnfrqts_seed_docs/index.rst create mode 100644 docs/all_vnfrqts_seed_docs/openO/index.rst create mode 100644 docs/all_vnfrqts_seed_docs/openO/inital_seed_openO/index.rst create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/index.rst create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Cloud_Readiness_Requirements_for_OpenECOMP/VNF Cloud Readiness Requirements for OpenECOMP 2-17-2017 clean.docx create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Cloud_Readiness_Requirements_for_OpenECOMP/VNF_Cloud_Readiness_Requirements_for_OpenECOMP_2_17_2017_clean.rst create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Cloud_Readiness_Requirements_for_OpenECOMP/index.rst create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Guidelines_for_Network_Cloud_and_OpenEcomp/VNF Guidelines for Network Cloud and OpenECOMP 2-6-2017 clean.docx create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Guidelines_for_Network_Cloud_and_OpenEcomp/VNF_Control_Loop.jpg create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Guidelines_for_Network_Cloud_and_OpenEcomp/VNF_Guidelines_for_Network_Cloud_and_OpenECOMP_2_6_2017_clean.rst create mode 100644 
docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Guidelines_for_Network_Cloud_and_OpenEcomp/VNF_Lifecycle.jpg create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Guidelines_for_Network_Cloud_and_OpenEcomp/VNF_VNFC_Relation.jpg create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Guidelines_for_Network_Cloud_and_OpenEcomp/index.rst create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Heat_Templates_for_OpenEcomp/VNF Heat Template Requirements for OpenECOMP 2-15 NO track changes.docx create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Heat_Templates_for_OpenEcomp/VNF_Heat_Template_Requirements_for_OpenECOMP_2_15_NO_track_changes.rst create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Heat_Templates_for_OpenEcomp/VNF_VNFC_Relation.jpg create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Heat_Templates_for_OpenEcomp/index.rst create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Management_Requirements_for_OpenEcomp/VNF Management Requirements for OpenECOMP 2-6-2017.docx create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Management_Requirements_for_OpenEcomp/VNF_Management_Requirements_for_OpenECOMP_2_6_2017.rst create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Management_Requirements_for_OpenEcomp/index.rst create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/index.rst create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Cloud_Readiness_Requirements_for_ONAP/VNF Cloud Readiness Requirements for ONAP 7-3-17.docx create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Cloud_Readiness_Requirements_for_ONAP/VNF_Cloud_Readiness_Requirements_for_ONAP.rst create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Cloud_Readiness_Requirements_for_ONAP/index.rst 
create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Guidelines_for_Network_Cloud_and_ONAP/VNF Guidelines for Network Cloud and ONAP 7-3-17.docx create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Guidelines_for_Network_Cloud_and_ONAP/VNF_Control_Loop.jpg create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Guidelines_for_Network_Cloud_and_ONAP/VNF_Guidelines_for_Network_Cloud_and_ONAP_7_3_17.rst create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Guidelines_for_Network_Cloud_and_ONAP/VNF_Lifecycle.jpg create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Guidelines_for_Network_Cloud_and_ONAP/VNF_VNFC_Relation.jpg create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Guidelines_for_Network_Cloud_and_ONAP/index.rst create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Managment_Requirements_for_OpenECOMP/Data_Model_For_Event_Records.png create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Managment_Requirements_for_OpenECOMP/VNF Management Requirements for OpenECOMP 7-3-2017.docx create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Managment_Requirements_for_OpenECOMP/VNF_Management_Requirements_for_OpenECOMP_7_3_2017.rst create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Managment_Requirements_for_OpenECOMP/index.rst create mode 100644 docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/index.rst create mode 100644 docs/vnf_guidelines/index.rst create mode 100644 docs/vnf_guidelines/vnf_guidelines.rst 
diff --git a/docs/Common_Requirements_for_VNF_Functions/Common Requirements for Virtual Network Functions 2-17-2017 clean.docx b/docs/Common_Requirements_for_VNF_Functions/Common Requirements for Virtual Network Functions 2-17-2017 clean.docx
deleted file mode 100644
index ce29b3a..0000000
Binary files a/docs/Common_Requirements_for_VNF_Functions/Common Requirements for Virtual Network Functions 2-17-2017 clean.docx and /dev/null differ
diff --git a/docs/Common_Requirements_for_VNF_Functions/Common_Requirements_for_Virtual_Network_Functions_2_17_2017_clean.rst b/docs/Common_Requirements_for_VNF_Functions/Common_Requirements_for_Virtual_Network_Functions_2_17_2017_clean.rst
deleted file mode 100644
index 4b30bb1..0000000
--- a/docs/Common_Requirements_for_VNF_Functions/Common_Requirements_for_Virtual_Network_Functions_2_17_2017_clean.rst
+++ /dev/null
@@ -1,950 +0,0 @@ -.. contents:: - :depth: 3 -.. - -**VNF Cloud Readiness Requirements for OpenECOMP** - -**Revision 1.0** - -**Revision Date 2/1/2017** - -**Document Revision History** - -+------------+------------+-----------------------------------------------------------------------------+ -| Date | Revision | Description | -+============+============+=============================================================================+ -| 2/1/2017 | 1.0 | Initial public release of VNF Cloud Readiness Requirements for OpenECOMP | -+------------+------------+-----------------------------------------------------------------------------+ - - -**Definitions** - -Throughout the document the terms have the following meaning: - -**MUST** This word, or the terms "REQUIRED" or "SHALL", mean that the -definition is an absolute requirement of the specification. - -**MUST** **NOT** This phrase, or the phrase "SHALL NOT", mean that the -definition is an absolute prohibition of the specification. - -**SHOULD** This word, or the adjective "RECOMMENDED", mean that there -may exist valid reasons in particular circumstances to ignore a -particular item, but the full implications must be understood and -carefully weighed before choosing a different course. - -**SHOULD** **NOT** This phrase, or the phrase "NOT RECOMMENDED" mean -that there may exist valid reasons in particular circumstances when the -particular behavior is acceptable or even useful, but the full -implications should be understood and the case carefully weighed before -implementing any behavior described with this label. - -**MAY** This word, or the adjective "OPTIONAL", mean that an item is -truly optional. One vendor may choose to include the item because a -particular marketplace requires it or because the vendor feels that it -enhances the product while another vendor may omit the same item. 
An -implementation which does not include a particular option MUST be -prepared to interoperate with another implementation which does include -the option, though perhaps with reduced functionality. In the same vein -an implementation which does include a particular option MUST be -prepared to interoperate with another implementation which does not -include the option (except, of course, for the feature the option -provides.) - -Introduction -============ - -This document is part of a hierarchy of documents that describes the -overall Requirements and Guidelines for OpenECOMP. The diagram below -identifies where this document fits in the hierarchy. - -+--------------------------------------------------+---------------------------------------------+------------------------------------------------+------------------------------+---------------------------------+ -| OpenECOMP Requirements and Guidelines | -+==================================================+=============================================+================================================+==============================+=================================+ -| VNF Guidelines for Network Cloud and OpenECOMP | Future OpenECOMP Subject Documents | -+--------------------------------------------------+---------------------------------------------+------------------------------------------------+------------------------------+---------------------------------+ -| VNF Cloud Readiness Requirements for OpenECOMP | VNF Management Requirements for OpenECOMP | VNF Heat Template Requirements for OpenECOMP | Future | Future Requirements Documents | -| | | | VNF Requirements Documents | | -+--------------------------------------------------+---------------------------------------------+------------------------------------------------+------------------------------+---------------------------------+ - -Document summary: - -*VNF Guidelines for Network Cloud and OpenECOMP* - -- Describes VNF environment and overview of 
requirements - -**VNF Cloud Readiness Requirements for OpenECOMP** - -- Cloud readiness requirements for VNFs (Design, Resiliency, Security, - and DevOps) - -*VNF Management Requirements for OpenECOMP* - -- Requirements for how VNFs interact and utilize OpenECOMP - -*VNF Heat Template Requirements for OpenECOMP* - -- Provides recommendations and standards for building Heat templates - compatible with OpenECOMP– initial implementations of Network Cloud - are assumed to be OpenStack based. - -This reference document lists the requirements that are the supporting -details for the Virtual Network Function (VNF) characteristics outlined -in the *VNF Guidelines for Network Cloud and OpenECOMP*. These -requirements are grouped into the following categories: VNF Design, -Resiliency, Security, and DevOps. Specific requirements for OpenECOMP -can be found in the *VNF Management Requirements for OpenECOMP* -reference document. - -This section outlines the guidelines for VNFs to be compliant with -running on a multi-tenant, Network Cloud infrastructure. VNFs must be -virtualized, software-based, execute in a multi-tenant cloud, and be -de-coupled from the cloud hardware. To achieve interoperability between -VNFs, open and standard interfaces and APIs must be used. The set of -reusable VNFs forms the basis of a VNF catalog that is made available to -service designers to compose new (service chained) services that can -include service-specific custom parameters and QoS policies. Use of open -source technologies to leverage industry innovation is important in the -design of virtualized services. Equally important is the re-use of -common technologies (e.g., virtualized load balancers, firewalls, etc.) -that are provided by the platform. - -VNF Design -========== - -Services are composed of VNFs and common components and are designed to -be agnostic of the location to leverage capacity where it exists in the -Network Cloud. 
VNFs can be instantiated in any location that meets the -performance and latency requirements of the service. - -A key design principle for virtualizing services is decomposition of -network functions using NFV concepts into granular VNFs. This enables -instantiating and customizing only essential functions as needed for the -service, thereby making service delivery more nimble. It provides -flexibility of sizing and scaling and also provides flexibility with -packaging and deploying VNFs as needed for the service. It enables -grouping functions in a common cloud data center to minimize -inter-component latency. The VNFs should be designed with a goal of -being modular and reusable to enable using best-in-breed vendors - -Section 4.1.1 in *VNF Guidelines for Network Cloud and OpenECOMP* -describes the overall guidelines for designing VNFs from VNF Components -(VNFCs). Below are more detailed requirements for composing VNFs. - -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| VNF Design Requirements | Type | ID # | -+================================================================================================================================================================================================================================+==========+=========+ -| Decompose VNFs into granular re-usable VNFCs | Should | 20010 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Decompose if the functions have significantly different scaling characteristics (e.g., signaling versus media functions, control versus data plane functions). 
| Must | 20020 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Decomposition of the VNF must enable instantiating only the functionality that is needed for the VNF (e.g., if transcoding is not needed it should not be instantiated). | Must | 20030 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Design VNFC as a standalone, executable process. | Must | 20040 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Create a single component VNF for VNFCs that can be used by other VNFs. | Should | 20050 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Design to scale horizontally (more instances of a VNF or VNFC) and not vertically (moving the existing instances to larger VMs or increasing the resources within a VM) to achieve effective utilization of cloud resources. 
| Must | 20060 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Utilize cloud provided infrastructure and VNFs (e.g., virtualized Local Load Balancer) as part of the VNF so that the cloud can manage and provide a consistent service resiliency and methods across all VNF's. | Must | 20070 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| VNFCs should be independently deployed, configured, upgraded, scaled, monitored, and administered by OpenECOMP. | Should | 20080 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide API versioning to allow for independent upgrades of VNFC. | Must | 20090 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Minimize the use of state within a VNFC to facilitate the movement of traffic from one instance to another. | Should | 20100 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Maintain state in a geographically redundant datastore that may, in fact, be its own VNFC. 
| Should | 20110 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Decouple persistent data from the VNFC and keep it in its own datastore that can be reached by all instances of the VNFC requiring the data. | Should | 20120 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Utilize virtualized, scalable open source database software that can meet the performance/latency requirements of the service for all datastores. | Must | 20130 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Failure of a VNFC instance must not terminate stable sessions. | Must | 20140 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Enable DPDK in the guest OS for VNF’s requiring high packets/sec performance. High packet throughput is defined as greater than 500K packets/sec. | Must | 20150 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| When using DPDK, use the NCSP’s supported library and compute flavor that supports DPDK to optimize network efficiency. 
[1]_ | Must | 20160 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Do not use technologies that bypass virtualization layers (such as SR-IOV) unless approved by the NCSP (e.g., if necessary to meet functional or performance requirements). | Must | 20170 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Limit the size of application data packets to no larger than 907400 bytes for SDN network-based tunneling when guest data packets are transported between tunnel endpoints that support guest logical networks. | Must | 20180 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Do not require the use of a dynamic routing protocol unless necessary to meet functional requirements. | Must | 20190 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ - -Resiliency -========== - -The VNF is responsible for meeting its resiliency goals and must factor -in expected availability of the targeted virtualization environment. -This is likely to be much lower than found in a traditional data center. -Resiliency is defined as the ability of the VNF to respond to error -conditions and continue to provide the service intended. 
A number of -software resiliency dimensions have been identified as areas that should -be addressed to increase resiliency. As VNFs are deployed into the -Network Cloud, resiliency must be designed into the VNF software to -provide high availability versus relying on the Network Cloud to achieve -that end. - -Section 4.1.2 in *VNF Guidelines for Network Cloud and OpenECOMP* -describes the overall guidelines for designing VNFs to meet resiliency -goals. Below are more detailed resiliency requirements for VNFs. - -All Layer Redundancy --------------------- - -Design the VNF to be resilient to the failures of the underlying -virtualized infrastructure (Network Cloud). VNF design considerations -would include techniques such as multiple vLANs, multiple local and -geographic instances, multiple local and geographic data replication, -and virtualized services such as Load Balancers. - -+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| All Layer Redundancy Requirements | Type | ID # | -+=====================================================================================================================================================================================================================+========+=========+ -| VNFs are responsible to meet their own resiliency goals and not rely on the Network Cloud. | Must | 30010 | -+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Design resiliency into a VNF such that the resiliency deployment model (e.g., active-active) can be chosen at run-time. 
| Must | 30020 | -+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| VNFs must survive any single points of failure within the Network Cloud (e.g., virtual NIC, VM, disk failure). | Must | 30030 | -+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| VNFs must survive any single points of software failure internal to the VNF (e.g., in memory structures, JMS message queues). | Must | 30040 | -+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Design, build and package VNFs to enable deployment across multiple fault zones (e.g., VNFCs deployed in different servers, racks, OpenStack regions, geographies) to increase the overall resiliency of the VNF. | Must | 30050 | -+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Support the ability to failover a VNFC automatically to other geographically redundant sites if not deployed active-active to increase the overall resiliency of the VNF. 
| Must | 30060 | -+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Support the ability of the VNFC to be deployable in multi-zoned cloud sites to allow for site support in the event of cloud zone failure or upgrades. | Must | 30070 | -+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ - -Minimize Cross Data-Center Traffic ----------------------------------- - -Avoid performance-sapping data center-to-data center replication delay -by applying techniques such as caching and persistent transaction paths -- Eliminate replication delay impact between data centers by using a -concept of stickiness (i.e., once a client is routed to data center "A", -the client will stay with Data center “A” until the entire session is -completed). - -+------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Minimize Cross Data-Center Traffic Requirements | Type | ID # | -+==================================================================================================================+==========+=========+ -| Minimize the propagation of state information across multiple data centers to avoid cross data center traffic. | Should | 31010 | -+------------------------------------------------------------------------------------------------------------------+----------+---------+ - -Application Resilient Error Handling ------------------------------------- - -Ensure an application communicating with a downstream peer is equipped -to intelligently handle all error conditions. 
Make sure code can handle -exceptions seamlessly - implement smart retry logic and implement -multi-point entry (multiple data centers) for back-end system -applications. - -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Application Resilient Error Handling Requirements | Type | ID # | -+==============================================================================================================================================================================================================================================================================================================================+========+=========+ -| Detect connectivity failure for inter VNFC instance and intra/inter VNF and re-establish connectivity automatically to maintain the VNF without manual intervention to provide service continuity. | Must | 32010 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Handle the restart of a single VNFC instance without requiring all VNFC instances to be restarted. 
| Must | 32020 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Handle the start or restart of VNFC instances in any order with each VNFC instance establishing or re-establishing required connections or relationships with other VNFC instances and/or VNFs required to perform the VNF function/role without requiring VNFC instance(s) to be started/restarted in a particular order. | Must | 32030 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Handle errors and exceptions so that they do not interrupt processing of incoming VNF requests to maintain service continuity. | Must | 32040 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Provide the ability to modify the number of retries, the time between retries and the behavior/action taken after the retries have been exhausted for exception handling to allow the Network Cloud Service Provider to control that behavior. 
| Must | 32050 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Fully exploit exception handling to the extent that resources (e.g., threads and memory) are released when no longer needed regardless of programming language. | Must | 32060 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Handle replication race conditions both locally and geo-located in the event of a data base instance failure to maintain service continuity. | Must | 32070 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Automatically retry/resubmit failed requests made by the software to its downstream system to increase the success rate. 
| Must | 32080 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ - -System Resource Optimization ----------------------------- - -Ensure an application is using appropriate system resources for the task -at hand; for example, do not use network or IO operations inside -critical sections, which could end up blocking other threads or -processes or eating memory if they are unable to complete. Critical -sections should only contain memory operation, and should not contain -any network or IO operation. - -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| System Resource Optimization Requirements | Type | ID # | -+=================================================================================================================================================================================================================================================+==========+=========+ -| Do not execute long running tasks (e.g., IO, database, network operations, service calls) in a critical section of code, so as to minimize blocking of other operations and increase concurrent throughput. | Must | 33010 | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Automatically advertise newly scaled components so there is no manual intervention required. 
| Must | 33020 | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Utilize FQDNs (and not IP address) for both Service Chaining and scaling. | Must | 33030 | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Deliver any and all functionality from any VNFC in the pool. The VNFC pool member should be transparent to the client. Upstream and downstream clients should only recognize the function being performed, not the member performing it. | Must | 33040 | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Automatically enable/disable added/removed sub-components or component so there is no manual intervention required. | Should | 33050 | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Support the ability to scale down a VNFC pool without jeopardizing active sessions. Ideally, an active session should not be tied to any particular VNFC instance. 
| Should | 33060 | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Support load balancing and discovery mechanisms in resource pools containing VNFC instances. | Should | 33070 | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Utilize resource pooling (threads, connections, etc.) within the VNF application so that resources are not being created and destroyed resulting in resource management overhead. | Should | 33080 | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Use techniques such as “lazy loading” when initialization includes loading catalogues and/or lists which can grow over time, so that the VNF startup time does not grow at a rate proportional to that of the list. | Should | 33090 | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Release and clear all shared assets (memory, database operations, connections, locks, etc.) as soon as possible, especially before long running sync and asynchronous operations, so as to not prevent use of these assets by other entities. 
| Should | 33100 | -+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ - -Application Configuration Management ------------------------------------- - -Leverage configuration management audit capability to drive conformity -to develop gold configurations for technologies like Java, Python, etc. - -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Application Configuration Management Requirements | Type | ID # | -+===================================================================================================================================================================================+========+=========+ -| Allow configurations and configuration parameters to be managed under version control to ensure consistent configuration deployment, traceability and rollback. | Must | 34010 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Allow configurations and configuration parameters to be managed under version control to ensure the ability to rollback to a known valid configuration. | Must | 34020 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Allow changes of configuration parameters to be consumed by the VNF without requiring the VNF or its sub-components to be bounced so that the VNF availability is not effected. 
| Must | 34030 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ - -Intelligent Transaction Distribution & Management -------------------------------------------------- - -Leverage Intelligent Load Balancing and redundant components (hardware -and modules) for all transactions, such that at any point in the -transaction: front end, middleware, back end -- a failure in any one -component does not result in a failure of the application or system; -i.e., transactions will continue to flow, albeit at a possibly reduced -capacity until the failed component restores itself. Create redundancy -in all layers (software and hardware) at local and remote data centers; -minimizing interdependencies of components (i.e. data replication, -deploying non-related elements in the same container). - -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Intelligent Transaction Distribution & Management Requirements | Type | ID # | -+==================================================================================================================================================================================================================================+==========+=========+ -| Use intelligent routing by having knowledge of multiple downstream/upstream endpoints that are exposed to it, to ensure there is no dependency on external services (such as load balancers) to switch to alternate endpoints. 
| Should | 35010 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Use redundant connection pooling to connect to any backend data source that can be switched between pools in an automated/scripted fashion to ensure high availability of the connection to the data source. | Should | 35020 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Include control loop mechanisms to notify the consumer of the VNF of their exceeding SLA thresholds so the consumer is able to control its load against the VNF. | Should | 35030 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ - -Deployment Optimization ------------------------ - -Reduce opportunity for failure, by human or by machine, through smarter -deployment practices and automation. This can include rolling code -deployments, additional testing strategies, and smarter deployment -automation (remove the human from the mix). 
- -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Deployment Optimization Requirements | Type | ID # | -+=====================================================================================================================================================================================================================================================+==========+=========+ -| Support at least two major versions of the VNF software and/or sub-components to co-exist within production environments at any time so that upgrades can be applied across multiple systems in a staggered manner. | Must | 36010 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Support the existence of multiple major/minor versions of the VNF software and/or sub-components and interfaces that support both forward and backward compatibility to be transparent to the Service Provider usage. | Must | 36020 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Support staggered/rolling deployments between its redundant instances to allow "soak-time/burn in/slow roll" which can enable the support of low traffic loads to validate the deployment prior to supporting full traffic loads. 
| Must | 36030 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Support the ability of a requestor of the service to determine the version (and therefore capabilities) of the service so that Network Cloud Service Provider can understand the capabilities of the service. | Must | 36040 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Test for adherence to the defined performance budgets at each layer, during each delivery cycle with delivered results, so that the performance budget is measured and the code is adjusted to meet performance budget. | Must | 36050 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Test for adherence to the defined performance budget at each layer, during each delivery cycle so that the performance budget is measured and feedback is provided where the performance budget is not met. 
| Must | 36060 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Test for adherence to the defined resiliency rating recommendation at each layer, during each delivery cycle with delivered results, so that the resiliency rating is measured and the code is adjusted to meet software resiliency requirements. | Should | 36070 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Test for adherence to the defined resiliency rating recommendation at each layer, during each delivery cycle so that the resiliency rating is measured and feedback is provided where software resiliency requirements are not met. | Should | 36080 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ - -Monitoring & Dashboard ----------------------- - -Promote dashboarding as a tool to monitor and support the general -operational health of a system. It is critical to the support of the -implementation of many resiliency patterns essential to the maintenance -of the system. It can help identify unusual conditions that might -indicate failure or the potential for failure. This would contribute to -improve Mean Time to Identify (MTTI), Mean Time to Repair (MTTR), and -post-incident diagnostics. 
- -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Monitoring & Dashboard Requirements | Type | ID # | -+================================================================================================================================================================================================================================================+==========+=========+ -| Provide a method of metrics gathering for each layer's performance to identify/document variances in the allocations so they can be addressed. | Must | 37010 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide unique traceability of a transaction through its life cycle to ensure quick and efficient troubleshooting. | Must | 37020 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide a method of metrics gathering and analysis to evaluate the resiliency of the software from both a granular as well as a holistic standpoint. This includes, but is not limited to thread utilization, errors, timeouts, and retries. 
| Must | 37030 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide operational instrumentation such as logging, so as to facilitate quick resolution of issues with the VNF to provide service continuity. | Must | 37040 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Monitor for and alert on (both sender and receiver) errant, running longer than expected and missing file transfers, so as to minimize the impact due to file transfer errors. | Must | 37050 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Use an appropriately configured logging level that can be changed dynamically, so as to not cause performance degradation of the VNF due to excessive logging. | Should | 37060 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Utilize Cloud health checks, when available from the Network Cloud, from inside the application through APIs to check the network connectivity, dropped packets rate, injection, and auto failover to alternate sites if needed. 
| Should | 37070 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Conduct a resiliency impact assessment for all inter/intra-connectivity points in the VNF to provide an overall resiliency rating for the VNF to be incorporated into the software design and development of the VNF. | Must | 37080 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ - -Security -======== - -The objective of this section is to provide the key security -requirements that need to be met by VNFs. The security requirements are -grouped into five areas as listed below. Other security areas will be -addressed in future updates. These security requirements are applicable -to all VNFs. Additional security requirements for specific types of VNFs -will be applicable and are outside the scope of these general -requirements. - -Section 4.1.3 in *VNF Guidelines for Network Cloud and OpenECOMP* -outlines the five broad security areas for VNFs that are detailed in the -following sections: - -- **VNF General Security**: This section addresses general security - requirements for the VNFs that the vendors will need to address. - -- **VNF Identity and Access Management**: This section addresses - security requirements with respect to Identity and Access Management - as these pertain to generic VNFs. - -- **VNF API Security**: This section addresses the generic security - requirements associated with APIs. These requirements are applicable - to those VNFs that use standard APIs for communication and data - exchange. 
- -- **VNF Security Analytics**: This section addresses the security - requirements associated with analytics for VNFs that deal with - monitoring, data collection and analysis. - -- **VNF Data Protection**: This section addresses the security - requirements associated with data protection. - -VNF General Security Requirements ---------------------------------- - -This section provides details on the VNF general security requirements -on various security areas such as user access control, network security, -ACLs, infrastructure security, and vulnerability management. These -requirements cover topics associated with compliance, security patching, -logging/accounting, authentication, encryption, role-based access -control, least privilege access/authorization. The following security -requirements need to be met by the solution in a virtual environment: - -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| General Security Requirements | Type | ID # | | -+=================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+========================================================================================================================================================================================================================================================================================================================================================================================================================================+=========+=========+ -| Integration and operation within a robust security environment is necessary and expected. 
The security architecture will include one or more of the following: IDAM (Identity and Access Management) for all system and applications access, Code scanning, network vulnerability scans, OS, Database and application patching, malware detection and cleaning, DDOS prevention, network security gateways (internal and external) operating at various layers, host and application based tools for security compliance validation, aggressive security patch application, tightly controlled software distribution and change control processes and other state of the art security solutions. The VNF is expected to function reliably within such an environment and the developer is expected to understand and accommodate such controls and can expected to supply responsive interoperability support and testing throughout the product’s lifecycle. | Informational | 40010 | | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| The VNF must accommodate the security principle of “least privilege” during development, implementation and operation. The importance of “least privilege” cannot be overstated and must be observed in all aspects of VNF development and not limited to security. This is applicable to all sections of this document. | Must | 40020 | | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| Implement access control list for OA&M 
services (e.g., restricting access to certain ports or applications). | Must | 40030 | | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| Implement Data Storage Encryption (database/disk encryption) for Sensitive Personal Information (SPI) and other subscriber identifiable data. Note: subscriber’s SPI/data must be encrypted at rest, and other subscriber identifiable data should be encrypted at rest. Other data protection requirements exist and should be well understood by the developer. 
| Must | 40040 | | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| Implement a mechanism for automated and frequent "system configuration (automated provisioning / closed loop)" auditing. 
| Should | 40050 | | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| Use both network scanning and application scanning security tools on all code, including underlying OS and related configuration. Scan reports shall be provided. Remediation roadmaps shall be made available for any findings. 
| Should | 40060 | | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| Perform source code to scanning tools (e.g., Fortify) and provide reports. 
| Should | 40070 | | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| Production code shall be distributed from NCSP internal sources only. No production code, libraries, OS images, etc. shall be distributed from publically accessible depots. 
| Must | 40080 | | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| Provide all code/configuration files in a “Locked down” or hardened state or with documented recommendations for such hardening. All unnecessary services will be disabled. Vendor default credentials, community strings and other such artifacts will be removed or disclosed so that they can be modified or removed during provisioning. 
| Must | 40090 | | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| Support L3 VPNs that enable segregation of traffic by application (dropping packets not belonging to the VPN) (i.e., AVPN, IPSec VPN for Internet routes). 
| Should | 40100 | | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| Interoperate with various access control mechanisms for the Network Cloud execution environment (e.g., Hypervisors, containers). 
| Should | 40110 | | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| VNF should support the use of virtual trusted platform module, hypervisor security testing and standards scanning tools. 
| Should | 40120 | | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| Interoperate with the OpenECOMP (SDN) Controller so that it can dynamically modify the firewall rules, ACL rules, QoS rules, virtual routing and forwarding rules. 
| Must | 40130 | | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| Support the ability to work with aliases (e.g., gateways, proxies) to protect and encapsulate resources. 
| Should | 40140 | | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| All access to applications (Bearer, signaling and OA&M) will pass through various security tools and platforms from ACLs, stateful firewalls and application layer gateways depending on manner of deployment. The application is expected to function (and in some cases, interwork) with these security tools. 
| Must | 40150 | | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| Patch vulnerabilities in VNFs as soon as possible. Patching shall be controlled via change control process with vulnerabilities disclosed along with mitigation recommendations. 
| Must | 40160 | | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| Identification, authentication and access control of **customer** or **VNF application users** must be performed by utilizing the NCSP’s IDAM API. 
| Must | 40170 | | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| Identification, authentication and access control of **OA&M** and other system level functions must use the NCSP’s IDAM API or comply with the following is expected. 
| Must | 40180 | | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| | Support User-IDs and passwords to uniquely identify the user/application. VNF needs to have appropriate connectors to the Identity, Authentication and Authorization systems that enables access at OS, Database and Application levels as appropriate. 
| Must | 40190 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| | Provide the ability to support Multi-Factor Authentication (e.g., 1st factor = Software token on device (RSA SecureID); 2nd factor = User Name+Password, etc.) for the users. 
| Must | 40200 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| | Support Role-Based Access Control to permit/limit the user/application to performing specific activities. 
| Must | 40210 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| | Support logging via OpenECOMP for a historical view of “who did what and when”. 
| Must | 40220 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| | Encrypt OA&M access (e.g., SSH, SFTP). 
| Must | 40230 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| | Enforce a configurable maximum number of Login attempts policy for the users. VNF vendor must comply with "terminate idle sessions" policy. Interactive sessions must be terminated, or a secure, locking screensaver must be activated requiring authentication, after a configurable period of inactivity. The system-based inactivity timeout for the enterprise identity and access management system must also be configurable. 
| Must | 40240 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| | Comply with the NCSP’s credential management policy. 
| Must | 40250 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| | Password expiration must be required at regular configurable intervals. 
| Must | 40260 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| | Comply with "password complexity" policy. When passwords are used, they shall be complex and shall at least meet the following password construction requirements: | Must | 40270 | -| | | | | -| | - Be a minimum configurable number of characters in length. | | | -| | | | | -| | - Include 3 of the 4 following types of characters: upper-case alphabetic, lower-case alphabetic, numeric, and special. | | | -| | | | | -| | - Not be the same as the UserID with which they are associated or other common strings as specified by the environment. 
| | | -| | | | | -| | - Not contain repeating or sequential characters or numbers. | | | -| | | | | -| | - Not to use special characters that may have command functions. | | | -| | | | | -| | - New passwords must not contain sequences of three (3) or more characters from the previous password. | | | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| | Comply with "password changes (includes default passwords)" policy. Products will support password aging, syntax and other credential management practices on a configurable basis. 
| Must | 40280 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| | Support use of common third party authentication and authorization tools such as TACACS+, RADIUS. 
| Must | 40290 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| | Comply with "No Self-Signed Certificates" policy. Self-signed certificates must be used for encryption only, using specified and approved encryption protocols such as LS 1.1 or higher or equivalent security protocols such as IPSec, AES. 
| Must | 40300 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ -| | Authenticate system to system communications where one system accesses the resources of another system, and must never conceal individual accountability. 
| Must | 40310 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ - -VNF Identity and Access Management Requirements ------------------------------------------------ - -The following security requirements for logging, identity, and access -management need to be met by the solution in a virtual environment: - 
-+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Identity and Access Management Requirements | Type | ID # | -+================================================================================================================================================================================================================================================================================================================================================================================================+==========+=========+ -| Access to VNFs will be required at several layers. Hence, VNF vendor needs to be able to host connectors for access to the following layers: | | | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Application | Must | 41010 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. 
OS (Operating System) | Must | 41020 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Database | Must | 41030 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Manage access to VNF, its OS, or Database by an enterprise access request process. | Must | 41040 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Comply with the following when persons or non-person entities access VNFs: | | | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. 
Individual Accountability (each person must be assigned a unique ID) | Must | 41050 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Least Privilege (no more privilege than required to perform job functions) | Must | 41060 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. 
Segregation of Duties (access to a single layer and no developer may access production without special oversight) | Must | 41070 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Vendors will not be allowed to access VNFs remotely, e.g., VPN | Must | 41080 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Vendors accessing VNFs through a client application API must be authorized by the client application owner and the resource owner of the VNF before provisioning authorization through Role Based Access Control (RBAC), Attribute Based Access Control (ABAC), or other policy based mechanism. | Must | 41090 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Vendor VNF access will be subject to privilege reconciliation tools to prevent access creep and ensure correct enforcement of access policies. 
| Must | 41100 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide or Support the Identity and Access Management (IDAM) based threat detection data for: | | | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. OWASP Top 10 | Must | 41110 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Password Attacks | Must | 41120 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. 
Phishing / SMishing | Must | 41130 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Malware (Key Logger) | Must | 41140 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Session Hijacking | Must | 41150 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. XSS / CSRF | Must | 41160 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. 
Replay | Must | 41170 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Man in the Middle (MITM) | Must | 41180 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Eavesdropping | Must | 41190 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide Context awareness data (device, location, time, etc.) and be able to integrate with threat detection system. 
| Must | 41200 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Where a VNF vendor requires the assumption of permissions, such as root or administrator, the vendor user must first log in under their individual user login ID then switch to the other higher level account; or where the individual user login is infeasible, must login with an account with admin privileges in a way that uniquely identifies the individual performing the function. | Must | 41210 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Authenticate system to system access and do not conceal a VNF vendor user’s individual accountability for transactions. 
| Must | 41220 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Warning Notices: A formal statement of resource intent, i.e., a warning notice, must be made visible upon initial access to a VNF vendor user who accesses private internal networks or Company computer resources, e.g., upon initial logon to an internal web site, system or application which requires authentication. | Must | 41230 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Use access controls for VNFs and their supporting computing systems at all times to restrict access to authorized personnel only, e.g., least privilege. These controls could include the use of system configuration or access control software. | Must | 41240 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Initial and default settings for new user accounts must provide minimum privileges only. 
| Must | 41250 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Default settings for user access to sensitive commands and data must be denied authorization. | Must | 41260 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Privileged users may be created conforming to approved request, workflow authorization, and authorization provisioning requirements. | Must | 41270 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Commands affecting network services, such as commands relating to VNFs, must have greater restrictions for access and execution, such as up to 3 factors of authentication and restricted authorization. 
| Must | 41280 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Encrypt TCP/IP--HTTPS (e.g., TLS v1.2) transmission of data on internal and external networks. | Must | 41290 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Unnecessary or vulnerable cgi-bin programs must be disabled. | Must | 41300 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| No public or unrestricted access to any data should be provided without the permission of the data owner. All data classification and access controls must be followed. 
| Must | 41310 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| When in production, vendors or developers must not do the following without authorization of the VNF system owner including: | | | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Install or use systems, tools or utilities capable of capturing or logging data that was not created by them or sent specifically to them; | Must | 41320 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. Run security testing tools and programs, e.g., password cracker, port scanners, hacking tools. 
| Must | 41330 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Authentication credentials must not be included in security audit logs, even if encrypted. | Must | 41340 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| The standard interface for a VNF should be REST APIs exposed to Client Applications for the implementation of OAuth 2.0 Authorization Code Grant and Client Credentials Grant. | Should | 41350 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Support hosting connectors for OS Level and Application Access. 
| Should | 41360 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Support SCEP (Simple Certificate Enrollment Protocol). | Should | 41370 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ - -VNF API Security Requirements ------------------------------ - -This section covers API security requirements when these are used by the -VNFs. Key security areas covered in API security are Access Control, -Authentication, Passwords, PKI Authentication Alarming, Anomaly -Detection, CALEA, Monitoring and Logging, Input Validation, -Cryptography, Business continuity, Biometric Authentication, -Identification, Confidentiality and Integrity, and Denial of Service. 
- -The solution in a virtual environment needs to meet the following API -security requirements: - -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| API Requirements | Type | ID # | -+==========================================================================================================================================================================================================================================================================================================================+========+=========+ -| Provide a mechanism to restrict access based on the attributes of the VNF and the attributes of the subject. | Must | 42010 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Integrate with external authentication and authorization services (e.g., IDAM). 
| Must | 42020 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Use certificates issued from publicly recognized Certificate Authorities (CA) for the authentication process where PKI-based authentication is used | Must | 42030 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Validate the CA signature on the certificate, ensure that the date is within the validity period of the certificate, check the Certificate Revocation List (CRL), and recognize the identity represented by the certificate where PKI-based authentication is used. | Must | 42040 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Protect the confidentiality and integrity of data at rest and in transit from unauthorized access and modification. 
| Must | 42050 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Protect against all denial of service attacks, both volumetric and non-volumetric, or integrate with external denial of service protection tools | Must | 42060 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Implement at minimum the following input validation controls: | | | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Check the size (length) of all input. Do not permit an amount of input so great that it would cause the VNF to fail. Where the input may be a file, the VNF API must enforce a size limit. | Must | 42070 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Do not permit input that contains content or characters inappropriate to the input expected by the design. 
Inappropriate input, such as SQL insertions, may cause the system to execute undesirable and unauthorized transactions against the database or allow other inappropriate access to the internal network. | Must | 42080 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Validate that any input file has a correct and valid Multipurpose Internet Mail Extensions (MIME) type. Input files should be tested for spoofed MIME types. | Must | 42090 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Validate input at all layers implementing VNF APIs. 
| Must | 42100 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Comply with NIST standards and industry best practices for all implementations of cryptography | Must | 42110 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Implement all monitoring and logging as described in the Security Analytics section. | Must | 42120 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Restrict changing the criticality level of a system security alarm to administrator(s). | Must | 42130 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Monitor API invocation patterns to detect anomalous access patterns that may represent fraudulent access or other types of attacks, or integrate with tools that implement anomaly and abuse detection. 
| Must | 42140 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Support requests for information from law enforcement and government agencies. | Must | 42150 | -+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ - -VNF Security Analytics Requirements ------------------------------------ - -This section covers VNF security analytics requirements that are mostly -applicable to security monitoring. The VNF Security Analytics cover the -collection and analysis of data following key areas of security -monitoring: - -- Anti-virus software - -- Logging - -- Data capture - -- Tasking - -- DPI - -- API based monitoring - -- Detection and notification - -- Resource exhaustion detection - -- Proactive and scalable monitoring - -- Mobility and guest VNF monitoring - -- Closed loop monitoring - -- Interfaces to management and orchestration - -- Malformed packet detections - -- Service chaining - -- Dynamic security control - -- Dynamic load balancing - -The following requirements of security monitoring need to be met by the -solution in a virtual environment. 
- -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Security Analytics Requirements | Type | ID # | -+==========================================================================================================================================================================================================================================================================================+========+=========+ -| Support the following monitoring features by the VNF: | | | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Real-time detection and notification of security events. | Must | 43010 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Integration functionality via API/Syslog/SNMP to other functional modules in the network (e.g., PCRF, PCEF) that enable dynamic security control by blocking the malicious traffic or malicious end users | Must | 43020 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. 
API-based monitoring to take care of the scenarios where the control interfaces are not exposed, or are optimized and proprietary in nature | Must | 43030 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Event logging, formats, and delivery tools to provide the required degree of event data to OpenECOMP | Must | 43040 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Detection of malformed packets due to software misconfiguration or software vulnerability | Must | 43050 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Integrated DPI/monitoring functionality as part of VNFs (e.g., PGW, MME) | Must | 43060 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. 
Alternative monitoring capabilities when VNFs do not expose data or control traffic or use proprietary and optimized protocols for inter VNF communication | Must | 43070 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Proactive monitoring to detect and report the attacks on resources so that the VNFs and associated VMs can be isolated, such as detection techniques for resource exhaustion, namely OS resource attacks, CPU attacks, consumption of kernel memory, local storage attacks. | Must | 43080 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Coexist and operate normally with commercial anti-virus software which shall produce alarms every time when there is a security incident. | Must | 43090 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Protect all security audit logs (including API, OS and application-generated logs), security audit software, data, and associated documentation from modification, or unauthorized viewing, by standard OS access control mechanisms, by sending to a remote system, or by encryption. 
| Must | 43100 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Log the following events: | | | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Successful and unsuccessful login attempts | Must | 43110 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Logoffs | Must | 43120 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Successful and unsuccessful changes to a privilege level | Must | 43130 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. 
Starting and stopping of security logging | Must | 43140 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Creating, removing, or changing the inherent privilege level of users | Must | 43150 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Connections to a network listener of the resource | Must | 43160 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Log, at minimum, the following fields (where applicable and technically feasible) in the security audit logs: | | | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Event type | Must | 43170 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. 
Date/time | Must | 43180 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Protocol | Must | 43190 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Service or program used for access | Must | 43200 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Success/failure | Must | 43210 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Login ID | Must | 43220 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Security audit logs must never contain an authentication credential, e.g., password, even if encrypted. 
| Must | 43230 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Detect when the security audit log storage medium is approaching capacity (configurable) and issue an alarm via SMS or equivalent as to allow time for proper actions to be taken to pre-empt loss of audit data. | Must | 43240 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Support the capability of online storage of security audit logs. | Must | 43250 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Activate security alarms automatically when the following events, at a minimum, are detected: | | | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. 
Configurable number of consecutive unsuccessful login attempts | Must | 43260 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Successful modification of critical system or application files | Must | 43270 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Unsuccessful attempts to gain permissions or assume the identity of another user | Must | 43280 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Include, at a minimum, the following fields in the Security alarms (where applicable and technically feasible): | | | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Date | Must | 43290 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. 
Time | Must | 43300 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Service or program used for access | Must | 43310 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Success/failure | Must | 43320 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| a. Login ID | Must | 43330 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Restrict changing the criticality level of a system security alarm to administrator(s). | Must | 43340 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Monitor API invocation patterns to detect anomalous access patterns that may represent fraudulent access or other types of attacks, or integrate with tools that implement anomaly and abuse detection. 
| Must | 43350 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Support requests for information from law enforcement and government agencies. | Must | 43360 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Implement “Closed Loop” automatic implementation (without human intervention) for Known Threats with detection rate in low false positives. | Must | 43370 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Perform data capture for security functions. | Must | 43380 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Generate security audit logs that must be sent to Security Analytics Tools for analysis. 
| Must | 43390 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Provide audit logs that include user ID, dates, times for log-on and log-off, and terminal location at minimum. | Must | 43400 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Provide security audit logs including records of successful and rejected system access data and other resource access attempts. | Must | 43410 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Support the storage of security audit logs for agreed period of time for forensic analysis. | Must | 43420 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Provide the capability of generating security audit logs by interacting with the operating system (OS) as appropriate. 
| Must | 43430 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ -| Security logging for VNFs and their OSs must be active from initialization. Audit logging includes automatic routines to maintain activity records and cleanup programs to ensure the integrity of the audit/logging systems. | Must | 43440 | -+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ - -VNF Data Protection Requirements --------------------------------- - -This section covers VNF data protection requirements that are mostly -applicable to security monitoring. - -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Data Protection Requirements | Type | ID # | -+======================================================================================================================================================================================================================================================================================================================+==========+=========+ -| Provide the capability to restrict read and write access to data. 
| Must | 44010 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide the capability to restrict access to data to specific users. | Must | 44020 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide the capability to encrypt data in transit on a physical or virtual network. | Must | 44030 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide the capability to encrypt data on non-volatile memory. | Must | 44040 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Where the encryption of non-transient data is required on a device for which the operating system performs paging to virtual memory, then if possible disable the paging of the data requiring encryption, if not the virtual memory should be encrypted. 
| Should | 44050 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide the capability to integrate with an external encryption service. | Must | 44060 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Use industry standard cryptographic algorithms and standard modes of operations when implementing cryptography. | Must | 44070 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Use commercial algorithms only when there are no applicable US federal standards for specific cryptographic functions, e.g., public key cryptography, message digests. | Should | 44080 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| The SHA, DSS, MD5, SHA-1 and Skipjack algorithms or other compromised encryption must not be used. 
| Must | 44090 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Use, whenever possible, standard implementations of security applications, protocols, and format, e.g., S/MIME, TLS, SSH, IPSec, X.509 digital certificates for cryptographic implementations. These implementations must be purchased from reputable vendors and must not be developed in-house. | Must | 44100 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| A VNF must provide the ability to migrate to newer versions of cryptographic algorithms and protocols with no impact. | Must | 44110 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Use symmetric keys of at least 112 bits in length. | Must | 44120 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Use asymmetric keys of at least 2048 bits in length. 
| Must | 44130 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Use commercial tools that comply with X.509 standards and produce x.509 compliant keys for public/private key generation. Keys must not be generated or derived from predictable functions or values, e.g., values considered predictable include user identity information, time of day, stored/transmitted data. | Must | 44140 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide the capability to configure encryption algorithms or devices so that they comply with the laws of the United States and those of any country in which there are plans to use data encryption. | Must | 44150 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide the capability of using certificates issued from a Certificate Authority not provided by the VNF vendor. 
| Must | 44160 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide the capability of allowing certificate renewal and revocation. | Must | 44170 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide the capability of testing the validity of a digital certificate by performing the following: | | | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. The CA signature on the certificate must be validated | Must | 44180 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. 
The date the certificate is being used must be within the validity period for the certificate | Must | 44190 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. The Certificate Revocation List (CRL) for the certificates of that type must be checked to ensure that the certificate has not been revoked | Must | 44200 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| a. The identity represented by the certificate — the "distinguished name" — must be recognized | Must | 44210 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide the capability of encrypting selected data fields stored or bound for security logs. | Must | 44220 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide the capability of deleting data stored in the VNF. 
| Must | 44230 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Provide the capability to make data available in order to support requests from law enforcement and government agencies as required by legal or regulatory mandates. Capability must be configurable for MOW deployment. | Must | 44240 | -+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ - -DevOps -====== - -This section includes guidelines for vendors to ensure that a Network -Cloud Service Provider’s operations personnel have a common and -consistent way to support VNFs and VNFCs. - -NCSPs may elect to support standard images to enable compliance with -security, audit, regulatory and other needs. As part of the overall VNF -software bundle, VNF suppliers using standard images would typically -provide the NCSP with an install package consistent with the default OS -package manager (e.g. aptitude for Ubuntu, yum for Redhat/CentOS). - -Section 4.1.4 in *VNF Guidelines for Network Cloud and OpenECOMP* -describes the DevOps guidelines for VNFs. - -Additional requirements will be included in the next release of the -document. 
- -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| DevOps Requirements | Type | ID # | -+=======================================================================================================================================================================================================================+==========+=========+ -| Utilize only the Guest OS versions that are supported by the NCSP’s Network Cloud. [2]_ | Must | 50010 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Utilize only NCSP supported Guest OS images.\ :sup:`2` | Should | 50020 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Utilize only NCSP standard compute flavors.\ :sup:`2` | Must | 50030 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Running VMs will not be backed up in the Network Cloud infrastructure. Bringing a VM back up with the configuration required must be accomplished by using appropriate snapshot images or using persistent storage. 
| Must | 50040 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ -| Install VNFC(s) on non-root file systems, unless software is specifically included with the operating system distribution of the guest image. | Must | 50050 | -+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ - -**Copyright 2017 AT&T Intellectual Property. All Rights Reserved.** - -This paper is licensed to you under the Creative Commons License: - -**Creative Commons Attribution-ShareAlike 4.0 International Public -License** - -You may obtain a copy of the License at: - -https://creativecommons.org/licenses/by-sa/4.0/legalcode - -**You are free to:** - -- Share — copy and redistribute the material in any medium or format - -- Adapt — remix, transform, and build upon the material for any - purpose, even commercially. - -- The licensor cannot revoke these freedoms as long as you follow the - license terms. - -**Under the following terms:** - -- Attribution — You must give appropriate credit, provide a link to the - license, and indicate if changes were made. You may do so in any - reasonable manner, but **not** in any way that suggests the - licensor endorses you or your use. - -- ShareAlike — If you remix, transform, or build upon the material, you - must distribute your contributions under the same license as the - original. - -- No additional restrictions — You may not apply legal terms or - technological measures that legally restrict others from doing - anything the license permits. 
-
-**Notices:**
-
-- You do not have to comply with the license for elements of the
- material in the public domain or where your use is permitted by an
- applicable exception or limitation.
-
-- No warranties are given. The license may not give you all of the
- permissions necessary for your intended use. For example, other
- rights such as publicity, privacy, or moral rights may limit how you
- use the material.
-
-.. [1]
- Refer to NCSP’s Network Cloud specification
-
-.. [2]
- Refer to NCSP’s Network Cloud specification
\ No newline at end of file
diff --git a/docs/Common_Requirements_for_VNF_Functions/index.rst b/docs/Common_Requirements_for_VNF_Functions/index.rst
deleted file mode 100644
index 3ff97e2..0000000
--- a/docs/Common_Requirements_for_VNF_Functions/index.rst
+++ /dev/null
@@ -1,7 +0,0 @@
-Common Requirements for VNF Functions
----------------------------------------
-
-.. toctree::
- :maxdepth: 2
-
- Common_Requirements_for_Virtual_Network_Functions_2_17_2017_clean
\ No newline at end of file
diff --git a/docs/VNF_Guides_for_Network_Cloud_and_OpenEcomp/VNF Guidelines for Network Cloud and OpenECOMP 2-6-2017 clean.docx b/docs/VNF_Guides_for_Network_Cloud_and_OpenEcomp/VNF Guidelines for Network Cloud and OpenECOMP 2-6-2017 clean.docx
deleted file mode 100644
index 169f9ac..0000000
Binary files a/docs/VNF_Guides_for_Network_Cloud_and_OpenEcomp/VNF Guidelines for Network Cloud and OpenECOMP 2-6-2017 clean.docx and /dev/null differ
diff --git a/docs/VNF_Guides_for_Network_Cloud_and_OpenEcomp/VNF_Control_Loop.jpg b/docs/VNF_Guides_for_Network_Cloud_and_OpenEcomp/VNF_Control_Loop.jpg
deleted file mode 100644
index 73dbcbb..0000000
Binary files a/docs/VNF_Guides_for_Network_Cloud_and_OpenEcomp/VNF_Control_Loop.jpg and /dev/null differ
diff --git a/docs/VNF_Guides_for_Network_Cloud_and_OpenEcomp/VNF_Guidelines_for_Network_Cloud_and_OpenECOMP_2_6_2017_clean.rst b/docs/VNF_Guides_for_Network_Cloud_and_OpenEcomp/VNF_Guidelines_for_Network_Cloud_and_OpenECOMP_2_6_2017_clean.rst
deleted file mode 100644
index c4f332c..0000000
--- a/docs/VNF_Guides_for_Network_Cloud_and_OpenEcomp/VNF_Guidelines_for_Network_Cloud_and_OpenECOMP_2_6_2017_clean.rst
+++ /dev/null
@@ -1,1114 +0,0 @@
-.. contents::
- :depth: 3
-..
-
-**VNF Guidelines for Network Cloud and OpenECOMP**
-
-**Version 1.0**
-
-**February 1, 2017**
-
-Document Revision History
-
-+------------+------------+----------------------------------------------------------------------------+
-| Date | Revision | Description |
-+============+============+============================================================================+
-| 2/1/2017 | 1.0 | Initial public release of VNF Guidelines for Network Cloud and OpenECOMP |
-+------------+------------+----------------------------------------------------------------------------+
-
-Table of Contents
-
-Abstract
-========
-
-This white paper and the accompanying reference documents set forth
-guidelines and requirements for Virtual Network Functions (VNFs) that
-run in Network Clouds [1]_ and are managed by OpenECOMP [2]_. This
-document set is part of the OpenECOMP community and focuses on setting
-and evolving VNF standards that will facilitate industry discussion,
-participation, alignment and evolution toward comprehensive and
-actionable VNF best practices and standard interfaces. The goal is to
-accelerate adoption of VNF best practices which will increase
-innovation, minimize customization needed to onboard VNFs as well as
-reduce implementation complexity, time and cost for all impacted
-stakeholders. The intent is to drive harmonization of VNFs across VNF
-providers, Network Cloud Service Providers (NCSPs) and the overall
-Network Function Virtualization (NFV) ecosystem by providing both long
-term vision as well as short term focus and clarity where no current
-open source implementations exist today.
-
-This first release of the guidelines and requirements, although
-applicable in many implementations, is targeted for those
-implementations that consist of Network Clouds based on OpenStack.
-Future versions of these guidelines are envisioned to include other
-targeted virtualization environments, such as Customer Premises or other
-single-tenant small scale cloud implementations.
-
-In addition, given the relative maturity of key technologies involved,
-rapid innovation of NFV/SDN and virtualization technologies as well as
-the evolving OpenECOMP roadmap, this will be a living package that will
-evolve over time. These documents will become part of the OpenECOMP
-related requirements documents. The following enhancements are
-anticipated to be addressed in the next set of releases:
-
-- Open source software and demos of simple reference VNFs;
-
-- Automation of VNF onboarding and other aspects of VNF lifecycle as
- supported by OpenECOMP;
-
-- Consistent VNF packaging for automated onboarding using OpenECOMP;
-
-- Other implementation examples for targeted virtualization
- environments beyond OpenStack based Network Clouds;
-
-- Incubation and certification environment to provide a self-service
- program to gauge maturity and readiness of VNFs.
-
-Introduction
-============
-
-Motivation
----------
-
-The requirements and guidelines defined herein are intended to
-facilitate industry discussion, participation alignment and evolution
-toward comprehensive and actionable VNF best practices. Integration
-costs are a significant impediment to the development and deployment of
-new services. We envision developing open source industry processes and
-best practices leading eventually to VNF standards supporting commercial
-acquisition of VNFs with minimal integration costs. Traditional PNFs
-have all been unique like snowflakes and required expensive custom
-integration, whereas VNF products and services should be designed for
-easier integration just like Lego\ :sup:`TM` blocks. For example, by
-standardizing on common actions and related APIs supported by VNFs, plug
-and play integration is assured, jumpstarting automation with management
-frameworks.
Onboarding VNFs would no longer require complex and
-protracted integration or development activities thus maximizing
-automation and minimizing integration cost. Creating VNF open source
-environments, best practices and standards provides additional benefits
-to the NFV ecosystems such as:
-
-- Larger market for VNF providers
-
-- Rapid introduction and integration of new capabilities into the
- services providers environment
-
-- Reduced development times and costs for VNF providers
-
-- Better availability of new capabilities to NCSPs
-
-- Better distribution of new capabilities to end-user consumers
-
-- Reduced integration cost (capex) for NCSPs
-
-- Usage based software licensing for end-user consumers and NCSPs
-
-Audience
---------
-
-The industry transformation associated with softwarization [3]_ results
-in a number of changes in traditional approaches for industry
-collaboration. Changes from hardware to software, from waterfall to
-agile processes and the emergence of industry supported open source
-communities imply corresponding changes in processes at many industry
-collaboration bodies. With limited operational experience and much more
-dynamic requirements, open source communities are expected to evolve
-these VNF guidelines further before final documentation of those aspects
-necessary for standardization. This white paper and accompanying
-reference documents provides VNF providers, NCSPs and other interested
-3rd parties a set of guidelines and requirements for the design, build
-and overall lifecycle management of VNFs.
-
-**VNF Providers**
-
-Both suppliers transitioning from providing physical network functions
-(PNFs) to providing VNFs as well as new market entrants should find
-these VNF requirements and guidelines a useful introduction to the
-requirements to be able to develop VNFs for deployment into a Network
-Cloud.
VNF Providers may also be interested to test their VNFs in the
-context of an open source implementation of the environment.
-
-**Network Cloud Service Providers (NCSPs)**
-
-A NCSP provides services based on Network Cloud infrastructure as well
-as services above the infrastructure layer, e.g., platform service,
-end-to-end services.
-
-Common approaches to packaging of VNFs enable economies of scale in
-their development. As suitable infrastructure becomes deployed, NCSPs
-have a common interest in guidelines that support the ease of deployment
-of VNFs in each other’s Network Cloud. After reading these VNF
-guidelines, NCSPs should be motivated to join AT&T in evolving these
-guidelines in the OpenECOMP open source community to meet the industry’s
-collective needs.
-
-**Other interested parties**
-
-Other parties such as solution providers, open source community,
-industry standard bodies, students and researchers of network
-technologies, as well as enterprise customers may also be interested in
-the VNF Guidelines. Solution Providers focused on specific industry
-verticals may find these VNF guidelines useful in the development of
-specialized VNFs that can better address the needs of their industry
-through deployment of these VNFs in NCSP infrastructure. Open Source
-developers can use these VNF guidelines to facilitate the automation of
-VNF ingestion and deployment. The emergence of a market for VNFs enables
-NCSPs to more rapidly deliver increased functionality, for execution on
-white box hardware on customer’s premises – such functionality may be of
-particular interest to enterprises supporting similar infrastructure.
-
-Program and Document Structure
------------------------------
-
-This document is part of a hierarchy of documents that describes the
-overall Requirements and Guidelines for OpenECOMP. The diagram below
-identifies where this document fits in the hierarchy.
- -+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| OpenECOMP Requirements and Guidelines | -+===============================================================================================================================================================================================================+ -| VNF Guidelines for Network Cloud and OpenECOMP | Future OpenECOMP Subject Documents | -+------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| VNF Cloud Readiness Requirements for OpenECOMP | VNF Management Requirements for OpenECOMP | VNF Heat Template Requirements for OpenECOMP | Future,VNF Requirements Documents | Future Requirements Documents | -+------------------------------------------------+-------------------------------------------+----------------------------------------------+-----------------------------------+-------------------------------+ - -Document summary: - -**VNF Guidelines for Network Cloud and OpenECOMP** - -- Describes VNF environment and overview of requirements - -*VNF Cloud Readiness Requirements for OpenECOMP* - -- Cloud readiness requirements for VNFs (Design, Resiliency, Security, - and DevOps) - -*VNF Management Requirements for OpenECOMP* - -- Requirements for how VNFs interact and utilize OpenECOMP - -*VNF Heat Template Requirements for OpenECOMP* - -- Provides recommendations and standards for building Heat templates - compatible with OpenECOMP– initial implementations of Network Cloud - are assumed to be OpenStack based. - -VNF Context -=========== - -A technology trend towards softwarization is impacting the -communications industry as it has already impacted a number of other -industries. 
This trend is expected to have some significant impacts on -the products and processes of this industry. The transformation from -products primarily based on hardware to products primarily based on -software has a number of impacts. The completeness of the software -packages to ease integration, usage based licensing to reflect scaling -properties, independence from hardware and location and software -resilience in the presence of underlying hardware failure all gain in -importance compared to prior solutions. The processes supporting -software products and services are also expected to transform from -traditional waterfall methodologies to agile methods. In agile -processes, characteristics such as versioned APIs, rolling upgrades, -automated testing and deployment support with incremental release -schedules become important for these software products and services. -Industry process related to software products and services also change -with the rise of industrially supported open source communities. -Engagement with these open source communities enables sharing of best -practices and collaborative development of open source testing and -integration regimes, open source APIs and open source code bases. - -The term VNF is inspired by the work [4]_ of the ETSI [5]_ Network -Functions Virtualization (NFV) Industry Specification Group (ISG). -ETSI’s VNF definition includes both historically network functions, such -as Virtual Provider Edge (VPE), Virtual Customer Edge (VCE), and Session -Border Controller (SBC), as well as historically non-network functions -when used to support network services, such as network-supporting web -servers and databases. The VNF discussion in these guidelines applies to -all types of virtualized workloads, not just network appliance -workloads. Having a consistent approach to virtualizing any workload -provides more industry value than just virtualizing some workloads. [6]_ - -VNFs are functions that are implemented in Network Clouds. 
Network -Clouds must support end-to-end high-bandwidth low latency network flows -through VNFs running in virtualization environments. For example, a -Network Cloud is able to provide a firewall service to be created such -that all Internet traffic to a customer premise passes through a virtual -firewall running in the Network Cloud. - -A data center may be the most common target for a virtualization -environment, but it is not the only target. Virtualization environments -are also supported by more constrained resources e.g., Enterprise -Customer Premise Equipment (CPE). Virtualization environments are also -expected to be available at more distributed network locations by -architecting central offices as data centers, or virtualizing functions -located at the edge of the operator infrastructure (e.g., virtualized -Optical Line Termination (vOLT) or xRAN [7]_) and in constrained -resource Access Nodes. Expect detailed requirements to evolve with these -additional virtualization environments. Some VNFs may scale across all -these environments, but all VNFs should onboard through the same process -before deployment to the targeted virtualization environment. - -Business Process Impacts -------------------------- - -Business process changes need to occur in order to realize full benefits -of VNF characteristics: efficiency via automation, open source reliance, -and improved cycle time through careful design. - -**Efficiency via Automation** - -reliant on human labor for critical operational tasks don’t scale. By -aggressively automating all VNF operational procedures, VNFs have lower -operational cost, are more rapidly deployed at scale and are more -consistent in their operation. OpenECOMP provides the automation -framework which VNFs can take advantage of simply by implementing -OpenECOMP compatible interfaces and lifecycle models. This enables -automation which drives operational efficiencies and delivers the -corresponding benefits. 
-
-**Open Source**
-
-VNFs are expected to run on infrastructure largely enabled by open
-source software. For example, OpenStack [8]_ is often used to provide
-the virtualized compute, network, and storage capabilities used to host
-VNFs. OpenDaylight (ODL) [9]_ can provide the network control plane. The
-OPNFV community [10]_ provides a reference platform through integration
-of ODL, OpenStack and other relevant open source projects. VNFs also run
-in open source operating systems like Linux. VNFs might also utilize
-open source software libraries to take advantage of required common but
-critical software capabilities where community support is available.
-Automation becomes easier, overall costs go down and time to market can
-decrease when VNFs can be developed and tested in an open source
-reference platform environment prior to on-boarding by the NCSP. All of
-these points contribute to a lower cost structure for both VNF providers
-and NCSPs.
-
-**Improved Cycle Time through Careful Design**
-
-Today’s fast paced world requires businesses to evolve rapidly in order
-to stay relevant and competitive. To a large degree VNFs, when used with
-the same control, orchestration, management and policy framework (e.g.,
-OpenECOMP), will improve service development and composition. VNFs
-should enable NCSPs to exploit recursive nesting of VNFs to acquire VNFs
-at the smallest appropriate granularity so that new VNFs and network
-services can be composed. The ETSI NFV Framework [11]_ envisages such
-recursive assembly of VNFs, but many current implementations fail to
-support such features. Designing for VNF reuse often requires that
-traditional appliance based PNFs be refactored into multiple individual
-VNFs where each does one thing particularly well. 
While the original
-appliance based PNF can be replicated virtually by the right combination
-and organization of lower level VNFs, the real advantage comes in
-creating new services composed of different combinations of lower level
-VNFs (possibly from many providers) organized in new ways. Easier and
-faster service creation often generates real value for businesses. As
-softwarization trends progress towards more agile processes, VNFs,
-OpenECOMP and Network Clouds are all expected to evolve towards
-continuous integration, testing and deployment of small incremental
-changes to de-risk the upgrade process.
-
-ETSI Network Function Virtualization (NFV) comparison
------------------------------------------------------
-
-ETSI defines a VNF as an implementation of a network function that can
-be deployed on a Network Function Virtualization Infrastructure (NFVI).
-Service instances may be composed of an assembly of VNFs. In turn, a VNF
-may also be assembled from VNF components (VNFCs) that each provide a
-reusable set of functionality. VNFs are expected to take advantage of
-platform provided common services.
-
-VNF management and control under OpenECOMP is different than management
-and control exposed in the ETSI MANO model. With OpenECOMP, there is
-only a single management and control plane. In ETSI’s Framework [12]_,
-architectural options exist for preserving legacy systems that increase
-integration costs e.g., different VNFs can be controlled by VNF Managers
-(VNFMs) and Element Management Systems (EMSs) provided by different
-software providers. OpenECOMP addresses the concern that multiple VNFMs
-in this space will hinder VNF reuse and increase VNF and service
-integration costs. Asking all VNF providers to take advantage of and
-interoperate with common control software mitigates related reuse and
-integration challenges. 
The common, SDN based, control platform
-(OpenECOMP) is being made available as an open source project to reduce
-friction for VNF providers and enable new network functions to get to
-market faster and with lower costs.
-
-Also under OpenECOMP, VNF providers do not provide their own proprietary
-VNF Managers (VNFM) or Element Management Systems (EMS). Those
-capabilities are provided by OpenECOMP. Hence, VNFs are required to
-consume open interfaces to OpenECOMP in support of management and
-control. The VNF Package must include the appropriate data models for
-integration with OpenECOMP to enable management and control of the
-VNFCs.
-
-**Figure 1** shows a simplified OpenECOMP and Infrastructure view to
-highlight how individual Virtual Network Functions plug into the
-OpenECOMP control loops.
-
-|image0|
-
-\ **Figure 1. Control Loop**
-
-In the control loop view in **Figure 1**, the VNF provides an event
-data stream via an API to Data Collection, Analytics and Events (DCAE).
-DCAE analyzes and aggregates the data stream and when particular
-conditions are detected, uses policy to enable what, if any, action
-should be triggered. Some of the triggered actions may require a
-controller to make changes to the VNF through a VNF provided API.
-
-For a detailed comparison between ETSI NFV and OpenECOMP, refer to
-Appendix C - Comparison between VNF Guidelines and ETSI GS NFV-SWA 001.
-
-Evolving VNF Related Industry Activities
----------------------------------------
-
-Many existing industry collaboration bodies are structured around a
-particular service or segment of the network. VNFs are intended to
-operate across multiple services and execute on commodity targeted
-virtualization environments. 
With the NCSPs transformation to acquiring
-products and services based on location and hardware independent VNFs,
-the opportunity exists for instances of those VNFs to be deployed across
-multiple network locations and services where suitable virtualization
-infrastructure is available.
-
-The rise of industry-supported open source communities has created new
-opportunities for collaboration and challenges for existing industry
-communities such as Standards Developing Organizations (SDOs).
-Collaboration in many SDOs defers intellectual property issues. Most
-industrially-supported open source communities resolve intellectual
-property issues between collaborators through explicit contribution
-licensing agreements. Common infrastructure software components (e.g.,
-SDN Controllers, Cloud Management Systems) are expected to be available
-through industrially supported open source communities (e.g., Open
-Daylight and OpenStack). Whether VNFs are open or proprietary, they
-should use open APIs, test and integration capabilities developed in
-industrially supported open source communities (e.g., OpenECOMP, OPNFV).
-
-The migration path for operator’s existing processes and services to
-effectively utilize VNFs may be operator specific. The requirements for
-VNFs may be expected to evolve rapidly as the industry develops
-experience with operational and development best practices for VNFs. In
-particular, industry operations procedures are expected to evolve
-towards agile software methodologies, DevOps, continuous integration and
-continuous deployment (CI/CD). In this environment of changing and
-context-dependent VNF requirements, agile, pragmatic approaches focused
-on delivering functionality in the near term and evolving it towards
-targeted VNF characteristics are preferred over lengthy waterfall
-industry standardization processes. 
Demonstrating functionality and
-interoperability of appropriate VNF-related APIs in open source
-communities is considered a pre-requisite to starting industry
-specification work documenting stable interfaces.
-
-While multiple open source communities exist supporting particular
-infrastructure software options, the market success of any particular
-option combination cannot be assured. Integration communities such as
-OPNFV provide an approach enabling VNF providers to test their products
-and services against a variety of expected configurations available in
-the industry.
-
-Evolving towards VNFs
----------------------
-
-In order to deploy VNFs, a target virtualization environment must
-already be in place. The NCSPs scale necessitates a phased rollout of
-virtualization infrastructure and then of VNFs upon that infrastructure.
-Some VNF use cases may require greenfield infrastructure deployments,
-others may start brownfield deployments in centralized data centers and
-then scale deployment more widely as infrastructure becomes available.
-Some service providers have been very public and proactive in setting
-transformation targets associated with VNFs [13]_.
-
-Because of the complexity of migration and integration issues, the
-requirements for VNFs in the short term may need to be contextualized to
-the specific service and transition planning.
-
-Much of the existing VNF work has been based on corresponding network
-function definitions and requirements developed for PNFs. Many of the
-assumptions about PNFs do not apply to VNFs and the modularity of the
-functionality is expected to be significantly different. In addition,
-the increased service velocity objectives of NFV are based on new types
-of VNFs being developed to support new services being deployed in
-virtualized environments. 
Much of the functionality associated with 5G
-(e.g., IoT, augmented reality/virtual reality) is thus expected to be
-deployed as VNFs in targeted virtualization infrastructure towards the
-edge of the network.
-
-VNF Characteristics
-===================
-
-VNFs need to be constructed using a distributed systems architecture
-that we will call "Network Cloud Ready". They need to interact with the
-orchestration and control platform provided by OpenECOMP and address the
-new security challenges that come in this environment.
-
-The main goal of a Network Cloud Ready VNF is to run ‘well’ on any
-Network Cloud (public or private) over any network (carrier or
-enterprise). In addition, for optimal performance and efficiency, VNFs
-will be designed to take advantage of Network Clouds. This requires
-careful engineering in both VNFs and candidate Network Cloud computing
-frameworks.
-
-To ensure Network Cloud capabilities are leveraged and VNF resource
-consumption meets engineering and economic targets, VNF performance and
-efficiency will be benchmarked in a controlled lab environment. In line
-with the principles and practices laid out in ETSI GS NFV-PER 001,
-efficiency testing will consist of benchmarking VNF performance with a
-reference workload and associated performance metrics on a reference
-Network Cloud (or, when appropriate, additional benchmarking on a bare
-metal reference platform).
-
-Network Cloud Ready VNF characteristics and design consideration can be
-grouped into three areas:
-
-- Cloud Readiness
-
-- OpenECOMP Ready
-
-- Virtualization Environment Ready
-
-Detailed requirements are contained in the reference documents that are
-listed in Appendix B - References.
-
-Cloud Readiness
----------------
-
-VNFs should be designed to operate within a cloud environment from the
-first stages of the development. The VNF provider should think clearly
-about how the VNF should be decomposed into various modules. 
Resiliency
-within a cloud environment is very different than in a physical
-environment and the developer should give early thought as to how the
-Network Cloud Service Provider will ensure the level of resiliency
-required by the VNF and then provide the capabilities needed within that
-VNF. Scaling and Security should also be well thought out at design time
-so that the VNF runs well in a virtualized environment. Finally, the VNF
-Provider also needs to think about how they will integrate and deploy
-new versions of the VNF. Since the cloud environment is very dynamic,
-the developer should utilize DevOps practices to deploy new software.
-
-Requirements for Cloud Readiness can be found in the *VNF Common
-Requirements for OpenECOMP* document.
-
-VNF Design
-~~~~~~~~~~
-
-A VNF may be a large construct and therefore when designing it, it is
-important to think about the components from which it will be composed.
-The ETSI SWA 001 document gives a good overview of the architecture of a
-VNF in Chapter 4 as well as some good examples of how to compose a VNF
-in its Annex B. When laying out the components of the VNF it is
-important to keep in mind the following principles: Single Capability,
-Independence, State and the APIs.
-
-Many Network Clouds will use Heat to describe orchestration templates
-for instantiating VNFs and VNFCs. Heat has a useful abstraction called a
-“module” that can contain one or more VNFCs. A module can be thought of
-as a deployment unit. In general the goal should be for each module to
-contain a single VNFC.
-
-Single Capability
-^^^^^^^^^^^^^^^^^
-
-VNFs should be carefully decomposed into loosely coupled, granular,
-re-usable VNFCs that can be distributed and scaled on a Network Cloud.
-VNFCs should be responsible for a single capability.
-
-The Network Cloud will define several flavors of VMs for a VNF designer
-to choose from for instantiating a VNFC. 
The best practice is to keep
-the VNFCs as lightweight as possible while still fulfilling the business
-requirements for the "single capability", however the VNFC should not be
-so small that the overhead of constructing, maintaining, and operating
-the service outweighs its utility.
-
-Independence
-^^^^^^^^^^^^
-
-VNFCs should be independently deployed, configured, upgraded, scaled,
-monitored, and administered (by OpenECOMP). The VNFC must be a
-standalone executable process.
-
-API versioning is one of the biggest enablers of independence. To be
-able to independently evolve a component, versioning must ensure
-existing clients of the component are not forced to flash-cut with each
-interface change. API versioning enables smoother evolution while
-preserving backward compatibility.
-
-Scaling
-^^^^^^^
-
-Each VNFC within a VNF must support independent horizontal scaling, by
-adding/removing instances, in response to demand loads on that VNFC. The
-Network Cloud is not expected to support adding/removing resources
-(compute, memory, storage) to an existing instance of a VNFC (vertical
-scaling). A VNF should be designed such that its components can scale
-independently of each other. Scaling one component should not require
-another component to be scaled at the same time. All scaling will be
-controlled by OpenECOMP.
-
-Managing State
-^^^^^^^^^^^^^^
-
-VNFCs and their interfaces should isolate and manage state to allow for
-high-reliability, scalability, and performance in a Network Cloud
-environment. The use of state should be minimized as much as possible to
-facilitate the movement of traffic from one instance of a VNFC to
-another. Where state is required it should be maintained in a
-geographically redundant data store that may in fact be its own VNFC.
-
-This concept of decoupling state data can be extended to all persistent
-data. Persistent data should be held in a loosely coupled database. 
-These decoupled databases need to be engineered and placed correctly to
-still meet all the performance and resiliency requirements of the
-service.
-
-Lightweight and Open APIs
-^^^^^^^^^^^^^^^^^^^^^^^^^
-
-Key functions are accessible via open APIs, which align to Industry API
-Standards and supported by an open and extensible information/data
-model.
-
-Reusability
-^^^^^^^^^^^
-
-Properly (de)composing a VNF requires thinking about “reusability”.
-Components should be designed to be reusable within the VNF as well as
-by other VNFs. The “single capability” principle aids in this
-requirement. If a VNFC could be reusable by other VNFs then it should be
-designed as its own single component VNF that may then be chained with
-other VNFs. Likewise, a VNF provider should make use of other common
-platform VNFs such as firewalls and load balancers, instead of building
-their own.
-
-Resiliency
-~~~~~~~~~~
-
-The VNF is responsible for meeting its resiliency goals and must factor
-in expected availability of the targeted virtualization environment.
-This is likely to be much lower than found in a traditional data center.
-The VNF developer should design the function in such a way that if there
-is a platform problem the VNF will continue working as needed and meet
-the SLAs of that function. VNFs should be designed to survive single
-failure platform problems including: hypervisor, server, datacenter
-outages, etc. There will also be significant planned downtime for the
-Network Cloud as the infrastructure goes through hardware and software
-upgrades. The VNF should support tools for gracefully meeting the
-service needs such as methods for migrating traffic between instances
-and draining traffic from an instance. The VNF needs to rapidly respond
-to the changing conditions of the underlying infrastructure.
-
-VNF resiliency can typically be met through redundancy often supported
-by distributed systems architectures. 
This is another reason for
-favoring smaller VNFCs. By having more instances of smaller VNFCs it is
-possible to spread the instance out across servers, racks, datacenters,
-and geographic regions. This level of redundancy can mitigate most
-failure scenarios and has the potential to provide a service with even
-greater availability than the old model. Careful consideration of VNFC
-modularity also minimizes the impact of failures when an instance does
-fail.
-
-Security
-~~~~~~~~
-
-Security must be integral to the VNF through its design, development,
-instantiation, operation, and retirement phases. VNF architectures
-deliver new security capabilities that make it easier to maximize
-responsiveness during a cyber-attack and minimize service interruption
-to the customers. SDN enables the environment to expand and adapt for
-additional traffic and incorporation of security solutions. Further,
-additional requirements will exist to support new security capabilities
-as well as provide checks during the development and production stages
-to assure the expected advantages are present and compensating controls
-exist to mitigate new risks.
-
-New security requirements will evolve along with the new architecture.
-Initially, these requirements will fall into the following categories:
-
-- VNF General Security Requirements
-
-- VNF Identity and Access Management Requirements
-
-- VNF API Security Requirements
-
-- VNF Security Analytics Requirements
-
-- VNF Data Protection Requirements
-
-DevOps
-~~~~~~
-
-The OpenECOMP software development and deployment methodology is
-evolving toward a DevOps model. VNF development and deployment should
-evolve in the same direction, enabling agile delivering of end-to-end
-services. Following these same principles better positions OpenECOMP and
-VNF development to coevolve in the same direction. 
-
-Testing
-^^^^^^^
-
-VNF packages should provide comprehensive automated regression,
-performance and reliability testing with VNFs based on open industry
-standard testing tools and methodologies. VNF packages should provide
-acceptance and diagnostic tests and in-service instrumentation to be
-used in production to validate VNF operation.
-
-Build and Deployment Processes
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-VNF packages should include continuous integration and continuous
-deployment (CI/CD) software artifacts that utilize automated open
-industry standard system and container build tools. The VNF package
-should include parameterized configuration variables to enable automated
-build customization. Don’t create unique (snowflake) VNFs requiring any
-manual work or human attention to deploy. Do create standardized (Lego™)
-VNFs that can be deployed in a fully automated way.
-
-OpenECOMP will orchestrate updates and upgrades of VNFs. The target
-method for updates and upgrades is to onboard and validate the new
-version, then build a new instance with the new version of software,
-transfer traffic to that instance and kill the old instance. There
-should be no need for the VNF or its components to provide an
-update/upgrade mechanism.
-
-Automation
-^^^^^^^^^^
-
-Increased automation is enabled by VNFs and VNF design and composition.
-VNF and VNFCs should provide the following automation capabilities, as
-triggered or managed via OpenECOMP:
-
-- Events and alarms
-
-- Lifecycle events
-
-- Zero-Touch rolling upgrades and downgrades
-
-- Configuration
-
-OpenECOMP Ready
----------------
-
-OpenECOMP is the “brain” providing the lifecycle management and control
-of software-centric network resources, infrastructure and services. 
-OpenECOMP is critical in achieving the objectives to increase the value
-of the Network Cloud to customers by rapidly on-boarding new services,
-enabling the creation of a new ecosystem of consumer and enterprise
-services, reducing capital and operational expenditures, and providing
-operations efficiencies. It delivers enhanced customer experience by
-allowing them in near real-time to reconfigure their network, services,
-and capacity.
-
-For more details, refer to the `ECOMP Architecture White
-Paper `__\ [14]_.
-
-One of the main OpenECOMP responsibilities is to rapidly onboard and
-enrich VNFs to be cataloged as resources to allow composition and
-deployment of services in a multi-vendor plug and play environment. It
-is also extremely important to be able to automatically manage the VNF
-run-time lifecycle to fully realize benefits of NFV. The VNF run-time
-lifecycle includes aspects such as instantiation, configuration, elastic
-scaling, automatic recovery from resource failures, and resource
-allocation. It is therefore imperative to provide VNFs that are equipped
-with well-defined capabilities that comply with OpenECOMP standards to
-allow rapid onboarding and automatic lifecycle management of these
-resources when deploying services as depicted in **Figure 2**.
-
-|image1|
-
-\ **Figure 2. VNF Complete Lifecycle Stages**
-
-In order to realize these capabilities within the OpenECOMP platform, it
-is important to adhere to a set of key principles (listed below) for
-VNFs to integrate into OpenECOMP.
-
-Requirements for OpenECOMP Ready can be found in the *VNF Management
-Requirements for OpenECOMP* document. 
-
-Design Definition
-~~~~~~~~~~~~~~~~~
-
-Onboarding automation will be facilitated by applying standards-based
-approaches to VNF packaging to describe the VNF’s infrastructure
-resource requirements, topology, licensing model, design constraints,
-and other dependencies to enable successful VNF deployment and
-management of VNF configuration and operational behavior.
-
-The current VNF Package Requirement is based on a subset of the
-Requirements contained in the ETSI Document: ETSI GS NFV-MAN 001 v1.1.1
-and GS NFV IFA011 V0.3.0 (2015-10) - Network Functions Virtualization
-(NFV), Management and Orchestration, VNF Packaging Specification.
-
-Configuration Management
-~~~~~~~~~~~~~~~~~~~~~~~~
-
-OpenECOMP must be able to orchestrate and manage the VNF configuration
-to provide fully automated environment for rapid service provisioning
-and modification. VNF configuration/reconfiguration must be allowed
-directly through standardized APIs without the need for an EMS.
-
-Monitoring and Management
-~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-The end-to-end service reliability and availability in a virtualized
-environment will greatly depend on the ability to monitor and manage the
-behavior of Virtual Network Functions in real-time. OpenECOMP platform
-must be able to monitor the health of the network and VNFs through
-collection of event and performance data directly from network resources
-utilizing standardized APIs without the need for an EMS. The VNF
-provider must provide visibility into VNF performance and fault at the
-VNFC level (VNFC is the smallest granularity of functionality in our
-architecture) to allow OpenECOMP to proactively monitor, test, diagnose
-and trouble shoot the health and behavior of VNFs at their source. 
-
-Virtualization Environment Ready
---------------------------------
-
-Every Network Cloud Service Provider will have a different set of
-resources and capabilities for their Network Cloud, but there are some
-common resources and capabilities that nearly every NCSP will offer.
-
-Network Cloud
-~~~~~~~~~~~~~
-
-VNFCs should be agnostic to the details of the Network Cloud (such as
-hardware, host OS, Hypervisor or container technology) and must run on
-the Network Cloud with acknowledgement to the paradigm that the Network
-Cloud will continue to rapidly evolve and the underlying components of
-the platform will change regularly. VNFs should be prepared to move
-VNFCs across VMs, hosts, locations or datacenters, or Network Clouds.
-
-Overlay Network
-~~~~~~~~~~~~~~~
-
-VNFs should be compliant with the Network Cloud network virtualization
-platform including the specific set of characteristics and features.
-
-The Network Cloud is expected to be tuned to support VNF performance
-requirements. Initially, specifics may differ per Network Cloud
-implementation and are expected to evolve over time, especially as the
-technology matures.
-
-Guest Operating Systems
-~~~~~~~~~~~~~~~~~~~~~~~
-
-VNFs should use the NCSP’s standard set of OS images to enable
-compliance with security, audit, regulatory and other needs.
-
-Compute Flavors
-~~~~~~~~~~~~~~~
-
-VNFs should take advantage of the standard Network Cloud capabilities in
-terms of VM characteristics (often referred to as VM Flavors), VM sizes
-and cloud acceleration capabilities aimed at VNFs such as Intel’s Data
-Plane Development Kit (DPDK).
-
-Summary
-=======
-
-The intent of these guidelines and requirements is to provide long term
-vision as well as short term focus and clarity where no current open
-source implementation exists today. 
The goal is to accelerate the
-adoption of VNFs which will increase innovation, minimize customization
-to onboard VNFs, reduce implementation time and complexity as well as
-lower overall costs for all stakeholders. It is critical for the
-Industry to align on a set of standards and interfaces to quickly
-realize the benefits of NFV. AT&T is contributing these guidelines to
-the OpenECOMP open source community as a step in moving toward
-standards. These guidelines are based on our experience with large scale
-deployment and operations of VNFs over the past several years.
-
-This VNF guidelines document provides a general overview and points to
-more detailed requirements documents. The subtending documents provide
-more detailed requirements and are listed in Appendix B - References.
-All documents are expected to evolve.
-
-Some of these VNF guidelines may be more broadly applicable in the
-industry, e.g., in other open source communities or standards bodies.
-The art of VNF architecture and development is expected to mature
-rapidly with practical deployment and operations experience from a
-broader ecosystem of types of VNFs and different VNF providers.
-Individual operators may also choose to provide their own extensions and
-enhancements to support their particular operational processes, but
-these guidelines are expected to remain broadly applicable across a
-number of service providers interested in acquiring VNFs.
-
-We invite feedback on these VNF Guidelines in the context of the
-OpenECOMP Project. We anticipate an ongoing project within the OpenECOMP
-Community to maintain similar guidance for VNF developers to enable them
-to more easily develop VNFs which are compatible with the evolving
-releases of OpenECOMP. Comments on these guidelines should be discussed
-there. 
- -Appendix A - Glossary -====================== - -+-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Heat | Heat is a service to orchestrate composite cloud applications using a declarative template format through an OpenStack-native REST API. | -+-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Network Clouds | Network Clouds are built on a framework containing these essential elements: refactoring hardware elements into software functions running on commodity cloud computing infrastructure; aligning access, core, and edge networks with the traffic patterns created by IP based services; integrating the network and cloud technologies on a software platform that enables 
rapid, highly automated, deployment and management of services, and software defined control so that both infrastructure and functions can be optimized across change in service demand and infrastructure availability; and increasing competencies in software integration and a DevOps operations model. | -+-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Network Cloud Service Provider | Network Cloud Service Provider (NCSP) is a company or organization, making use of a communications network to provide Network Cloud services on a commercial basis to third parties. 
| -+-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| SDOs | Standards Developing Organizations are organizations which are active in the development of standards intended to address the needs of a group of affected adopters. | -+-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Softwarization | Softwarization is the transformation of business processes to reflect characteristics of software centric products, services, lifecycles, and methods. 
| -+-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Targeted Virtualization Environment | Targeted Virtualization Environment is the execution environment for VNFs. While Network Clouds located in datacenters are a common execution environment, VNFs can and will be deployed in various locations (e.g., non-datacenter environments) and form factors (e.g., enterprise Customer Premise Equipment). Non-datacenter environments are expected to be available at more distributed network locations including central offices and at the edge of the NCSP’s infrastructure. 
| -+-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| VM | Virtual Machine (VM) is a virtualized computation environment that behaves very much like a physical computer/server. A VM has all its ingredients (processor, memory/storage, interfaces/ports) of a physical computer/server and is generated by a hypervisor, which partitions the underlying physical resources and allocates them to VMs. Virtual Machines are capable of hosting a virtual network function component (VNFC). | -+-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| VNF | Virtual Network Function (VNF) is the software implementation of a function that can be deployed on a Network Cloud. 
It includes network functions that provide transport and forwarding. It also includes other functions when used to support network services, such as network-supporting web servers and database. | -+-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| VNFC | Virtual Network Function Component (VNFC) are the sub-components of a VNF providing a VNF Provider a defined sub-set of that VNF's functionality, with the main characteristic that a single instance of this component maps 1:1 against a single Virtualization Container. See Figure 3 for the relationship between VNFC and VNFs. 
| -| | |image2| | -+-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - -Appendix B - References -======================= - -1. VNF Cloud Readiness Requirements for OpenECOMP - -2. VNF Management Requirements for OpenECOMP - -3. VNF Heat Template Requirements for OpenECOMP - -Appendix C - Comparison between VNF Guidelines and ETSI GS NFV-SWA 001 -====================================================================== - -The VNF guidelines presented in this document (VNF Guidelines) overlap -with the ETSI GS NFV-SWA 001 (Network Functions Virtualization (NFV); -Virtual Network Function Architecture) document. For convenience we will -just refer to this document as SWA 001. - -The SWA 001 document is a survey of the landscape for architecting a -VNF. It includes many different options for building a VNF that take -advantage of the ETSI MANO architecture. - -The Network Cloud and OpenECOMP have similarities to ETSI’s MANO, but -also have differences described in earlier sections. The result is -differences in the VNF requirements. Since these VNF Guidelines are for -a specific implementation of an architecture they are narrower in scope -than what is specified in the SWA 001 document. - -The VNF Guidelines primarily overlaps the SWA 001 in Sections 4 and 5. 
-The other sections of the SWA 001 document lie outside the scope of the -VNF Guidelines. - -This appendix will describe the differences between these two documents -indexed on the SWA 001 sections - -Section 4 Overview of VNF in the NFV Architecture -------------------------------------------------- - -This section provides an overview of the ETSI NFVI architecture and how -it interfaces with the VNF architecture. Because of the differences -between infrastructure architectures there will naturally be some -differences in how it interfaces with the VNF. - -A high level view of the differences in architecture can be found in the -main body of this document and a more detailed analysis can be found in -the ECOMP Architecture White Paper\ [15]_. - -Section 4.3 Interfaces -~~~~~~~~~~~~~~~~~~~~~~ - -Since OpenECOMP provides the VNFM and EMS functionality for all VNFs the -SWA-3 and SWA-4 interfaces are OpenECOMP interfaces. All OpenECOMP -interfaces are described in this package of documents. - -Section 5 VNF Design Patterns and Properties --------------------------------------------- - -This section of the SWA 001 document gives a broad view of all the -possible design patterns of VNFs. The VNF Guidelines do not generally -differ from this section. The VNF Guidelines address a more specific -scope than what is allowed in the SWA 001 document. - -Section 5.1 VNF Design Patterns -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The following are differences between the VNF Guidelines and SWA-001: - -- 5.1.2 - The Network Cloud does not recognize the distinction between - “parallelizable” and “non-parallelizable” VNFCs, where parallelizable - means that there can be multiple instances of the VNFC. In the VNF - Guidelines, all VNFCs should support multiple instances and therefore - be parallelizable. - -- 5.1.3 - The VNF Guidelines encourages the use of stateless VNFCs. 
- However, where state is needed it should be kept external to the VNFC - to enable easier failover - -- 5.1.5 - The VNF Guidelines only accepts horizontal scaling (scale - out/in) by VNFC. Vertical scaling (scale up/down) is not supported by - OpenECOMP. - -- 5.1.5 - Since OpenECOMP provides all EMS and VNFM functionality - On-Demand scaling is accomplished through OpenECOMP and not directly - by the VNF - -Section 5.2 VNF Update and Upgrade -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -- 5.2.2 - OpenECOMP will orchestrate updates and upgrades. The - preferred method for updates and upgrades is to build a new instance - with the new version of software, transfer traffic to that instance - and kill the old instance - -Section 5.3 VNF Properties -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The following are differences between the VNF Guidelines and SWA-001: - -- 5.3.1 - In a Network Cloud all VNFs must be only “COTS-Ready”. The - VNF Guidelines does not support “Partly COTS-READY” or “Hardware - Dependent”. - -- 5.3.2 – The only virtualization environment currently supported by - OpenECOMP is “Virtual Machines”. The VNF Guidelines state that all - VNFs should be hypervisor agnostic. Other virtualized environment - options such as containers are not currently supported. However, - container technology is targeted to be supported in the future. - -- 5.3.3 - All VNFs must scale horizontally (scale out/in) within the - Network Cloud. Vertical (scale up/down) is not supported. - -- 5.3.5 - The VNF Guidelines state that OpenECOMP will provide full - policy management for all VNFs. The VNF will not provide its own - policy management for provisioning and management. - -- 5.3.7 - The VNF Guidelines recognizes both stateless and stateful - VNFCs but it encourages the minimization of stateful VNFCs. - -- 5.3.11 - The VNF Guidelines only allows for OpenECOMP management of - the VNF. 
It does not allow a proprietary management interface for use - with a 3rd party EMS - -Section 5.4 Attributes describing VNF Requirements -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Attributes described in the VNF Guidelines and reference documents -include those attributes defined in this section of the SWA 001 document -but also include additional attributes. - -**Copyright 2017 AT&T Intellectual Property. All Rights Reserved.** - -This paper is licensed to you under the Creative Commons License: - -**Creative Commons Attribution-ShareAlike 4.0 International Public -License** - -You may obtain a copy of the License at: - -https://creativecommons.org/licenses/by-sa/4.0/legalcode - -**You are free to:** - -- Share — copy and redistribute the material in any medium or format - -- Adapt — remix, transform, and build upon the material for any - purpose, even commercially. - -- The licensor cannot revoke these freedoms as long as you follow the - license terms. - -**Under the following terms:** - -- Attribution — You must give appropriate credit, provide a link to the - license, and indicate if changes were made. You may do so in any - reasonable manner, but **not** in any way that suggests the - licensor endorses you or your use. - -- ShareAlike — If you remix, transform, or build upon the material, you - must distribute your contributions under the same license as the - original. - -- No additional restrictions — You may not apply legal terms or - technological measures that legally restrict others from doing - anything the license permits. - -**Notices:** - -- You do not have to comply with the license for elements of the - material in the public domain or where your use is permitted by an - applicable exception or limitation. - -- No warranties are given. The license may not give you all of the - permissions necessary for your intended use. For example, other - rights such as publicity, privacy, or moral rights may limit how you - use the material. - -.. 
[1] - Network Clouds are built on a framework containing these essential - elements: refactoring hardware elements into software functions - running on commodity cloud computing infrastructure; aligning access, - core, and edge networks with the traffic patterns created by IP based - services; integrating the network and cloud technologies on a - software platform that enables rapid, highly automated, deployment - and management of services, and software defined control so that both - infrastructure and functions can be optimized across change in - service demand and infrastructure availability; and increasing - competencies in software integration and a DevOps operations model. - -.. [2] - OpenECOMP is an open source initiative for ECOMP, www.openecomp.org. - -.. [3] - Softwarization is the transformation of business processes to reflect - characteristics of software centric products, services, lifecycles - and methods. - -.. [4] - “ Virtual Network Functions Architecture” ETSI GS NFV-SWA 001 v1.1.1 - (Dec 2012) - -.. [5] - European Telecommunications Standards Institute or ETSI - (http://www.etsi.org) is a respected standards body providing - standards for information and communications technologies. - -.. [6] - Full set of capabilities of Network Cloud and/or OpenECOMP might not - be needed to support traditional IT like workloads. - -.. [7] - xRAN (http://www.xran.org/) - -.. [8] - OpenStack (http://www.openstack.org) - -.. [9] - OpenDaylight (http://www.opendaylight.org) - -.. [10] - OPNFV (http://www.opnfv.org) - -.. [11] - See, e.g., Figure 3 of GS NFV 002, Architectural Framework - -.. [12] - “Architectural Framework”, ETSI GS NFV 002 (v1.1.1) Oct. 2013) - -.. [13] - AT&T, for instance, has announced that it seeks to virtualize and - control 75% of its network functionality by 2020 and that 50% of - AT&T’s software be coming from open source. For AT&T, VNFs have - already been placed in service in the Network Cloud and enterprise - CPE whiteboxes. - -.. 
[14]
- ECOMP (Enhanced Control Orchestration, Management & Policy)
- Architecture White Paper
- (http://about.att.com/content/dam/snrdocs/ecomp.pdf)
-
-.. [15]
- ECOMP (Enhanced Control Orchestration, Management & Policy)
- Architecture White Paper
- (http://about.att.com/content/dam/snrdocs/ecomp.pdf)
-
-.. |image0| image:: VNF_Control_Loop.jpg
- :width: 6.56250in
- :height: 3.69167in
-.. |image1| image:: VNF_Lifecycle.jpg
- :width: 6.49000in
- :height: 2.23000in
-.. |image2| image:: VNF_VNFC_Relation.jpg
- :width: 4.26087in
- :height: 3.42514in
diff --git a/docs/VNF_Guides_for_Network_Cloud_and_OpenEcomp/VNF_Lifecycle.jpg b/docs/VNF_Guides_for_Network_Cloud_and_OpenEcomp/VNF_Lifecycle.jpg
deleted file mode 100644
index 45419e6..0000000
Binary files a/docs/VNF_Guides_for_Network_Cloud_and_OpenEcomp/VNF_Lifecycle.jpg and /dev/null differ
diff --git a/docs/VNF_Guides_for_Network_Cloud_and_OpenEcomp/VNF_VNFC_Relation.jpg b/docs/VNF_Guides_for_Network_Cloud_and_OpenEcomp/VNF_VNFC_Relation.jpg
deleted file mode 100644
index 0457e86..0000000
Binary files a/docs/VNF_Guides_for_Network_Cloud_and_OpenEcomp/VNF_VNFC_Relation.jpg and /dev/null differ
diff --git a/docs/VNF_Guides_for_Network_Cloud_and_OpenEcomp/index.rst b/docs/VNF_Guides_for_Network_Cloud_and_OpenEcomp/index.rst
deleted file mode 100644
index 5e37ea5..0000000
--- a/docs/VNF_Guides_for_Network_Cloud_and_OpenEcomp/index.rst
+++ /dev/null
@@ -1,7 +0,0 @@
-VNF Guides for Network Cloud and OpenEcomp
----------------------------------------------
-
-.. toctree::
- :maxdepth: 2
-
- VNF_Guidelines_for_Network_Cloud_and_OpenECOMP_2_6_2017_clean
\ No newline at end of file
diff --git a/docs/VNF_Heat_Templates_for_OpenEcomp/VNF Heat Template Requirements for OpenECOMP 2-15 NO track changes.docx b/docs/VNF_Heat_Templates_for_OpenEcomp/VNF Heat Template Requirements for OpenECOMP 2-15 NO track changes.docx
deleted file mode 100644
index 4ed205a..0000000
Binary files a/docs/VNF_Heat_Templates_for_OpenEcomp/VNF Heat Template Requirements for OpenECOMP 2-15 NO track changes.docx and /dev/null differ
diff --git a/docs/VNF_Heat_Templates_for_OpenEcomp/VNF_Heat_Template_Requirements_for_OpenECOMP_2_15_NO_track_changes.rst b/docs/VNF_Heat_Templates_for_OpenEcomp/VNF_Heat_Template_Requirements_for_OpenECOMP_2_15_NO_track_changes.rst
deleted file mode 100644
index a6147e9..0000000
--- a/docs/VNF_Heat_Templates_for_OpenEcomp/VNF_Heat_Template_Requirements_for_OpenECOMP_2_15_NO_track_changes.rst
+++ /dev/null
@@ -1,2249 +0,0 @@ -.. contents:: - :depth: 3 -.. - -| VNF -| Heat Template Requirements for -| OpenECOMP - -Revision 1.0 - -Revision Date 2/1/2017 - -**Document Revision History** - -+------------+------------+-----------------------------------------------------------------------+ -| Date | Revision | Description | -+============+============+=======================================================================+ -| 2/1/2017 | 1.0 | Initial publication of VNF Heat Template Requirements for OpenECOMP | -+------------+------------+-----------------------------------------------------------------------+ - -**Table of Contents** - -**Definitions** - -Throughout the document, these terms have the following meaning: - -**MUST** This word, or the terms "REQUIRED" or "SHALL", mean that the -definition is an absolute requirement of the specification. - -**MUST** **NOT** This phrase, or the phrase "SHALL NOT", mean that the -definition is an absolute prohibition of the specification. - -**SHOULD** This word, or the adjective "RECOMMENDED", mean that there -may exist valid reasons in particular circumstances to ignore a -particular item, but the full implications must be understood and -carefully weighed before choosing a different course. - -**SHOULD** **NOT** This phrase, or the phrase "NOT RECOMMENDED" mean -that there may exist valid reasons in particular circumstances when the -particular behavior is acceptable or even useful, but the full -implications should be understood and the case carefully weighed before -implementing any behavior described with this label. - -**MAY** This word, or the adjective "OPTIONAL", mean that an item is -truly optional. One vendor may choose to include the item because a -particular marketplace requires it or because the vendor feels that it -enhances the product while another vendor may omit the same item. 
An -implementation which does not include a particular option must be -prepared to interoperate with another implementation which does include -the option, though perhaps with reduced functionality. In the same vein -an implementation which does include a particular option must be -prepared to interoperate with another implementation which does not -include the option (except, of course, for the feature the option -provides.) - -Introduction -============ - -This reference document is the **VNF Heat Template Requirements for OpenECOMP** -and supports the first release of OpenECOMP. - -Program and Document Structure ------------------------------- - -This document is part of a hierarchy of documents that describes the -overall Requirements and Guidelines for OpenECOMP. The diagram below -identifies where this document fits in the hierarchy. - -+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| OpenECOMP Requirements and Guidelines | -+===============================================================================================================================================================================================================+ -| VNF Guidelines for Network Cloud and OpenECOMP | Future OpenECOMP Subject Documents | -+------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| VNF Cloud Readiness Requirements for OpenECOMP | VNF Management Requirements for OpenECOMP | VNF Heat Template Requirements for OpenECOMP | Future,VNF Requirements Documents | Future Requirements Documents | 
-+------------------------------------------------+-------------------------------------------+----------------------------------------------+-----------------------------------+-------------------------------+ - -Document Summary - -**VNF Guidelines for Network Cloud and OpenECOMP** - -- Describes VNF environment and overview of requirements - -*VNF Cloud Readiness Requirements for OpenECOMP* - -- Cloud readiness requirements for VNFs (Design, Resiliency, Security, - and DevOps) - -*VNF Management Requirements for OpenECOMP* - -- Requirements for how VNFs interact and utilize OpenECOMP - -**VNF Heat Template Requirements for OpenECOMP** - -- Provides recommendations and standards for building Heat templates - compatible with OpenECOMP– initial implementations of Network Cloud - are assumed to be OpenStack based. - -Intended Audience ------------------ - -This document is intended for persons developing Heat templates that -will be orchestrated by OpenECOMP. - -Scope ------ - -The first implementations of Network Cloud are assumed to be OpenStack -based and thus OpenECOMP will be supporting Heat Orchestration -Templates, also referred to as Heat templates or Heat in this document. - -OpenECOMP requires the Heat Templates to follow a specific format. This -document provides the mandatory, recommended, and optional requirements -associated with this format. - -In addition, the OpenStack version deployed in the Network Cloud may -impose additional constraints on the Heat. These constraints are not -covered in this document. - -VNF Modularity Overview ------------------------ - -OpenECOMP supports a modular Heat design pattern, referred to as *VNF -Modularity.* With this approach, a single VNF may be composed from one -or more Heat templates, each of which represents some subset of the -overall VNF. These component parts are referred to as “\ *VNF -Modules*\ ”. During orchestration, these modules may be deployed -incrementally to build up the complete VNF. 
- -A Heat template can be either one of the following types of modules: - -1. Base Module - -2. Incremental Modules - -3. Independent Cinder Volume Modules - -The OpenECOMP Heat template naming convention must be followed (Section -2.1). The naming convention identifies the module type. - -A VNF must be composed of one “base” VNF module (also called a base -module) and zero to many “incremental” or “add on” VNF modules. The base -module must be deployed first, prior to the add-on modules. - -A module can be thought of as equivalent to a Heat template, where a -Heat template is composed of a YAML file and an environment file (also -referred to as an ENV file). A given YAML file must have a corresponding -environment file; OpenECOMP requires it. - -A Heat template is used to create or deploy a Heat stack. Therefore, a -module is also equivalent to a Heat Stack. - -OpenECOMP supports the concept of an optional, independent deployment of -a Cinder volume via separate Heat templates. This allows the volume to -persist after VNF deletion so that the volume can be reused on another -instance (e.g. during a failover activity). - -The scope of a volume module, when it exists, must be 1:1 with the VNF -Module (base or add-on). A single volume module must create only the -volumes needed by a single VNF module (base or add-on). - -These concepts will be described in more detail throughout the document. -This overview is provided to set the stage and help clarify the concepts -that will be introduced. - -General Guidelines -================== - -The Heat templates supported by OpenECOMP must follow the requirements -enumerated in this section. - -Filenames ---------- - -In order to enable OpenECOMP to understand the relationship between Heat -files, the following Heat file naming convention must be followed. - -- The file name for the base module Heat template must include “base” - in the filename. 
- - - Examples: *base\_xyz.yml* or *base\_xyz.yaml*; *xyz\_base.yml* or - *xyz\_base.yaml* - -- There is no explicit naming convention for the add-on modules. - - - Examples: *module1.yml* or *module1.yaml* - -- All Cinder volume templates must be named the same as the - corresponding Heat template with “\_volume” appended to the file - name. - - - Examples: *base\_xyz\_volume.yml* or *base\_xyz\_volume.yaml*; - *xyz\_base\_volume.yml* or *xyz\_base\_volume.yaml*; - *module1\_volume.yml* or *module1\_volume.yaml* (referencing the - above base module Heat template name) - -- The file name of the environment files must fully match the - corresponding Heat template filename and have *.env* or *.ENV* - extension. - - - Examples: *base\_xyz.env* or *base\_xyz.ENV*; *xyz\_base.env* or - *xyz\_base.ENV*; *base\_xyz\_volume.env* or - *base\_xyz\_volume.ENV*; *module1.env* or *module1.ENV; - module1\_volume.env* or *module1\_volume.ENV* (referencing the - above base module Heat template name) - -- A YAML file must have a corresponding ENV file, even if the ENV file - enumerates no parameters. It is an OpenECOMP requirement. - -Valid YAML Format ------------------ - -A Heat template (a YAML file and its corresponding environment file) -must be formatted in valid YAML. For a description of YAML, refer to the -following OpenStack wiki: -https://wiki.openstack.org/wiki/Heat/YAMLTemplates - -A Heat template must follow a specific format. The OpenStack Heat -Orchestration Template (HOT) specification explains in detail all -elements of the HOT template format. -http://docs.openstack.org/developer/heat/template_guide/hot_spec.html - -Parameter Categories & Specification ------------------------------------- - -Parameter Categories -~~~~~~~~~~~~~~~~~~~~ - -OpenECOMP requires the Heat template parameters to follow certain -requirements in order for it to be orchestrated or deployed. OpenECOMP -classifies parameters into eight broad categories. 
- -- **OpenECOMP Metadata**: OpenECOMP mandatory and optional metadata - parameters in the resource *OS::Nova::Server*. - - - OpenECOMP dictates the naming convention of these Metadata - parameters and must be adhered to (See Section 4.4). - - - Metadata parameters must not be enumerated in the environment - file. - - - The OpenECOMP Metadata are generated and/or assigned by OpenECOMP - and supplied to the Heat by OpenECOMP at orchestration time. - -- **OpenECOMP Orchestration Parameters**: The data associated with - these parameters are VNF instance specific. - - - OpenECOMP enforces the naming convention of these parameters and - must be adhered to (See Section 4). - - - These parameters must not be enumerated in the environment file. - - - The OpenECOMP Orchestration Parameters are generated and/or - assigned by OpenECOMP and supplied to the Heat by OpenECOMP at - orchestration time. - -- **VNF Orchestration Parameters**: The data associated with these - parameters are VNF instance specific. - - - While OpenECOMP does not enforce a naming convention, the - parameter names should include {vm-type} and {network-role} when - appropriate. (See Section 4) - - - These parameters must not be enumerated in the environment file. - - - The VNF Orchestration Parameters Heat are generated and/or - assigned by OpenECOMP and supplied to the Heat by OpenECOMP at - orchestration time. - -- **OpenECOMP Orchestration Constants**: The data associated with these - parameters must be constant across all VNF instances. - - - OpenECOMP enforces the naming convention of these parameters and - must be adhered to (See Section 4). - - - These parameters must be enumerated in the environment file. - -- **VNF Orchestration Constants**: The data associated with these - parameters must be constant across all VNF instances. - - - While OpenECOMP does not enforce a naming convention, the - parameter names should include {vm-type} and {network-role} when - appropriate. 
(See Section 4) - - - These parameters must be enumerated in the environment file. - -- **OpenECOMP Base Template Output Parameters** (also referred to as - Base Template Output Parameters): The output section of the base - template allows for specifying output parameters available to add-on - modules once the base template has been instantiated. The parameter - defined in the output section of the base must be identical to the - parameter defined in the add-on module(s) where the parameter is - used. - -- **OpenECOMP Volume Template Output Parameters** (also referred to as - Volume Template Output Parameters): The output section of the volume - template allows for specifying output parameters available to the - corresponding Heat template (base or add-on) once the volume template - has been instantiated. The parameter defined in the output section of - the volume must be identical to the parameter defined in the base or - add-on module. - -- **OpenECOMP Predefined Output Parameters** (also referred to as - Predefined Output Parameters): OpenECOMP will look for a small set of - pre-defined Heat output parameters to capture resource attributes for - inventory in OpenECOMP. These parameters are specified in Section - 4.6. - -The table below summarizes the Parameter Types. If the user is -orchestrating a manual spin up of Heat (e.g. OpenStack command line), -the parameter values that OpenECOMP supplies must be enumerated in the -environment file. However, when the Heat is to be loaded into OpenECOMP -for orchestration, the parameters that OpenECOMP supplies must be -deleted or marked with a comment (i.e., a “#” placed at the beginning of -a line). 
- -+-----------------------------------------------+---------------------+---------------------------------------------------------------------------------+ -| Parameter Type | Naming Convention | Parameter Value Source | -+===============================================+=====================+=================================================================================+ -| OpenECOMP Metadata | Explicit | OpenECOMP | -+-----------------------------------------------+---------------------+---------------------------------------------------------------------------------+ -| OpenECOMP Orchestration Parameters | Explicit | OpenECOMP | -+-----------------------------------------------+---------------------+---------------------------------------------------------------------------------+ -| VNF Orchestration Parameters | Recommended | OpenECOMP | -+-----------------------------------------------+---------------------+---------------------------------------------------------------------------------+ -| OpenECOMP Orchestration Constants | Explicit | Environment File | -+-----------------------------------------------+---------------------+---------------------------------------------------------------------------------+ -| VNF Orchestration Constants | Recommended | Environment File | -+-----------------------------------------------+---------------------+---------------------------------------------------------------------------------+ -| OpenECOMP Base Template Output Parameters | Recommended | Heat Output Statement for base, OpenECOMP supplied to add-on modules | -+-----------------------------------------------+---------------------+---------------------------------------------------------------------------------+ -| OpenECOMP Volume Template Output Parameters | Recommended | Heat Output Statement for volume, OpeneECOMP supplies to corresponding module | 
-+-----------------------------------------------+---------------------+---------------------------------------------------------------------------------+ -| OpenECOMP Predefined Output Parameters | Explicit | Heat Output Statement | -+-----------------------------------------------+---------------------+---------------------------------------------------------------------------------+ - -Table 1 Parameter Types - -Parameter Specifications -~~~~~~~~~~~~~~~~~~~~~~~~ - -OpenECOMP METADATA Parameters -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -OpenECOMP defines four “metadata” parameters: vnf\_id, vf\_module\_id, -vnf\_name, vf\_module\_name. These parameters must not define any -constraints in the Heat template, including length restrictions, ranges, -default value and/or allowed patterns. - -OpenECOMP Base Template & Volume Template Output Parameters -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -The base template and volume template output parameters are defined as -input parameters in subsequent modules. When defined as input -parameters, these parameters must not define any constraints in the Heat -template, including length restrictions, ranges, default value and/or -allowed patterns. The parameter name defined in the output statement of -the Heat must be identical to the parameter name defined in the Heat -that is to receive the value. - -OpenECOMP Predefined Output Parameters -^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -These parameters must not define any constraints in the Heat template, -including length restrictions, ranges, default value and/or allowed -patterns. 
-
-OpenECOMP Orchestration Parameters, VNF Orchestration Parameters, OpenECOMP Orchestration Constants, VNF Orchestration Constants
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-OpenECOMP Orchestration Parameters, VNF Orchestration Parameters,
-OpenECOMP Orchestration Constants, VNF Orchestration Constants must
-adhere to the following:
-
-- All parameters should be clearly documented in the template,
- including expected values.
-
-- All parameters should be clearly specified, including constraints and
- description.
-
-- Numeric parameter constraints should include range and/or allowed
- values.
-
-- When the parameter type is a string and the parameter name contains
- an index, the index must be zero based. That is, the index starts at
- zero.
-
-- When the parameter type is a Comma Delimited List (CDL), the
- reference index must start at zero.
-
-- Default values must only be supplied in a Heat environment file to
- keep the template itself as clean as possible.
-
-- Special characters must not be used in parameter names, as currently
- only alphanumeric characters and “\_” underscores are allowed.
-
-Use of Heat Environments
-------------------------
-
-A YAML file must have a corresponding environment file (also referred to
-as ENV file), even if the environment file defines no parameters. It is
-an OpenECOMP requirement.
-
-The environment file must contain parameter values for the OpenECOMP
-Orchestration Constants and VNF Orchestration Constants. These
-parameters are identical across all instances of a VNF type, and
-expected to change infrequently. The OpenECOMP Orchestration Constants
-are associated with OS::Nova::Server image and flavor properties (See
-Section 4.3). Examples of VNF Orchestration Constants are the networking
-parameters associated with an internal network (e.g. private IP ranges)
-and Cinder volume sizes.
- -The environment file must not contain parameter values for parameters -that are instance specific (OpenECOMP Orchestration Parameters, VNF -Orchestration Parameters). These parameters are supplied to the Heat by -OpenECOMP at orchestration time. The parameters are generated and/or -assigned by OpenECOMP at orchestration time - -Independent Volume Templates ----------------------------- - -OpenECOMP supports independent deployment of a Cinder volume via -separate Heat templates. This allows the volume to persist after VNF -deletion so that they can be reused on another instance (e.g. during a -failover activity). - -A VNF Incremental Module or Base Module may have an independent volume -module. Use of separate volume modules is optional. A Cinder volume may -be embedded within the Incremental or Base Module if persistence is not -required. - -If a VNF Incremental Module or Base Module has an independent volume -module, the scope of volume templates must be 1:1 with Incremental -module or Base module. A single volume module must create only the -volumes required by a single Incremental module or Base module. - -The following rules apply to independent volume Heat templates: - -- Cinder volumes must be created in a separate Heat template from the - Incremental and Base Modules. - - - A single volume module must include all Cinder volumes needed by - the Incremental/Base module. - - - The volume template must define “outputs” for each Cinder volume - resource universally unique identifier (UUID) (i.e. OpenECOMP - Volume Template Output Parameters). - -- The VNF Incremental Module or Base Module must define input - parameters that match each Volume output parameter (i.e., OpenECOMP - Volume Template Output Parameters). - - - OpenECOMP will supply the volume template outputs automatically to - the bases/incremental template input parameters. - -- Volume modules may utilize nested Heat templates. 
- -**Example (volume template):** - - In this example, the {vm-type} has been left as a variable. - {vm-type} is described in section 4.1. If the VM was a load - balancer, the {vm-type} could be defined as “lb” - -.. code-block:: python - - parameters: - vm-typevnf\_name: - type: string - {vm-type}\_volume\_size\_0: - type: number - ... - - resources: - {vm-type}\_volume\_0: - type: OS::Cinder::Volume - properties: - name: - str\_replace: - template: VNF\_NAME\_volume\_0 - params: - VNF\_NAME: { get\_param: vnf\_name } - size: {get\_param: {vm-type}\_volume\_size\_0} - ... - -*(+ additional volume definitions)* - -.. code-block:: python - - outputs: - {vm-type}\_volume\_id\_0: - value: {get\_resource: {vm-type}\_volume\_0} - ... - -*(+ additional volume outputs)* - -*Example (VNF module template):* - -.. code-block:: python - - parameters: - {vm-type}\_name\_0: - type: string - {vm-type}\_volume\_id\_0: - type: string - ... - - resources: - {vm-type}\_0: - type: OS::Nova::Server - properties: - name: {get\_param: {vm-type}\_name\_0} - networks: - ... - - {vm-type}\_0\_volume\_attach: - type: OS::Cinder::VolumeAttachment - properties: - instance\_uuid: { get\_resource: {vm-type}\_0 } - volume\_id: { get\_param: {vm-type}\_volume\_id\_0 } - -Nested Heat Templates ---------------------- - -OpenECOMP supports nested Heat templates per the OpenStack -specifications. Nested templates may be suitable for larger VNFs that -contain many repeated instances of the same VM type(s). A common usage -pattern is to create a nested template for each VM type along with its -supporting resources. The master VNF template (or VNF Module template) -may then reference these component templates either statically (by -repeated definition) or dynamically (via *OS::Heat::ResourceGroup*). - -Nested template support in OpenECOMP is subject to the following -limitations: - -- Heat templates for OpenECOMP must only have one level of nesting. - OpenECOMP only supports one level of nesting. 
- -- Nested templates must be referenced by file name in the master - template - - - i.e. use of *resource\_registry* in the .env file is *not* - currently supported - -- Nested templates must have unique file names within the scope of the - VNF - -- OpenECOMP does not support a directory hierarchy for nested - templates. All templates must be in a single, flat directory (per - VNF) - -- A nested template may be shared by all Modules (i.e., Heat templates) - within a given VNF - -Networking -=========== - -External Networks ------------------ - -VNF templates must not include any resources for external networks -connected to the VNF. In this context, “external” is in relation to the -VNF itself (not with regard to the Network Cloud site). External -networks may also be referred to as “inter-VNF” networks. - -- External networks must be orchestrated separately, so they can be - shared by multiple VNFs and managed independently. When the external - network is created, it must be assigned a unique {network-role} (See - section 4.2). - -- External networks must be passed into the VNF template as parameters, - including the network-id (i.e. the neutron network UUID) and optional - subnet ID. - -- VNF templates must pass the appropriate external network IDs into - nested VM templates when nested Heat is used. - -- VNFs may use DHCP assigned IP addresses or assign fixed IPs when - attaching VMs to an external network. - -- OpenECOMP enforces a naming convention for parameters associated with - external networks. - -- Parameter values associated with an external network will be - generated and/or assigned by OpenECOMP at orchestration time. - -- Parameter values associated with an external network must not be - enumerated in the environment file. - -Internal Networks ------------------ - -Orchestration activities related to internal networks must be included -in VNF templates. 
In this context, “internal” is in relation to the VNF -itself (not in relation to the Network Cloud site). Internal networks -may also be referred to as “intra-VNF” networks or “private” networks. - -- Internal networks must not attach to any external gateways and/or - routers. Internal networks are for intra-VM communication only. - -- In the modular approach, internal networks must be created in the - Base Module template, with their resource IDs exposed as outputs - (i.e., OpenECOMP Base Template Output Parameters) for use by all - add-on module templates. When the external network is created, it - must be assigned a unique {network-role} (See section 4.2). - -- VNFs may use DHCP assigned IP addresses or assign fixed IPs when - attaching VMs to an internal network. - -- OpenECOMP does not enforce a naming convention for parameters for - internal network, however, a naming convention is provided that - should be followed. - -- Parameter values associated with an internal network must either be - passed as output parameter from the base template (i.e., OpenECOMP - Base Template Output Parameters) into the add-on modules or be - enumerated in the environment file. - -IP Address Assignment ---------------------- - -- VMs connect to external networks using either fixed (e.g. statically - assigned) IP addresses or DHCP assigned IP addresses. - -- VMs connect to internal networks using either fixed (e.g. statically - assigned) IP addresses or DHCP assigned IP addresses. - -- Neutron Floating IPs must not be used. OpenECOMP does not support - Neutron Floating IPs. - -- OpenECOMP supports the OS::Neutron::Port property - “allowed\_address\_pairs.” See Section 4.4.3. 
- -Parameter Naming Convention -=========================== - -{vm-type} ---------- - -A common *{vm-type}* identifier must be used throughout the Heat -template in naming parameters, for each VM type in the VNF with the -following exceptions: - -- The four OpenECOMP Metadata parameters must not be prefixed with a - common {vm-type} identifier. They are *vnf\_name*, *vnf\_id*, - *vf\_module\_id*, *vf\_module\_name*. - -- Parameters only referring to a network or subnetwork must not be - prefixed with a common {vm-type} identifier. - -- The parameter referring to the OS::Nova::Server property - availability\_zone must not be prefixed with a common {vm-type} - identifier. - -- {vm-type} must be unique to the VNF. It does not have to be globally - unique across all VNFs that OpenECOMP supports. - -{network-role} --------------- - -VNF templates must not include any resources for external networks -connected to the VNF. In this context, “external” is in relation to the -VNF itself (not with regard to the Network Cloud site). External -networks may also be referred to as “inter-VNF” networks. - -External networks must be orchestrated separately, so they can be shared -by multiple VNFs and managed independently. When the external network is -created, it must be assigned a unique {network-role}. - -“External” networks must be passed into the VNF template as parameters. -Examples include the network-id (i.e. the neutron network UUID) and -optional subnet ID. See section 4.4.3. - -Any parameter that is associated with an external network must include -the {network-role} as part of the parameter name. - -Internal network parameters must also define a {network-role}. Any -parameter that is associated with an internal network must include -int\_{network-role} as part of the parameter name. 
- -Resource: OS::Nova::Server - Parameters ---------------------------------------- - -The following OS::Nova::Server Resource Property Parameter Names must -follow the OpenECOMP parameter Naming Convention. All the parameters -associated with OS::Nova::Server are classified as OpenECOMP -Orchestration Parameters. - -+----------------------+-----------------------------------------+------------------+ -| OS::Nova::Server | -+======================+=========================================+==================+ -| Property | OpenECOMP Parameter Naming Convention | Parameter Type | -+----------------------+-----------------------------------------+------------------+ -| image | {*vm-type*}\_image\_name | string | -+----------------------+-----------------------------------------+------------------+ -| flavor | {*vm-type*}\_flavor\_name | string | -+----------------------+-----------------------------------------+------------------+ -| name | {*vm-type*}\_name\_{*index*} | string | -+----------------------+-----------------------------------------+------------------+ -| | {vm-type}\_names | CDL | -+----------------------+-----------------------------------------+------------------+ -| availability\_zone | availability\_zone\_{index} | string | -+----------------------+-----------------------------------------+------------------+ - -Table 2 Resource Property Parameter Names - -Property: image -~~~~~~~~~~~~~~~ - -Image is an OpenECOMP Orchestration Constant parameter. The image must -be referenced by the Network Cloud Service Provider (NCSP) image name, -with the parameter enumerated in the Heat environment file. - -The parameters must be named *“{vm-type}\_image\_name”* in the VNF. - -Each VM type (e.g., {vm-type}) should have a separate parameter for -images, even if several share the same image. This provides maximum -clarity and flexibility. - -Property: flavor -~~~~~~~~~~~~~~~~ - -Flavor is an OpenECOMP Orchestration Constant parameter. 
The flavors -must be referenced by the Network Cloud Service Provider (NCSP) flavor -name, with the parameter enumerated in the Heat environment file. - -The parameters must be named *“{vm-type}\_flavor\_name”* for each -*{vm-type}* in the VNF. - -Each VM type should have separate parameters for flavors, even if more -than one VM shares the same flavor. This provides maximum clarity and -flexibility. - -Property: Name -~~~~~~~~~~~~~~ - -Name is an OpenEOMP Orchestration parameter; the value is provided to -the Heat template by OpenECOMP. - -VM names (hostnames) for assignment to VM instances must be passed to -Heat templates either as - -- an array (comma delimited list) for each VM type - -- a set of fixed-index parameters for each VM type instance. - -Each element in the VM Name list should be assigned to successive -instances of that VM type. - -The parameter names must reflect the VM Type (i.e., include the -{vm-type} in the parameter name.) The parameter name format must be one -of the following: - -- If the parameter type is a comma delimited list: {**vm-type**}\_names - -- If the parameter type is a string with a fixed index: - {**vm-type**}\_name\_{**index**} - -If a VNF contains more than three instances of a given {vm-type}, the -CDL form of the parameter name (i.e., *{vm-type}*\ \_names} should be -used to minimize the number of unique parameters defined in the Heat. - -*Examples:* - -.. code-block:: python - - parameters: - {vm-type}\_names: - type: comma\_delimited\_list - description: VM Names for {vm-type} VMs - {vm-type}\_name\_{index}: - type: string - description: VM Name for {vm-type} VM {index} - -*Example (CDL):* - -In this example, the {vm-type} has been defined as “lb” for load -balancer. - -.. code-block:: python - - parameters: - lb\_names: - type: comma\_delimited\_list - description: VM Names for lb VMs - resources: - lb\_0: - type: OS::Nova::Server - properties: - name: { get\_param: [lb\_names, 0] } - ... 
- - lb\_1: - type: OS::Nova::Server - properties: - name: { get\_param: [lb\_names, 1] } - ... - -**Example (fixed-index):** - -In this example, the {vm-type} has been defined as “lb” for load -balancer. - -.. code-block:: python - - parameters: - lb\_name\_0: - type: string - description: VM Name for lb VM 0 - lb\_name\_1: - type: string - description: VM Name for lb VM 1 - - resources: - lb\_0: - type: OS::Nova::Server - properties: - name: { get\_param: lb\_name\_0 } - ... - - lb\_1: - type: OS::Nova::Server - properties: - name: { get\_param: lb\_name\_1 } - ... - -Property: availability\_zone -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Availability\_zone is an OpenECOMP Orchestration parameter; the value is -provided to the Heat template by OpenECOMP. - -Availability zones must be passed as individual numbered parameters (not -as arrays) so that VNFs with multi-availability zone requirements can -clearly specify that in its parameter definitions. - -The availability zone parameter must be defined as -“availability\_zone\_{index}”, with the {index} starting at zero. - -*Example:* - -In this example, the {vm-type} has been defined as “lb” for load -balancer. - -.. code-block:: python - - parameters: - lb\_names: - type: comma\_delimited\_list - description: VM Names for lb VMs - availability\_zone\_0: - type: string - description: First availability zone ID or Name - - resources: - lb\_0: - type: OS::Nova::Server - properties: - name: { get\_param: [lb\_names, 0] } - availability\_zone: { get\_param: availability\_zone\_0 } - ... - -Resource: OS::Nova::Server - Metadata -------------------------------------- - -This section describes the OpenECOMP Metadata parameters. 
- -OpenECOMP Heat templates must include the following three parameters -that are used as metadata under the resource OS::Nova:Server: vnf\_id, -vf\_module\_id, vnf\_name - -OpenECOMP Heat templates may include the following parameter that is -used as metadata under the resource OS::Nova:Server: vf\_module\_name. - -These parameters are all classified as OpenECOMP Metadata. - -+---------------------------+------------------+----------------------+ -| Metadata Parameter Name | Parameter Type | Mandatory/Optional | -+===========================+==================+======================+ -| vnf\_id | string | mandatory | -+---------------------------+------------------+----------------------+ -| vf\_module\_id | string | mandatory | -+---------------------------+------------------+----------------------+ -| vnf\_name | string | mandatory | -+---------------------------+------------------+----------------------+ -| vf\_module\_name | string | optional | -+---------------------------+------------------+----------------------+ - - Table 3 OpenECOMP Metadata - -Required Metadata Elements -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The vnf\_id, vf\_module\_id, and vnf\_name metadata elements are -required (must) for *OS::Nova::Server* resources. The metadata -parameters will be used by OpenECOMP to associate the servers with the -VNF instance. - -- vnf\_id - - - *“vnf\_id”* parameter value will be supplied by OpenECOMP. - OpenECOMP generates the UUID that is the vnf\_id and supplies it - to the Heat at orchestration time. - -- vf\_module\_id - - - “\ *vf\_module\_id”* parameter value will be supplied by - OpenECOMP. OpenECOMP generates the UUID that is the vf\_module\_id - and supplies it to the Heat at orchestration time. - -- vnf\_name - - - “\ *vnf\_name”* parameter value will be generated and/or assigned - by OpenECOMP and supplied to the Heat by OpenECOMP at - orchestration time. 
- -Optional Metadata Elements -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The following metadata element is optional for *OS::Nova::Server* -resources: - -- *vf\_module\_name* - - - The vf\_module\_name is the name of the name of the Heat stack - (e.g., ) in the command “Heat stack-create” (e.g. - Heat stack-create [-f ] [-e ] ). The - needs to be specified as part of the orchestration - process. - - - *“vf\_module\_name”* parameter value, when used, will be supplied - by OpenECOMP to the Heat at orchestration time. The parameter will - be generated and/or assigned by OpenECOMP and supplied to the Heat - by OpenECOMP at orchestration time. - -*Example* - -In this example, the {vm-type} has been defined as “lb” for load -balancer. - -.. code-block:: python - - parameters: - vnf\_name: - type: string - description: Unique name for this VNF instance - vnf\_id: - type: string - description: Unique ID for this VNF instance - vf\_module\_name: - type: string - description: Unique name for this VNF Module instance - vf\_module\_id: - type: string - description: Unique ID for this VNF Module instance - - resources: - lb\_server\_group: - type: OS::Nova::ServerGroup - properties: - name: - str\_replace: - template: VNF\_NAME\_lb\_ServerGroup - params: - VNF\_NAME: { get\_param: VNF\_name } - policies: [ ‘anti-affinity’ ] - - lb\_vm\_0: - type: OS::Nova::Server - properties: - name: { get\_param: lb\_name\_0 } - scheduler\_hints: - group: { get\_resource: lb\_server\_group } - metadata: - vnf\_name: { get\_param: vnf\_name } - vnf\_id: { get\_param: vnf\_id } - vf\_module\_name: { get\_param: vf\_module\_name } - vf\_module\_id: { get\_param: vf\_module\_id } - ... - -Resource: OS::Neutron::Port - Parameters ----------------------------------------- - -The following four OS::Neutron::Port Resource Property Parameters must -adhere to the OpenECOMP parameter naming convention. 
- -- network - -- subnet - -- fixed\_ips - -- allowed\_address\_pairs - -These four parameters reference a network, which maybe an external -network or an internal network. Thus the parameter will include -{network-role} in its name. - -When the parameter references an external network, the parameter is an -OpenECOMP Orchestration Parameter. The parameter value must be supplied -by OpenECOMP. The parameters must adhere to the OpenECOMP parameter -naming convention. - -+---------------------------+-----------------------------------------------+------------------+ -| OS::Neutron::Port | -+===========================+===============================================+==================+ -| Property | Parameter Name for External Networks | Parameter Type | -+---------------------------+-----------------------------------------------+------------------+ -| Network | {network-role}\_net\_id | string | -+---------------------------+-----------------------------------------------+------------------+ -| | {network-role}\_net\_name | string | -+---------------------------+-----------------------------------------------+------------------+ -| Subnet | {network-role}\_subnet\_id | string | -+---------------------------+-----------------------------------------------+------------------+ -| | {network-role}\_v6\_subnet\_id | string | -+---------------------------+-----------------------------------------------+------------------+ -| fixed\_ips | {vm-type}\_{network-role}\_ip\_{index} | string | -+---------------------------+-----------------------------------------------+------------------+ -| | {vm-type}\_{network-role}\_ips | CDL | -+---------------------------+-----------------------------------------------+------------------+ -| | {vm-type}\_{network-role}\_v6\_ip\_{index} | string | -+---------------------------+-----------------------------------------------+------------------+ -| | {vm-type}\_{network-role}\_v6\_ips | CDL | 
-+---------------------------+-----------------------------------------------+------------------+ -| allowed\_address\_pairs | {vm-type}\_{network-role}\_floating\_ip | string | -+---------------------------+-----------------------------------------------+------------------+ -| | {vm-type}\_{network-role}\_floating\_v6\_ip | string | -+---------------------------+-----------------------------------------------+------------------+ -| | {vm-type}\_{network-role}\_ip\_{index} | string | -+---------------------------+-----------------------------------------------+------------------+ -| | {vm-type}\_{network-role}\_ips | CDL | -+---------------------------+-----------------------------------------------+------------------+ -| | {vm-type}\_{network-role}\_v6\_ip\_{index} | string | -+---------------------------+-----------------------------------------------+------------------+ -| | {vm-type}\_{network-role}\_v6\_ips | CDL | -+---------------------------+-----------------------------------------------+------------------+ - -Table 4 Port Resource Property Parameters (External Networks) - -When the parameter references an internal network, the parameter is a -VNF Orchestration Parameters. The parameter value(s) must be supplied -either via an output statement(s) in the base module (i.e., OpenECOMP -Base Template Output Parameters) or be enumerated in the environment -file. The parameters must adhere to the following parameter naming -convention. 
- -+---------------------------+----------------------------------------------------+------------------+ -| OS::Neutron::Port | -+===========================+====================================================+==================+ -| Property | Parameter Name for Internal Networks | Parameter Type | -+---------------------------+----------------------------------------------------+------------------+ -| Network | int\_{network-role}\_net\_id | string | -+---------------------------+----------------------------------------------------+------------------+ -| | int\_{network-role}\_net\_name | string | -+---------------------------+----------------------------------------------------+------------------+ -| Subnet | int\_{network-role}\_subnet\_id | string | -+---------------------------+----------------------------------------------------+------------------+ -| | Int\_{network-role}\_v6\_subnet\_id | string | -+---------------------------+----------------------------------------------------+------------------+ -| fixed\_ips | {vm-type}\_int\_{network-role}\_ip\_{index} | string | -+---------------------------+----------------------------------------------------+------------------+ -| | {vm-type}\_int\_{network-role}\_ips | CDL | -+---------------------------+----------------------------------------------------+------------------+ -| | {vm-type}\_int\_{network-role}\_v6\_ip\_{index} | string | -+---------------------------+----------------------------------------------------+------------------+ -| | {vm-type}\_int\_{network-role}\_v6\_ips | CDL | -+---------------------------+----------------------------------------------------+------------------+ -| allowed\_address\_pairs | {vm-type}\_int\_{network-role}\_floating\_ip | string | -+---------------------------+----------------------------------------------------+------------------+ -| | {vm-type}\_int\_{network-role}\_floating\_v6\_ip | string | 
-+---------------------------+----------------------------------------------------+------------------+ -| | {vm-type}\_int\_{network-role}\_ip\_{index} | string | -+---------------------------+----------------------------------------------------+------------------+ -| | {vm-type}\_int\_{network-role}\_ips | CDL | -+---------------------------+----------------------------------------------------+------------------+ -| | {vm-type}\_int\_{network-role}\_v6\_ip\_{index} | string | -+---------------------------+----------------------------------------------------+------------------+ -| | {vm-type}\_int\_{network-role}\_v6\_ips | CDL | -+---------------------------+----------------------------------------------------+------------------+ - -Table 5 Port Resource Property Parameters (Internal Networks) - -Property: network & subnet -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The property “networks” in the resource OS::Neutron::Port must be -referenced by Neutron Network ID, a UUID value, or by the network name -defined in OpenStack. - -When the parameter is referencing an “external” network, the parameter -must adhere to the following naming convention - -- *“{*\ network-role}\_net\_id”, for the Neutron network ID - -- “{network-role}\_net\_name”, for the network name in OpenStack - -When the parameter is referencing an “internal” network, the parameter -must adhere to the following naming convention. - -- “\ *int\_{network-role}\_net\_id*\ ”, for the Neutron network ID - -- “\ *int\_{network-role}\_net\_name*\ ”, for the network name in - OpenStack - -The property “subnet\_id” must be used if a DHCP IP address assignment -is being requested and the DHCP IP address assignment is targeted at a -specific subnet. 
- -The property “subnet\_id” should not be used if all IP assignments are -fixed, or if the DHCP assignment does not target a specific subnet - -When the parameter is referencing an “external” network subnet, the -“subnet\_id” parameter must adhere to the following naming convention. - -- “\ *{network-role}\_subnet\_id*\ ” if the subnet is an IPv4 subnet - -- “\ *{network-role}\_v6\_subnet\_id”* if the subnet is an IPv6 subnet - -When the parameter is referencing an “internal” network subnet, the -“subnet\_id” parameter must adhere to the following naming convention. - -- “\ *int\_{network-role}\_subnet\_id*\ ” if the subnet is an IPv4 - subnet - -- “\ *int\_{network-role}\_v6\_subnet\_id*\ ” if the subnet is an IPv6 - subnet - -*Example:* - -.. code-block:: python - - parameters: - {network-role}\_net\_id: - type: string - description: Neutron UUID for the {network-role} network - {network-role}\_net\_name: - type: string - description: Neutron name for the {network-role} network - {network-role}\_subnet\_id: - type: string - description: Neutron subnet UUID for the {network-role} network - {network-role}\_v6\_subnet\_id: - type: string - description: Neutron subnet UUID for the {network-role} network - -*Example:* - -In this example, the {network-role} has been defined as “oam” to -represent an oam network and the {vm-type} has been defined as “lb” for -load balancer. - -.. code-block:: python - - parameters: - oam\_net\_id: - type: string - description: Neutron UUID for the oam network - - resources: - lb\_port\_1: - type: OS::Neutron::Port - network: { get\_param: oam\_net\_id } - -Property: fixed\_ips -~~~~~~~~~~~~~~~~~~~~ - -The property “fixed\_ips” in the resource OS::Neutron::Port must be used -when statically assigning IP addresses. - -An IP address is assigned to a port on a type of VM (i.e., {vm-type}) -that is connected to a type of network (i.e., {network-role}). These two -tags are components of the parameter name. 
- -When the “fixed\_ips” parameter is referencing an “external” network, -the parameter must adhere to the naming convention below. The parameter -may be a comma delimited list or a string. - -There must be a different parameter name for IPv4 IP addresses and IPv6 -addresses - -- **Comma-delimited list:** Each element in the IP list should be - assigned to successive instances of that VM type on that network. - - - *Format for IPv4 addresses:* {vm-type}\_{network-role}\_ips - - - *Format for IPv6 addresses:* {vm-type}\_{network-role}\_v6\_ips - -- **A set of fixed-index parameters:** In this case, the parameter - should have “\ *type: string*\ ” and must be repeated for every IP - expected for each {vm-type} + {network-role} pair. - - - *Format for IPv4 addresses:* - {vm-type}\_{network-role}\_ip\_{index} - - - *Format for IPv6 addresses:* - {vm-type}\_{network-role}\_v6\_ip\_{index} - -When the “fixed\_ips” parameter is referencing an “internal” network, -the parameter must adhere to the naming convention below. The parameter -may be a comma delimited list or a string. - -There must be a different parameter name for IPv4 IP addresses and IPv6 -addresses - -- **Comma-delimited list:** Each element in the IP list should be - assigned to successive instances of that VM type on that network. - - - *Format for IPv4 addresses:* {vm-type}\_int\_{network-role}\_ips - - - *Format for IPv6 addresses:* - {vm-type}\_int\_{network-role}\_v6\_ips - -- **A set of fixed-index parameters:** In this case, the parameter - should have “\ *type: string*\ ” and must be repeated for every IP - expected for each {vm-type} and {network-role}pair. 
- - - *Format for IPv4 addresses:* - {vm-type}\_int\_{network-role}\_ip\_{index} - - - *Format for IPv6 addresses:* - {vm-type}\_int\_{network-role}\_v6\_ip\_{index} - -If a VNF contains more than three IP addresses for a given {vm-type} and -{network-role} combination, the CDL form of the parameter name should be -used to minimize the number of unique parameters defined in the Heat. - -*Example (external network)* - -.. code-block:: python - - parameters: - {vm-type}\_{network-role}\_ips: - type: comma\_delimited\_list - description: Fixed IPv4 assignments for {vm-type} VMs on the - {network-role} network - {vm-type}\_{network-role}\_v6\_ips: - type: comma\_delimited\_list - description: Fixed IPv6 assignments for {vm-type} VMs on the - {network-role} network - {vm-type}\_{network-role}\_ip\_{index}: - type: string - description: Fixed IPv4 assignment for {vm-type} VM {index} on the - {network-role} network - {vm-type}\_{network-role}\_v6\_ip\_{index}: - type: string - description: Fixed IPv6 assignment for {vm-type} VM {index} on the - {network-role} network - -*Example (CDL parameter for IPv4 Address Assignments to an external -network):* - -In this example, the {network-role} has been defined as “oam” to -represent an oam network and the {vm-type} has been defined as “db” for -database. - -.. 
code-block:: python - - parameters: - oam\_net\_id: - type: string - description: Neutron UUID for a oam network - db\_oam\_ips: - type: comma\_delimited\_list - description: Fixed IP assignments for db VMs on the oam network - - resources: - db\_0\_port\_1: - type: OS::Neutron::Port - network: { get\_param: oam\_net\_id } - fixed\_ips: [ { “ip\_address”: {get\_param: [ db\_oam\_ips, 0] - }}] - db\_1\_port\_1: - type: OS::Neutron::Port - network: { get\_param: oam\_net\_id } - fixed\_ips: [ { “ip\_address”: {get\_param: [ db\_oam\_ips, 1] - }}] - -*Example (string parameters for IPv4 Address Assignments to an external -network):* - -In this example, the {network-role} has been defined as “oam” to -represent an oam network and the {vm-type} has been defined as “db” for -database. - -.. code-block:: python - - parameters: - oam\_net\_id: - type: string - description: Neutron UUID for an OAM network - db\_oam\_ip\_0: - type: string - description: First fixed IP assignment for db VMs on the OAM network - db\_oam\_ip\_1: - type: string - description: Second fixed IP assignment for db VMs on the OAM network - - resources: - db\_0\_port\_1: - type: OS::Neutron::Port - network: { get\_param: oam\_net\_id } - fixed\_ips: [ { “ip\_address”: {get\_param: db\_oam\_ip\_0}}] - db\_1\_port\_1: - type: OS::Neutron::Port - network: { get\_param: oam\_net\_id } - fixed\_ips: [ { “ip\_address”: {get\_param: db\_oam\_ip\_1}}] - -Property: allowed\_address\_pairs -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The property “allowed\_address\_pairs” in the resource OS::Neutron::Port -allows the user to specify mac\_address/ip\_address (CIDR) pairs that -pass through a port regardless of subnet. This enables the use of -protocols such as VRRP, which floats an IP address between two instances -to enable fast data plane failover. An “allowed\_address\_pairs” is -unique to a {vm-type} and {network-role} combination. The management of -these IP addresses (i.e. 
transferring ownership between active and -standby VMs) is the responsibility of the application itself. - -Note that these parameters are *not* intended to represent Neutron -“Floating IP” resources, for which OpenStack manages a pool of public IP -addresses that are mapped to specific VM ports. In that case, the -individual VMs are not even aware of the public IPs, and all assignment -of public IPs to VMs is via OpenStack commands. OpenECOMP does not -support Neutron-style Floating IPs. - -Both IPv4 and IPv6 “allowed\_address\_pairs” addresses are supported. - -If property “allowed\_address\_pairs” is used with an external network, -the parameter name must adhere to the following convention: - -- *Format for IPv4 addresses: {vm-type}\_{network-role}\_floating\_ip* - -- *Format for IPv6 addresses: - {vm-type}\_{network-role}\_floating\_v6\_ip* - -*Example:* - -.. code-block:: python - - parameters: - {vm-type}\_{network-role}\_floating\_ip: - type: string - description: VIP for {vm-type} VMs on the {network-role} network - {vm-type}\_{network-role}\_floating\_v6\_ip: - type: string - description: VIP for {vm-type} VMs on the {network-role} network - -*Example:* - -In this example, the {network-role} has been defined as “oam” to -represent an oam network and the {vm-type} has been defined as “db” for -database. - -.. 
code-block:: python - - parameters: - db\_oam\_ips: - type: comma\_delimited\_list - description: Fixed IPs for db VMs on the oam network - db\_oam\_floating\_ip: - type: string - description: Floating IP for db VMs on the oam network - resources: - db\_0\_port\_0: - type: OS::Neutron::Port - network: { get\_param: oam\_net\_id } - fixed\_ips: [ { “ip\_address”: {get\_param: [db\_oam\_ips,0] }}] - allowed\_address\_pairs: [ - { “ip\_address”: {get\_param: db\_oam\_floating\_ip}}] - db\_1\_port\_0: - type: OS::Neutron::Port - network: { get\_param: oam\_net\_id } - fixed\_ips: [ { “ip\_address”: {get\_param: [db\_oam\_ips,1] }}] - allowed\_address\_pairs: [ - { “ip\_address”: {get\_param: db\_oam\_floating\_ip}}] - -If property “allowed\_address\_pairs” is used with an internal network, -the parameter name should adhere to the following convention: - -- *Format for IPv4 addresses: - {vm-type}\_int\_{network-role}\_floating\_ip* - -- *Format for IPv6 addresses: - {vm-type}\_int\_{network-role}\_floating\_v6\_ip* - -Using the parameter *{vm-type}\_{network-role}\_floating\_ip* or -*{vm-type}\_{network-role}\_floating\_v6\_ip* provides only one floating -IP per Vm-type{vm-type} and {network-role} pair. If there is a need for -multiple floating IPs (e.g., Virtual IPs (VIPs)) for a given {vm-type} -and {network-role} combination within a VNF, then the parameter names -defined for the “fixed\_ips” should be used with the -“allowed\_address\_pairs” property. The examples below illustrate this. - -Below example reflects two load balancer pairs in a single VNF. Each -pair has one VIP. - -*Example: A VNF has four load balancers. Each pair has a unique VIP.* - -*Pair 1:* lb\_0 and lb\_1 share a unique VIP - -*Pair 2:* lb\_2 and lb\_3 share a unique VIP - -In this example, the {network-role} has been defined as “oam” to -represent an oam network and the {vm-type} has been defined as “lb” for -load balancer. - -.. 
code-block:: python - - resources: - lb\_0\_port\_0: -      type: OS::Neutron::Port -         network: { get\_param: oam\_net\_id } -         fixed\_ips: [ { “ip\_address”: {get\_param: [lb\_oam\_ips,0] }}] -         allowed\_address\_pairs: [{ “ip\_address”: {get\_param: [lb\_oam\_ips,2] }}] - - lb\_1\_port\_0: -         type: OS::Neutron::Port -         network: { get\_param: oam\_net\_id } -         fixed\_ips: [ { “ip\_address”: {get\_param: [lb\_oam\_ips,1] }}] -         allowed\_address\_pairs: [{ “ip\_address”: {get\_param: [lb\_oam\_ips,2] }}] - -       lb\_2\_port\_0: -        type: OS::Neutron::Port -         network: { get\_param: oam\_net\_id } -         fixed\_ips: [ { “ip\_address”: {get\_param: [lb\_oam\_ips,3] }}] -         allowed\_address\_pairs: [{ “ip\_address”: {get\_param: [lb\_oam\_ips,5] }}] - - lb\_3\_port\_0: -     type: OS::Neutron::Port -         network: { get\_param: oam\_net\_id } -         fixed\_ips: [ { “ip\_address”: {get\_param: [lb\_oam\_ips,4] }}] -         allowed\_address\_pairs: [{ “ip\_address”: {get\_param: [lb\_oam\_ips,5] }}] - -Below example reflects a single app VM pair within a VNF with two VIPs:  - -*Example: A VNF has two load balancers. The pair of load balancers share -two VIPs.* - -In this example, the {network-role} has been defined as “oam” to -represent an oam network and the {vm-type} has been defined as “lb” for -load balancer. - -.. 
code-block:: python - - resources: - lb\_0\_port\_0: -      type: OS::Neutron::Port -         network: { get\_param: oam\_net\_id } -         fixed\_ips: [ { “ip\_address”: {get\_param: [lb\_oam\_ips,0] }}] -         allowed\_address\_pairs: [{ "ip\_address": {get\_param: [lb\_oam\_ips,2] }, {get\_param: [lb\_oam\_ips,3] }}] - - lb\_1\_port\_0: - type: OS::Neutron::Port -         network: { get\_param: oam\_net\_id } -     fixed\_ips: [ { “ip\_address”: {get\_param: [lb\_oam\_ips,1] }}] -        allowed\_address\_pairs: [{ "ip\_address": {get\_param: [lb\_oam\_ips,2] }, {get\_param: [lb\_oam\_ips,3] }}] - -As a general rule, provide the fixed IPs for the VMs indexed first in -the CDL and then the VIPs as shown in the examples above. - -Resource Property: name ------------------------ - -The parameter naming standard for the resource OS::Nova::Server has been -defined in Section 4.3.3. This section describes how the name property -of all other resources must be defined. - -Heat templates must use the Heat “str\_replace” function in conjunction -with the OpenECOMP supplied metadata parameter *vnf\_name* or -*vnf\_module\_id* to generate a unique name for each VNF instance. This -prevents the use of unique parameters values for resource “name” -properties to be enumerated in a per instance environment file. - -Note that - -- In most cases, only the use of the vnf\_name is necessary to create a - unique name - -- the Heat pseudo parameter 'OS::stack\_name’ can also be used in the - ‘str\_replace’ construct to generate a unique name when the vnf\_name - does not provide uniqueness - -.. 
code-block:: python - - type: OS::Cinder::Volume - properities: - name: - str\_replace: -          template: VF\_NAME\_STACK\_NAME\_oam\_volume -           params: -             VF\_NAME: { get\_param: vnf\_name } -             STACK\_NAME: { get\_param: 'OS::stack\_name'  } - - type: OS::Neutron::SecurityGroup - properties: - description: Security Group of Firewall - name: - str\_replace: - template: VNF\_NAME\_Firewall\_SecurityGroup - params: - VNF\_NAME: { get\_param: vnf\_name } - -Output Parameters ------------------ - -OpenECOMP defines three type of Output Parameters. - -Base Template Output Parameters: -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The base template output parameters are available for use as input -parameters in all add-on modules. The add-on modules may (or may not) -use these parameters. - -Volume Template Output Parameters: -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The volume template output parameters are only available only for the -module (base or add on) that the volume is associated with. - -Predefined Output Parameters -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -OpenECOMP currently defines one predefined output parameter. - -OAM Management IP Addresses -^^^^^^^^^^^^^^^^^^^^^^^^^^^ - -Many VNFs will have a management interface for application controllers -to interact with and configure the VNF. Typically, this will be via a -specific VM that performs a VNF administration function. The IP address -of this interface must be captured and inventoried by OpenECOMP. This -might be a VIP if the VNF contains an HA pair of management VMs, or may -be a single IP address assigned to one VM. - -The Heat template may define either (or both) of the following Output -parameters to identify the management IP address. 
- -- *oam\_management\_v4\_address* - -- *oam\_management\_v6\_address* - -*Notes*: - -- The Management IP Address should be defined only once per VNF, so it - would only appear in one Module template - -- If a fixed IP for the admin VM is passed as an input parameter, it - may be echoed in the output parameters - -- If the IP for the admin VM is obtained via DHCP, it may be obtained - from the resource attributes - -*Example:* - -.. code-block:: python - - resources: - admin\_server: - type: OS::Nova::Server - properties: - networks: - - network: {get\_param: oam\_net\_id } - ... - - Outputs: - oam\_management\_v4\_address: - value: {get\_attr: [admin\_server, networks, {get\_param: oam\_net\_id}, 0] } - -Heat Template Constructs -======================== - -External References -------------------- - -Heat templates *should not* reference any HTTP-based resource -definitions, any HTTP-based nested configurations, or any HTTP-based -environment files. - -- During orchestration, OpenECOMP *should not* retrieve any such - resources from external/untrusted/unknown sources. - -- VNF images should not contain such references in user-data or other - configuration/operational scripts that are specified via Heat or - encoded into the VNF image itself. - -*Note:* HTTP-based references are acceptable if the HTTP-based reference -is accessing information with the VM private/internal network. - -Heat Files Support (get\_file) ------------------------------- - -Heat Templates may contain the inclusion of text files into Heat -templates via the Heat “get\_file” directive. This may be used, for -example, to define a common “user-data” script, or to inject files into -a VM on startup via the “personality” property. - -Support for Heat Files is subject to the following limitations: - -- The ‘get\_files’ targets must be referenced in Heat templates by file - name, and the corresponding files should be delivered to OpenECOMP - along with the Heat templates. 
- - - URL-based file retrieval must not be used; it is not supported. - -- The included files must have unique file names within the scope of - the VNF. - -- OpenECOMP does not support a directory hierarchy for included files. - - - All files must be in a single, flat directory per VNF. - -- Included files may be used by all Modules within a given VNF. - -- get\_file directives may be used in both non-nested and nested - templates - -Use of Heat ResourceGroup -------------------------- - -The *OS::Heat::ResourceGroup* is a useful Heat element for creating -multiple instances of a given resource or collection of resources. -Typically it is used with a nested Heat template, to create, for -example, a set of identical *OS::Nova::Server* resources plus their -related *OS::Neutron::Port* resources via a single resource in a master -template. - -*ResourceGroup* may be used in OpenECOMP to simplify the structure of a -Heat template that creates multiple instances of the same VM type. -However, there are important caveats to be aware of. - -*ResourceGroup* does not deal with structured parameters -(comma-delimited-list and json) as one might typically expect. In -particular, when using a list-based parameter, where each list element -corresponds to one instance of the *ResourceGroup*, it is not possible -to use the intrinsic “loop variable” %index% in the *ResourceGroup* -definition. - -For instance, the following is **not** valid Heat for a *ResourceGroup*: - -.. code-block:: python - - type: OS::Heat::ResourceGroup - resource: -      type: my\_nested\_vm\_template.yaml -      properties: -          name: {get\_param: [vm\_name\_list, %index%]} - -Although this appears to use the nth entry of the *vm\_name\_list* list -for the nth element of the *ResourceGroup*, it will in fact result in a -Heat exception. 
When parameters are provided as a list (one for each -element of a *ResourceGroup*), you must pass the complete parameter to -the nested template along with the current index as separate parameters. - -Below is an example of an **acceptable** Heat Syntax for a -*ResourceGroup*: - -.. code-block:: python - - type: OS::Heat::ResourceGroup - resource: -     type: my\_nested\_vm\_template.yaml -     properties: -         names: {get\_param: vm\_name\_list} -         index: %index% - -You can then reference within the nested template as: - -{ get\_param: [names, {get\_param: index} ] } - -Note that this is workaround has very important limitations. Since the -entire list parameter is passed to the nested template, any change to -that list (e.g., adding an additional element) will cause Heat to treat -the entire parameter as updated within the context of the nested -template (i.e., for each *ResourceGroup* element).  As a result, if -*ResourceGroup* is ever used for scaling (e.g., increment the count and -include an additional element to each list parameter), Heat will often -rebuild every existing element in addition to adding the “deltas”. For -this reason, use of *ResourceGroup* for scaling in this manner is not -supported. - -Key Pairs ---------- - -When Nova Servers are created via Heat templates, they may be passed a -“keypair” which provides an ssh key to the ‘root’ login on the newly -created VM. This is often done so that an initial root key/password does -not need to be hard-coded into the image. - -Key pairs are unusual in OpenStack, because they are the one resource -that is owned by an OpenStack User as opposed to being owned by an -OpenStack Tenant. As a result, they are usable only by the User that -created the keypair. This causes a problem when a Heat template attempts -to reference a keypair by name, because it assumes that the keypair was -previously created by a specific OpenECOMP user ID. 
- -When a keypair is assigned to a server, the SSH public-key is -provisioned on the VMs at instantiation time. They keypair itself is not -referenced further by the VM (i.e. if the keypair is updated with a new -public key, it would only apply to subsequent VMs created with that -keypair). - -Due to this behavior, the recommended usage of keypairs is in a more -generic manner which does not require the pre-requisite creation of a -keypair. The Heat should be structured in such a way as to: - -- Pass a public key as a parameter value instead of a keypair name - -- Create a new keypair within the VNF Heat templates (in the base - module) for use within that VNF - -By following this approach, the end result is the same as pre-creating -the keypair using the public key – i.e., that public key will be -provisioned in the new VM. However, this recommended approach also makes -sure that a known public key is supplied (instead of having OpenStack -generate a public/private pair to be saved and tracked outside of -OpenECOMP). It also removes any access/ownership issues over the created -keypair. - -The public keys may be enumerated as a VNF Orchestration Constant in the -environment file (since it is public, it is not a secret key), or passed -at run-time as an instance-specific parameters. OpenECOMP will never -automatically assign a public/private key pair. - -*Example (create keypair with an existing ssh public-key for {vm-type} -of lb (for load balancer)):* - -.. code-block:: python - - parameters: - vnf\_name: - type: string - ssh\_public\_key: - type: string - resources: - my\_keypair: - type: OS::Nova::Keypair - properties: - name: - str\_replace: - template: VNF\_NAME\_key\_pair - params: - VNF\_NAME: { get\_param: vnf\_name } - public\_key: {get\_param: lb\_ssh\_public\_key} - save\_private\_key: false - -Security Groups ---------------- - -OpenStack allows a tenant to create Security groups and define rules -within the security groups. 
- -Security groups, with their rules, may either be created in the Heat -template or they can be pre-created in OpenStack and referenced within -the Heat template via parameter(s). There can be a different approach -for security groups assigned to ports on internal (intra-VNF) networks -or external networks (inter-VNF). Furthermore, there can be a common -security group across all VMs for a specific network or it can vary by -VM (i.e., {vm-type}) and network type (i.e., {network-role}). - -Anti-Affinity and Affinity Rules --------------------------------- - -Anti-affinity or affinity rules are supported using normal OpenStack -*“OS::Nova::ServerGroup”* resources. Separate ServerGroups are typically -created for each VM type to prevent them from residing on the same host, -but they can be applied to multiple VM types to extend the -affinity/anti-affinity across related VM types as well. - -*Example:* - -In this example, the {network-role} has been defined as “oam” to -represent an oam network and the {vm-type} have been defined as “lb” for -load balancer and “db” for database. - -.. code-block:: python - - resources: - db\_server\_group: - type: OS::Nova::ServerGroup - properties: - name: - str\_replace: - params: - $vnf\_name: {get\_param: vnf\_name} - template: $vnf\_name-server\_group1 - policies: - - *anti-affinity* - - lb\_server\_group: - type: OS::Nova::ServerGroup - properties: - name: - str\_replace: - params: - $vnf\_name: {get\_param: vnf\_name} - template: $vnf\_name-server\_group2 - policies: - - *affinity* - - *db\_0:* - *type: OS::Nova::Server* - *properties:* - *...* - scheduler\_hints: - group: {get\_param: db\_server\_group} - - db\_1: - type: OS::Nova::Server - properties: - ... - scheduler\_hints: - group: {get\_param: db\_server\_group} - - lb\_0: - type: OS::Nova::Server - properties: - ... 
- scheduler\_hints: - group: {get\_param: lb\_server\_group}  - -Design Pattern: VNF Modularity -============================== - -OpenECOMP supports the concept of *VNF Modularity*. With this approach, -a single VNF may be composed from one or more Heat templates, each of -which represents some subset of the overall VNF. These component parts -are referred to as “\ *VNF Modules*\ ”. During orchestration, these -modules may be deployed incrementally to build up the complete VNF. - -A Heat template can be either one for the following types of modules - -1. Base Module - -2. Incremental Modules - -3. Independent Cinder Volume Modules - -The OpenECOMP Heat template naming convention must be followed (Section -2.1). The naming convention identifies the module type. - -A VNF must be composed of one “base” VNF module (also called a base -module) and zero to many “incremental” or “add on” VNF modules. The base -module must be deployed first prior to the add-on modules. - -A module can be thought of as equivalent to a Heat template, where a -Heat template is composed of a YAML file and an environment file. A -given YAML file must have a corresponding environment file; OpenECOMP -requires it. A Heat template is used to create or deploy a Heat stack. -Therefore, a module is also equivalent to a Heat Stack. - -However, there are cases where a module maybe composed of more than one -Heat stack and/or more than one YAML file. - -As discussed in Section 2.5, Independent Volume Templates, each VNF -Module may have an associated Volume template. - -- When a volume template is utilized, it must correspond 1:1 with - add-on module template or base template it is associated with - -- A Cinder volume may be embedded within the add-on module template - and/or base template if persistence is not required, thus not - requiring the optional Volume template. - -A VNF module may support nested templates. In this case, there will be -one or more additional YAML files. 
- -Any shared resource defined in the base module template and used across -the entire VNF (e.g., private networks, server groups), must be exposed -to the incremental or add-on modules by declaring their resource UUIDs -as Heat outputs (i.e., OpenECOMP Base Template Output Parameter in the -output section of the Heat template). Those outputs will be provided by -OpenECOMP as input parameter values to all add-on module Heat templates -in the VNF that have declared the parameter in the template. - -*Note:* A Cinder volume is *not* considered a shared resource. A volume -template must correspond 1:1 with a base template or add-on module -template. - -There are two suggested usage patterns for modular VNFs, though any -variation is supported. - -A. **Modules per VNFC type** - - a. Group all VMs (VNFCs) of a given type into its own module - - b. Build up the VNF one VNFC type at a time - - c. Base module contains only the shared resources (and possibly - initial Admin VMs) - - d. Suggest one or two modules per VNFC type - - i. one for initial count - - ii. one for scaling increment (if different from initial count) - -B. **Base VNF + Growth Units** - - a. Base module (template) contains a complete initial VNF instance - - b. Growth modules for incremental scaling units - - i. May contain VMs of multiple types in logical scaling - combinations - - ii. May be separated by VM type for multi-dimensional scaling - - c. With no growth units, this is equivalent to the “\ *One Heat - Template per VNF*\ ” model - -Note that modularization of VNFs is not required. A single Heat template -(a base template) may still define a complete VNF, which might be -appropriate for smaller VNFs without a lot of scaling options. - -There are some rules to follow when building modular VNF templates: - -1. All VNFs must have one Base VNF Module (template) that must be the - first one deployed. The base template: - - a. 
Must include all shared resources (e.g., private networks, server - groups, security groups) - - b. Must expose all shared resources (by UUID) as “outputs” in its - associated Heat template (i.e., OpenECOMP Base Template Output - Parameters) - - c. May include initial set of VMs - - d. May be operational as a stand-alone “minimum” configuration of the - VNF - -2. VNFs may have one or more Add-On VNF Modules (templates) which: - - a. Defines additional resources that can be added to an existing VNF - - b. Must be complete Heat templates - - i. i.e. not snippets to be incorporated into some larger template - - c. Should define logical growth-units or sub-components of an overall - VNF - - d. On creation, receives all Base VNF Module outputs as parameters - - i. Provides access to all shared resources (by UUID) - - ii. must not be dependent on other Add-On VNF Modules - - e. Multiple instances of an Add-On VNF Module type may be added to - the same VNF (e.g. incrementally grow a VNF by a fixed “add-on” - growth units) - -3. Each VNF Module (base or add-on) may have (optional) an associated - Volume template (*see Section 2.5*) - - a. Volume templates should correspond 1:1 with Module (base or - add-on) templates - - b. A Cinder volume may be embedded within the Module template (base - or add-on) if persistence is not required - -4. Shared resource UUIDs are passed between the base template and add-on - template via Heat Outputs Parameters (i.e., Base Template Output - Parameters) - - a. The output parameter name in the base must match the parameter - name in the add-on module - -*Examples:* - -In this example, the {vm-type} have been defined as “lb” for load -balancer and “admin” for admin server. - -1. **Base VNF Module Heat Template (partial)** - -Heat\_template\_version: 2013-05-23 - -.. 
code-block:: python - - parameters: - admin\_name\_0: -     type: string - - resources: - int\_oam\_network: - type: OS::Neutron::Network - properties: - name: {… } - - admin\_server: - type: OS::Nova::Server - properties: - name: {get\_param: admin\_name\_0} - image: ... - - outputs: - int\_oam\_net\_id: - value: {get\_resource: int\_oam\_network } - - -2. **Add-on VNF Module Heat Template (partial)** - -Heat\_template\_version: 2013-05-23 - -.. code-block:: python - - Parameters: - int\_oam\_net\_id: - type: string - description: ID of shared private network from Base template - lb\_name\_0: - type: string - description: name for the add-on VM instance - - Resources: - lb\_server: - type: OS::Nova::Server - properties: - name: {get\_param: lb\_name\_0} - networks: - - port: { get\_resource: lb\_port } -         ... - - lb\_port: - type: OS::Neutron::Port - properties: - network\_id: { get\_param: int\_oam\_net\_id } - ... - -Scaling Considerations -====================== - -Scaling of a VNF may be manually driven to add new capacity (**static -scaling**) or it may be driven in near real-time by the OpenECOMP -controllers based on a real-time need **(dynamic scaling).** - -With VNF Modularity, the recommended approach for scaling is to provide -additional “growth unit” templates that can be used to create additional -resources in logical scaling increments. This approach is very -straightforward, and has minimal impact on the currently running VNFCs -and must comply with the following: - -- Combine resources into reasonable-sized scaling increments; do not - just scale by one VM at a time in potentially large VNFs. - -- Combine related resources into the same growth template where - appropriate, e.g. if VMs of different types are always deployed in - pairs, include them in a single growth template. - -- Growth templates can use the private networks and other shared - resources exposed by the Base Module template. 
- -VNF Modules may also be updated “in-place” using the OpenStack Heat -Update capability, by deploying an updated Heat template with different -VM counts to an existing stack. This method requires another VNF module -template that includes the new resources *in addition to all resources -contained in the original module template*. Note that this also requires -re-specification of all existing parameters as well as new ones. - -*For this approach:* - -- Use a fixed number of pre-defined VNF module configurations - -- Successively larger templates must be identical to the next smaller - one, plus add the additional VMs of the scalable type(s) - -- VNF is scalable by sending a stack-update with a different template - -*Please do note that:* - -- If properties do not change for existing VMs, those VMs should remain - unchanged - -- If the update is performed with a smaller template, the Heat engine - recognizes and deletes no-longer-needed VMs (and associated - resources) - -- Nested templates for the various server types will simplify reuse - across multiple configurations - -- Per the section on Use of Heat ResourceGroup, if *ResourceGroup* is - ever used for scaling (e.g. increment the count and include an - additional element to each list parameter), Heat will often rebuild - every existing element in addition to adding the “deltas”.  For this - reason, use of *ResourceGroup* for scaling in this manner is not - supported. - -High Availability -================== - -VNF/VM parameters may include availability zone IDs for VNFs that -require high availability. 
- -The Heat must comply with the following requirements to specific -availability zone IDs: - -- The Heat template should spread Nova and Cinder resources across the - availability zones as desired - -Resource Data Synchronization -============================== - -For cases where synchronization is required in the orchestration of Heat -resources, two approaches are recommended: - -- Standard Heat *“depends\_on”* property for resources - - - Assures that one resource completes before the dependent resource - is orchestrated. - - - Definition of completeness to OpenStack may not be sufficient - (e.g., a VM is considered complete by OpenStack when it is ready - to be booted, not when the application is up and running). - -- Use of Heat Notifications - - - Create *OS::Heat::WaitCondition* and - *OS::Heat::WaitConditionHandle* resources. - - - Pre-requisite resources issue *wc\_notify* commands in user\_data. - - - Dependent resource define *“depends\_on”* in the - *OS::Heat::WaitCondition* resource. - -*Example: “depends\_on” case* - -In this example, the {network-role} has been defined as “oam” to -represent an oam network and the {vm-type} has been defined as “oam” to -represent an oam server. - -.. 
code-block:: python - - oam\_server\_01: -     type: OS::Nova::Server -     properties: -      name: {get\_param: [oam\_ names, 0]} -       image: {get\_param: oam\_image\_name} -       flavor: {get\_param: oam\_flavor\_name} -       availability\_zone: {get\_param: availability\_zone\_0} -       networks: -         - port: {get\_resource: oam01\_port\_0} -         - port: {get\_resource: oam01\_port\_1} -       user\_data: -       scheduler\_hints: {group: {get\_resource: oam\_servergroup}} -       user\_data\_format:  RAW - - oam\_01\_port\_0: -     type: OS::Neutron::Port -     properties: -      network: {get\_resource: oam\_net\_name} -       fixed\_ips: [{"ip\_address": {get\_param: [oam\_oam\_net\_ips, 1]}}] -       security\_groups: [{get\_resource: oam\_security\_group}] - - oam\_01\_port\_1: -     type: OS::Neutron::Port -     properties: -      network: {get\_param: oam\_net\_name} -       fixed\_ips: [{"ip\_address": {get\_param: [oam\_oam\_net\_ips, 2]}}] -       security\_groups: [{get\_resource: oam\_security\_group}] - -   - - oam\_01\_vol\_attachment: -     type: OS::Cinder::VolumeAttachment -     depends\_on: oam\_server\_01 -     properties: - volume\_id: {get\_param: oam\_vol\_1} -       mountpoint: /dev/vdb -       instance\_uuid: {get\_resource: oam\_server\_01} - -Appendix A - Glossary -====================== - -**VM** Virtual Machine (VM) is a virtualized computation environment -that behaves very much like a physical computer/server. A VM has all its -ingredients (processor, memory/storage, interfaces/ports) of a physical -computer/server and is generated by a hypervisor, which partitions the -underlying physical resources and allocates them to VMs. Virtual -Machines are capable of hosting a virtual network function component -(VNFC). - -**VNF** Virtual Network Function (VNF) is the software implementation of -a function that can be deployed on a Network Cloud. It includes network -functions that provide transport and forwarding. 
It also includes other -functions when used to support network services, such as -network-supporting web servers and database. - -**VNFC** Virtual Network Function Component (VNFC) are the -sub-components of a VNF providing a VNF Provider a defined sub-set of -that VNF's functionality, with the main characteristic that a single -instance of this component maps 1:1 against a single Virtualization -Container. See **Figure 1** for the relationship between VNFC and -VNFs. - -|image0| - -Figure 1. Virtual Function Entity Relationship - -**Copyright 2017 AT&T Intellectual Property. All Rights Reserved.** - -This paper is licensed to you under the Creative Commons License: - -**Creative Commons Attribution-ShareAlike 4.0 International Public -License** - -You may obtain a copy of the License at: - -https://creativecommons.org/licenses/by-sa/4.0/legalcode - -**You are free to:** - -- Share — copy and redistribute the material in any medium or format - -- Adapt — remix, transform, and build upon the material for any - purpose, even commercially. - -- The licensor cannot revoke these freedoms as long as you follow the - license terms. - -**Under the following terms:** - -- Attribution — You must give appropriate credit, provide a link to the - license, and indicate if changes were made. You may do so in any - reasonable manner, but **not** in any way that suggests the - licensor endorses you or your use. - -- ShareAlike — If you remix, transform, or build upon the material, you - must distribute your contributions under the same license as the - original. - -- No additional restrictions — You may not apply legal terms or - technological measures that legally restrict others from doing - anything the license permits. - -**Notices:** - -- You do not have to comply with the license for elements of the - material in the public domain or where your use is permitted by an - applicable exception or limitation. - -- No warranties are given. 
The license may not give you all of the
- permissions necessary for your intended use. For example, other
- rights such as publicity, privacy, or moral rights may limit how you
- use the material.
-
-.. |image0| image:: VNF_VNFC_Relation.jpg
- :width: 4.26181in
- :height: 3.42847in
-
\ No newline at end of file
diff --git a/docs/VNF_Heat_Templates_for_OpenEcomp/VNF_VNFC_Relation.jpg b/docs/VNF_Heat_Templates_for_OpenEcomp/VNF_VNFC_Relation.jpg
deleted file mode 100644
index 0457e86..0000000
Binary files a/docs/VNF_Heat_Templates_for_OpenEcomp/VNF_VNFC_Relation.jpg and /dev/null differ
diff --git a/docs/VNF_Heat_Templates_for_OpenEcomp/index.rst b/docs/VNF_Heat_Templates_for_OpenEcomp/index.rst
deleted file mode 100644
index 51e1391..0000000
--- a/docs/VNF_Heat_Templates_for_OpenEcomp/index.rst
+++ /dev/null
@@ -1,7 +0,0 @@
-VNF Heat Templates for OpenEcomp
-----------------------------------
-
-.. toctree::
- :maxdepth: 2
-
- VNF_Heat_Template_Requirements_for_OpenECOMP_2_15_NO_track_changes
\ No newline at end of file
diff --git a/docs/VNF_Mgmt_Requirements_for_OpenEcomp/VNF Management Requirements for OpenECOMP 2-6-2017.docx b/docs/VNF_Mgmt_Requirements_for_OpenEcomp/VNF Management Requirements for OpenECOMP 2-6-2017.docx
deleted file mode 100644
index f2d8341..0000000
Binary files a/docs/VNF_Mgmt_Requirements_for_OpenEcomp/VNF Management Requirements for OpenECOMP 2-6-2017.docx and /dev/null differ
diff --git a/docs/VNF_Mgmt_Requirements_for_OpenEcomp/VNF_Management_Requirements_for_OpenECOMP_2_6_2017.rst b/docs/VNF_Mgmt_Requirements_for_OpenEcomp/VNF_Management_Requirements_for_OpenECOMP_2_6_2017.rst
deleted file mode 100644
index bad95a5..0000000
--- a/docs/VNF_Mgmt_Requirements_for_OpenEcomp/VNF_Management_Requirements_for_OpenECOMP_2_6_2017.rst
+++ /dev/null
@@ -1,1262 +0,0 @@
-.. contents::
- :depth: 3
-..
-
-**VNF Management Requirements for OpenECOMP**
-
-+-----------------+------------+
-+-----------------+------------+
-| Revision | 1.0 |
-+-----------------+------------+
-| Revision Date | 2/1/2017 |
-+-----------------+------------+
-
-**Document Revision History**
-
-+------------+------------+--------------------------------------------------------------------------+
-| Date | Revision | Description |
-+============+============+==========================================================================+
-| 2/1/2017 | 1.0 | Initial publication defining VNF Management Requirements for OpenECOMP |
-+------------+------------+--------------------------------------------------------------------------+
-
-Introduction
-============
-
-This document is part of a hierarchy of documents that describes the
-overall Requirements and Guidelines for OpenECOMP. The diagram below
-identifies where this document fits in the hierarchy.
-
-+--------------------------------------------------+---------------------------------------------+------------------------------------------------+------------------------------+---------------------------------+
-| OpenECOMP Requirements and Guidelines | |
-+==================================================+=============================================+================================================+==============================+=================================+
-| VNF Guidelines for Network Cloud and OpenECOMP | Future OpenECOMP Subject Documents | |
-+--------------------------------------------------+---------------------------------------------+------------------------------------------------+------------------------------+---------------------------------+
-| VNF Cloud Readiness Requirements for OpenECOMP | VNF Management Requirements for OpenECOMP | VNF Heat Template Requirements for OpenECOMP | Future | Future Requirements Documents |
-| | | | VNF Requirements Documents | |
-+--------------------------------------------------+---------------------------------------------+------------------------------------------------+------------------------------+---------------------------------+
-
-Document summary:
-
-*VNF Guidelines for Network Cloud and OpenECOMP*
-
-- Describes VNF environment and overview of requirements
-
-*VNF Cloud Readiness Requirements for OpenECOMP*
-
-- Cloud readiness requirements for VNFs (Design, Resiliency, Security,
- and DevOps)
-
-**VNF Management Requirements for OpenECOMP**
-
-- Requirements for how VNFs interact and utilize OpenECOMP
-
-*VNF Heat Template Requirements for OpenECOMP*
-
-- Provides recommendations and standards for building Heat templates
- compatible with OpenECOMP– initial implementations of Network Cloud
- are assumed to be OpenStack based.
-
-The OpenECOMP (Enhanced Control, Orchestration, Management and Policy)
-platform is the part of the larger Network Function
-Virtualization/Software Defined Network (NFV/SDN) ecosystem that is
-responsible for the efficient control, operation and management of
-Virtual Network Function (VNF) capabilities and functions. It specifies
-standardized abstractions and interfaces that enable efficient
-interoperation of the NVF/SDN ecosystem components. It enables
-product/service independent capabilities for design, creation and
-runtime lifecycle management (includes all aspects of installation,
-change management, assurance, and retirement) of resources in NFV/SDN
-environment (see `ECOMP white paper `__\ [1]_).
-These capabilities are provided using two major architectural
-frameworks: (1) a Design Time Framework to design, define and program
-the platform (uniform onboarding), and (2) a Runtime Execution Framework
-to execute the logic programmed in the design environment (uniform
-delivery and runtime lifecycle management).
The platform delivers an -integrated information model based on the VNF package to express the -characteristics and behavior of these resources in the Design Time -Framework. The information model is utilized by Runtime Execution -Framework to manage the runtime lifecycle of the VNFs. The management -processes are orchestrated across various modules of OpenECOMP to -instantiate, configure, scale, monitor, and reconfigure the VNFs using a -set of standard APIs provided by the VNF developers. - -Design Definition -================= - -The OpenECOMP Design Time Framework provides the ability to design NFV -resources including VNFs, Services, and products. The vendor must -provide VNF packages that include a rich set of recipes, management and -functional interfaces, policies, configuration parameters, and -infrastructure requirements that can be utilized by the OpenECOMP Design -module to onboard and catalog these resources. Initially this -information may be provided in documents, but in the near future a -method will be developed to automate as much of the transfer of data as -possible to satisfy its long term requirements. - -The current VNF Package Requirement is based on a subset of the -Requirements contained in the ETSI Document: ETSI GS NFV-MAN 001 v1.1.1 -and GS NFV IFA011 V0.3.0 (2015-10) - Network Functions Virtualization -(NFV), Management and Orchestration, VNF Packaging Specification. - -Table 1. 
VNF Package - -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| **Principle** | **Description** | **Type** | **ID #** | -+========================+===================================================================================================================================================================================================================================================================================================================================================================+============+============+ -| 2.0.1 | The VNF Vendor must provide a Manifest File that contains a list of all the components in the VNF package. | Must | 10010 | -| | | | | -| Resource | | | | -| | | | | -| Description | | | | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The package must include VNF Identification Data to uniquely identify the resource for a given Vendor. The identification data must include: an identifier for the VNF, the name of the VNF as was given by the VNF Vendor, VNF description, VNF Vendor, and version. 
| Must | 10020 | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The VNF Vendor must provide documentation describing VNF Management APIs. The document must include information and tools for: | Must | 10030 | -| | | | | -| | - OpenECOMP to deploy and configure (initially and ongoing) the VNF application(s) (e.g., NETCONF APIs). Includes description of configurable parameters for the VNF and whether the parameters can be configured after VNF instantiation. | | | -| | | | | -| | - OpenECOMP to monitor the health of the VNF (conditions that require healing and/or scaling responses). Includes a description of: | | | -| | | | | -| | - Parameters that can be monitored for the VNF and event records (status, fault, flow, session, call, control plane, etc.) generated by the VNF after instantiation. | | | -| | | | | -| | - Runtime lifecycle events and related actions (e.g., control responses, tests) which can be performed for the VNF. | | | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The VNF package must include documentation describing VNF Functional APIs that are utilized to build network and application services. Provides the externally exposed functional inputs and outputs for the VNF, including interface format and protocols supported. 
| Must | 10040 | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The VNF Vendor must provide documentation describing VNF Functional Capabilities that are utilized to operationalize the VNF and compose complex services. | Must | 10050 | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The VNF Vendor must provide information regarding any dependency with other VNFs and resources. | Must | 10060 | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| 2.0.2 | The VNF Vendor must provide a Resource/Device YANG model as a foundation for creating the YANG model for configuration. This will include VNF attributes/parameters and valid values/attributes configurable by policy. 
| Must | 10070 | -| | | | | -| Resource | | | | -| | | | | -| Configuration | | | | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The VNF Package must include configuration scripts for boot sequence and configuration. | Must | 10080 | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The VNF Vendor must provide configurable parameters (if unable to conform to YANG model) including VNF attributes/parameters and valid values, dynamic attributes and cross parameter dependencies (e.g., customer provisioning data). | Must | 10090 | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| 2.0.3 | The VNF Vendor must provide documentation for the VNF Policy Description to manage the VNF runtime lifecycle. The document must include a description of how the policies (conditions and actions) are implemented in the VNF. 
| Must | 10100 | -| | | | | -| Resource | | | | -| | | | | -| Control Loop | | | | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The VNF Package must include documentation describing the fault, performance, capacity events/alarms and other event records that are made available by the VNF. The document must include: | Must | 10110 | -| | | | | -| | - A unique identification string for the specific VNF, a description of the problem that caused the error, and steps or procedures to perform Root Cause Analysis and resolve the issue. | | | -| | | | | -| | - All events, severity level (e.g., informational, warning, error) and descriptions including causes/fixes if applicable for the event. | | | -| | | | | -| | - All events (fault, measurement for VNF Scaling, Syslogs, State Change and Mobile Flow), that need to be collected at each VM, VNFC (defined in *VNF Guidelines for Network Cloud and OpenECOMP*) and for the overall VNF. | | | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The VNF Vendor must provide an XML file that contains a list of VNF error codes, descriptions of the error, and possible causes/corrective action. 
| Must | 10120 | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | Provide documentation describing all parameters that are available to monitor the VNF after instantiation (includes all counters, OIDs, PM data, KPIs, etc., that must be collected for reporting purposes. The documentation must include a list of: | Must | 10130 | -| | | | | -| | - Monitoring parameters/counters exposed for virtual resource management and VNF application management. | | | -| | | | | -| | - KPIs and metrics that need to be collected at each VM for capacity planning purposes. | | | -| | | | | -| | - For each KPI, provide lower and upper limits. | | | -| | | | | -| | - When relevant, provide a threshold crossing alert point for each KPI at which time scaling rules will apply. | | | -| | | | | -| | - For each KPI, identify the suggested actions that need to be performed when a threshold crossing alert event is recorded. | | | -| | | | | -| | - Describe any requirements for the monitoring component of tools for Network Cloud automation and management to provide these records to components of the VNF. | | | -| | | | | -| | - When applicable, provide calculators needed to convert raw data into appropriate reporting artifacts. 
| | | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The VNF Package must include documentation describing supported VNF scaling capabilities and capacity limits (e.g., number of users, bandwidth, throughput, concurrent calls). | Must | 10140 | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The VNF Package must include documentation describing the characteristics for the VNF reliability and high availability. | Must | 10150 | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| 2.0.4 | The VNF Package must include VNF topology that describes basic network and application connectivity internal and external to the VNF including Link type, KPIs, Bandwidth, QoS (if applicable) for each interface. 
| Must | 10160 | -| | | | | -| Compute, | | | | -| | | | | -| Network, | | | | -| | | | | -| Storage | | | | -| | | | | -| Requirements | | | | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The VNF Package must include VM requirements via a Heat template that provides the necessary data for: | Must | 10170 | -| | | | | -| | - VM specifications for all VNF components - for hypervisor, CPU, memory, storage. | | | -| | | | | -| | - Network connections, interface connections, internal and external to VNF. | | | -| | | | | -| | - High availability redundancy model. | | | -| | | | | -| | - Static scaling/growth VM specifications. | | | -| | | | | -| | Note1: Must comply with the *Heat Template Requirements for Virtual Network Functions*. | | | -| | | | | -| | Note2: Must comply with the Network Cloud Specifications defined in *Example Implementation of Network Cloud.* | | | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The VNF Vendor must provide the binaries and images needed to instantiate the VNF (VNF and VNFC images). 
| Must | 10180 | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The VNF Vendor must describe scaling capabilities to manage scaling characteristics of the VNF. | Must | 10190 | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| 2.0.5 | The VNF Package must include documentation describing the tests that were conducted by the Vendor and the test results. | Must | 10200 | -| | | | | -| Testing | | | | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The VNF Vendor must provide their testing scripts to support testing. 
| Must | 10210 | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The VNF Vendor must provide software components that can be packaged with/near the VNF, if needed, to simulate any functions or systems that connect to the VNF system under test. This component is necessary only if the existing testing environment does not have the necessary simulators. | Must | 10220 | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| 2.0.6 | VNFs must provide metrics (e.g., number of sessions, number of subscribers, number of seats, etc.) to OpenECOMP for tracking every license. | Must | 10230 | -| | | | | -| Licensing Guidelines | | | | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | Contract shall define the reporting process and the available reporting tools. The vendor will have to agree to the process that can be met by Service Provider reporting infrastructure. 
| Must | 10240 | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | VNF vendors shall enumerate all of the open source licenses their VNF(s) incorporate. | Must | 10250 | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | Audits of Service Provider’s business must not be required. | Must | 10260 | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | Vendor functions and metrics that require additional infrastructure such as a vendor license server for deployment shall not be supported. 
| Must | 10270 | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | Provide clear measurements for licensing purposes to allow automated scale up/down by the management system. | Must | 10280 | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The vendor must provide the ability to scale up a vendor supplied product during growth and scale down a vendor supplied product during decline without “real-time” restrictions based upon vendor permissions. | Must | 10290 | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | A universal license key must be provided per VNF to be used as needed by services (i.e., not tied to a VM instance) as the recommended solution. The vendor may provide pools of Unique VNF License Keys, where there is a unique key for each VNF instance as an alternate solution. Licensing issues should be resolved without interrupting in-service VNFs. 
| Must | 10300 | -+------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ - -Configuration Management -======================== - -OpenECOMP interacts directly with VNFs through its Network and -Application Adapters to perform configuration activities within NFV -environment. These activities include service and resource -configuration/reconfiguration, automated scaling of resources, service -and resource removal to support runtime lifecycle management of VNFs and -services. The Adapters employ a model driven approach along with -standardized APIs provided by the VNF developers to configure resources -and manage their runtime lifecycle. - -NETCONF Standards and Capabilities ----------------------------------- - -OpenECOMP Controllers and their Adapters utilize device YANG model and -NETCONF APIs to make the required changes in the VNF state and -configuration. The VNF providers must provide the Device YANG model and -NETCONF server supporting NETCONF APIs to comply with target OpenECOMP -and industry standards. - -**Table 2. 
VNF Configuration** - -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| **Principle** | **Description** | **Type** | **ID #** | -+=================+=======================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+============+============+ -| 3.1.1 | Virtual Network functions (VNFs) must include a NETCONF server enabling runtime configuration and lifecycle management capabilities. The NETCONF server embedded in VNFs shall provide a NETCONF interface fully defined by supplied YANG models. 
| Must | 11010 | -| | | | | -| Configuration | | | | -| | | | | -| Management | | | | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| 3.1.2 | NETCONF server connection parameters shall be configurable during virtual machine instantiation through Heat templates where SSH keys, usernames, passwords, SSH service and SSH port numbers are Heat template parameters. | Must | 11020 | -| | | | | -| NETCONF | | | | -| | | | | -| Server | | | | -| | | | | -| Requirements | | | | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | Following protocol operations must be implemented: | Must | 11030 | -| | | | | -| | **close-session()**- Gracefully close the current session. | | | -| | | | | -| | **commit(confirmed, confirm-timeout)** - Commit candidate configuration datastore to the running configuration. | | | -| | | | | -| | **copy-config(target, source) -** Copy the content of the configuration datastore source to the configuration datastore target. 
| | | -| | | | | -| | **delete-config(target) -** Delete the named configuration datastore target. | | | -| | | | | -| | **discard-changes()** - Revert the candidate configuration datastore to the running configuration | | | -| | | | | -| | **edit-config(target, default-operation, test-option, error-option, config)** - Edit the target configuration datastore by merging, replacing, creating, or deleting new config elements. | | | -| | | | | -| | **get(filter)** - Retrieve (a filtered subset of a) the running configuration and device state information. This should include the list of VNF supported schemas. | | | -| | | | | -| | **get-config(source, filter)** - Retrieve a (filtered subset of a) configuration from the configuration datastore source. | | | -| | | | | -| | **kill-session(session)** - Force the termination of **session**. | | | -| | | | | -| | **lock(target)** - Lock the configuration datastore target. | | | -| | | | | -| | **unlock(target)** - Unlock the configuration datastore target. | | | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | Following protocol operations should be implemented: | Should | 11040 | -| | | | | -| | **copy-config(target, source) -** Copy the content of the configuration datastore source to the configuration datastore target. | | | -| | | | | -| | **delete-config(target) -** Delete the named configuration datastore target. | | | -| | | | | -| | **get-schema(identifier, version, format) -** Retrieve the Yang schema. 
| | | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | All configuration data shall be editable through a NETCONF <*edit-config*> operation. Proprietary NETCONF RPCs that make configuration changes are not sufficient. | Must | 11050 | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | By default, the entire configuration of the VNF must be retrievable via NETCONF's and , independently of whether it was configured via NETCONF or other mechanisms. 
| Must | 11060 | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The **:partial-lock** and **:partial-unlock** capabilities, defined in RFC 5717 must be supported. This allows multiple independent clients to each write to a different part of the configuration at the same time. | Must | 11070 | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The **:rollback-on-error** value for the parameter to the operation must be supported. If any error occurs during the requested edit operation, then the target database (usually the running configuration) will be left affected. This provides an 'all-or-nothing' edit mode for a single request. 
| Must | 11080 | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The server must support the **:startup** capability. It will allow the running configuration to be copied to this special database. It can also be locked, and unlocked. | Must | 11090 | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The **:url** value must be supported to specify protocol operation source and target parameters. The capability URI for this feature will indicate which schemes (e.g., file, https, sftp) that the server supports within a particular URL value. The 'file' scheme allows for editable local configuration databases. The other schemes allow for remote storage of configuration databases. 
| Must | 11100 | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | At least one of the capabilities **:candidate** or **:writable-running** must be implemented. If both **:candidate** and **:writable-running** are provided then two locks should be supported. | Must | 11110 | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The server must fully support the XPath 1.0 specification for filtered retrieval of configuration and other database contents. The 'type' attribute within the parameter for and operations may be set to 'xpath'. The 'select' attribute (which contains the XPath expression) will also be supported by the server. A server may support partial XPath retrieval filtering, but it cannot advertise the **:xpath** capability unless the entire XPath 1.0 specification is supported. 
| Must | 11120 | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The **:validate** capability must be implemented. | Must | 11130 | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | If **:candidate** is supported, **:confirmed-commit** must be implemented. | Must | 11140 | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The **:with-defaults** capability [RFC6243] shall be implemented. 
| Must | 11150 | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | Data model discovery and download as defined in [RFC6022] shall be implemented. | Must | 11160 | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | NETCONF Event Notifications [RFC5277] should be implemented. | Should | 11170 | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | All data models shall be defined in YANG [RFC6020], and the mapping to NETCONF shall follow the rules defined in this RFC. 
| Must | 11180 | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The data model upgrade rules defined in [RFC6020] section 10 should be followed. All deviations from section 10 rules shall be handled by a built-in automatic upgrade mechanism. | Must | 11190 | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The VNF must support parallel and simultaneous configuration of separate objects within itself. 
| Must | 11200 | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | Locking is required if a common object is being manipulated by two simultaneous NETCONF configuration operations on the same VNF within the context of the same writable running data store (e.g., if an interface parameter is being configured then it should be locked out for configuration by a simultaneous configuration operation on that same interface parameter). | Must | 11210 | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | Locking must be applied based on the sequence of NETCONF operations, with the first configuration operation locking out all others until completed. 
| Must | 11220 | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | If a VNF needs to lock an object for configuration, the lock must be permitted at the finest granularity to avoid blocking simultaneous configuration operations on unrelated objects (e.g., BGP configuration should not be locked out if an interface is being configured, Entire Interface configuration should not be locked out if a non-overlapping parameter on the interface is being configured). The granularity of the lock must be able to be specified via a restricted or full XPath expression. 
| Must | 11230 | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | All simultaneous configuration operations should guarantee the VNF configuration integrity (for example: if a change is attempted to the BUM filter rate from multiple interfaces on the same EVC, then they need to be sequenced in the VNF without locking either configuration method out) | Must | 11240 | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | To prevent permanent lock-outs, locks must be released: | Must | 11250 | -| | | | | -| | a. when/if a session applying the lock is terminated (e.g., SSH session is terminated) | | | -| | | | | -| | b. the corresponding operation succeeds | | | -| | | | | -| | c. 
a user configured timer has expired forcing the NETCONF SSH Session termination (i.e., product must expose a configuration knob for a user setting of a lock expiration timer) | | | -| | | | | -| | Additionally, to guard against hung NETCONF sessions, another NETCONF session should be able to initiate the release of the lock by killing the session owning the lock, using the operation. | | | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The VNF should support simultaneous operations within the context of this locking requirements framework. | Must | 11260 | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The supplied YANG code and associated NETCONF servers shall support all operations, administration and management (OAM) functions available from the supplier for VNFs. 
| Must | 11270 | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | Sub tree filtering must be supported. | Must | 11280 | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | Heartbeat via a with null filter shall be supported. | Must | 11290 | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | Get-schema (ietf-netconf-monitoring) must be supported to pull YANG model over session. 
| Must | 11300 | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The supplied YANG code shall be validated using the open source pyang [2]_ program using the following commands: | Must | 11310 | -| | | | | -| | $ pyang --verbose --strict | | | -| | | | | -| | $ echo $! | | | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The echo command must return a zero value otherwise the validation has failed. 
| Must | 11320 | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The supplier shall demonstrate mounting the NETCONF server on OpenDaylight (client) and: | Must | 11330 | -| | | | | -| | - Modify, update, change, rollback configurations using each configuration data element. | | | -| | | | | -| | - Query each state (non-configuration) data element. | | | -| | | | | -| | - Execute each YANG RPC. | | | -| | | | | -| | - Receive data through each notification statement. | | | -+-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ - -The following table provides the Yang models that suppliers must -conform, and those where applicable, that suppliers need to use. - -Table 3. 
YANG Models - -+------------+------------------------------------------------------------------------------------+------------+------------+ -| **RFC** | **Description** | **Type** | **ID #** | -+============+====================================================================================+============+============+ -| RFC 6020 | YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF) | Must | 12010 | -+------------+------------------------------------------------------------------------------------+------------+------------+ -| RFC 6022 | YANG module for NETCONF monitoring | Must | 12020 | -+------------+------------------------------------------------------------------------------------+------------+------------+ -| RFC 6470 | NETCONF Base Notifications | Must | 12030 | -+------------+------------------------------------------------------------------------------------+------------+------------+ -| RFC 6244 | An Architecture for Network Management Using NETCONF and YANG | Must | 12040 | -+------------+------------------------------------------------------------------------------------+------------+------------+ -| RFC 6087 | Guidelines for Authors and Reviewers of YANG Data Model Documents | Must | 12050 | -+------------+------------------------------------------------------------------------------------+------------+------------+ -| RFC 6991 | Common YANG Data Types | Should | 12060 | -+------------+------------------------------------------------------------------------------------+------------+------------+ -| RFC 6536 | NETCONF Access Control Model | Should | 12070 | -+------------+------------------------------------------------------------------------------------+------------+------------+ -| RFC 7223 | A YANG Data Model for Interface Management | Should | 12080 | -+------------+------------------------------------------------------------------------------------+------------+------------+ -| RFC 7224 | IANA Interface Type YANG 
Module | Should | 12090 | -+------------+------------------------------------------------------------------------------------+------------+------------+ -| RFC 7277 | A YANG Data Model for IP Management | Should | 12100 | -+------------+------------------------------------------------------------------------------------+------------+------------+ -| RFC 7317 | A YANG Data Model for System Management | Should | 12110 | -+------------+------------------------------------------------------------------------------------+------------+------------+ -| RFC 7407 | A YANG Data Model for SNMP Configuration | Should | 12120 | -+------------+------------------------------------------------------------------------------------+------------+------------+ - -The NETCONF server interface shall fully conform to the following -NETCONF RFCs. - -Table 4. NETCONF RFCs - -+------------+--------------------------------------------------------------------+------------+------------+ -| **RFC** | **Description** | **Type** | **ID #** | -+============+====================================================================+============+============+ -| RFC 4741 | NETCONF Configuration Protocol | Must | 12130 | -+------------+--------------------------------------------------------------------+------------+------------+ -| RFC 4742 | Using the NETCONF Configuration Protocol over Secure Shell (SSH) | Must | 12140 | -+------------+--------------------------------------------------------------------+------------+------------+ -| RFC 5277 | NETCONF Event Notification | Must | 12150 | -+------------+--------------------------------------------------------------------+------------+------------+ -| RFC 5717 | Partial Lock Remote Procedure Call | Must | 12160 | -+------------+--------------------------------------------------------------------+------------+------------+ -| RFC 6241 | NETCONF Configuration Protocol | Must | 12170 | 
-+------------+--------------------------------------------------------------------+------------+------------+ -| RFC 6242 | Using the Network Configuration Protocol over Secure Shell | Must | 12180 | -+------------+--------------------------------------------------------------------+------------+------------+ - -VNF REST APIs --------------- - -Healthcheck is a command for which no NETCONF support exists. Therefore, -this must be supported using a RESTful interface which we have defined. - -The VNF must provide two REST formatted RPCs to support Healthcheck -queries via the GET method over HTTP(s). - -**Table 5. VNF REST APIs** - -+-----------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| **Principal** | **Description** | **Type** | **ID #** | -+=================+================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+============+============+ -| 3.2.1 | **GET /check** - The **/check** RPC, executes a vendor-defined VNF Healthcheck over the scope of the entire VNF (e.g if there are multiple VMs, then run a health check, as appropriate, for all VMs). 
/check returns a 200 OK if the test passes and a 50x response if the test fails. The precise failure code may depend upon type of failure (process error, overload etc.). A JSON object is returned indicating state, scope identifier, time-stamp and info field as well as an optional fault field. | Must | 12190 | -| | | | | -| REST APIs | For example: | | | -| | | | | -| | 503 Threshold Exceeded | | | -| | | | | -| | { | | | -| | | | | -| | "identifier": "scope represented", | | | -| | | | | -| | "info": "System threshold exceeded details", | | | -| | | | | -| | "fault": | | | -| | | | | -| | { | | | -| | | | | -| | "cpuOverall": 0.80, | | | -| | | | | -| | "cpuThreshold": 0.45 | | | -| | | | | -| | }, | | | -| | | | | -| | "time": "01-01-1000:0000" | | | -| | | | | -| | } | | | -+-----------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | **GET /status** - The **/status** RPC returns a 200 OK code and state of the VNF (resources utilized) in the form of a nested JSON response (multiple resources for each VM within the VNF). 
| Must | 12200 | -| | | | | -| | For example: | | | -| | | | | -| | { | | | -| | | | | -| | "identifier": "scope represented", | | | -| | | | | -| | "stats": | | | -| | | | | -| | { | | | -| | | | | -| | "vm\_123": | | | -| | | | | -| | { | | | -| | | | | -| | "cpuOverall": 0.32 | | | -| | | | | -| | "usedMemory": 1000 | | | -| | | | | -| | "totalMemory": 2000 | | | -| | | | | -| | } | | | -| | | | | -| | }, | | | -| | | | | -| | "time": "01-01-1000:0000" | | | -| | | | | -| | } | | | -+-----------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ - -OpenECOMP Controller APIs and Behavior --------------------------------------- - -OpenECOMP Controllers support the following operations which act -directly upon the VNF. Most of these utilize the NETCONF interface. -There are additional commands in use but these either act internally on -Controller itself or depend upon network cloud components for -implementation. Those actions do not put any special requirement on the -VNF provider. - -The following table summarizes how the VNF must act in response to -commands from OpenECOMP. - -Table 6. 
OpenECOMP Controller APIs - -+---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------+ -| **Action** | **Description** | **VNF Action** | **NETCONF COMMANDs** | 
-+===============+=================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+========================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+==============================+ -| Action | Queries OpenECOMP Controller for the current state of a previously submitted runtime LCM (Lifecycle Management) action. | Checks if VNF is busy. Current operation depends on a completion code from any previous operation. In the future a positive acknowledgement of busy status may be useful to handle ambiguous conditions. However, at this time none is being used. 
| | -| | | | | -| Status | | | | -+---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------+ -| Audit | Compare active configuration against a configuration stored in OpenECOMP’s configuration store. | Retrieve running configuration and device state information. Get-config updates the config tree which can then be compared to the stored current config in the OpenECOMP database. 
| get-config | -+---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------+ -| Check | Returns true when the given VNF has been locked. | VnfLock may have been used to lock the VNF. There is currently no way to query lock state in NETCONF so locked state is managed internally by OpenECOMP. 
| | -| | | | | -| Lock | | | | -+---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------+ -| Configure | Configures the target VNF or VNFC. | The operation loads all or part of a specified configuration data set to the specified target VNF. 
| edit-config, commit | -+---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------+ -| Health | Executes a VNF health check and returns the result. A health check is VNF-specific. | The OpenECOMP health check interface is defined over REST and requires the target VNF to expose a standardized HTTP(S) interface for that purpose. Return the health status of the VNF by performing (via any vendor-specific means) internal checks of needed resources, process states, etc. The specific errors returned can be used to indicate the source of the problem. OpenECOMP will generate error events for all reported health problems. 
| **REST API** | -| | | | | -| Check | | | GET /check | -| | | | | -| | | | GET /status | -+---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------+ -| Live | Upgrades the target VNF to a new version without interrupting VNF operation. 
| Supported today on some VNFs via CLI only (the CLI use is an interim solution) | load, restart | -| | | | | -| Upgrade | | | | -+---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------+ -| | This is an internal Controller operation used to create config-tree and operations tree in the controller. | OpenECOMP must retrieve a schema definition from the VNF. The NETCONF server returns the requested schema. During session establishment OpenECOMP issues a NETCONF command which will retrieve all running configuration parameters, all running operational parameters and a list of NETCONF schemas. OpenECOMP retrieves the schemas to create a Yang model describing the parameters used by the VNF and legal values for each parameter (patterns or ranges). The schemas tell OpenECOMP what parameters can be set and what constitute legal values for those parameters. 
| get, get-schema | -+---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------+ -| Config | The ConfigModify LCM action affects only a subset of the total configuration data of a VNF. It can be used to change specific parameters across a number of separate instances for the same VnfcType without changing instance specific values of each. It can also be used to make successive changes to a number of parameters where those changes are considered cumulative. Thus each ConfigModify invocation leaves previous values untouched and only edits the parameters which are sent to OpenECOMP. | The operation loads only a part of the full set of configuration parameters to the specified target configuration without changing any existing parameters. 
| edit-config, commit | -| | | | | -| Modify | | | | -+---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------+ -| Config | Saves a VNF’s running configuration into the configuration store in OpenECOMP, for later retrieval. | (optional) If copy-config to a local file is supported by the VNFC this command is used to store the running config locally in order to save time on any subsequent Reconfigure. To support this action, the VNF must allow to save to a local file and must support subsequent retrieval of the copied configuration back to the running configuration. If this capability is not supported, OpenECOMP will still function, but updates will take longer. 
| copy-config, delete-config | -| | | | | -| Save | | | | -+---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------+ -| Reconfigure | Reconfigure a VNF to some previously stored baseline configuration stored by a previous ConfigSetBaseline. | If a previous config has been saved locally, and designated as the baseline configuration, use quick restore ( from file). If the restore fails, fallback to a process of changing the configuration value by value using and referencing the SQL values stored by APP-C. 
| edit-config or copy-config | -+---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------+ -| Config | Reconfigure a VNF to some previously stored baseline configuration stored by a previous ConfigSetBaseline. | If a previous config has been saved locally use quick restore ( from file). If the restore fails, fallback to a process of changing the configuration value by value using . 
| edit-config or copy-config | -| | | | | -| Restore | | | | -+---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------+ -| Sync | Updates the current configuration of a VNF in OpenECOMP’s SQL configuration storage repository by uploading the running config. Useful if the current and running configurations do not match as determined by a previous Audit call. 
| Retrieve running config from VNF | get, get-config | -+---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------+ -| VNFLock | Lock or Unlock a VNF to ensure exclusive access during a series of critical steps. | The lock operation allows the client to lock the configuration system of a device. 
| lock, unlock | -+---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------+ - -Monitoring & Management -======================= - -This section addresses data collection and event processing -functionality that is directly dependent on the interfaces provided by -the VNFs’ APIs. These can be in the form of Asynchronous interfaces for -event, fault notifications, and autonomous data streams. They can also -be Synchronous interfaces for on-demand requests to retrieve various -performance, usage, and other event information. - -The target direction for VNF interfaces is to employ APIs that are -implemented utilizing standardized messaging and modeling protocols over -standardized transports. 
Migrating to a virtualized environment presents -a tremendous opportunity to eliminate the need for proprietary -interfaces for vendor equipment while removing the traditional -boundaries between Network Management Systems and Element Management -Systems. Additionally, VNFs provide the ability to instrument the -networking applications by creating event records to test and monitor -end-to-end data flow through the network, similar to what physical or -virtual probes provide without the need to insert probes at various -points in the network. The VNF vendors must be able to provide the -aforementioned set of required data directly to the OpenECOMP collection -layer using standardized interfaces. - -Transports and Protocols Supporting Resource Interfaces -------------------------------------------------------- - -Delivery of data from VNFs to OpenECOMP must use the same common -transport mechanisms and protocols for all VNFs. Transport mechanisms -and protocols have been selected to enable both high volume and moderate -volume datasets, as well as asynchronous and synchronous communications -over secure connections. The specified encoding provides -self-documenting content, so data fields can be changed as needs evolve, -while minimizing changes to data delivery. - -The term ‘Event Record’ is used throughout this document to represent -various forms instrumentation/telemetry made available by the VNF -including, faults, status events and various other types of VNF -measurements and logs. Headers received by themselves must be used as -heartbeat indicators. The common structure and delivery protocols for -other types of data will be given in future versions of this document as -we get more insight into data volumes and required processing. - -In the following guidelines we provide options for encoding, -serialization and data delivery. 
Agreements between Service Providers -and VNF vendors shall determine which encoding, serialization and -delivery method to use for particular data sets. The selected methods -must be agreed to prior to the on-boarding of the VNF into OpenECOMP -design studio. - -Table 7. Monitoring & Management - -+----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| **Principle** | **Description** | **Type** | **ID #** | -+==============================================+=====================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+============+============+ -| 
4.1.1 | Content delivered from VNFs to OpenECOMP is to be encoded and serialized using JSON (option 1). High-volume data is to be encoded and serialized using Avro, where Avro data format are described using JSON (option 2) [3]_. | Must | 13010 | -| | | | | -| Encoding and Serialization | - JSON plain text format is preferred for moderate volume data sets (option 1), as JSON has the advantage of having well-understood simple processing and being human-readable without additional decoding. Examples of moderate volume data sets include the fault alarms and performance alerts, heartbeat messages, measurements used for VNF scaling and syslogs. | | | -| | | | | -| | - Binary format using Avro is preferred for high volume data sets (option 2) such as mobility flow measurements and other high-volume streaming events (such as mobility signaling events or SIP signaling) or bulk data, as this will significantly reduce the volume of data to be transmitted. As of the date of this document, all events are reported using plain text JSON and REST. | | | -| | | | | -| | - Avro content is self-documented, using a JSON schema. The JSON schema is delivered along with the data content (http://avro.apache.org/docs/current/ ). This means the presence and position of data fields can be recognized automatically, as well as the data format, definition and other attributes. Avro content can be serialized as JSON tagged text or as binary. In binary format, the JSON schema is included as a separate data block, so the content is not tagged, further compressing the volume. For streaming data, Avro will read the schema when the stream is established and apply the schema to the received content. | | | -| | | | | -| | - In the future, we may consider support for other types of encoding & serialization (e.g., gRPC) based on industry demand. 
| | | -+----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| 4.1.2 | The frequency that asynchronous data is delivered will vary based on the content and how data may be aggregated or grouped together. For example, alarms and alerts are expected to be delivered as soon as they appear. In contrast, other content, such as performance measurements, KPIs or reported network signaling may have various ways of packaging and delivering content. Some content should be streamed immediately; or content may be monitored over a time interval, then packaged as collection of records and delivered as block; or data may be collected until a package of a certain size has been collected; or content may be summarized statistically over a time interval, or computed as a KPI, with the summary or KPI being delivered. | Must | 13020 | -| | | | | -| Reporting Frequency | - We expect the reporting frequency to be configurable depending on the virtual network function’s needs for management. For example, Service Provider may choose to vary the frequency of collection between normal and trouble-shooting scenarios. 
| | | -| | | | | -| | - Decisions about the frequency of data reporting will affect the size of delivered data sets, recommended delivery method, and how the data will be interpreted by OpenECOMP. However, this should not affect deserialization and decoding of the data, which will be guided by the accompanying JSON schema. | | | -+----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| 4.1.3 | OpenECOMP destinations can be addressed by URLs for RESTful data PUT. Future data sets may also be addressed by host name and port number for TCP streaming, or by host name and landing zone directory for SFTP transfer of bulk files. | Must | 13030 | -| | | | | -| Addressing and Delivery Protocol | - REST using HTTPS delivery of plain text JSON is preferred for moderate sized asynchronous data sets, and for high volume data sets when feasible.  | | | -| | | | | -| | - VNFs must have the capability of maintaining a primary and backup DNS name (URL) for connecting to OpenECOMP collectors, with the ability to switch between addresses based on conditions defined by policy such as time-outs, and buffering to store messages until they can be delivered. 
At its discretion, the service provider may choose to populate only one collector address for a VNF. In this case, the network will promptly resolve connectivity problems caused by a collector or network failure transparently to the VNF. | | | -| | | | | -| | - VNFs will be configured with initial address(es) to use at deployment time. After that the address(es) may be changed through OpenECOMP-defined policies delivered from OpenECOMP to the VNF using PUTs to a RESTful API, in the same way that other controls over data reporting will be controlled by policy. | | | -| | | | | -| | - Other options are expected to include: | | | -| | | | | -| | - REST delivery of binary encoded data sets. | | | -| | | | | -| | - TCP for high volume streaming asynchronous data sets and for other high volume data sets. TCP delivery can be used for either JSON or binary encoded data sets. | | | -| | | | | -| | - SFTP for asynchronous bulk files, such as bulk files that contain large volumes of data collected over a long time interval or data collected across many VNFs. This is not preferred. Preferred is to reorganize the data into more frequent or more focused data sets, and deliver these by REST or TCP as appropriate. | | | -| | | | | -| | - REST for synchronous data, using RESTCONF (e.g., for VNF state polling). | | | -| | | | | -| | - The OpenECOMP addresses as data destinations for each VNF must be provided by OpenECOMP Policy, and may be changed by Policy while the VNF is in operation. We expect the VNF to be capable of redirecting traffic to changed destinations with no loss of data, for example from one REST URL to another, or from one TCP host and port to another. 
| | | -+----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| 4.1.4 | VNFs are to deliver asynchronous data as data becomes available, or according to the configured frequency. The delivered data must be encoded using JSON or Avro, addressed and delivered as described in the previous paragraphs. 
| Must | 13040 | -| | | | | -| Asynchronous and Synchronous Data Delivery | | | | -+----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | VNFs are to respond to data requests from OpenECOMP as soon as those requests are received, as a synchronous response. | Must | 13050 | -+----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | Synchronous communication must leverage the RESTCONF/NETCONF framework used by the OpenECOMP configuration subsystem. 
This shall include using YANG configuration models and RESTCONF (https://tools.ietf.org/html/draft-ietf-netconf-restconf-09#page-46). | Must | 13060 | -+----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | The VNF must respond with content encoded in JSON, as described in the RESTCONF specification. This way the encoding of a synchronous communication will be consistent with Avro. 
| Must | 13070 | -+----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | OpenECOMP may request the VNF to deliver the current data for any of the record types defined in Section 4.2 below. The VNF must respond by returning the requested record, populated with the current field values. (Currently the defined record types include fault fields, mobile flow fields, measurements for VNF scaling fields, and syslog fields. Other record types will be added in the future as they become standardized and are available). 
| Must | 13080 | -+----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | OpenECOMP may request the VNF to deliver granular data on device or subsystem status or performance, referencing the YANG configuration model for the VNF. The VNF must respond by returning the requested data elements. 
| Must | 13090 | -+----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | YANG models can be translated to and from JSON (https://trac.tools.ietf.org/id/draft-lhotka-netmod-yang-json-00.html), meaning YANG configuration and content can be represented via JSON, consistent with Avro, as described in “Encoding and Serialization” section. 
| Must | 13100 | -+----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| 4.1.5 | VNFs must support secure connections and transports. | Must | 13110 | -| | | | | -| Security | | | | -+----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | Access to OpenECOMP and to VNFs, and creation of connections, must be controlled through secure credentials, log-on and exchange mechanisms. 
| Must | 13120 | -+----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | Data in motion must be carried only over secure connections. | Must | 13130 | -+----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ -| | Service Providers require that any content containing Sensitive Personal Information (SPI) or certain proprietary data must be encrypted, in addition to applying the regular procedures for securing access and delivery. 
| Must | 13140 | -+----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ - -Data Model for Event Records ------------------------------ - -This section describes the data model for the collection of telemetry -data from VNFs by Service Providers (SPs) to manage VNF health and -runtime lifecycle. This data model is referred to as the VNF Event -Streaming (VES) specifications. OPNFV has a VES project [4]_ that -provides a holistic solution for OpenStack’s internal telemetry to -manage Application (VNFs), Physical and virtual infrastructure (compute, -storage, network devices), and virtual infrastructure managers (cloud -controllers, SDN controllers). Note that any configurable parameters for -these data records (e.g., frequency, granularity, policy-based -configuration) will be managed using the “Configuration” framework -described in the prior sections. - -The Data Model consists of: - -- Common Header Record: This precedes each of the domain-specific - records. - -- Domain Specific Event Records. This version of the document specifies - the model for Fault, Performance, Syslog, State Change, and Mobile - Flow records. 
In the future, these will be extended to support other - types of records (e.g., Signaling or control plane messages, - probe-less monitoring records, Status Records, Security records, - etc.). Each of these records allows additional fields (name value - pairs) for extensibility. The VNF vendors can use these VNF-specific - additional fields to provide additional information that may be - relevant to the managing systems. - -Figure 1. Data Model for Event Records - -Event Records - Data Structure Description ------------------------------------------- - -The data structure for event records consists of a Header Block and zero -(heartbeat would only have header) or more event domain blocks (e.g., -Common Fault Event domain, Common Performance Event domain, Common -Syslog Event domain, Specialized Mobile Flow Event Domain, etc.). The -tables in Appendix A present the details for the Common Header and other -specific record types. - -Common Event Header -~~~~~~~~~~~~~~~~~~~ - -The common header that precedes any of the domain-specific records -contains information identifying the type of record to follow, -information about the sender and other identifying characteristics -related to timestamp, sequence number, etc. The table A.1 in Appendix A -describes the structure for the common header. - -Event Data Structure – Fault Fields -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The Fault Record, describing a condition in the Fault domain, contains -information about the fault such as the entity under fault, the -severity, resulting status, etc. The table A.2 in Appendix A describes -the structure for the fault record. - -Event Data Structure – Measurements for VNF Scaling Fields -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The VNF Scaling Record contains information about VNF resource structure -and its condition to help in the management of the resources for -purposes of elastic scaling. 
The table A.3 in Appendix A describes the -structure for the VNF Scaling record. - -Event Data Structure – Syslog Fields -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The Syslog Record provides a structure for communicating any type of -information that may be logged by the VNF. It can contain information -about system internal events, status, errors, etc. The table A.4 in -Appendix A describes the structure for the Syslog record. - -Event Data Structure – State Change Fields -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The State change domain provides a structure for communicating -information about data flow through the VNF. It can contain information -about state change related to Physical device that is reported by VNF. -As an example when cards or port name of the entity that has changed -state. The table A.5 in Appendix A describes the structure of the State -Change record. - -Event Data Structure – Mobile Flow Fields -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The Mobile Flow Record provides a structure for communicating -information about data flow through the VNF. It can contain information -about connectivity and data flows between serving elements for mobile -service, such as between LTE reference points, etc. The table A.6 in -Appendix A describes the structure for the Mobile Flow record. 
- -Appendix A – Data Record Format -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The following provides additional information on the event record -formats for the following data structures (for complete information, -please refer to AT&T Service Specification; Service: VES Event Listener, -revision 4.0, dated Jan 5\ :sup:`th`, 2017): - -- Common Event Header - -- Fault Fields - -- Measurements for VF Scaling Fields - -- Syslog Fields - -- State Change Fields - -- Mobile Flow Fields - -A.1 EVENT RECORDS – Common Event Header -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -+-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Field | Type | Required? | Description | -+=========================+===========+=============+================================================================================================================================================================================================================================================================================+ -| version | number | No | Version of the event header (currently: 2.0) | -+-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| eventType | string | No | Unique event topic name | 
-+-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| domain | string | Yes | Event domain enumeration: ‘fault’, ‘heartbeat’, ‘measurementsForVfScaling’, ‘mobileFlow’, ‘other’, ‘stateChange’, ‘syslog’, ‘thresholdCrossingAlert’ | -+-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| eventId | string | Yes | Event key that is unique to the event source | -+-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| sourceId | string | No | UUID identifying the entity experiencing the event issue (note: the AT&T internal enrichment process shall ensure that this field is populated) | -+-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| sourceName | string | Yes | Name of the entity experiencing the event issue | 
-+-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| functionalRole | string | Yes | Function of the event source e.g., eNodeB, MME, PCRF | -+-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| reportingEntityId | string | No | UUID identifying the entity reporting the event, for example an OAM VM (note: the AT&T internal enrichment process shall ensure that this field is populated) | -+-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| reportingEntityName | string | Yes | Name of the entity reporting the event, for example, an OAM VM | -+-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| priority | string | Yes | Processing priority enumeration: ‘High’, ‘Medium’, ‘Normal’, ‘Low’ | 
-+-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| startEpochMicrosec | number | Yes | the earliest unix time aka epoch time associated with the event from any component--as microseconds elapsed since 1 Jan 1970 not including leap seconds | -+-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| lastEpochMicrosec | number | Yes | the latest unix time aka epoch time associated with the event from any component--as microseconds elapsed since 1 Jan 1970 not including leap seconds | -+-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| sequence | integer | Yes | Ordering of events communicated by an event source instance (or 0 if not needed) | -+-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| internalHeader Fields | object | No | Fields (not supplied by event sources) that the VES Event Listener service can use to enrich the event if needed for efficient internal processing. 
This is an empty object which is intended to be defined separately by each provider implementing the VES Event Listener. | -+-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - -A.2 EVENT RECORDS – Fault Fields -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -+-------------------------------+--------------------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Field | Type | Required? | Description | -+===============================+================================+=============+=================================================================================================================================================================================================================================================================================================================================================+ -| faultFieldsVersion | number | No | Version of the faultFields block (currently: 1.1) | -+-------------------------------+--------------------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| eventSeverity | string | Yes | Event severity or priority enumeration: 
‘CRITICAL’, ‘MAJOR’, ‘MINOR’, ‘WARNING’, ‘NORMAL’ | -+-------------------------------+--------------------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| eventSourceType | string | Yes | Examples: ‘other’, ‘router’, ‘switch’, ‘host’, ‘card’, ‘port’, ‘slotThreshold’, ‘portThreshold’, ‘virtualMachine’, ‘virtualNetworkFunction’ | -+-------------------------------+--------------------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| alarmCondition | string | Yes | Alarm condition reported by the device | -+-------------------------------+--------------------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| specificProblem | string | Yes | Short description of the alarm or problem | 
-+-------------------------------+--------------------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| vfStatus | string | Yes | Virtual function status enumeration: ‘Active’, ‘Idle’, ‘Preparing to terminate’, ‘Ready to terminate’, ‘Requesting Termination’ | -+-------------------------------+--------------------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| alarmtInterfaceA | string | No | Card, port, channel or interface name of the device generating the alarm | -+-------------------------------+--------------------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| alarmAdditional Information | Name-value pair object array | No | Expressed as an array of name-value pairs which can be used to describe additional Information related to Alarm, such as Repair Action, Remedy code….May by serialized alarm payload: varbind list, original syslog message, notification parameters, etc. when event is generated via other means, should provide raw detail out of element. 
| -+-------------------------------+--------------------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - -A.3 EVENT RECORDS – Measurements for VF Scaling Fields -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -+-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Field | Type | Required? | Description | -+=========================================+================+=============+==============================================================================================================================================================================================================================================================================================+ -| measurementsForVfScalingFieldsVersion | number | No | Version of the measurementsForVfScalingFields block (currently: 1.1) | -+-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| additionalMeasurements | object array | No | Expressed as an array of measurementGroup objects, each of which contains a measurement group along with an array of name-value pair fields. 
Can be used to provide additional measurement fields | -+-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| aggregateCpuUsage | number | No | Aggregate CPU usage of the VM on which the VNFC reporting the event is running | -+-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| codecUsageArray | Array | No | Expressed as an array of codecsInUse objects, each of which contains a string identifying the codec, along with a number indicating the number of such codecs in use. 
| -+-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| concurrentSessions | number | No | Peak concurrent sessions for the VM or VNF (depending on the context) over the measurementInterval | -+-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| configuredEntities | number | No | Depending on the context over the measurementInterval: peak total number of users, subscribers, devices, adjacencies, etc., for the VM, or peak total number of subscribers, devices, etc., for the VNF | -+-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| cpuUsageArray | object array | No | Expressed as an array of cpuUsage objects, each of which contains a string identifying the cpu, along with a number indicating the cpu usage percentage. 
| -+-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| errors | object | No | Provides receive and transmit errors and discards | -+-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| featureUsageArray | object array | No | Expressed as an array of featuresInUse objects, each of which contains a string identifying the feature, along with a number indicating the number of times the feature was used. | -+-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| filesystemUsageArray | object array | No | Expressed as an array of filesystemUsage objects, each of which contains a string identifying the filesystem, along with numbers indicating the configured and used block and ephemeral capacity in GB, along with the input-output operations per second for block and ephemeral storage. 
| -+-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| latencyDistribution | object array | No | Expressed as an array of latencyBucketMeasure objects, defined by two numbers indicating the low end and high end of the latency bucket (in ms), plus a number indicating the number of counts in that bucket. | -+-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| meanRequestLatency | number | No | Mean seconds required to respond to each request for the VM on which the VNFC reporting the event is running | -+-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| measurementInterval | number | Yes | Interval over which measurements are being reported in seconds | -+-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| memoryConfigured | number | No | 
Memory in MB configured in the VM on which the VNFC reporting the event is running | -+-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| memoryUsed | number | No | Memory usage in MB of the VM on which the VNFC reporting the event is running | -+-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| numberOfMediaPortsInUse | Number | No | Number of media ports in use | -+-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| requestRate | number | No | Peak rate of service requests per second to the VNF over the measurementInterval | -+-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| vnfcScalingMetric | number | No | Represents busy-ness of the VNF from 0 to 100 as reported by the VNFC | 
-+-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| vNicUsageArray | object array | No | Expressed as an array of vNicUsage objects, each of which contains a string identifying the vNic, along with numbers indicating the unicast, multicast, broadcast and total number of packets received and sent, plus the total number of bytes in and out of the vNic (in MB). | -+-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ - -A.4 EVENT RECORDS – Syslog Fields ---------------------------------- - -+-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ -| Field | Type | Required? 
| Description | -+=======================+================================+=============+===============================================================================================================================================+ -| syslogFieldsVersion | number | No | Version of the syslogFields block (currently: 2.0) | -+-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ -| additionalFields | Name-value pair object array | No | Expressed as an array of name-value pairs which can be used to describe additional syslog fields if needed | -+-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ -| eventSourceHost | string | No | Hostname of the device | -+-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ -| eventSourceType | string | Yes | Examples: ‘other’, ‘router’, ‘switch’, ‘host’, ‘card’, ‘port’, ‘slotThreshold’, ‘portThreshold’, ‘virtualMachine’, ‘virtualNetworkFunction’ | -+-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ -| syslogFacility | number | No | Numeric code from 0 to 23 for facility: | -| | | | | -| | | | 0 kernel messages | -| | | | | -| | | | 1 user-level messages | -| | | | | -| | | | 2 mail system | -| | | | | -| | | | 3 system daemons | -| | | | | -| | | | 4 security/authorization messages | -| | | | | -| | | | 5 messages generated internally by syslogd | -| | | | | -| | | | 6 line printer 
subsystem | -| | | | | -| | | | 7 network news subsystem | -| | | | | -| | | | 8 UUCP subsystem | -| | | | | -| | | | 9 clock daemon | -| | | | | -| | | | 10 security/authorization messages | -| | | | | -| | | | 11 FTP daemon | -| | | | | -| | | | 12 NTP subsystem | -| | | | | -| | | | 13 log audit | -| | | | | -| | | | 14 log alert | -| | | | | -| | | | 15 clock daemon (note 2) | -| | | | | -| | | | 16 local use 0 (local0) | -| | | | | -| | | | 17 local use 1 (local1) | -| | | | | -| | | | 18 local use 2 (local2) | -| | | | | -| | | | 19 local use 3 (local3) | -| | | | | -| | | | 20 local use 4 (local4) | -| | | | | -| | | | 21 local use 5 (local5) | -| | | | | -| | | | 22 local use 6 (local6) | -| | | | | -| | | | 23 local use 7 (local7 ) | -+-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ -| syslogMsg | string | Yes | Syslog message | -+-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ -| syslogPri | number | No | 0-192 | -| | | | | -| | | | Combined Severity and Facility | -+-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ -| syslogProc | string | No | Identifies the application that originated the message | -+-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ -| syslogProcId | number | No | A change in the value of this field indicates a discontinuity in syslog reporting | 
-+-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ -| syslogSData | string | No | Syslog structured data consisting of a structured data Id followed by a set of key value pairs (see below for an example) | -| | | | | -| | | | \*\*Note: SD-ID may not be present if syslogSdId is populated | -+-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ -| syslogSdId | string | No | 0-32 char in format name@number, | -| | | | | -| | | | ie ourSDID@32473 | -+-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ -| syslogSev | string | No | Numerical Code for Severity | -| | | | | -| | | | (derived from syslogPri: remaider of syslogPri / 8) | -| | | | | -| | | | 0 Emergency: system is unusable | -| | | | | -| | | | 1 Alert: action must be taken immediately | -| | | | | -| | | | 2 Critical: critical conditions | -| | | | | -| | | | 3 Error: error conditions | -| | | | | -| | | | 4 Warning: warning conditions | -| | | | | -| | | | 5 Notice: normal but significant condition | -| | | | | -| | | | 6 Informational: informational messages | -| | | | | -| | | | 7 Debug: debug-level messages | -+-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ -| syslogTag | string | Yes | MsgId indicating the type of message such as ‘TCPOUT’ or ‘TCPIN’; ‘NILVALUE’ should be used when no other value can be provided | 
-+-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ -| syslogVer | number | No | IANA assigned version of the syslog protocol specification (typically ‘1’) | -+-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ - -A.5 EVENT RECORDS – State Change Fields -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -+----------------------------+--------------------------------+-------------+--------------------------------------------------------------------------------------------------------------------+ -| Field | Type | Required? | Description | -+============================+================================+=============+====================================================================================================================+ -| stateChangeFieldsVersion | number | No | Version of the stateChangeFields block (currently: 1.1) | -+----------------------------+--------------------------------+-------------+--------------------------------------------------------------------------------------------------------------------+ -| additionalFields | Name-value pair object array | No | Expressed as an array of name-value pairs which can be used to describe additional state change fields if needed | -+----------------------------+--------------------------------+-------------+--------------------------------------------------------------------------------------------------------------------+ -| newState | string | Yes | New state of the entity: ‘inService’, ‘maintenance’, ‘outOfService’ | 
-+----------------------------+--------------------------------+-------------+--------------------------------------------------------------------------------------------------------------------+ -| oldState | string | Yes | Previous state of the entity: ‘inService’, ‘maintenance’, ‘outOfService’ | -+----------------------------+--------------------------------+-------------+--------------------------------------------------------------------------------------------------------------------+ -| stateInterface | string | Yes | Card or port name of the entity that changed state | -+----------------------------+--------------------------------+-------------+--------------------------------------------------------------------------------------------------------------------+ - -A.6 EVENT RECORDS – Mobile Flow Fields -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Field | Type | Required? 
| Description | -+===============================================+=====================+=============+===================================================================================================================================================================================================================+ -| mobileFlowFieldsVersion | number | No | Version of the mobileFlowFields block (currently: 1.2) | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| additionalFields | field | No | Additional mobileFlow fields if needed Similar to adddiotnalFileds in fault domain | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| applicationType | string | No | Application type inferred | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| appProtocolType | string | No | Application protocol | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| appProtocolVersion | string | No | Application version | 
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| cid | string | No | Cell Id | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| connectionType | string | No | Abbreviation referencing a 3GPP reference point e.g., S1-U, S11, etc | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| ecgi | string | No | Evolved Cell Global Id | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| flowDirection | string | Yes | Flow direction, indicating if the reporting node is the source of the flow or destination for the flow | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| gtpPerFlowMetrics | object | Yes | Mobility GTP Protocol per flow metrics (see below) | 
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| gtpProtocolType | string | No | GTP protocol | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| gtpVersion | string | No | GTP protocol version | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| httpHeader | string | No | HTTP request header, if the flow connects to a node referenced by HTTP | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Imei | string | No | IMEI for the subscriber UE used in this flow, if the flow connects to a mobile device | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Imsi | string | No | IMSI for the subscriber UE used in this flow, if the flow connects to a mobile device | 
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| ipProtocolType | string | Yes | IP protocol type e.g., TCP, UDP, RTP... | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| ipVersion | string | Yes | IP protocol version e.g., IPv4, IPv6 | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Lac | string | No | Location area code | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Mcc | string | No | Mobile country code | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Mnc | string | No | Mobile network code | 
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| msisdn | string | No | MSISDN for the subscriber UE used in this flow, as an integer, if the flow connects to a mobile device | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| otherEndpointIpAddress | string | Yes | IP address for the other endpoint, as used for the flow being reported on | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| otherEndpointPort | string | Yes | IP Port for the reporting entity, as used for the flow being reported on | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| otherFunctionalRole | string | No | Functional role of the other endpoint for the flow being reported on e.g., MME, S-GW, P-GW, PCRF... 
| -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Rac | string | No | Routing area code | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| radioAccessTechnology | string | No | Radio Access Technology e.g., 2G, 3G, LTE | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| reportingEndpointIpAddr | string | Yes | IP address for the reporting entity, as used for the flow being reported on | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| reportingEndpointPort | string | Yes | IP port for the reporting entity, as used for the flow being reported on | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Sac | string | No | Service area code | 
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| samplingAlgorithm | string | No | Integer identifier for the sampling algorithm or rule being applied in calculating the flow metrics if metrics are calculated based on a sample of packets, or 0 if no sampling is applied | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| Tac | string | No | Transport area code | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| tunnelId | string | No | Tunnel identifier | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| vlanId | string | No | VLAN identifier used by this flow | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| gtpPerFlowMetrics Object (referenced above) | | 
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| avgBitErrorRate | number | Yes | Average bit error rate | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| avgPacketDelayVariation | number | Yes | Average packet delay variation or jitter in milliseconds for received packets: Average difference between the packet timestamp and time received for all pairs of consecutive packets | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| avgPacketLatency | number | Yes | Average delivery latency | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| avgReceiveThroughput | number | Yes | Average receive throughput | -+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| avgTransmitThroughput | number | Yes | Average transmit throughput | 
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| durConnectionFailedStatus | number | No | Duration of failed state in milliseconds, computed as the cumulative time between a failed echo request and the next following successful error request, over this reporting interval |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| durTunnelFailedStatus | number | No | Duration of errored state, computed as the cumulative time between a tunnel error indicator and the next following non-errored indicator, over this reporting interval |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| flowActivatedBy | string | No | Endpoint activating the flow |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| flowActivationEpoch | number | Yes | Time the connection is activated in the flow (connection) being reported on, or transmission time of the first packet if activation time is not available | 
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| flowActivationMicrosec | number | Yes | Integer microseconds for the start of the flow connection |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| flowActivationTime | datetime | No | Time the connection is activated in the flow being reported on, or transmission time of the first packet if activation time is not available; with RFC 2822 compliant format: ‘Sat, 13 Mar 2010 11:29:05 -0800’ |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| flowDeactivatedBy | string | No | Endpoint deactivating the flow |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| flowDeactivationEpoch | number | Yes | Time for the start of the flow connection, in integer UTC epoch time aka UNIX time | 
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| flowDeactivationMicrosec | number | Yes | Integer microseconds for the start of the flow connection |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| flowDeactivationTime | datetime | Yes | Transmission time of the first packet in the flow connection being reported on; with RFC 2822 compliant format: ‘Sat, 13 Mar 2010 11:29:05 -0800’ |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| flowStatus | string | Yes | Connection status at reporting time as a working / inactive / failed indicator value |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| gtpConnectionStatus | string | No | Current connection state at reporting time |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| 
gtpTunnelStatus | string | No | Current tunnel state at reporting time |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| ipTosCountList | associative array | No | Array of key: value pairs where the keys are drawn from the IP Type-of-Service identifiers which range from '0' to '255', and the values are the count of packets that had those ToS identifiers in the flow |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| ipTosList | string | No | Array of unique IP Type-of-Service values observed in the flow where values range from '0' to '255' |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| largePacketRtt | number | No | large packet round trip time |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| largePacketThreshold | number | No | large packet threshold being applied | 
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| maxPacketDelayVariation | number | Yes | Maximum packet delay variation or jitter in milliseconds for received packets: Maximum of the difference between the packet timestamp and time received for all pairs of consecutive packets |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| maxReceiveBitRate | number | No | maximum receive bit rate" |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| maxTransmitBitRate | number | No | maximum transmit bit rate |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| mobileQciCosCountList | associative array | No | array of key: value pairs where the keys are drawn from LTE QCI or UMTS class of service strings, and the values are the count of packets that had those strings in the flow | 
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| mobileQciCosList | string | No | Array of unique LTE QCI or UMTS class-of-service values observed in the flow |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| numActivationFailures | number | Yes | Number of failed activation requests, as observed by the reporting node |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| numBitErrors | number | Yes | number of errored bits |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| numBytesReceived | number | Yes | number of bytes received, including retransmissions |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| numBytesTransmitted | number | Yes | number of bytes transmitted, including retransmissions | 
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| numDroppedPackets | number | Yes | number of received packets dropped due to errors per virtual interface |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| numGtpEchoFailures | number | No | Number of Echo request path failures where failed paths are defined in 3GPP TS 29.281 sec 7.2.1 and 3GPP TS 29.060 sec. 11.2 |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| numGtpTunnelErrors | number | No | Number of tunnel error indications where errors are defined in 3GPP TS 29.281 sec 7.3.1 and 3GPP TS 29.060 sec. 
11.1 |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| numHttpErrors | number | No | Http error count |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| numL7BytesReceived | number | Yes | number of tunneled layer 7 bytes received, including retransmissions |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| numL7BytesTransmitted | number | Yes | number of tunneled layer 7 bytes transmitted, excluding retransmissions |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| numLostPackets | number | Yes | number of lost packets |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| numOutOfOrderPackets | number | Yes | number of out-of-order packets | 
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| numPacketErrors | number | Yes | number of errored packets |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| numPacketsReceivedExclRetrans | number | Yes | number of packets received, excluding retransmission |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| numPacketsReceivedInclRetrans | number | Yes | number of packets received, including retransmission |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| numPacketsTransmittedInclRetrans | number | Yes | number of packets transmitted, including retransmissions |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| numRetries | number | Yes | number of packet retries | 
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| numTimeouts | number | Yes | number of packet timeouts |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| numTunneledL7BytesReceived | number | Yes | number of tunneled layer 7 bytes received, excluding retransmissions |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| roundTripTime | number | Yes | Round Trip time |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| tcpFlagCountList | associative array | No | Array of key: value pairs where the keys are drawn from TCP Flags and the values are the count of packets that had that TCP Flag in the flow |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| tcpFlagList | string | No | Array of unique TCP Flags observed in the flow | 
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-| timeToFirstByte | number | Yes | Time in milliseconds between the connection activation and first byte received |
-+-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
-
-**Copyright 2017 AT&T Intellectual Property. All Rights Reserved.**
-
-This paper is licensed to you under the Creative Commons License:
-
-**Creative Commons Attribution-ShareAlike 4.0 International Public
-License**
-
-You may obtain a copy of the License at:
-
-https://creativecommons.org/licenses/by-sa/4.0/legalcode
-
-**You are free to:**
-
-- Share — copy and redistribute the material in any medium or format
-
-- Adapt — remix, transform, and build upon the material for any
- purpose, even commercially.
-
-- The licensor cannot revoke these freedoms as long as you follow the
- license terms.
-
-**Under the following terms:**
-
-- Attribution — You must give appropriate credit, provide a link to the
- license, and indicate if changes were made. You may do so in any
- reasonable manner, but **not** in any way that suggests the
- licensor endorses you or your use.
-
-- ShareAlike — If you remix, transform, or build upon the material, you
- must distribute your contributions under the same license as the
- original.
-
-- No additional restrictions — You may not apply legal terms or
- technological measures that legally restrict others from doing
- anything the license permits. 
- -**Notices:** - -- You do not have to comply with the license for elements of the - material in the public domain or where your use is permitted by an - applicable exception or limitation. - -- No warranties are given. The license may not give you all of the - permissions necessary for your intended use. For example, other - rights such as publicity, privacy, or moral rights may limit how you - use the material. - -.. [1] - ECOMP (Enhanced Control Orchestration, Management & Policy) - Architecture White Paper - (http://about.att.com/content/dam/snrdocs/ecomp.pdf) - -.. [2] - https://github.com/mbj4668/pyang - -.. [3] - This option is not currently supported in OpenECOMP and it is - currently under consideration. - -.. [4] - https://wiki.opnfv.org/display/PROJ/VNF+Event+Stream diff --git a/docs/VNF_Mgmt_Requirements_for_OpenEcomp/index.rst b/docs/VNF_Mgmt_Requirements_for_OpenEcomp/index.rst deleted file mode 100644 index c6fc1cd..0000000 --- a/docs/VNF_Mgmt_Requirements_for_OpenEcomp/index.rst +++ /dev/null @@ -1,7 +0,0 @@ -VNF Mgmt Requirements for OpenEcomp --------------------------------------- - -.. toctree:: - :maxdepth: 2 - - VNF_Management_Requirements_for_OpenECOMP_2_6_2017 \ No newline at end of file diff --git a/docs/all_vnfrqts_seed_docs/index.rst b/docs/all_vnfrqts_seed_docs/index.rst new file mode 100644 index 0000000..c6bfe37 --- /dev/null +++ b/docs/all_vnfrqts_seed_docs/index.rst @@ -0,0 +1,8 @@ +All VNFRQTS Project Seed Documentation +---------------------------------------- + +.. toctree:: + :titlesonly: + + open_ecomp/index + openO/index \ No newline at end of file diff --git a/docs/all_vnfrqts_seed_docs/openO/index.rst b/docs/all_vnfrqts_seed_docs/openO/index.rst new file mode 100644 index 0000000..53f1780 --- /dev/null +++ b/docs/all_vnfrqts_seed_docs/openO/index.rst @@ -0,0 +1,7 @@ +Open-O Seed Documentation +-------------------------- + +.. toctree:: + :titlesonly: + + inital_seed_openO/index \ No newline at end of file 
diff --git a/docs/all_vnfrqts_seed_docs/openO/inital_seed_openO/index.rst b/docs/all_vnfrqts_seed_docs/openO/inital_seed_openO/index.rst new file mode 100644 index 0000000..8179d26 --- /dev/null +++ b/docs/all_vnfrqts_seed_docs/openO/inital_seed_openO/index.rst @@ -0,0 +1,6 @@ +Inital Open-O Seed Documentation +--------------------------------- + +.. toctree:: + :titlesonly: + diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/index.rst b/docs/all_vnfrqts_seed_docs/open_ecomp/index.rst new file mode 100644 index 0000000..9e0c3b0 --- /dev/null +++ b/docs/all_vnfrqts_seed_docs/open_ecomp/index.rst @@ -0,0 +1,8 @@ +Open ECOMP Seed Documentation +---------------------------------------- + +.. toctree:: + :titlesonly: + + inital_seed_ecomp/index + q2_ecomp/index diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Cloud_Readiness_Requirements_for_OpenECOMP/VNF Cloud Readiness Requirements for OpenECOMP 2-17-2017 clean.docx b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Cloud_Readiness_Requirements_for_OpenECOMP/VNF Cloud Readiness Requirements for OpenECOMP 2-17-2017 clean.docx new file mode 100644 index 0000000..ce29b3a Binary files /dev/null and b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Cloud_Readiness_Requirements_for_OpenECOMP/VNF Cloud Readiness Requirements for OpenECOMP 2-17-2017 clean.docx differ diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Cloud_Readiness_Requirements_for_OpenECOMP/VNF_Cloud_Readiness_Requirements_for_OpenECOMP_2_17_2017_clean.rst b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Cloud_Readiness_Requirements_for_OpenECOMP/VNF_Cloud_Readiness_Requirements_for_OpenECOMP_2_17_2017_clean.rst new file mode 100644 index 0000000..5ffbe7a --- /dev/null +++ b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Cloud_Readiness_Requirements_for_OpenECOMP/VNF_Cloud_Readiness_Requirements_for_OpenECOMP_2_17_2017_clean.rst 
@@ -0,0 +1,950 @@
+.. contents::
+ :depth: 3
+..
+
+**VNF Cloud Readiness Requirements for OpenECOMP**
+
+**Revision 1.0**
+
+**Revision Date 2/1/2017**
+
+**Document Revision History**
+
++------------+------------+-----------------------------------------------------------------------------+
+| Date | Revision | Description |
++============+============+=============================================================================+
+| 2/1/2017 | 1.0 | Initial public release of VNF Cloud Readiness Requirements for OpenECOMP |
++------------+------------+-----------------------------------------------------------------------------+
+
+
+**Definitions**
+
+Throughout the document the terms have the following meaning:
+
+**MUST** This word, or the terms "REQUIRED" or "SHALL", mean that the
+definition is an absolute requirement of the specification.
+
+**MUST** **NOT** This phrase, or the phrase "SHALL NOT", mean that the
+definition is an absolute prohibition of the specification.
+
+**SHOULD** This word, or the adjective "RECOMMENDED", mean that there
+may exist valid reasons in particular circumstances to ignore a
+particular item, but the full implications must be understood and
+carefully weighed before choosing a different course.
+
+**SHOULD** **NOT** This phrase, or the phrase "NOT RECOMMENDED" mean
+that there may exist valid reasons in particular circumstances when the
+particular behavior is acceptable or even useful, but the full
+implications should be understood and the case carefully weighed before
+implementing any behavior described with this label.
+
+**MAY** This word, or the adjective "OPTIONAL", mean that an item is
+truly optional. One vendor may choose to include the item because a
+particular marketplace requires it or because the vendor feels that it
+enhances the product while another vendor may omit the same item. 
An
+implementation which does not include a particular option MUST be
+prepared to interoperate with another implementation which does include
+the option, though perhaps with reduced functionality. In the same vein
+an implementation which does include a particular option MUST be
+prepared to interoperate with another implementation which does not
+include the option (except, of course, for the feature the option
+provides.)
+
+Introduction
+============
+
+This document is part of a hierarchy of documents that describes the
+overall Requirements and Guidelines for OpenECOMP. The diagram below
+identifies where this document fits in the hierarchy.
+
++--------------------------------------------------+---------------------------------------------+------------------------------------------------+------------------------------+---------------------------------+
+| OpenECOMP Requirements and Guidelines |
++==================================================+=============================================+================================================+==============================+=================================+
+| VNF Guidelines for Network Cloud and OpenECOMP | Future OpenECOMP Subject Documents |
++--------------------------------------------------+---------------------------------------------+------------------------------------------------+------------------------------+---------------------------------+
+| VNF Cloud Readiness Requirements for OpenECOMP | VNF Management Requirements for OpenECOMP | VNF Heat Template Requirements for OpenECOMP | Future | Future Requirements Documents |
+| | | | VNF Requirements Documents | |
++--------------------------------------------------+---------------------------------------------+------------------------------------------------+------------------------------+---------------------------------+
+
+Document summary:
+
+*VNF Guidelines for Network Cloud and OpenECOMP*
+
+- Describes VNF environment and overview of 
requirements
+
+**VNF Cloud Readiness Requirements for OpenECOMP**
+
+- Cloud readiness requirements for VNFs (Design, Resiliency, Security,
+ and DevOps)
+
+*VNF Management Requirements for OpenECOMP*
+
+- Requirements for how VNFs interact and utilize OpenECOMP
+
+*VNF Heat Template Requirements for OpenECOMP*
+
+- Provides recommendations and standards for building Heat templates
+ compatible with OpenECOMP– initial implementations of Network Cloud
+ are assumed to be OpenStack based.
+
+This reference document lists the requirements that are the supporting
+details for the Virtual Network Function (VNF) characteristics outlined
+in the *VNF Guidelines for Network Cloud and OpenECOMP*. These
+requirements are grouped into the following categories: VNF Design,
+Resiliency, Security, and DevOps. Specific requirements for OpenECOMP
+can be found in the *VNF Management Requirements for OpenECOMP*
+reference document.
+
+This section outlines the guidelines for VNFs to be compliant with
+running on a multi-tenant, Network Cloud infrastructure. VNFs must be
+virtualized, software-based, execute in a multi-tenant cloud, and be
+de-coupled from the cloud hardware. To achieve interoperability between
+VNFs, open and standard interfaces and APIs must be used. The set of
+reusable VNFs forms the basis of a VNF catalog that is made available to
+service designers to compose new (service chained) services that can
+include service-specific custom parameters and QoS policies. Use of open
+source technologies to leverage industry innovation is important in the
+design of virtualized services. Equally important is the re-use of
+common technologies (e.g., virtualized load balancers, firewalls, etc.)
+that are provided by the platform.
+
+VNF Design
+==========
+
+Services are composed of VNFs and common components and are designed to
+be agnostic of the location to leverage capacity where it exists in the
+Network Cloud. 
VNFs can be instantiated in any location that meets the
+performance and latency requirements of the service.
+
+A key design principle for virtualizing services is decomposition of
+network functions using NFV concepts into granular VNFs. This enables
+instantiating and customizing only essential functions as needed for the
+service, thereby making service delivery more nimble. It provides
+flexibility of sizing and scaling and also provides flexibility with
+packaging and deploying VNFs as needed for the service. It enables
+grouping functions in a common cloud data center to minimize
+inter-component latency. The VNFs should be designed with a goal of
+being modular and reusable to enable using best-in-breed vendors
+
+Section 4.1.1 in *VNF Guidelines for Network Cloud and OpenECOMP*
+describes the overall guidelines for designing VNFs from VNF Components
+(VNFCs). Below are more detailed requirements for composing VNFs.
+
++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| VNF Design Requirements | Type | ID # |
++================================================================================================================================================================================================================================+==========+=========+
+| Decompose VNFs into granular re-usable VNFCs | Should | 20010 |
++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| Decompose if the functions have significantly different scaling characteristics (e.g., signaling versus media functions, control versus data plane functions). 
| Must | 20020 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Decomposition of the VNF must enable instantiating only the functionality that is needed for the VNF (e.g., if transcoding is not needed it should not be instantiated). | Must | 20030 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Design VNFC as a standalone, executable process. | Must | 20040 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Create a single component VNF for VNFCs that can be used by other VNFs. | Should | 20050 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Design to scale horizontally (more instances of a VNF or VNFC) and not vertically (moving the existing instances to larger VMs or increasing the resources within a VM) to achieve effective utilization of cloud resources. 
| Must | 20060 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Utilize cloud provided infrastructure and VNFs (e.g., virtualized Local Load Balancer) as part of the VNF so that the cloud can manage and provide a consistent service resiliency and methods across all VNF's. | Must | 20070 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| VNFCs should be independently deployed, configured, upgraded, scaled, monitored, and administered by OpenECOMP. | Should | 20080 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide API versioning to allow for independent upgrades of VNFC. | Must | 20090 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Minimize the use of state within a VNFC to facilitate the movement of traffic from one instance to another. | Should | 20100 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Maintain state in a geographically redundant datastore that may, in fact, be its own VNFC. 
| Should | 20110 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Decouple persistent data from the VNFC and keep it in its own datastore that can be reached by all instances of the VNFC requiring the data. | Should | 20120 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Utilize virtualized, scalable open source database software that can meet the performance/latency requirements of the service for all datastores. | Must | 20130 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Failure of a VNFC instance must not terminate stable sessions. | Must | 20140 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Enable DPDK in the guest OS for VNF’s requiring high packets/sec performance. High packet throughput is defined as greater than 500K packets/sec. | Must | 20150 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| When using DPDK, use the NCSP’s supported library and compute flavor that supports DPDK to optimize network efficiency. 
[1]_ | Must | 20160 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Do not use technologies that bypass virtualization layers (such as SR-IOV) unless approved by the NCSP (e.g., if necessary to meet functional or performance requirements). | Must | 20170 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Limit the size of application data packets to no larger than 907400 bytes for SDN network-based tunneling when guest data packets are transported between tunnel endpoints that support guest logical networks. | Must | 20180 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Do not require the use of a dynamic routing protocol unless necessary to meet functional requirements. | Must | 20190 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ + +Resiliency +========== + +The VNF is responsible for meeting its resiliency goals and must factor +in expected availability of the targeted virtualization environment. +This is likely to be much lower than found in a traditional data center. +Resiliency is defined as the ability of the VNF to respond to error +conditions and continue to provide the service intended. 
A number of +software resiliency dimensions have been identified as areas that should +be addressed to increase resiliency. As VNFs are deployed into the +Network Cloud, resiliency must be designed into the VNF software to +provide high availability versus relying on the Network Cloud to achieve +that end. + +Section 4.1.2 in *VNF Guidelines for Network Cloud and OpenECOMP* +describes the overall guidelines for designing VNFs to meet resiliency +goals. Below are more detailed resiliency requirements for VNFs. + +All Layer Redundancy +-------------------- + +Design the VNF to be resilient to the failures of the underlying +virtualized infrastructure (Network Cloud). VNF design considerations +would include techniques such as multiple vLANs, multiple local and +geographic instances, multiple local and geographic data replication, +and virtualized services such as Load Balancers. + ++---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| All Layer Redundancy Requirements | Type | ID # | ++=====================================================================================================================================================================================================================+========+=========+ +| VNFs are responsible to meet their own resiliency goals and not rely on the Network Cloud. | Must | 30010 | ++---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Design resiliency into a VNF such that the resiliency deployment model (e.g., active-active) can be chosen at run-time. 
| Must | 30020 | ++---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| VNFs must survive any single points of failure within the Network Cloud (e.g., virtual NIC, VM, disk failure). | Must | 30030 | ++---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| VNFs must survive any single points of software failure internal to the VNF (e.g., in memory structures, JMS message queues). | Must | 30040 | ++---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Design, build and package VNFs to enable deployment across multiple fault zones (e.g., VNFCs deployed in different servers, racks, OpenStack regions, geographies) to increase the overall resiliency of the VNF. | Must | 30050 | ++---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Support the ability to failover a VNFC automatically to other geographically redundant sites if not deployed active-active to increase the overall resiliency of the VNF. 
| Must | 30060 | ++---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Support the ability of the VNFC to be deployable in multi-zoned cloud sites to allow for site support in the event of cloud zone failure or upgrades. | Must | 30070 | ++---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ + +Minimize Cross Data-Center Traffic +---------------------------------- + +Avoid performance-sapping data center-to-data center replication delay +by applying techniques such as caching and persistent transaction paths +- Eliminate replication delay impact between data centers by using a +concept of stickiness (i.e., once a client is routed to data center "A", +the client will stay with Data center “A” until the entire session is +completed). + ++------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Minimize Cross Data-Center Traffic Requirements | Type | ID # | ++==================================================================================================================+==========+=========+ +| Minimize the propagation of state information across multiple data centers to avoid cross data center traffic. | Should | 31010 | ++------------------------------------------------------------------------------------------------------------------+----------+---------+ + +Application Resilient Error Handling +------------------------------------ + +Ensure an application communicating with a downstream peer is equipped +to intelligently handle all error conditions. 
Make sure code can handle +exceptions seamlessly - implement smart retry logic and implement +multi-point entry (multiple data centers) for back-end system +applications. + ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Application Resilient Error Handling Requirements | Type | ID # | ++==============================================================================================================================================================================================================================================================================================================================+========+=========+ +| Detect connectivity failure for inter VNFC instance and intra/inter VNF and re-establish connectivity automatically to maintain the VNF without manual intervention to provide service continuity. | Must | 32010 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Handle the restart of a single VNFC instance without requiring all VNFC instances to be restarted. 
| Must | 32020 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Handle the start or restart of VNFC instances in any order with each VNFC instance establishing or re-establishing required connections or relationships with other VNFC instances and/or VNFs required to perform the VNF function/role without requiring VNFC instance(s) to be started/restarted in a particular order. | Must | 32030 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Handle errors and exceptions so that they do not interrupt processing of incoming VNF requests to maintain service continuity. | Must | 32040 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Provide the ability to modify the number of retries, the time between retries and the behavior/action taken after the retries have been exhausted for exception handling to allow the Network Cloud Service Provider to control that behavior. 
| Must | 32050 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Fully exploit exception handling to the extent that resources (e.g., threads and memory) are released when no longer needed regardless of programming language. | Must | 32060 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Handle replication race conditions both locally and geo-located in the event of a data base instance failure to maintain service continuity. | Must | 32070 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Automatically retry/resubmit failed requests made by the software to its downstream system to increase the success rate. 
| Must | 32080 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ + +System Resource Optimization +---------------------------- + +Ensure an application is using appropriate system resources for the task +at hand; for example, do not use network or IO operations inside +critical sections, which could end up blocking other threads or +processes or eating memory if they are unable to complete. Critical +sections should only contain memory operation, and should not contain +any network or IO operation. + ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| System Resource Optimization Requirements | Type | ID # | ++=================================================================================================================================================================================================================================================+==========+=========+ +| Do not execute long running tasks (e.g., IO, database, network operations, service calls) in a critical section of code, so as to minimize blocking of other operations and increase concurrent throughput. | Must | 33010 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Automatically advertise newly scaled components so there is no manual intervention required. 
| Must | 33020 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Utilize FQDNs (and not IP address) for both Service Chaining and scaling. | Must | 33030 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Deliver any and all functionality from any VNFC in the pool. The VNFC pool member should be transparent to the client. Upstream and downstream clients should only recognize the function being performed, not the member performing it. | Must | 33040 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Automatically enable/disable added/removed sub-components or component so there is no manual intervention required. | Should | 33050 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Support the ability to scale down a VNFC pool without jeopardizing active sessions. Ideally, an active session should not be tied to any particular VNFC instance. 
| Should | 33060 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Support load balancing and discovery mechanisms in resource pools containing VNFC instances. | Should | 33070 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Utilize resource pooling (threads, connections, etc.) within the VNF application so that resources are not being created and destroyed resulting in resource management overhead. | Should | 33080 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Use techniques such as “lazy loading” when initialization includes loading catalogues and/or lists which can grow over time, so that the VNF startup time does not grow at a rate proportional to that of the list. | Should | 33090 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Release and clear all shared assets (memory, database operations, connections, locks, etc.) as soon as possible, especially before long running sync and asynchronous operations, so as to not prevent use of these assets by other entities. 
| Should | 33100 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ + +Application Configuration Management +------------------------------------ + +Leverage configuration management audit capability to drive conformity +to develop gold configurations for technologies like Java, Python, etc. + ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Application Configuration Management Requirements | Type | ID # | ++===================================================================================================================================================================================+========+=========+ +| Allow configurations and configuration parameters to be managed under version control to ensure consistent configuration deployment, traceability and rollback. | Must | 34010 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Allow configurations and configuration parameters to be managed under version control to ensure the ability to rollback to a known valid configuration. | Must | 34020 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Allow changes of configuration parameters to be consumed by the VNF without requiring the VNF or its sub-components to be bounced so that the VNF availability is not effected. 
| Must | 34030 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ + +Intelligent Transaction Distribution & Management +------------------------------------------------- + +Leverage Intelligent Load Balancing and redundant components (hardware +and modules) for all transactions, such that at any point in the +transaction: front end, middleware, back end -- a failure in any one +component does not result in a failure of the application or system; +i.e., transactions will continue to flow, albeit at a possibly reduced +capacity until the failed component restores itself. Create redundancy +in all layers (software and hardware) at local and remote data centers; +minimizing interdependencies of components (i.e. data replication, +deploying non-related elements in the same container). + ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Intelligent Transaction Distribution & Management Requirements | Type | ID # | ++==================================================================================================================================================================================================================================+==========+=========+ +| Use intelligent routing by having knowledge of multiple downstream/upstream endpoints that are exposed to it, to ensure there is no dependency on external services (such as load balancers) to switch to alternate endpoints. 
| Should | 35010 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Use redundant connection pooling to connect to any backend data source that can be switched between pools in an automated/scripted fashion to ensure high availability of the connection to the data source. | Should | 35020 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Include control loop mechanisms to notify the consumer of the VNF of their exceeding SLA thresholds so the consumer is able to control its load against the VNF. | Should | 35030 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ + +Deployment Optimization +----------------------- + +Reduce opportunity for failure, by human or by machine, through smarter +deployment practices and automation. This can include rolling code +deployments, additional testing strategies, and smarter deployment +automation (remove the human from the mix). 
+ ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Deployment Optimization Requirements | Type | ID # | ++=====================================================================================================================================================================================================================================================+==========+=========+ +| Support at least two major versions of the VNF software and/or sub-components to co-exist within production environments at any time so that upgrades can be applied across multiple systems in a staggered manner. | Must | 36010 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Support the existence of multiple major/minor versions of the VNF software and/or sub-components and interfaces that support both forward and backward compatibility to be transparent to the Service Provider usage. | Must | 36020 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Support staggered/rolling deployments between its redundant instances to allow "soak-time/burn in/slow roll" which can enable the support of low traffic loads to validate the deployment prior to supporting full traffic loads. 
| Must | 36030 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Support the ability of a requestor of the service to determine the version (and therefore capabilities) of the service so that Network Cloud Service Provider can understand the capabilities of the service. | Must | 36040 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Test for adherence to the defined performance budgets at each layer, during each delivery cycle with delivered results, so that the performance budget is measured and the code is adjusted to meet performance budget. | Must | 36050 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Test for adherence to the defined performance budget at each layer, during each delivery cycle so that the performance budget is measured and feedback is provided where the performance budget is not met. 
| Must | 36060 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Test for adherence to the defined resiliency rating recommendation at each layer, during each delivery cycle with delivered results, so that the resiliency rating is measured and the code is adjusted to meet software resiliency requirements. | Should | 36070 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Test for adherence to the defined resiliency rating recommendation at each layer, during each delivery cycle so that the resiliency rating is measured and feedback is provided where software resiliency requirements are not met. | Should | 36080 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ + +Monitoring & Dashboard +---------------------- + +Promote dashboarding as a tool to monitor and support the general +operational health of a system. It is critical to the support of the +implementation of many resiliency patterns essential to the maintenance +of the system. It can help identify unusual conditions that might +indicate failure or the potential for failure. This would contribute to +improve Mean Time to Identify (MTTI), Mean Time to Repair (MTTR), and +post-incident diagnostics. 
+ ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Monitoring & Dashboard Requirements | Type | ID # | ++================================================================================================================================================================================================================================================+==========+=========+ +| Provide a method of metrics gathering for each layer's performance to identify/document variances in the allocations so they can be addressed. | Must | 37010 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide unique traceability of a transaction through its life cycle to ensure quick and efficient troubleshooting. | Must | 37020 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide a method of metrics gathering and analysis to evaluate the resiliency of the software from both a granular as well as a holistic standpoint. This includes, but is not limited to thread utilization, errors, timeouts, and retries. 
| Must | 37030 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide operational instrumentation such as logging, so as to facilitate quick resolution of issues with the VNF to provide service continuity. | Must | 37040 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Monitor for and alert on (both sender and receiver) errant, running longer than expected and missing file transfers, so as to minimize the impact due to file transfer errors. | Must | 37050 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Use an appropriately configured logging level that can be changed dynamically, so as to not cause performance degradation of the VNF due to excessive logging. | Should | 37060 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Utilize Cloud health checks, when available from the Network Cloud, from inside the application through APIs to check the network connectivity, dropped packets rate, injection, and auto failover to alternate sites if needed. 
| Should | 37070 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Conduct a resiliency impact assessment for all inter/intra-connectivity points in the VNF to provide an overall resiliency rating for the VNF to be incorporated into the software design and development of the VNF. | Must | 37080 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ + +Security +======== + +The objective of this section is to provide the key security +requirements that need to be met by VNFs. The security requirements are +grouped into five areas as listed below. Other security areas will be +addressed in future updates. These security requirements are applicable +to all VNFs. Additional security requirements for specific types of VNFs +will be applicable and are outside the scope of these general +requirements. + +Section 4.1.3 in *VNF Guidelines for Network Cloud and OpenECOMP* +outlines the five broad security areas for VNFs that are detailed in the +following sections: + +- **VNF General Security**: This section addresses general security + requirements for the VNFs that the vendors will need to address. + +- **VNF Identity and Access Management**: This section addresses + security requirements with respect to Identity and Access Management + as these pertain to generic VNFs. + +- **VNF API Security**: This section addresses the generic security + requirements associated with APIs. These requirements are applicable + to those VNFs that use standard APIs for communication and data + exchange. 
+ +- **VNF Security Analytics**: This section addresses the security + requirements associated with analytics for VNFs that deal with + monitoring, data collection and analysis. + +- **VNF Data Protection**: This section addresses the security + requirements associated with data protection. + +VNF General Security Requirements +--------------------------------- + +This section provides details on the VNF general security requirements +on various security areas such as user access control, network security, +ACLs, infrastructure security, and vulnerability management. These +requirements cover topics associated with compliance, security patching, +logging/accounting, authentication, encryption, role-based access +control, least privilege access/authorization. The following security +requirements need to be met by the solution in a virtual environment: + ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| General Security Requirements | Type | ID # | | ++=================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+========================================================================================================================================================================================================================================================================================================================================================================================================================================+=========+=========+ +| Integration and operation within a robust security environment is necessary and expected. 
The security architecture will include one or more of the following: IDAM (Identity and Access Management) for all system and applications access, Code scanning, network vulnerability scans, OS, Database and application patching, malware detection and cleaning, DDOS prevention, network security gateways (internal and external) operating at various layers, host and application based tools for security compliance validation, aggressive security patch application, tightly controlled software distribution and change control processes and other state of the art security solutions. The VNF is expected to function reliably within such an environment and the developer is expected to understand and accommodate such controls and can expected to supply responsive interoperability support and testing throughout the product’s lifecycle. | Informational | 40010 | | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| The VNF must accommodate the security principle of “least privilege” during development, implementation and operation. The importance of “least privilege” cannot be overstated and must be observed in all aspects of VNF development and not limited to security. This is applicable to all sections of this document. | Must | 40020 | | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Implement access control list for OA&M 
services (e.g., restricting access to certain ports or applications). | Must | 40030 | | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Implement Data Storage Encryption (database/disk encryption) for Sensitive Personal Information (SPI) and other subscriber identifiable data. Note: subscriber’s SPI/data must be encrypted at rest, and other subscriber identifiable data should be encrypted at rest. Other data protection requirements exist and should be well understood by the developer. 
| Must | 40040 | | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Implement a mechanism for automated and frequent "system configuration (automated provisioning / closed loop)" auditing. 
| Should | 40050 | | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Use both network scanning and application scanning security tools on all code, including underlying OS and related configuration. Scan reports shall be provided. Remediation roadmaps shall be made available for any findings. 
| Should | 40060 | | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Perform source code to scanning tools (e.g., Fortify) and provide reports. 
| Should | 40070 | | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Production code shall be distributed from NCSP internal sources only. No production code, libraries, OS images, etc. shall be distributed from publically accessible depots. 
| Must | 40080 | | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Provide all code/configuration files in a “Locked down” or hardened state or with documented recommendations for such hardening. All unnecessary services will be disabled. Vendor default credentials, community strings and other such artifacts will be removed or disclosed so that they can be modified or removed during provisioning. 
| Must | 40090 | | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Support L3 VPNs that enable segregation of traffic by application (dropping packets not belonging to the VPN) (i.e., AVPN, IPSec VPN for Internet routes). 
| Should | 40100 | | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Interoperate with various access control mechanisms for the Network Cloud execution environment (e.g., Hypervisors, containers). 
| Should | 40110 | | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| VNF should support the use of virtual trusted platform module, hypervisor security testing and standards scanning tools. 
| Should | 40120 | | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Interoperate with the OpenECOMP (SDN) Controller so that it can dynamically modify the firewall rules, ACL rules, QoS rules, virtual routing and forwarding rules. 
| Must | 40130 | | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Support the ability to work with aliases (e.g., gateways, proxies) to protect and encapsulate resources. 
| Should | 40140 | | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| All access to applications (Bearer, signaling and OA&M) will pass through various security tools and platforms from ACLs, stateful firewalls and application layer gateways depending on manner of deployment. The application is expected to function (and in some cases, interwork) with these security tools. 
| Must | 40150 | | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Patch vulnerabilities in VNFs as soon as possible. Patching shall be controlled via change control process with vulnerabilities disclosed along with mitigation recommendations. 
| Must | 40160 | | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Identification, authentication and access control of **customer** or **VNF application users** must be performed by utilizing the NCSP’s IDAM API. 
| Must | 40170 | | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Identification, authentication and access control of **OA&M** and other system level functions must use the NCSP’s IDAM API or comply with the following is expected. 
| Must | 40180 | | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Support User-IDs and passwords to uniquely identify the user/application. VNF needs to have appropriate connectors to the Identity, Authentication and Authorization systems that enables access at OS, Database and Application levels as appropriate. 
| Must | 40190 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Provide the ability to support Multi-Factor Authentication (e.g., 1st factor = Software token on device (RSA SecureID); 2nd factor = User Name+Password, etc.) for the users. 
| Must | 40200 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Support Role-Based Access Control to permit/limit the user/application to performing specific activities. 
| Must | 40210 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Support logging via OpenECOMP for a historical view of “who did what and when”. 
| Must | 40220 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Encrypt OA&M access (e.g., SSH, SFTP). 
| Must | 40230 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Enforce a configurable maximum number of Login attempts policy for the users. VNF vendor must comply with "terminate idle sessions" policy. Interactive sessions must be terminated, or a secure, locking screensaver must be activated requiring authentication, after a configurable period of inactivity. The system-based inactivity timeout for the enterprise identity and access management system must also be configurable. 
| Must | 40240 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Comply with the NCSP’s credential management policy. 
| Must | 40250 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Password expiration must be required at regular configurable intervals. 
| Must | 40260 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Comply with "password complexity" policy. When passwords are used, they shall be complex and shall at least meet the following password construction requirements: | Must | 40270 | +| | | | | +| | - Be a minimum configurable number of characters in length. | | | +| | | | | +| | - Include 3 of the 4 following types of characters: upper-case alphabetic, lower-case alphabetic, numeric, and special. | | | +| | | | | +| | - Not be the same as the UserID with which they are associated or other common strings as specified by the environment. 
| | | +| | | | | +| | - Not contain repeating or sequential characters or numbers. | | | +| | | | | +| | - Not to use special characters that may have command functions. | | | +| | | | | +| | - New passwords must not contain sequences of three (3) or more characters from the previous password. | | | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Comply with "password changes (includes default passwords)" policy. Products will support password aging, syntax and other credential management practices on a configurable basis. 
| Must | 40280 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Support use of common third party authentication and authorization tools such as TACACS+, RADIUS. 
| Must | 40290 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Comply with "No Self-Signed Certificates" policy. Self-signed certificates must be used for encryption only, using specified and approved encryption protocols such as LS 1.1 or higher or equivalent security protocols such as IPSec, AES. 
| Must | 40300 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Authenticate system to system communications where one system accesses the resources of another system, and must never conceal individual accountability. 
| Must | 40310 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ + +VNF Identity and Access Management Requirements +----------------------------------------------- + +The following security requirements for logging, identity, and access +management need to be met by the solution in a virtual environment: + 
++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Identity and Access Management Requirements | Type | ID # | ++================================================================================================================================================================================================================================================================================================================================================================================================+==========+=========+ +| Access to VNFs will be required at several layers. Hence, VNF vendor needs to be able to host connectors for access to the following layers: | | | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Application | Must | 41010 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. 
OS (Operating System) | Must | 41020 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Database | Must | 41030 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Manage access to VNF, its OS, or Database by an enterprise access request process. | Must | 41040 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Comply with the following when persons or non-person entities access VNFs: | | | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. 
Individual Accountability (each person must be assigned a unique ID) | Must | 41050 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Least Privilege (no more privilege than required to perform job functions) | Must | 41060 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. 
Segregation of Duties (access to a single layer and no developer may access production without special oversight) | Must | 41070 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Vendors will not be allowed to access VNFs remotely, e.g., VPN | Must | 41080 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Vendors accessing VNFs through a client application API must be authorized by the client application owner and the resource owner of the VNF before provisioning authorization through Role Based Access Control (RBAC), Attribute Based Access Control (ABAC), or other policy based mechanism. | Must | 41090 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Vendor VNF access will be subject to privilege reconciliation tools to prevent access creep and ensure correct enforcement of access policies. 
| Must | 41100 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide or Support the Identity and Access Management (IDAM) based threat detection data for: | | | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. OWASP Top 10 | Must | 41110 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Password Attacks | Must | 41120 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. 
Phishing / SMishing | Must | 41130 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Malware (Key Logger) | Must | 41140 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Session Hijacking | Must | 41150 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. XSS / CSRF | Must | 41160 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. 
Replay | Must | 41170 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Man in the Middle (MITM) | Must | 41180 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Eavesdropping | Must | 41190 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide Context awareness data (device, location, time, etc.) and be able to integrate with threat detection system. 
| Must | 41200 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Where a VNF vendor requires the assumption of permissions, such as root or administrator, the vendor user must first log in under their individual user login ID then switch to the other higher level account; or where the individual user login is infeasible, must login with an account with admin privileges in a way that uniquely identifies the individual performing the function. | Must | 41210 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Authenticate system to system access and do not conceal a VNF vendor user’s individual accountability for transactions. 
| Must | 41220 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Warning Notices: A formal statement of resource intent, i.e., a warning notice, must be made visible upon initial access to a VNF vendor user who accesses private internal networks or Company computer resources, e.g., upon initial logon to an internal web site, system or application which requires authentication. | Must | 41230 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Use access controls for VNFs and their supporting computing systems at all times to restrict access to authorized personnel only, e.g., least privilege. These controls could include the use of system configuration or access control software. | Must | 41240 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Initial and default settings for new user accounts must provide minimum privileges only. 
| Must | 41250 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Default settings for user access to sensitive commands and data must be denied authorization. | Must | 41260 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Privileged users may be created conforming to approved request, workflow authorization, and authorization provisioning requirements. | Must | 41270 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Commands affecting network services, such as commands relating to VNFs, must have greater restrictions for access and execution, such as up to 3 factors of authentication and restricted authorization. 
| Must | 41280 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Encrypt TCP/IP--HTTPS (e.g., TLS v1.2) transmission of data on internal and external networks. | Must | 41290 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Unnecessary or vulnerable cgi-bin programs must be disabled. | Must | 41300 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| No public or unrestricted access to any data should be provided without the permission of the data owner. All data classification and access controls must be followed. 
| Must | 41310 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| When in production, vendors or developers must not do the following without authorization of the VNF system owner including: | | | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Install or use systems, tools or utilities capable of capturing or logging data that was not created by them or sent specifically to them; | Must | 41320 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Run security testing tools and programs, e.g., password cracker, port scanners, hacking tools. 
| Must | 41330 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Authentication credentials must not be included in security audit logs, even if encrypted. | Must | 41340 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| The standard interface for a VNF should be REST APIs exposed to Client Applications for the implementation of OAuth 2.0 Authorization Code Grant and Client Credentials Grant. | Should | 41350 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Support hosting connectors for OS Level and Application Access. 
| Should | 41360 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Support SCEP (Simple Certificate Enrollment Protocol). | Should | 41370 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ + +VNF API Security Requirements +----------------------------- + +This section covers API security requirements when these are used by the +VNFs. Key security areas covered in API security are Access Control, +Authentication, Passwords, PKI Authentication Alarming, Anomaly +Detection, CALEA, Monitoring and Logging, Input Validation, +Cryptography, Business continuity, Biometric Authentication, +Identification, Confidentiality and Integrity, and Denial of Service. 
+ +The solution in a virtual environment needs to meet the following API +security requirements: + ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| API Requirements | Type | ID # | ++==========================================================================================================================================================================================================================================================================================================================+========+=========+ +| Provide a mechanism to restrict access based on the attributes of the VNF and the attributes of the subject. | Must | 42010 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Integrate with external authentication and authorization services (e.g., IDAM). 
| Must | 42020 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Use certificates issued from publicly recognized Certificate Authorities (CA) for the authentication process where PKI-based authentication is used | Must | 42030 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Validate the CA signature on the certificate, ensure that the date is within the validity period of the certificate, check the Certificate Revocation List (CRL), and recognize the identity represented by the certificate where PKI-based authentication is used. | Must | 42040 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Protect the confidentiality and integrity of data at rest and in transit from unauthorized access and modification. 
| Must | 42050 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Protect against all denial of service attacks, both volumetric and non-volumetric, or integrate with external denial of service protection tools | Must | 42060 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Implement at minimum the following input validation controls: | | | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Check the size (length) of all input. Do not permit an amount of input so great that it would cause the VNF to fail. Where the input may be a file, the VNF API must enforce a size limit. | Must | 42070 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Do not permit input that contains content or characters inappropriate to the input expected by the design. 
Inappropriate input, such as SQL insertions, may cause the system to execute undesirable and unauthorized transactions against the database or allow other inappropriate access to the internal network. | Must | 42080 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Validate that any input file has a correct and valid Multipurpose Internet Mail Extensions (MIME) type. Input files should be tested for spoofed MIME types. | Must | 42090 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Validate input at all layers implementing VNF APIs. 
| Must | 42100 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Comply with NIST standards and industry best practices for all implementations of cryptography | Must | 42110 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Implement all monitoring and logging as described in the Security Analytics section. | Must | 42120 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Restrict changing the criticality level of a system security alarm to administrator(s). | Must | 42130 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Monitor API invocation patterns to detect anomalous access patterns that may represent fraudulent access or other types of attacks, or integrate with tools that implement anomaly and abuse detection. 
| Must | 42140 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Support requests for information from law enforcement and government agencies. | Must | 42150 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ + +VNF Security Analytics Requirements +----------------------------------- + +This section covers VNF security analytics requirements that are mostly +applicable to security monitoring. The VNF Security Analytics cover the +collection and analysis of data following key areas of security +monitoring: + +- Anti-virus software + +- Logging + +- Data capture + +- Tasking + +- DPI + +- API based monitoring + +- Detection and notification + +- Resource exhaustion detection + +- Proactive and scalable monitoring + +- Mobility and guest VNF monitoring + +- Closed loop monitoring + +- Interfaces to management and orchestration + +- Malformed packet detections + +- Service chaining + +- Dynamic security control + +- Dynamic load balancing + +The following requirements of security monitoring need to be met by the +solution in a virtual environment. 
+ ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Security Analytics Requirements | Type | ID # | ++==========================================================================================================================================================================================================================================================================================+========+=========+ +| Support the following monitoring features by the VNF: | | | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Real-time detection and notification of security events. | Must | 43010 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Integration functionality via API/Syslog/SNMP to other functional modules in the network (e.g., PCRF, PCEF) that enable dynamic security control by blocking the malicious traffic or malicious end users | Must | 43020 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. 
API-based monitoring to take care of the scenarios where the control interfaces are not exposed, or are optimized and proprietary in nature | Must | 43030 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Event logging, formats, and delivery tools to provide the required degree of event data to OpenECOMP | Must | 43040 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Detection of malformed packets due to software misconfiguration or software vulnerability | Must | 43050 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Integrated DPI/monitoring functionality as part of VNFs (e.g., PGW, MME) | Must | 43060 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. 
Alternative monitoring capabilities when VNFs do not expose data or control traffic or use proprietary and optimized protocols for inter VNF communication | Must | 43070 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Proactive monitoring to detect and report the attacks on resources so that the VNFs and associated VMs can be isolated, such as detection techniques for resource exhaustion, namely OS resource attacks, CPU attacks, consumption of kernel memory, local storage attacks. | Must | 43080 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Coexist and operate normally with commercial anti-virus software which shall produce alarms every time when there is a security incident. | Must | 43090 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Protect all security audit logs (including API, OS and application-generated logs), security audit software, data, and associated documentation from modification, or unauthorized viewing, by standard OS access control mechanisms, by sending to a remote system, or by encryption. 
| Must | 43100 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Log the following events: | | | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Successful and unsuccessful login attempts | Must | 43110 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Logoffs | Must | 43120 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Successful and unsuccessful changes to a privilege level | Must | 43130 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. 
Starting and stopping of security logging | Must | 43140 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Creating, removing, or changing the inherent privilege level of users | Must | 43150 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Connections to a network listener of the resource | Must | 43160 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Log, at minimum, the following fields (where applicable and technically feasible) in the security audit logs: | | | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Event type | Must | 43170 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. 
Date/time | Must | 43180 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Protocol | Must | 43190 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Service or program used for access | Must | 43200 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Success/failure | Must | 43210 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Login ID | Must | 43220 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Security audit logs must never contain an authentication credential, e.g., password, even if encrypted. 
| Must | 43230 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Detect when the security audit log storage medium is approaching capacity (configurable) and issue an alarm via SMS or equivalent as to allow time for proper actions to be taken to pre-empt loss of audit data. | Must | 43240 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Support the capability of online storage of security audit logs. | Must | 43250 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Activate security alarms automatically when the following events, at a minimum, are detected: | | | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. 
Configurable number of consecutive unsuccessful login attempts | Must | 43260 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Successful modification of critical system or application files | Must | 43270 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Unsuccessful attempts to gain permissions or assume the identity of another user | Must | 43280 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Include, at a minimum, the following fields in the Security alarms (where applicable and technically feasible): | | | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Date | Must | 43290 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. 
Time | Must | 43300 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Service or program used for access | Must | 43310 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Success/failure | Must | 43320 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Login ID | Must | 43330 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Restrict changing the criticality level of a system security alarm to administrator(s). | Must | 43340 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Monitor API invocation patterns to detect anomalous access patterns that may represent fraudulent access or other types of attacks, or integrate with tools that implement anomaly and abuse detection. 
| Must | 43350 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Support requests for information from law enforcement and government agencies. | Must | 43360 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Implement “Closed Loop” automatic implementation (without human intervention) for Known Threats with detection rate in low false positives. | Must | 43370 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Perform data capture for security functions. | Must | 43380 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Generate security audit logs that must be sent to Security Analytics Tools for analysis. 
| Must | 43390 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Provide audit logs that include user ID, dates, times for log-on and log-off, and terminal location at minimum. | Must | 43400 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Provide security audit logs including records of successful and rejected system access data and other resource access attempts. | Must | 43410 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Support the storage of security audit logs for agreed period of time for forensic analysis. | Must | 43420 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Provide the capability of generating security audit logs by interacting with the operating system (OS) as appropriate. 
| Must | 43430 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Security logging for VNFs and their OSs must be active from initialization. Audit logging includes automatic routines to maintain activity records and cleanup programs to ensure the integrity of the audit/logging systems. | Must | 43440 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ + +VNF Data Protection Requirements +-------------------------------- + +This section covers VNF data protection requirements that are mostly +applicable to security monitoring. + ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Data Protection Requirements | Type | ID # | ++======================================================================================================================================================================================================================================================================================================================+==========+=========+ +| Provide the capability to restrict read and write access to data. 
| Must | 44010 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability to restrict access to data to specific users. | Must | 44020 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability to encrypt data in transit on a physical or virtual network. | Must | 44030 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability to encrypt data on non-volatile memory. | Must | 44040 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Where the encryption of non-transient data is required on a device for which the operating system performs paging to virtual memory, then if possible disable the paging of the data requiring encryption, if not the virtual memory should be encrypted. 
| Should | 44050 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability to integrate with an external encryption service. | Must | 44060 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Use industry standard cryptographic algorithms and standard modes of operations when implementing cryptography. | Must | 44070 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Use commercial algorithms only when there are no applicable US federal standards for specific cryptographic functions, e.g., public key cryptography, message digests. | Should | 44080 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| The SHA, DSS, MD5, SHA-1 and Skipjack algorithms or other compromised encryption must not be used. 
| Must | 44090 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Use, whenever possible, standard implementations of security applications, protocols, and format, e.g., S/MIME, TLS, SSH, IPSec, X.509 digital certificates for cryptographic implementations. These implementations must be purchased from reputable vendors and must not be developed in-house. | Must | 44100 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| A VNF must provide the ability to migrate to newer versions of cryptographic algorithms and protocols with no impact. | Must | 44110 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Use symmetric keys of at least 112 bits in length. | Must | 44120 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Use asymmetric keys of at least 2048 bits in length. 
| Must | 44130 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Use commercial tools that comply with X.509 standards and produce x.509 compliant keys for public/private key generation. Keys must not be generated or derived from predictable functions or values, e.g., values considered predictable include user identity information, time of day, stored/transmitted data. | Must | 44140 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability to configure encryption algorithms or devices so that they comply with the laws of the United States and those of any country in which there are plans to use data encryption. | Must | 44150 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability of using certificates issued from a Certificate Authority not provided by the VNF vendor. 
| Must | 44160 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability of allowing certificate renewal and revocation. | Must | 44170 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability of testing the validity of a digital certificate by performing the following: | | | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. The CA signature on the certificate must be validated | Must | 44180 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. 
The date the certificate is being used must be within the validity period for the certificate | Must | 44190 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. The Certificate Revocation List (CRL) for the certificates of that type must be checked to ensure that the certificate has not been revoked | Must | 44200 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. The identity represented by the certificate — the "distinguished name" — must be recognized | Must | 44210 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability of encrypting selected data fields stored or bound for security logs. | Must | 44220 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability of deleting data stored in the VNF. 
| Must | 44230 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability to make data available in order to support requests from law enforcement and government agencies as required by legal or regulatory mandates. Capability must be configurable for MOW deployment. | Must | 44240 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ + +DevOps +====== + +This section includes guidelines for vendors to ensure that a Network +Cloud Service Provider’s operations personnel have a common and +consistent way to support VNFs and VNFCs. + +NCSPs may elect to support standard images to enable compliance with +security, audit, regulatory and other needs. As part of the overall VNF +software bundle, VNF suppliers using standard images would typically +provide the NCSP with an install package consistent with the default OS +package manager (e.g. aptitude for Ubuntu, yum for Redhat/CentOS). + +Section 4.1.4 in *VNF Guidelines for Network Cloud and OpenECOMP* +describes the DevOps guidelines for VNFs. + +Additional requirements will be included in the next release of the +document. 
+ ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| DevOps Requirements | Type | ID # | ++=======================================================================================================================================================================================================================+==========+=========+ +| Utilize only the Guest OS versions that are supported by the NCSP’s Network Cloud. [2]_ | Must | 50010 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Utilize only NCSP supported Guest OS images.\ :sup:`2` | Should | 50020 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Utilize only NCSP standard compute flavors.\ :sup:`2` | Must | 50030 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Running VMs will not be backed up in the Network Cloud infrastructure. Bringing a VM back up with the configuration required must be accomplished by using appropriate snapshot images or using persistent storage. 
| Must | 50040 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Install VNFC(s) on non-root file systems, unless software is specifically included with the operating system distribution of the guest image. | Must | 50050 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ + +**Copyright 2017 AT&T Intellectual Property. All Rights Reserved.** + +This paper is licensed to you under the Creative Commons License: + +**Creative Commons Attribution-ShareAlike 4.0 International Public +License** + +You may obtain a copy of the License at: + +https://creativecommons.org/licenses/by-sa/4.0/legalcode + +**You are free to:** + +- Share — copy and redistribute the material in any medium or format + +- Adapt — remix, transform, and build upon the material for any + purpose, even commercially. + +- The licensor cannot revoke these freedoms as long as you follow the + license terms. + +**Under the following terms:** + +- Attribution — You must give appropriate credit, provide a link to the + license, and indicate if changes were made. You may do so in any + reasonable manner, but **not** in any way that suggests the + licensor endorses you or your use. + +- ShareAlike — If you remix, transform, or build upon the material, you + must distribute your contributions under the same license as the + original. + +- No additional restrictions — You may not apply legal terms or + technological measures that legally restrict others from doing + anything the license permits. 
+ +**Notices:** + +- You do not have to comply with the license for elements of the + material in the public domain or where your use is permitted by an + applicable exception or limitation. + +- No warranties are given. The license may not give you all of the + permissions necessary for your intended use. For example, other + rights such as publicity, privacy, or moral rights may limit how you + use the material. + +.. [1] + Refer to NCSP’s Network Cloud specification + +.. [2] + Refer to NCSP’s Network Cloud specification \ No newline at end of file diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Cloud_Readiness_Requirements_for_OpenECOMP/index.rst b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Cloud_Readiness_Requirements_for_OpenECOMP/index.rst new file mode 100644 index 0000000..d1e697e --- /dev/null +++ b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Cloud_Readiness_Requirements_for_OpenECOMP/index.rst @@ -0,0 +1,7 @@ +VNF Cloud Readiness Requirements for OpenECOMP +----------------------------------------------- + +.. toctree:: + :maxdepth: 1 + + VNF_Cloud_Readiness_Requirements_for_OpenECOMP_2_17_2017_clean \ No newline at end of file diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Guidelines_for_Network_Cloud_and_OpenEcomp/VNF Guidelines for Network Cloud and OpenECOMP 2-6-2017 clean.docx b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Guidelines_for_Network_Cloud_and_OpenEcomp/VNF Guidelines for Network Cloud and OpenECOMP 2-6-2017 clean.docx new file mode 100644 index 0000000..169f9ac Binary files /dev/null and b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Guidelines_for_Network_Cloud_and_OpenEcomp/VNF Guidelines for Network Cloud and OpenECOMP 2-6-2017 clean.docx differ 
diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Guidelines_for_Network_Cloud_and_OpenEcomp/VNF_Control_Loop.jpg b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Guidelines_for_Network_Cloud_and_OpenEcomp/VNF_Control_Loop.jpg
new file mode 100644
index 0000000..73dbcbb
Binary files /dev/null and b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Guidelines_for_Network_Cloud_and_OpenEcomp/VNF_Control_Loop.jpg differ
diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Guidelines_for_Network_Cloud_and_OpenEcomp/VNF_Guidelines_for_Network_Cloud_and_OpenECOMP_2_6_2017_clean.rst b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Guidelines_for_Network_Cloud_and_OpenEcomp/VNF_Guidelines_for_Network_Cloud_and_OpenECOMP_2_6_2017_clean.rst
new file mode 100644
index 0000000..05341e7
--- /dev/null
+++ b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Guidelines_for_Network_Cloud_and_OpenEcomp/VNF_Guidelines_for_Network_Cloud_and_OpenECOMP_2_6_2017_clean.rst
@@ -0,0 +1,1114 @@
+.. contents::
+ :depth: 3
+..
+
+**VNF Guidelines for Network Cloud and OpenECOMP**
+
+**Version 1.0**
+
+**February 1, 2017**
+
+Document Revision History
+
++------------+------------+----------------------------------------------------------------------------+
+| Date | Revision | Description |
++============+============+============================================================================+
+| 2/1/2017 | 1.0 | Initial public release of VNF Guidelines for Network Cloud and OpenECOMP |
++------------+------------+----------------------------------------------------------------------------+
+
+Table of Contents
+
+Abstract
+========
+
+This white paper and the accompanying reference documents set forth
+guidelines and requirements for Virtual Network Functions (VNFs) that
+run in Network Clouds [1]_ and are managed by OpenECOMP [2]_. This
+document set is part of the OpenECOMP community and focuses on setting
+and evolving VNF standards that will facilitate industry discussion,
+participation, alignment and evolution toward comprehensive and
+actionable VNF best practices and standard interfaces. The goal is to
+accelerate adoption of VNF best practices which will increase
+innovation, minimize customization needed to onboard VNFs as well as
+reduce implementation complexity, time and cost for all impacted
+stakeholders. The intent is to drive harmonization of VNFs across VNF
+providers, Network Cloud Service Providers (NCSPs) and the overall
+Network Function Virtualization (NFV) ecosystem by providing both long
+term vision as well as short term focus and clarity where no current
+open source implementations exist today.
+
+This first release of the guidelines and requirements, although
+applicable in many implementations, is targeted for those
+implementations that consist of Network Clouds based on OpenStack.
+Future versions of these guidelines are envisioned to include other +targeted virtualization environments, such as Customer Premises or other +single-tenant small scale cloud implementations. + +In addition, given the relative maturity of key technologies involved, +rapid innovation of NFV/SDN and virtualization technologies as well as +the evolving OpenECOMP roadmap, this will be a living package that will +evolve over time. These documents will become part of the OpenECOMP +related requirements documents. The following enhancements are +anticipated to be addressed in the next set of releases: + +- Open source software and demos of simple reference VNFs; + +- Automation of VNF onboarding and other aspects of VNF lifecycle as + supported by OpenECOMP; + +- Consistent VNF packaging for automated onboarding using OpenECOMP; + +- Other implementation examples for targeted virtualization + environments beyond OpenStack based Network Clouds; + +- Incubation and certification environment to provide a self-service + program to gauge maturity and readiness of VNFs. + +Introduction +============ + +Motivation +---------- + +The requirements and guidelines defined herein are intended to +facilitate industry discussion, participation alignment and evolution +toward comprehensive and actionable VNF best practices. Integration +costs are a significant impediment to the development and deployment of +new services. We envision developing open source industry processes and +best practices leading eventually to VNF standards supporting commercial +acquisition of VNFs with minimal integration costs. Traditional PNFs +have all been unique like snowflakes and required expensive custom +integration, whereas VNF products and services should be designed for +easier integration just like Lego\ :sup:`TM` blocks. For example, by +standardizing on common actions and related APIs supported by VNFs, plug +and play integration is assured, jumpstarting automation with management +frameworks. 
Onboarding VNFs would no longer require complex and +protracted integration or development activities thus maximizing +automation and minimizing integration cost. Creating VNF open source +environments, best practices and standards provides additional benefits +to the NFV ecosystems such as: + +- Larger market for VNF providers + +- Rapid introduction and integration of new capabilities into the + services providers environment + +- Reduced development times and costs for VNF providers + +- Better availability of new capabilities to NCSPs + +- Better distribution of new capabilities to end-user consumers + +- Reduced integration cost (capex) for NCSPs + +- Usage based software licensing for end-user consumers and NCSPs + +Audience +--------- + +The industry transformation associated with softwarization [3]_ results +in a number of changes in traditional approaches for industry +collaboration. Changes from hardware to software, from waterfall to +agile processes and the emergence of industry supported open source +communities imply corresponding changes in processes at many industry +collaboration bodies. With limited operational experience and much more +dynamic requirements, open source communities are expected to evolve +these VNF guidelines further before final documentation of those aspects +necessary for standardization. This white paper and accompanying +reference documents provides VNF providers, NCSPs and other interested +3rd parties a set of guidelines and requirements for the design, build +and overall lifecycle management of VNFs. + +**VNF Providers** + +Both suppliers transitioning from providing physical network functions +(PNFs) to providing VNFs as well as new market entrants should find +these VNF requirements and guidelines a useful introduction to the +requirements to be able to develop VNFs for deployment into a Network +Cloud. 
VNF Providers may also be interested to test their VNFs in the +context of an open source implementation of the environment. + +**Network Cloud Service Providers (NCSPs)** + +A NCSP provides services based on Network Cloud infrastructure as well +as services above the infrastructure layer, e.g., platform service, +end-to-end services. + +Common approaches to packaging of VNFs enable economies of scale in +their development. As suitable infrastructure becomes deployed, NCSPs +have a common interest in guidelines that support the ease of deployment +of VNFs in each other’s Network Cloud. After reading these VNF +guidelines, NCSPs should be motivated to join AT&T in evolving these +guidelines in the OpenECOMP open source community to meet the industry’s +collective needs. + +**Other interested parties** + +Other parties such as solution providers, open source community, +industry standard bodies, students and researchers of network +technologies, as well as enterprise customers may also be interested in +the VNF Guidelines. Solution Providers focused on specific industry +verticals may find these VNF guidelines useful in the development of +specialized VNFs that can better address the needs of their industry +through deployment of these VNFs in NCSP infrastructure. Open Source +developers can use these VNF guidelines to facilitate the automation of +VNF ingestion and deployment. The emergence of a market for VNFs enables +NCSPs to more rapidly deliver increased functionality, for execution on +white box hardware on customer’s premises – such functionality may be of +particular interest to enterprises supporting similar infrastructure. + +Program and Document Structure +------------------------------ + +This document is part of a hierarchy of documents that describes the +overall Requirements and Guidelines for OpenECOMP. The diagram below +identifies where this document fits in the hierarchy. 
+ ++---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| OpenECOMP Requirements and Guidelines | ++===============================================================================================================================================================================================================+ +| VNF Guidelines for Network Cloud and OpenECOMP | Future OpenECOMP Subject Documents | ++------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| VNF Cloud Readiness Requirements for OpenECOMP | VNF Management Requirements for OpenECOMP | VNF Heat Template Requirements for OpenECOMP | Future,VNF Requirements Documents | Future Requirements Documents | ++------------------------------------------------+-------------------------------------------+----------------------------------------------+-----------------------------------+-------------------------------+ + +Document summary: + +**VNF Guidelines for Network Cloud and OpenECOMP** + +- Describes VNF environment and overview of requirements + +*VNF Cloud Readiness Requirements for OpenECOMP* + +- Cloud readiness requirements for VNFs (Design, Resiliency, Security, + and DevOps) + +*VNF Management Requirements for OpenECOMP* + +- Requirements for how VNFs interact and utilize OpenECOMP + +*VNF Heat Template Requirements for OpenECOMP* + +- Provides recommendations and standards for building Heat templates + compatible with OpenECOMP– initial implementations of Network Cloud + are assumed to be OpenStack based. + +VNF Context +=========== + +A technology trend towards softwarization is impacting the +communications industry as it has already impacted a number of other +industries. 
This trend is expected to have some significant impacts on +the products and processes of this industry. The transformation from +products primarily based on hardware to products primarily based on +software has a number of impacts. The completeness of the software +packages to ease integration, usage based licensing to reflect scaling +properties, independence from hardware and location and software +resilience in the presence of underlying hardware failure all gain in +importance compared to prior solutions. The processes supporting +software products and services are also expected to transform from +traditional waterfall methodologies to agile methods. In agile +processes, characteristics such as versioned APIs, rolling upgrades, +automated testing and deployment support with incremental release +schedules become important for these software products and services. +Industry process related to software products and services also change +with the rise of industrially supported open source communities. +Engagement with these open source communities enables sharing of best +practices and collaborative development of open source testing and +integration regimes, open source APIs and open source code bases. + +The term VNF is inspired by the work [4]_ of the ETSI [5]_ Network +Functions Virtualization (NFV) Industry Specification Group (ISG). +ETSI’s VNF definition includes both historically network functions, such +as Virtual Provider Edge (VPE), Virtual Customer Edge (VCE), and Session +Border Controller (SBC), as well as historically non-network functions +when used to support network services, such as network-supporting web +servers and databases. The VNF discussion in these guidelines applies to +all types of virtualized workloads, not just network appliance +workloads. Having a consistent approach to virtualizing any workload +provides more industry value than just virtualizing some workloads. [6]_ + +VNFs are functions that are implemented in Network Clouds. 
Network +Clouds must support end-to-end high-bandwidth low latency network flows +through VNFs running in virtualization environments. For example, a +Network Cloud is able to provide a firewall service to be created such +that all Internet traffic to a customer premise passes through a virtual +firewall running in the Network Cloud. + +A data center may be the most common target for a virtualization +environment, but it is not the only target. Virtualization environments +are also supported by more constrained resources e.g., Enterprise +Customer Premise Equipment (CPE). Virtualization environments are also +expected to be available at more distributed network locations by +architecting central offices as data centers, or virtualizing functions +located at the edge of the operator infrastructure (e.g., virtualized +Optical Line Termination (vOLT) or xRAN [7]_) and in constrained +resource Access Nodes. Expect detailed requirements to evolve with these +additional virtualization environments. Some VNFs may scale across all +these environments, but all VNFs should onboard through the same process +before deployment to the targeted virtualization environment. + +Business Process Impacts +------------------------- + +Business process changes need to occur in order to realize full benefits +of VNF characteristics: efficiency via automation, open source reliance, +and improved cycle time through careful design. + +**Efficiency via Automation** + +reliant on human labor for critical operational tasks don’t scale. By +aggressively automating all VNF operational procedures, VNFs have lower +operational cost, are more rapidly deployed at scale and are more +consistent in their operation. OpenECOMP provides the automation +framework which VNFs can take advantage of simply by implementing +OpenECOMP compatible interfaces and lifecycle models. This enables +automation which drives operational efficiencies and delivers the +corresponding benefits. 
+ +**Open Source** + +VNFs are expected to run on infrastructure largely enabled by open +source software. For example, OpenStack [8]_ is often used to provide +the virtualized compute, network, and storage capabilities used to host +VNFs. OpenDaylight (ODL) [9]_ can provide the network control plane. The +OPNFV community [10]_ provides a reference platform through integration +of ODL, OpenStack and other relevant open source projects. VNFs also run +in open source operating systems like Linux. VNFs might also utilize +open source software libraries to take advantage of required common but +critical software capabilities where community support is available. +Automation becomes easier, overall costs go down and time to market can +decrease when VNFs can be developed and tested in an open source +reference platform environment prior to on-boarding by the NCSP. All of +these points contribute to a lower cost structure for both VNF providers +and NCSPs. + +**Improved Cycle Time through Careful Design** + +Today’s fast paced world requires businesses to evolve rapidly in order +to stay relevant and competitive. To a large degree VNFs, when used with +the same control, orchestration, management and policy framework (e.g., +OpenECOMP), will improve service development and composition. VNFs +should enable NCSPs to exploit recursive nesting of VNFs to acquire VNFs +at the smallest appropriate granularity so that new VNFs and network +services can be composed. The ETSI NFV Framework [11]_ envisages such +recursive assembly of VNFs, but many current implementations fail to +support such features. Designing for VNF reuse often requires that +traditional appliance based PNFs be refactored into multiple individual +VNFs where each does one thing particularly well. 
While the original +appliance based PNF can be replicated virtually by the right combination +and organization of lower level VNFs, the real advantage comes in +creating new services composed of different combinations of lower level +VNFs (possibly from many providers) organized in new ways. Easier and +faster service creation often generates real value for businesses. As +softwarization trends progress towards more agile processes, VNFs, +OpenECOMP and Network Clouds are all expected to evolve towards +continuous integration, testing and deployment of small incremental +changes to de-risk the upgrade process. + +ETSI Network Function Virtualization (NFV) comparison +----------------------------------------------------- + +ETSI defines a VNF as an implementation of a network function that can +be deployed on a Network Function Virtualization Infrastructure (NFVI). +Service instances may be composed of an assembly of VNFs. In turn, a VNF +may also be assembled from VNF components (VNFCs) that each provide a +reusable set of functionality. VNFs are expected to take advantage of +platform provided common services. + +VNF management and control under OpenECOMP is different than management +and control exposed in the ETSI MANO model. With OpenECOMP, there is +only a single management and control plane. In ETSI’s Framework [12]_, +architectural options exist for preserving legacy systems that increase +integration costs e.g., different VNFs can be controlled by VNF Managers +(VNFMs) and Element Management Systems (EMSs) provided by different +software providers. OpenECOMP addresses the concern that multiple VNFMs +in this space will hinder VNF reuse and increase VNF and service +integration costs. Asking all VNF providers to take advantage of and +interoperate with common control software mitigates related reuse and +integration challenges. 
The common, SDN based, control platform +(OpenECOMP) is being made available as an open source project to reduce +friction for VNF providers and enable new network functions to get to +market faster and with lower costs. + +Also under OpenECOMP, VNF providers do not provide their own proprietary +VNF Managers (VNFM) or Element Management Systems (EMS). Those +capabilities are provided by OpenECOMP. Hence, VNFs are required to +consume open interfaces to OpenECOMP in support of management and +control. The VNF Package must include the appropriate data models for +integration with OpenECOMP to enable management and control of the +VNFCs. + +**Figure 1** shows a simplified OpenECOMP and Infrastructure view to +highlight how individual Virtual Network Functions plug into the +OpenECOMP control loops. + +|image0| + +\ **Figure 1. Control Loop** + +In the control loop view in **Figure 1**, the VNF provides an event +data stream via an API to Data Collection, Analytics and Events (DCAE). +DCAE analyzes and aggregates the data stream and when particular +conditions are detected, uses policy to enable what, if any, action +should be triggered. Some of the triggered actions may require a +controller to make changes to the VNF through a VNF provided API. + +For a detailed comparison between ETSI NFV and OpenECOMP, refer to +Appendix C - Comparison between VNF Guidelines and ETSI GS NFV-SWA 001. + +Evolving VNF Related Industry Activities +---------------------------------------- + +Many existing industry collaboration bodies are structured around a +particular service or segment of the network. VNFs are intended to +operate across multiple services and execute on commodity targeted +virtualization environments. 
With the NCSPs transformation to acquiring +products and services based on location and hardware independent VNFs, +the opportunity exists for instances of those VNFs to be deployed across +multiple network locations and services where suitable virtualization +infrastructure is available. + +The rise of industry-supported open source communities has created new +opportunities for collaboration and challenges for existing industry +communities such as Standards Developing Organizations (SDOs). +Collaboration in many SDOs defers intellectual property issues. Most +industrially-supported open source communities resolve intellectual +property issues between collaborators through explicit contribution +licensing agreements. Common infrastructure software components (e.g., +SDN Controllers, Cloud Management Systems) are expected to be available +through industrially supported open source communities (e.g., Open +Daylight and OpenStack). Whether VNFs are open or proprietary, they +should use open APIs, test and integration capabilities developed in +industrially supported open source communities (e.g., OpenECOMP, OPNFV). + +The migration path for operator’s existing processes and services to +effectively utilize VNFs may be operator specific. The requirements for +VNFs may be expected to evolve rapidly as the industry develops +experience with operational and development best practices for VNFs. In +particular, industry operations procedures are expected to evolve +towards agile software methodologies, DevOps, continuous integration and +continuous deployment (CI/CD). In this environment of changing and +context-dependent VNF requirements, agile, pragmatic approaches focused +on delivering functionality in the near term and evolving it towards +targeted VNF characteristics are preferred over lengthy waterfall +industry standardization processes. 
Demonstrating functionality and +interoperability of appropriate VNF-related APIs in open source +communities is considered a pre-requisite to starting industry +specification work documenting stable interfaces. + +While multiple open source communities exist supporting particular +infrastructure software options, the market success of any particular +option combination cannot be assured. Integration communities such as +OPNFV provide an approach enabling VNF providers to test their products +and services against a variety of expected configurations available in +the industry. + +Evolving towards VNFs +--------------------- + +In order to deploy VNFs, a target virtualization environment must +already be in place. The NCSPs scale necessitates a phased rollout of +virtualization infrastructure and then of VNFs upon that infrastructure. +Some VNF use cases may require greenfield infrastructure deployments, +others may start brownfield deployments in centralized data centers and +then scale deployment more widely as infrastructure becomes available. +Some service providers have been very public and proactive in setting +transformation targets associated with VNFs [13]_. + +Because of the complexity of migration and integration issues, the +requirements for VNFs in the short term may need to be contextualized to +the specific service and transition planning. + +Much of the existing VNF work has been based on corresponding network +function definitions and requirements developed for PNFs. Many of the +assumptions about PNFs do not apply to VNFs and the modularity of the +functionality is expected to be significantly different. In addition, +the increased service velocity objectives of NFV are based on new types +of VNFs being developed to support new services being deployed in +virtualized environments. 
Much of the functionality associated with 5G +(e.g., IoT, augmented reality/virtual reality) is thus expected to be +deployed as VNFs in targeted virtualization infrastructure towards the +edge of the network. + +VNF Characteristics +=================== + +VNFs need to be constructed using a distributed systems architecture +that we will call "Network Cloud Ready". They need to interact with the +orchestration and control platform provided by OpenECOMP and address the +new security challenges that come in this environment. + +The main goal of a Network Cloud Ready VNF is to run ‘well’ on any +Network Cloud (public or private) over any network (carrier or +enterprise). In addition, for optimal performance and efficiency, VNFs +will be designed to take advantage of Network Clouds. This requires +careful engineering in both VNFs and candidate Network Cloud computing +frameworks. + +To ensure Network Cloud capabilities are leveraged and VNF resource +consumption meets engineering and economic targets, VNF performance and +efficiency will be benchmarked in a controlled lab environment. In line +with the principles and practices laid out in ETSI GS NFV-PER 001, +efficiency testing will consist of benchmarking VNF performance with a +reference workload and associated performance metrics on a reference +Network Cloud (or, when appropriate, additional benchmarking on a bare +metal reference platform). + +Network Cloud Ready VNF characteristics and design consideration can be +grouped into three areas: + +- Cloud Readiness + +- OpenECOMP Ready + +- Virtualization Environment Ready + +Detailed requirements are contained in the reference documents that are +listed in Appendix B - References. + +Cloud Readiness +--------------- + +VNFs should be designed to operate within a cloud environment from the +first stages of the development. The VNF provider should think clearly +about how the VNF should be decomposed into various modules. 
Resiliency +within a cloud environment is very different than in a physical +environment and the developer should give early thought as to how the +Network Cloud Service Provider will ensure the level of resiliency +required by the VNF and then provide the capabilities needed within that +VNF. Scaling and Security should also be well thought out at design time +so that the VNF runs well in a virtualized environment. Finally, the VNF +Provider also needs to think about how they will integrate and deploy +new versions of the VNF. Since the cloud environment is very dynamic, +the developer should utilize DevOps practices to deploy new software. + +Requirements for Cloud Readiness can be found in the *VNF Common +Requirements for OpenECOMP* document. + +VNF Design +~~~~~~~~~~ + +A VNF may be a large construct and therefore when designing it, it is +important to think about the components from which it will be composed. +The ETSI SWA 001 document gives a good overview of the architecture of a +VNF in Chapter 4 as well as some good examples of how to compose a VNF +in its Annex B. When laying out the components of the VNF it is +important to keep in mind the following principles: Single Capability, +Independence, State and the APIs. + +Many Network Clouds will use Heat to describe orchestration templates +for instantiating VNFs and VNFCs. Heat has a useful abstraction called a +“module” that can contain one or more VNFCs. A module can be thought of +as a deployment unit. In general the goal should be for each module to +contain a single VNFC. + +Single Capability +^^^^^^^^^^^^^^^^^ + +VNFs should be carefully decomposed into loosely coupled, granular, +re-usable VNFCs that can be distributed and scaled on a Network Cloud. +VNFCs should be responsible for a single capability. + +The Network Cloud will define several flavors of VMs for a VNF designer +to choose from for instantiating a VNFC. 
The best practice is to keep +the VNFCs as lightweight as possible while still fulfilling the business +requirements for the "single capability", however the VNFC should not be +so small that the overhead of constructing, maintaining, and operating +the service outweighs its utility. + +Independence +^^^^^^^^^^^^ + +VNFCs should be independently deployed, configured, upgraded, scaled, +monitored, and administered (by OpenECOMP). The VNFC must be a +standalone executable process. + +API versioning is one of the biggest enablers of independence. To be +able to independently evolve a component, versioning must ensure +existing clients of the component are not forced to flash-cut with each +interface change. API versioning enables smoother evolution while +preserving backward compatibility. + +Scaling +^^^^^^^ + +Each VNFC within a VNF must support independent horizontal scaling, by +adding/removing instances, in response to demand loads on that VNFC. The +Network Cloud is not expected to support adding/removing resources +(compute, memory, storage) to an existing instance of a VNFC (vertical +scaling). A VNF should be designed such that its components can scale +independently of each other. Scaling one component should not require +another component to be scaled at the same time. All scaling will be +controlled by OpenECOMP. + +Managing State +^^^^^^^^^^^^^^ + +VNFCs and their interfaces should isolate and manage state to allow for +high-reliability, scalability, and performance in a Network Cloud +environment. The use of state should be minimized as much as possible to +facilitate the movement of traffic from one instance of a VNFC to +another. Where state is required it should be maintained in a +geographically redundant data store that may in fact be its own VNFC. + +This concept of decoupling state data can be extended to all persistent +data. Persistent data should be held in a loosely coupled database. 
+These decoupled databases need to be engineered and placed correctly to +still meet all the performance and resiliency requirements of the +service. + +Lightweight and Open APIs +^^^^^^^^^^^^^^^^^^^^^^^^^ + +Key functions are accessible via open APIs, which align to Industry API +Standards and supported by an open and extensible information/data +model. + +Reusability +^^^^^^^^^^^ + +Properly (de)composing a VNF requires thinking about “reusability”. +Components should be designed to be reusable within the VNF as well as +by other VNFs. The “single capability” principle aids in this +requirement. If a VNFC could be reusable by other VNFs then it should be +designed as its own single component VNF that may then be chained with +other VNFs. Likewise, a VNF provider should make use of other common +platform VNFs such as firewalls and load balancers, instead of building +their own. + +Resiliency +~~~~~~~~~~ + +The VNF is responsible for meeting its resiliency goals and must factor +in expected availability of the targeted virtualization environment. +This is likely to be much lower than found in a traditional data center. +The VNF developer should design the function in such a way that if there +is a platform problem the VNF will continue working as needed and meet +the SLAs of that function. VNFs should be designed to survive single +failure platform problems including: hypervisor, server, datacenter +outages, etc. There will also be significant planned downtime for the +Network Cloud as the infrastructure goes through hardware and software +upgrades. The VNF should support tools for gracefully meeting the +service needs such as methods for migrating traffic between instances +and draining traffic from an instance. The VNF needs to rapidly respond +to the changing conditions of the underlying infrastructure. + +VNF resiliency can typically be met through redundancy often supported +by distributed systems architectures. 
This is another reason for +favoring smaller VNFCs. By having more instances of smaller VNFCs it is +possible to spread the instance out across servers, racks, datacenters, +and geographic regions. This level of redundancy can mitigate most +failure scenarios and has the potential to provide a service with even +greater availability than the old model. Careful consideration of VNFC +modularity also minimizes the impact of failures when an instance does +fail. + +Security +~~~~~~~~ + +Security must be integral to the VNF through its design, development, +instantiation, operation, and retirement phases. VNF architectures +deliver new security capabilities that make it easier to maximize +responsiveness during a cyber-attack and minimize service interruption +to the customers. SDN enables the environment to expand and adapt for +additional traffic and incorporation of security solutions. Further, +additional requirements will exist to support new security capabilities +as well as provide checks during the development and production stages +to assure the expected advantages are present and compensating controls +exist to mitigate new risks. + +New security requirements will evolve along with the new architecture. +Initially, these requirements will fall into the following categories: + +- VNF General Security Requirements + +- VNF Identity and Access Management Requirements + +- VNF API Security Requirements + +- VNF Security Analytics Requirements + +- VNF Data Protection Requirements + +DevOps +~~~~~~ + +The OpenECOMP software development and deployment methodology is +evolving toward a DevOps model. VNF development and deployment should +evolve in the same direction, enabling agile delivering of end-to-end +services. Following these same principles better positions OpenECOMP and +VNF development to coevolve in the same direction. 
+
+Testing
+^^^^^^^
+
+VNF packages should provide comprehensive automated regression,
+performance and reliability testing with VNFs based on open industry
+standard testing tools and methodologies. VNF packages should provide
+acceptance and diagnostic tests and in-service instrumentation to be
+used in production to validate VNF operation.
+
+Build and Deployment Processes
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+VNF packages should include continuous integration and continuous
+deployment (CI/CD) software artifacts that utilize automated open
+industry standard system and container build tools. The VNF package
+should include parameterized configuration variables to enable automated
+build customization. Don’t create unique (snowflake) VNFs requiring any
+manual work or human attention to deploy. Do create standardized (Lego™)
+VNFs that can be deployed in a fully automated way.
+
+OpenECOMP will orchestrate updates and upgrades of VNFs. The target
+method for updates and upgrades is to onboard and validate the new
+version, then build a new instance with the new version of software,
+transfer traffic to that instance and kill the old instance. There
+should be no need for the VNF or its components to provide an
+update/upgrade mechanism.
+
+Automation
+^^^^^^^^^^
+
+Increased automation is enabled by VNFs and VNF design and composition.
+VNF and VNFCs should provide the following automation capabilities, as
+triggered or managed via OpenECOMP:
+
+- Events and alarms
+
+- Lifecycle events
+
+- Zero-Touch rolling upgrades and downgrades
+
+- Configuration
+
+OpenECOMP Ready
+---------------
+
+OpenECOMP is the “brain” providing the lifecycle management and control
+of software-centric network resources, infrastructure and services.
+OpenECOMP is critical in achieving the objectives to increase the value
+of the Network Cloud to customers by rapidly on-boarding new services,
+enabling the creation of a new ecosystem of consumer and enterprise
+services, reducing capital and operational expenditures, and providing
+operations efficiencies. It delivers enhanced customer experience by
+allowing them in near real-time to reconfigure their network, services,
+and capacity.
+
+For more details, refer to the `ECOMP Architecture White
+Paper `__\ [14]_.
+
+One of the main OpenECOMP responsibilities is to rapidly onboard and
+enrich VNFs to be cataloged as resources to allow composition and
+deployment of services in a multi-vendor plug and play environment. It
+is also extremely important to be able to automatically manage the VNF
+run-time lifecycle to fully realize benefits of NFV. The VNF run-time
+lifecycle includes aspects such as instantiation, configuration, elastic
+scaling, automatic recovery from resource failures, and resource
+allocation. It is therefore imperative to provide VNFs that are equipped
+with well-defined capabilities that comply with OpenECOMP standards to
+allow rapid onboarding and automatic lifecycle management of these
+resources when deploying services as depicted in **Figure 2**.
+
+|image1|
+
+\ **Figure 2. VNF Complete Lifecycle Stages**
+
+In order to realize these capabilities within the OpenECOMP platform, it
+is important to adhere to a set of key principles (listed below) for
+VNFs to integrate into OpenECOMP.
+
+Requirements for OpenECOMP Ready can be found in the *VNF Management
+Requirements for OpenECOMP* document.
+
+Design Definition
+~~~~~~~~~~~~~~~~~
+
+Onboarding automation will be facilitated by applying standards-based
+approaches to VNF packaging to describe the VNF’s infrastructure
+resource requirements, topology, licensing model, design constraints,
+and other dependencies to enable successful VNF deployment and
+management of VNF configuration and operational behavior.
+
+The current VNF Package Requirement is based on a subset of the
+Requirements contained in the ETSI Document: ETSI GS NFV-MAN 001 v1.1.1
+and GS NFV IFA011 V0.3.0 (2015-10) - Network Functions Virtualization
+(NFV), Management and Orchestration, VNF Packaging Specification.
+
+Configuration Management
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+OpenECOMP must be able to orchestrate and manage the VNF configuration
+to provide fully automated environment for rapid service provisioning
+and modification. VNF configuration/reconfiguration must be allowed
+directly through standardized APIs without the need for an EMS.
+
+Monitoring and Management
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The end-to-end service reliability and availability in a virtualized
+environment will greatly depend on the ability to monitor and manage the
+behavior of Virtual Network Functions in real-time. OpenECOMP platform
+must be able to monitor the health of the network and VNFs through
+collection of event and performance data directly from network resources
+utilizing standardized APIs without the need for an EMS. The VNF
+provider must provide visibility into VNF performance and fault at the
+VNFC level (VNFC is the smallest granularity of functionality in our
+architecture) to allow OpenECOMP to proactively monitor, test, diagnose
+and trouble shoot the health and behavior of VNFs at their source.
+
+Virtualization Environment Ready
+--------------------------------
+
+Every Network Cloud Service Provider will have a different set of
+resources and capabilities for their Network Cloud, but there are some
+common resources and capabilities that nearly every NCSP will offer.
+
+Network Cloud
+~~~~~~~~~~~~~
+
+VNFCs should be agnostic to the details of the Network Cloud (such as
+hardware, host OS, Hypervisor or container technology) and must run on
+the Network Cloud with acknowledgement to the paradigm that the Network
+Cloud will continue to rapidly evolve and the underlying components of
+the platform will change regularly. VNFs should be prepared to move
+VNFCs across VMs, hosts, locations or datacenters, or Network Clouds.
+
+Overlay Network
+~~~~~~~~~~~~~~~
+
+VNFs should be compliant with the Network Cloud network virtualization
+platform including the specific set of characteristics and features.
+
+The Network Cloud is expected to be tuned to support VNF performance
+requirements. Initially, specifics may differ per Network Cloud
+implementation and are expected to evolve over time, especially as the
+technology matures.
+
+Guest Operating Systems
+~~~~~~~~~~~~~~~~~~~~~~~
+
+VNFs should use the NCSP’s standard set of OS images to enable
+compliance with security, audit, regulatory and other needs.
+
+Compute Flavors
+~~~~~~~~~~~~~~~
+
+VNFs should take advantage of the standard Network Cloud capabilities in
+terms of VM characteristics (often referred to as VM Flavors), VM sizes
+and cloud acceleration capabilities aimed at VNFs such as Intel’s Data
+Plane Development Kit (DPDK).
+
+Summary
+=======
+
+The intent of these guidelines and requirements is to provide long term
+vision as well as short term focus and clarity where no current open
+source implementation exists today.
The goal is to accelerate the
+adoption of VNFs which will increase innovation, minimize customization
+to onboard VNFs, reduce implementation time and complexity as well as
+lower overall costs for all stakeholders. It is critical for the
+Industry to align on a set of standards and interfaces to quickly
+realize the benefits of NFV. AT&T is contributing these guidelines to
+the OpenECOMP open source community as a step in moving toward
+standards. These guidelines are based on our experience with large scale
+deployment and operations of VNFs over the past several years.
+
+This VNF guidelines document provides a general overview and points to
+more detailed requirements documents. The subtending documents provide
+more detailed requirements and are listed in Appendix B - References.
+All documents are expected to evolve.
+
+Some of these VNF guidelines may be more broadly applicable in the
+industry, e.g., in other open source communities or standards bodies.
+The art of VNF architecture and development is expected to mature
+rapidly with practical deployment and operations experience from a
+broader ecosystem of types of VNFs and different VNF providers.
+Individual operators may also choose to provide their own extensions and
+enhancements to support their particular operational processes, but
+these guidelines are expected to remain broadly applicable across a
+number of service providers interested in acquiring VNFs.
+
+We invite feedback on these VNF Guidelines in the context of the
+OpenECOMP Project. We anticipate an ongoing project within the OpenECOMP
+Community to maintain similar guidance for VNF developers to enable them
+to more easily develop VNFs which are compatible with the evolving
+releases of OpenECOMP. Comments on these guidelines should be discussed
+there.
+ +Appendix A - Glossary +====================== + ++-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Heat | Heat is a service to orchestrate composite cloud applications using a declarative template format through an OpenStack-native REST API. | ++-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Network Clouds | Network Clouds are built on a framework containing these essential elements: refactoring hardware elements into software functions running on commodity cloud computing infrastructure; aligning access, core, and edge networks with the traffic patterns created by IP based services; integrating the network and cloud technologies on a software platform that enables 
rapid, highly automated, deployment and management of services, and software defined control so that both infrastructure and functions can be optimized across change in service demand and infrastructure availability; and increasing competencies in software integration and a DevOps operations model. | ++-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Network Cloud Service Provider | Network Cloud Service Provider (NCSP) is a company or organization, making use of a communications network to provide Network Cloud services on a commercial basis to third parties. 
| ++-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| SDOs | Standards Developing Organizations are organizations which are active in the development of standards intended to address the needs of a group of affected adopters. | ++-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Softwarization | Softwarization is the transformation of business processes to reflect characteristics of software centric products, services, lifecycles, and methods. 
| ++-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Targeted Virtualization Environment | Targeted Virtualization Environment is the execution environment for VNFs. While Network Clouds located in datacenters are a common execution environment, VNFs can and will be deployed in various locations (e.g., non-datacenter environments) and form factors (e.g., enterprise Customer Premise Equipment). Non-datacenter environments are expected to be available at more distributed network locations including central offices and at the edge of the NCSP’s infrastructure. 
| ++-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| VM | Virtual Machine (VM) is a virtualized computation environment that behaves very much like a physical computer/server. A VM has all its ingredients (processor, memory/storage, interfaces/ports) of a physical computer/server and is generated by a hypervisor, which partitions the underlying physical resources and allocates them to VMs. Virtual Machines are capable of hosting a virtual network function component (VNFC). | ++-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| VNF | Virtual Network Function (VNF) is the software implementation of a function that can be deployed on a Network Cloud. 
It includes network functions that provide transport and forwarding. It also includes other functions when used to support network services, such as network-supporting web servers and database. | ++-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| VNFC | Virtual Network Function Component (VNFC) are the sub-components of a VNF providing a VNF Provider a defined sub-set of that VNF's functionality, with the main characteristic that a single instance of this component maps 1:1 against a single Virtualization Container. See Figure 3 for the relationship between VNFC and VNFs. 
| +| | |image2| | ++-------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Appendix B - References +======================= + +1. VNF Cloud Readiness Requirements for OpenECOMP + +2. VNF Management Requirements for OpenECOMP + +3. VNF Heat Template Requirements for OpenECOMP + +Appendix C - Comparison between VNF Guidelines and ETSI GS NFV-SWA 001 +====================================================================== + +The VNF guidelines presented in this document (VNF Guidelines) overlap +with the ETSI GS NFV-SWA 001 (Network Functions Virtualization (NFV); +Virtual Network Function Architecture) document. For convenience we will +just refer to this document as SWA 001. + +The SWA 001 document is a survey of the landscape for architecting a +VNF. It includes many different options for building a VNF that take +advantage of the ETSI MANO architecture. + +The Network Cloud and OpenECOMP have similarities to ETSI’s MANO, but +also have differences described in earlier sections. The result is +differences in the VNF requirements. Since these VNF Guidelines are for +a specific implementation of an architecture they are narrower in scope +than what is specified in the SWA 001 document. + +The VNF Guidelines primarily overlaps the SWA 001 in Sections 4 and 5. 
+The other sections of the SWA 001 document lie outside the scope of the
+VNF Guidelines.
+
+This appendix will describe the differences between these two documents
+indexed on the SWA 001 sections
+
+Section 4 Overview of VNF in the NFV Architecture
+-------------------------------------------------
+
+This section provides an overview of the ETSI NFVI architecture and how
+it interfaces with the VNF architecture. Because of the differences
+between infrastructure architectures there will naturally be some
+differences in how it interfaces with the VNF.
+
+A high level view of the differences in architecture can be found in the
+main body of this document and a more detailed analysis can be found in
+the ECOMP Architecture White Paper\ [15]_.
+
+Section 4.3 Interfaces
+~~~~~~~~~~~~~~~~~~~~~~
+
+Since OpenECOMP provides the VNFM and EMS functionality for all VNFs the
+SWA-3 and SWA-4 interfaces are OpenECOMP interfaces. All OpenECOMP
+interfaces are described in this package of documents.
+
+Section 5 VNF Design Patterns and Properties
+--------------------------------------------
+
+This section of the SWA 001 document gives a broad view of all the
+possible design patterns of VNFs. The VNF Guidelines do not generally
+differ from this section. The VNF Guidelines address a more specific
+scope than what is allowed in the SWA 001 document.
+
+Section 5.1 VNF Design Patterns
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The following are differences between the VNF Guidelines and SWA-001:
+
+- 5.1.2 - The Network Cloud does not recognize the distinction between
+ “parallelizable” and “non-parallelizable” VNFCs, where parallelizable
+ means that there can be multiple instances of the VNFC. In the VNF
+ Guidelines, all VNFCs should support multiple instances and therefore
+ be parallelizable.
+
+- 5.1.3 - The VNF Guidelines encourages the use of stateless VNFCs.
+
+ However, where state is needed it should be kept external to the VNFC
+ to enable easier failover
+
+- 5.1.5 - The VNF Guidelines only accepts horizontal scaling (scale
+ out/in) by VNFC. Vertical scaling (scale up/down) is not supported by
+ OpenECOMP.
+
+- 5.1.5 - Since OpenECOMP provides all EMS and VNFM functionality
+ On-Demand scaling is accomplished through OpenECOMP and not directly
+ by the VNF
+
+Section 5.2 VNF Update and Upgrade
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- 5.2.2 - OpenECOMP will orchestrate updates and upgrades. The
+ preferred method for updates and upgrades is to build a new instance
+ with the new version of software, transfer traffic to that instance
+ and kill the old instance
+
+Section 5.3 VNF Properties
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The following are differences between the VNF Guidelines and SWA-001:
+
+- 5.3.1 - In a Network Cloud all VNFs must be only “COTS-Ready”. The
+ VNF Guidelines does not support “Partly COTS-READY” or “Hardware
+ Dependent”.
+
+- 5.3.2 – The only virtualization environment currently supported by
+ OpenECOMP is “Virtual Machines”. The VNF Guidelines state that all
+ VNFs should be hypervisor agnostic. Other virtualized environment
+ options such as containers are not currently supported. However,
+ container technology is targeted to be supported in the future.
+
+- 5.3.3 - All VNFs must scale horizontally (scale out/in) within the
+ Network Cloud. Vertical (scale up/down) is not supported.
+
+- 5.3.5 - The VNF Guidelines state that OpenECOMP will provide full
+ policy management for all VNFs. The VNF will not provide its own
+ policy management for provisioning and management.
+
+- 5.3.7 - The VNF Guidelines recognizes both stateless and stateful
+ VNFCs but it encourages the minimization of stateful VNFCs.
+
+- 5.3.11 - The VNF Guidelines only allows for OpenECOMP management of
+ the VNF.
It does not allow a proprietary management interface for use
+ with a 3rd party EMS
+
+Section 5.4 Attributes describing VNF Requirements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Attributes described in the VNF Guidelines and reference documents
+include those attributes defined in this section of the SWA 001 document
+but also include additional attributes.
+
+**Copyright 2017 AT&T Intellectual Property. All Rights Reserved.**
+
+This paper is licensed to you under the Creative Commons License:
+
+**Creative Commons Attribution-ShareAlike 4.0 International Public
+License**
+
+You may obtain a copy of the License at:
+
+https://creativecommons.org/licenses/by-sa/4.0/legalcode
+
+**You are free to:**
+
+- Share — copy and redistribute the material in any medium or format
+
+- Adapt — remix, transform, and build upon the material for any
+ purpose, even commercially.
+
+- The licensor cannot revoke these freedoms as long as you follow the
+ license terms.
+
+**Under the following terms:**
+
+- Attribution — You must give appropriate credit, provide a link to the
+ license, and indicate if changes were made. You may do so in any
+ reasonable manner, but **not** in any way that suggests the
+ licensor endorses you or your use.
+
+- ShareAlike — If you remix, transform, or build upon the material, you
+ must distribute your contributions under the same license as the
+ original.
+
+- No additional restrictions — You may not apply legal terms or
+ technological measures that legally restrict others from doing
+ anything the license permits.
+
+**Notices:**
+
+- You do not have to comply with the license for elements of the
+ material in the public domain or where your use is permitted by an
+ applicable exception or limitation.
+
+- No warranties are given. The license may not give you all of the
+ permissions necessary for your intended use. For example, other
+ rights such as publicity, privacy, or moral rights may limit how you
+ use the material.
+
+..
[1]
+ Network Clouds are built on a framework containing these essential
+ elements: refactoring hardware elements into software functions
+ running on commodity cloud computing infrastructure; aligning access,
+ core, and edge networks with the traffic patterns created by IP based
+ services; integrating the network and cloud technologies on a
+ software platform that enables rapid, highly automated, deployment
+ and management of services, and software defined control so that both
+ infrastructure and functions can be optimized across change in
+ service demand and infrastructure availability; and increasing
+ competencies in software integration and a DevOps operations model.
+
+.. [2]
+ OpenECOMP is an open source initiative for ECOMP, www.openecomp.org.
+
+.. [3]
+ Softwarization is the transformation of business processes to reflect
+ characteristics of software centric products, services, lifecycles
+ and methods.
+
+.. [4]
+ “ Virtual Network Functions Architecture” ETSI GS NFV-SWA 001 v1.1.1
+ (Dec 2012)
+
+.. [5]
+ European Telecommunications Standards Institute or ETSI
+ (http://www.etsi.org) is a respected standards body providing
+ standards for information and communications technologies.
+
+.. [6]
+ Full set of capabilities of Network Cloud and/or OpenECOMP might not
+ be needed to support traditional IT like workloads.
+
+.. [7]
+ xRAN (http://www.xran.org/)
+
+.. [8]
+ OpenStack (http://www.openstack.org)
+
+.. [9]
+ OpenDaylight (http://www.opendaylight.org)
+
+.. [10]
+ OPNFV (http://www.opnfv.org)
+
+.. [11]
+ See, e.g., Figure 3 of GS NFV 002, Architectural Framework
+
+.. [12]
+ “Architectural Framework”, ETSI GS NFV 002 (v1.1.1) Oct. 2013)
+
+.. [13]
+ AT&T, for instance, has announced that it seeks to virtualize and
+ control 75% of its network functionality by 2020 and that 50% of
+ AT&T’s software be coming from open source. For AT&T, VNFs have
+ already been placed in service in the Network Cloud and enterprise
+ CPE whiteboxes.
+
+..
[14]
+ ECOMP (Enhanced Control Orchestration, Management & Policy)
+ Architecture White Paper
+ (http://about.att.com/content/dam/snrdocs/ecomp.pdf)
+
+.. [15]
+ ECOMP (Enhanced Control Orchestration, Management & Policy)
+ Architecture White Paper
+ (http://about.att.com/content/dam/snrdocs/ecomp.pdf)
+
+.. |image0| image:: VNF_Control_Loop.jpg
+ :width: 6.56250in
+ :height: 3.69167in
+.. |image1| image:: VNF_Lifecycle.jpg
+ :width: 6.49000in
+ :height: 2.23000in
+.. |image2| image:: VNF_VNFC_Relation.jpg
+ :width: 4.26087in
+ :height: 3.42514in
diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Guidelines_for_Network_Cloud_and_OpenEcomp/VNF_Lifecycle.jpg b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Guidelines_for_Network_Cloud_and_OpenEcomp/VNF_Lifecycle.jpg
new file mode 100644
index 0000000..45419e6
Binary files /dev/null and b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Guidelines_for_Network_Cloud_and_OpenEcomp/VNF_Lifecycle.jpg differ
diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Guidelines_for_Network_Cloud_and_OpenEcomp/VNF_VNFC_Relation.jpg b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Guidelines_for_Network_Cloud_and_OpenEcomp/VNF_VNFC_Relation.jpg
new file mode 100644
index 0000000..0457e86
Binary files /dev/null and b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Guidelines_for_Network_Cloud_and_OpenEcomp/VNF_VNFC_Relation.jpg differ
diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Guidelines_for_Network_Cloud_and_OpenEcomp/index.rst b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Guidelines_for_Network_Cloud_and_OpenEcomp/index.rst
new file mode 100644
index 0000000..7a900f9
--- /dev/null
+++ b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Guidelines_for_Network_Cloud_and_OpenEcomp/index.rst
@@ -0,0 +1,7 @@
+VNF Guidelines for Network Cloud and OpenEcomp
+----------------------------------------------
+
+.. toctree::
+ :maxdepth: 2
+
+ VNF_Guidelines_for_Network_Cloud_and_OpenECOMP_2_6_2017_clean
\ No newline at end of file
diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Heat_Templates_for_OpenEcomp/VNF Heat Template Requirements for OpenECOMP 2-15 NO track changes.docx b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Heat_Templates_for_OpenEcomp/VNF Heat Template Requirements for OpenECOMP 2-15 NO track changes.docx
new file mode 100644
index 0000000..4ed205a
Binary files /dev/null and b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Heat_Templates_for_OpenEcomp/VNF Heat Template Requirements for OpenECOMP 2-15 NO track changes.docx differ
diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Heat_Templates_for_OpenEcomp/VNF_Heat_Template_Requirements_for_OpenECOMP_2_15_NO_track_changes.rst b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Heat_Templates_for_OpenEcomp/VNF_Heat_Template_Requirements_for_OpenECOMP_2_15_NO_track_changes.rst
new file mode 100644
index 0000000..d022032
--- /dev/null
+++ b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Heat_Templates_for_OpenEcomp/VNF_Heat_Template_Requirements_for_OpenECOMP_2_15_NO_track_changes.rst
@@ -0,0 +1,2249 @@
+.. contents::
+ :depth: 3
+..
+
+| VNF
+| Heat Template Requirements for
+| OpenECOMP
+
+Revision 1.0
+
+Revision Date 2/1/2017
+
+**Document Revision History**
+
++------------+------------+-----------------------------------------------------------------------+
+| Date | Revision | Description |
++============+============+=======================================================================+
+| 2/1/2017 | 1.0 | Initial publication of VNF Heat Template Requirements for OpenECOMP |
++------------+------------+-----------------------------------------------------------------------+
+
+**Table of Contents**
+
+**Definitions**
+
+Throughout the document, these terms have the following meaning:
+
+**MUST** This word, or the terms "REQUIRED" or "SHALL", mean that the
+definition is an absolute requirement of the specification.
+
+**MUST** **NOT** This phrase, or the phrase "SHALL NOT", mean that the
+definition is an absolute prohibition of the specification.
+
+**SHOULD** This word, or the adjective "RECOMMENDED", mean that there
+may exist valid reasons in particular circumstances to ignore a
+particular item, but the full implications must be understood and
+carefully weighed before choosing a different course.
+
+**SHOULD** **NOT** This phrase, or the phrase "NOT RECOMMENDED" mean
+that there may exist valid reasons in particular circumstances when the
+particular behavior is acceptable or even useful, but the full
+implications should be understood and the case carefully weighed before
+implementing any behavior described with this label.
+
+**MAY** This word, or the adjective "OPTIONAL", mean that an item is
+truly optional. One vendor may choose to include the item because a
+particular marketplace requires it or because the vendor feels that it
+enhances the product while another vendor may omit the same item.
An
+implementation which does not include a particular option must be
+prepared to interoperate with another implementation which does include
+the option, though perhaps with reduced functionality. In the same vein
+an implementation which does include a particular option must be
+prepared to interoperate with another implementation which does not
+include the option (except, of course, for the feature the option
+provides.)
+
+Introduction
+============
+
+This reference document is the **VNF Heat Template Requirements for OpenECOMP**
+and supports the first release of OpenECOMP.
+
+Program and Document Structure
+------------------------------
+
+This document is part of a hierarchy of documents that describes the
+overall Requirements and Guidelines for OpenECOMP. The diagram below
+identifies where this document fits in the hierarchy.
+
++---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+| OpenECOMP Requirements and Guidelines |
++===============================================================================================================================================================================================================+
+| VNF Guidelines for Network Cloud and OpenECOMP | Future OpenECOMP Subject Documents |
++------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------+
+| VNF Cloud Readiness Requirements for OpenECOMP | VNF Management Requirements for OpenECOMP | VNF Heat Template Requirements for OpenECOMP | Future,VNF Requirements Documents | Future Requirements Documents |
++------------------------------------------------+-------------------------------------------+----------------------------------------------+-----------------------------------+-------------------------------+
+
+Document Summary
+
+**VNF Guidelines for Network Cloud and OpenECOMP**
+
+- Describes VNF environment and overview of requirements
+
+*VNF Cloud Readiness Requirements for OpenECOMP*
+
+- Cloud readiness requirements for VNFs (Design, Resiliency, Security,
+ and DevOps)
+
+*VNF Management Requirements for OpenECOMP*
+
+- Requirements for how VNFs interact and utilize OpenECOMP
+
+**VNF Heat Template Requirements for OpenECOMP**
+
+- Provides recommendations and standards for building Heat templates
+ compatible with OpenECOMP– initial implementations of Network Cloud
+ are assumed to be OpenStack based.
+
+Intended Audience
+-----------------
+
+This document is intended for persons developing Heat templates that
+will be orchestrated by OpenECOMP.
+
+Scope
+-----
+
+The first implementations of Network Cloud are assumed to be OpenStack
+based and thus OpenECOMP will be supporting Heat Orchestration
+Templates, also referred to as Heat templates or Heat in this document.
+
+OpenECOMP requires the Heat Templates to follow a specific format. This
+document provides the mandatory, recommended, and optional requirements
+associated with this format.
+
+In addition, the OpenStack version deployed in the Network Cloud may
+impose additional constraints on the Heat. These constraints are not
+covered in this document.
+
+VNF Modularity Overview
+-----------------------
+
+OpenECOMP supports a modular Heat design pattern, referred to as *VNF
+Modularity.* With this approach, a single VNF may be composed from one
+or more Heat templates, each of which represents some subset of the
+overall VNF. These component parts are referred to as “\ *VNF
+Modules*\ ”. During orchestration, these modules may be deployed
+incrementally to build up the complete VNF.
+
+A Heat template can be either one of the following types of modules:
+
+1. Base Module
+
+2. Incremental Modules
+
+3. Independent Cinder Volume Modules
+
+The OpenECOMP Heat template naming convention must be followed (Section
+2.1). The naming convention identifies the module type.
+
+A VNF must be composed of one “base” VNF module (also called a base
+module) and zero to many “incremental” or “add on” VNF modules. The base
+module must be deployed first, prior to the add-on modules.
+
+A module can be thought of as equivalent to a Heat template, where a
+Heat template is composed of a YAML file and an environment file (also
+referred to as an ENV file). A given YAML file must have a corresponding
+environment file; OpenECOMP requires it.
+
+A Heat template is used to create or deploy a Heat stack. Therefore, a
+module is also equivalent to a Heat Stack.
+
+OpenECOMP supports the concept of an optional, independent deployment of
+a Cinder volume via separate Heat templates. This allows the volume to
+persist after VNF deletion so that the volume can be reused on another
+instance (e.g. during a failover activity).
+
+The scope of a volume module, when it exists, must be 1:1 with the VNF
+Module (base or add-on). A single volume module must create only the
+volumes needed by a single VNF module (base or add-on).
+
+These concepts will be described in more detail throughout the document.
+This overview is provided to set the stage and help clarify the concepts
+that will be introduced.
+
+General Guidelines
+==================
+
+The Heat templates supported by OpenECOMP must follow the requirements
+enumerated in this section.
+
+Filenames
+---------
+
+In order to enable OpenECOMP to understand the relationship between Heat
+files, the following Heat file naming convention must be followed.
+
+- The file name for the base module Heat template must include “base”
+ in the filename.
+
+ - Examples: *base\_xyz.yml* or *base\_xyz.yaml*; *xyz\_base.yml* or
+ *xyz\_base.yaml*
+
+- There is no explicit naming convention for the add-on modules.
+
+ - Examples: *module1.yml* or *module1.yaml*
+
+- All Cinder volume templates must be named the same as the
+ corresponding Heat template with “\_volume” appended to the file
+ name.
+
+ - Examples: *base\_xyz\_volume.yml* or *base\_xyz\_volume.yaml*;
+ *xyz\_base\_volume.yml* or *xyz\_base\_volume.yaml*;
+ *module1\_volume.yml* or *module1\_volume.yaml* (referencing the
+ above base module Heat template name)
+
+- The file name of the environment files must fully match the
+ corresponding Heat template filename and have *.env* or *.ENV*
+ extension.
+
+ - Examples: *base\_xyz.env* or *base\_xyz.ENV*; *xyz\_base.env* or
+ *xyz\_base.ENV*; *base\_xyz\_volume.env* or
+ *base\_xyz\_volume.ENV*; *module1.env* or *module1.ENV;
+ module1\_volume.env* or *module1\_volume.ENV* (referencing the
+ above base module Heat template name)
+
+- A YAML file must have a corresponding ENV file, even if the ENV file
+ enumerates no parameters. It is an OpenECOMP requirement.
+
+Valid YAML Format
+-----------------
+
+A Heat template (a YAML file and its corresponding environment file)
+must be formatted in valid YAML. For a description of YAML, refer to the
+following OpenStack wiki:
+https://wiki.openstack.org/wiki/Heat/YAMLTemplates
+
+A Heat template must follow a specific format. The OpenStack Heat
+Orchestration Template (HOT) specification explains in detail all
+elements of the HOT template format.
+http://docs.openstack.org/developer/heat/template_guide/hot_spec.html
+
+Parameter Categories & Specification
+------------------------------------
+
+Parameter Categories
+~~~~~~~~~~~~~~~~~~~~
+
+OpenECOMP requires the Heat template parameters to follow certain
+requirements in order for it to be orchestrated or deployed. OpenECOMP
+classifies parameters into eight broad categories.
+
+- **OpenECOMP Metadata**: OpenECOMP mandatory and optional metadata
+ parameters in the resource *OS::Nova::Server*.
+
+ - OpenECOMP dictates the naming convention of these Metadata
+ parameters and must be adhered to (See Section 4.4).
+
+ - Metadata parameters must not be enumerated in the environment
+ file.
+
+ - The OpenECOMP Metadata are generated and/or assigned by OpenECOMP
+ and supplied to the Heat by OpenECOMP at orchestration time.
+
+- **OpenECOMP Orchestration Parameters**: The data associated with
+ these parameters are VNF instance specific.
+
+ - OpenECOMP enforces the naming convention of these parameters and
+ must be adhered to (See Section 4).
+
+ - These parameters must not be enumerated in the environment file.
+
+ - The OpenECOMP Orchestration Parameters are generated and/or
+ assigned by OpenECOMP and supplied to the Heat by OpenECOMP at
+ orchestration time.
+
+- **VNF Orchestration Parameters**: The data associated with these
+ parameters are VNF instance specific.
+
+ - While OpenECOMP does not enforce a naming convention, the
+ parameter names should include {vm-type} and {network-role} when
+ appropriate. (See Section 4)
+
+ - These parameters must not be enumerated in the environment file.
+
+ - The VNF Orchestration Parameters Heat are generated and/or
+ assigned by OpenECOMP and supplied to the Heat by OpenECOMP at
+ orchestration time.
+
+- **OpenECOMP Orchestration Constants**: The data associated with these
+ parameters must be constant across all VNF instances.
+
+ - OpenECOMP enforces the naming convention of these parameters and
+ must be adhered to (See Section 4).
+
+ - These parameters must be enumerated in the environment file.
+
+- **VNF Orchestration Constants**: The data associated with these
+ parameters must be constant across all VNF instances.
+
+ - While OpenECOMP does not enforce a naming convention, the
+ parameter names should include {vm-type} and {network-role} when
+ appropriate.
(See Section 4)
+
+ - These parameters must be enumerated in the environment file.
+
+- **OpenECOMP Base Template Output Parameters** (also referred to as
+ Base Template Output Parameters): The output section of the base
+ template allows for specifying output parameters available to add-on
+ modules once the base template has been instantiated. The parameter
+ defined in the output section of the base must be identical to the
+ parameter defined in the add-on module(s) where the parameter is
+ used.
+
+- **OpenECOMP Volume Template Output Parameters** (also referred to as
+ Volume Template Output Parameters): The output section of the volume
+ template allows for specifying output parameters available to the
+ corresponding Heat template (base or add-on) once the volume template
+ has been instantiated. The parameter defined in the output section of
+ the volume must be identical to the parameter defined in the base or
+ add-on module.
+
+- **OpenECOMP Predefined Output Parameters** (also referred to as
+ Predefined Output Parameters): OpenECOMP will look for a small set of
+ pre-defined Heat output parameters to capture resource attributes for
+ inventory in OpenECOMP. These parameters are specified in Section
+ 4.6.
+
+The table below summarizes the Parameter Types. If the user is
+orchestrating a manual spin up of Heat (e.g. OpenStack command line),
+the parameter values that OpenECOMP supplies must be enumerated in the
+environment file. However, when the Heat is to be loaded into OpenECOMP
+for orchestration, the parameters that OpenECOMP supplies must be
+deleted or marked with a comment (i.e., a “#” placed at the beginning of
+a line).
+
++-----------------------------------------------+---------------------+---------------------------------------------------------------------------------+
+| Parameter Type | Naming Convention | Parameter Value Source |
++===============================================+=====================+=================================================================================+
+| OpenECOMP Metadata | Explicit | OpenECOMP |
++-----------------------------------------------+---------------------+---------------------------------------------------------------------------------+
+| OpenECOMP Orchestration Parameters | Explicit | OpenECOMP |
++-----------------------------------------------+---------------------+---------------------------------------------------------------------------------+
+| VNF Orchestration Parameters | Recommended | OpenECOMP |
++-----------------------------------------------+---------------------+---------------------------------------------------------------------------------+
+| OpenECOMP Orchestration Constants | Explicit | Environment File |
++-----------------------------------------------+---------------------+---------------------------------------------------------------------------------+
+| VNF Orchestration Constants | Recommended | Environment File |
++-----------------------------------------------+---------------------+---------------------------------------------------------------------------------+
+| OpenECOMP Base Template Output Parameters | Recommended | Heat Output Statement for base, OpenECOMP supplied to add-on modules |
++-----------------------------------------------+---------------------+---------------------------------------------------------------------------------+
+| OpenECOMP Volume Template Output Parameters | Recommended | Heat Output Statement for volume, OpeneECOMP supplies to corresponding module |
++-----------------------------------------------+---------------------+---------------------------------------------------------------------------------+
+| OpenECOMP Predefined Output Parameters | Explicit | Heat Output Statement |
++-----------------------------------------------+---------------------+---------------------------------------------------------------------------------+
+
+Table 1 Parameter Types
+
+Parameter Specifications
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+OpenECOMP METADATA Parameters
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+OpenECOMP defines four “metadata” parameters: vnf\_id, vf\_module\_id,
+vnf\_name, vf\_module\_name. These parameters must not define any
+constraints in the Heat template, including length restrictions, ranges,
+default value and/or allowed patterns.
+
+OpenECOMP Base Template & Volume Template Output Parameters
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The base template and volume template output parameters are defined as
+input parameters in subsequent modules. When defined as input
+parameters, these parameters must not define any constraints in the Heat
+template, including length restrictions, ranges, default value and/or
+allowed patterns. The parameter name defined in the output statement of
+the Heat must be identical to the parameter name defined in the Heat
+that is to receive the value.
+
+OpenECOMP Predefined Output Parameters
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+These parameters must not define any constraints in the Heat template,
+including length restrictions, ranges, default value and/or allowed
+patterns.
+
+OpenECOMP Orchestration Parameters, VNF Orchestration Parameters, OpenECOMP Orchestration Constants, VNF Orchestration Constants
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+OpenECOMP Orchestration Parameters, VNF Orchestration Parameters,
+OpenECOMP Orchestration Constants, VNF Orchestration Constants must
+adhere to the following:
+
+- All parameters should be clearly documented in the template,
+ including expected values.
+
+- All parameters should be clearly specified, including constraints and
+ description.
+
+- Numeric parameter constraints should include range and/or allowed
+ values.
+
+- When the parameter type is a string and the parameter name contains
+ an index, the index must be zero based. That is, the index starts at
+ zero.
+
+- When the parameter type is a Comma Delimited List (CDL), the
+ reference index must start at zero.
+
+- Default values must only be supplied in a Heat environment file to
+ keep the template itself as clean as possible.
+
+- Special characters must not be used in parameter names, as currently
+ only alphanumeric characters and “\_” underscores are allowed.
+
+Use of Heat Environments
+------------------------
+
+A YAML file must have a corresponding environment file (also referred to
+as ENV file), even if the environment file defines no parameters. It is
+an OpenECOMP requirement.
+
+The environment file must contain parameter values for the OpenECOMP
+Orchestration Constants and VNF Orchestration Constants. These
+parameters are identical across all instances of a VNF type, and
+expected to change infrequently. The OpenECOMP Orchestration Constants
+are associated with OS::Nova::Server image and flavor properties (See
+Section 4.3). Examples of VNF Orchestration Constants are the networking
+parameters associated with an internal network (e.g. private IP ranges)
+and Cinder volume sizes.
+
+The environment file must not contain parameter values for parameters
+that are instance specific (OpenECOMP Orchestration Parameters, VNF
+Orchestration Parameters). These parameters are supplied to the Heat by
+OpenECOMP at orchestration time. The parameters are generated and/or
+assigned by OpenECOMP at orchestration time
+
+Independent Volume Templates
+----------------------------
+
+OpenECOMP supports independent deployment of a Cinder volume via
+separate Heat templates. This allows the volume to persist after VNF
+deletion so that they can be reused on another instance (e.g. during a
+failover activity).
+
+A VNF Incremental Module or Base Module may have an independent volume
+module. Use of separate volume modules is optional. A Cinder volume may
+be embedded within the Incremental or Base Module if persistence is not
+required.
+
+If a VNF Incremental Module or Base Module has an independent volume
+module, the scope of volume templates must be 1:1 with Incremental
+module or Base module. A single volume module must create only the
+volumes required by a single Incremental module or Base module.
+
+The following rules apply to independent volume Heat templates:
+
+- Cinder volumes must be created in a separate Heat template from the
+ Incremental and Base Modules.
+
+ - A single volume module must include all Cinder volumes needed by
+ the Incremental/Base module.
+
+ - The volume template must define “outputs” for each Cinder volume
+ resource universally unique identifier (UUID) (i.e. OpenECOMP
+ Volume Template Output Parameters).
+
+- The VNF Incremental Module or Base Module must define input
+ parameters that match each Volume output parameter (i.e., OpenECOMP
+ Volume Template Output Parameters).
+
+ - OpenECOMP will supply the volume template outputs automatically to
+ the bases/incremental template input parameters.
+
+- Volume modules may utilize nested Heat templates.
+
+**Example (volume template):**
+
+ In this example, the {vm-type} has been left as a variable.
+ {vm-type} is described in section 4.1. If the VM was a load
+ balancer, the {vm-type} could be defined as “lb”
+
+.. code-block:: python
+
+ parameters:
+ vm-typevnf\_name:
+ type: string
+ {vm-type}\_volume\_size\_0:
+ type: number
+ ...
+
+ resources:
+ {vm-type}\_volume\_0:
+ type: OS::Cinder::Volume
+ properties:
+ name:
+ str\_replace:
+ template: VNF\_NAME\_volume\_0
+ params:
+ VNF\_NAME: { get\_param: vnf\_name }
+ size: {get\_param: {vm-type}\_volume\_size\_0}
+ ...
+
+*(+ additional volume definitions)*
+
+.. code-block:: python
+
+ outputs:
+ {vm-type}\_volume\_id\_0:
+ value: {get\_resource: {vm-type}\_volume\_0}
+ ...
+
+*(+ additional volume outputs)*
+
+*Example (VNF module template):*
+
+.. code-block:: python
+
+ parameters:
+ {vm-type}\_name\_0:
+ type: string
+ {vm-type}\_volume\_id\_0:
+ type: string
+ ...
+
+ resources:
+ {vm-type}\_0:
+ type: OS::Nova::Server
+ properties:
+ name: {get\_param: {vm-type}\_name\_0}
+ networks:
+ ...
+
+ {vm-type}\_0\_volume\_attach:
+ type: OS::Cinder::VolumeAttachment
+ properties:
+ instance\_uuid: { get\_resource: {vm-type}\_0 }
+ volume\_id: { get\_param: {vm-type}\_volume\_id\_0 }
+
+Nested Heat Templates
+---------------------
+
+OpenECOMP supports nested Heat templates per the OpenStack
+specifications. Nested templates may be suitable for larger VNFs that
+contain many repeated instances of the same VM type(s). A common usage
+pattern is to create a nested template for each VM type along with its
+supporting resources. The master VNF template (or VNF Module template)
+may then reference these component templates either statically (by
+repeated definition) or dynamically (via *OS::Heat::ResourceGroup*).
+
+Nested template support in OpenECOMP is subject to the following
+limitations:
+
+- Heat templates for OpenECOMP must only have one level of nesting.
+ OpenECOMP only supports one level of nesting.
+
+- Nested templates must be referenced by file name in the master
+ template
+
+ - i.e. use of *resource\_registry* in the .env file is *not*
+ currently supported
+
+- Nested templates must have unique file names within the scope of the
+ VNF
+
+- OpenECOMP does not support a directory hierarchy for nested
+ templates. All templates must be in a single, flat directory (per
+ VNF)
+
+- A nested template may be shared by all Modules (i.e., Heat templates)
+ within a given VNF
+
+Networking
+===========
+
+External Networks
+-----------------
+
+VNF templates must not include any resources for external networks
+connected to the VNF. In this context, “external” is in relation to the
+VNF itself (not with regard to the Network Cloud site). External
+networks may also be referred to as “inter-VNF” networks.
+
+- External networks must be orchestrated separately, so they can be
+ shared by multiple VNFs and managed independently. When the external
+ network is created, it must be assigned a unique {network-role} (See
+ section 4.2).
+
+- External networks must be passed into the VNF template as parameters,
+ including the network-id (i.e. the neutron network UUID) and optional
+ subnet ID.
+
+- VNF templates must pass the appropriate external network IDs into
+ nested VM templates when nested Heat is used.
+
+- VNFs may use DHCP assigned IP addresses or assign fixed IPs when
+ attaching VMs to an external network.
+
+- OpenECOMP enforces a naming convention for parameters associated with
+ external networks.
+
+- Parameter values associated with an external network will be
+ generated and/or assigned by OpenECOMP at orchestration time.
+
+- Parameter values associated with an external network must not be
+ enumerated in the environment file.
+
+Internal Networks
+-----------------
+
+Orchestration activities related to internal networks must be included
+in VNF templates.
In this context, “internal” is in relation to the VNF
+itself (not in relation to the Network Cloud site). Internal networks
+may also be referred to as “intra-VNF” networks or “private” networks.
+
+- Internal networks must not attach to any external gateways and/or
+ routers. Internal networks are for intra-VM communication only.
+
+- In the modular approach, internal networks must be created in the
+ Base Module template, with their resource IDs exposed as outputs
+ (i.e., OpenECOMP Base Template Output Parameters) for use by all
+ add-on module templates. When the external network is created, it
+ must be assigned a unique {network-role} (See section 4.2).
+
+- VNFs may use DHCP assigned IP addresses or assign fixed IPs when
+ attaching VMs to an internal network.
+
+- OpenECOMP does not enforce a naming convention for parameters for
+ internal network, however, a naming convention is provided that
+ should be followed.
+
+- Parameter values associated with an internal network must either be
+ passed as output parameter from the base template (i.e., OpenECOMP
+ Base Template Output Parameters) into the add-on modules or be
+ enumerated in the environment file.
+
+IP Address Assignment
+---------------------
+
+- VMs connect to external networks using either fixed (e.g. statically
+ assigned) IP addresses or DHCP assigned IP addresses.
+
+- VMs connect to internal networks using either fixed (e.g. statically
+ assigned) IP addresses or DHCP assigned IP addresses.
+
+- Neutron Floating IPs must not be used. OpenECOMP does not support
+ Neutron Floating IPs.
+
+- OpenECOMP supports the OS::Neutron::Port property
+ “allowed\_address\_pairs.” See Section 4.4.3.
+
+Parameter Naming Convention
+===========================
+
+{vm-type}
+---------
+
+A common *{vm-type}* identifier must be used throughout the Heat
+template in naming parameters, for each VM type in the VNF with the
+following exceptions:
+
+- The four OpenECOMP Metadata parameters must not be prefixed with a
+ common {vm-type} identifier. They are *vnf\_name*, *vnf\_id*,
+ *vf\_module\_id*, *vf\_module\_name*.
+
+- Parameters only referring to a network or subnetwork must not be
+ prefixed with a common {vm-type} identifier.
+
+- The parameter referring to the OS::Nova::Server property
+ availability\_zone must not be prefixed with a common {vm-type}
+ identifier.
+
+- {vm-type} must be unique to the VNF. It does not have to be globally
+ unique across all VNFs that OpenECOMP supports.
+
+{network-role}
+--------------
+
+VNF templates must not include any resources for external networks
+connected to the VNF. In this context, “external” is in relation to the
+VNF itself (not with regard to the Network Cloud site). External
+networks may also be referred to as “inter-VNF” networks.
+
+External networks must be orchestrated separately, so they can be shared
+by multiple VNFs and managed independently. When the external network is
+created, it must be assigned a unique {network-role}.
+
+“External” networks must be passed into the VNF template as parameters.
+Examples include the network-id (i.e. the neutron network UUID) and
+optional subnet ID. See section 4.4.3.
+
+Any parameter that is associated with an external network must include
+the {network-role} as part of the parameter name.
+
+Internal network parameters must also define a {network-role}. Any
+parameter that is associated with an internal network must include
+int\_{network-role} as part of the parameter name.
+
+Resource: OS::Nova::Server - Parameters
+---------------------------------------
+
+The following OS::Nova::Server Resource Property Parameter Names must
+follow the OpenECOMP parameter Naming Convention. All the parameters
+associated with OS::Nova::Server are classified as OpenECOMP
+Orchestration Parameters.
+
++----------------------+-----------------------------------------+------------------+
+| OS::Nova::Server |
++======================+=========================================+==================+
+| Property | OpenECOMP Parameter Naming Convention | Parameter Type |
++----------------------+-----------------------------------------+------------------+
+| image | {*vm-type*}\_image\_name | string |
++----------------------+-----------------------------------------+------------------+
+| flavor | {*vm-type*}\_flavor\_name | string |
++----------------------+-----------------------------------------+------------------+
+| name | {*vm-type*}\_name\_{*index*} | string |
++----------------------+-----------------------------------------+------------------+
+| | {vm-type}\_names | CDL |
++----------------------+-----------------------------------------+------------------+
+| availability\_zone | availability\_zone\_{index} | string |
++----------------------+-----------------------------------------+------------------+
+
+Table 2 Resource Property Parameter Names
+
+Property: image
+~~~~~~~~~~~~~~~
+
+Image is an OpenECOMP Orchestration Constant parameter. The image must
+be referenced by the Network Cloud Service Provider (NCSP) image name,
+with the parameter enumerated in the Heat environment file.
+
+The parameters must be named *“{vm-type}\_image\_name”* in the VNF.
+
+Each VM type (e.g., {vm-type}) should have a separate parameter for
+images, even if several share the same image. This provides maximum
+clarity and flexibility.
+
+Property: flavor
+~~~~~~~~~~~~~~~~
+
+Flavor is an OpenECOMP Orchestration Constant parameter.
The flavors
+must be referenced by the Network Cloud Service Provider (NCSP) flavor
+name, with the parameter enumerated in the Heat environment file.
+
+The parameters must be named *“{vm-type}\_flavor\_name”* for each
+*{vm-type}* in the VNF.
+
+Each VM type should have separate parameters for flavors, even if more
+than one VM shares the same flavor. This provides maximum clarity and
+flexibility.
+
+Property: Name
+~~~~~~~~~~~~~~
+
+Name is an OpenEOMP Orchestration parameter; the value is provided to
+the Heat template by OpenECOMP.
+
+VM names (hostnames) for assignment to VM instances must be passed to
+Heat templates either as
+
+- an array (comma delimited list) for each VM type
+
+- a set of fixed-index parameters for each VM type instance.
+
+Each element in the VM Name list should be assigned to successive
+instances of that VM type.
+
+The parameter names must reflect the VM Type (i.e., include the
+{vm-type} in the parameter name.) The parameter name format must be one
+of the following:
+
+- If the parameter type is a comma delimited list: {**vm-type**}\_names
+
+- If the parameter type is a string with a fixed index:
+ {**vm-type**}\_name\_{**index**}
+
+If a VNF contains more than three instances of a given {vm-type}, the
+CDL form of the parameter name (i.e., *{vm-type}*\ \_names} should be
+used to minimize the number of unique parameters defined in the Heat.
+
+*Examples:*
+
+.. code-block:: python
+
+ parameters:
+ {vm-type}\_names:
+ type: comma\_delimited\_list
+ description: VM Names for {vm-type} VMs
+ {vm-type}\_name\_{index}:
+ type: string
+ description: VM Name for {vm-type} VM {index}
+
+*Example (CDL):*
+
+In this example, the {vm-type} has been defined as “lb” for load
+balancer.
+
+.. code-block:: python
+
+ parameters:
+ lb\_names:
+ type: comma\_delimited\_list
+ description: VM Names for lb VMs
+ resources:
+ lb\_0:
+ type: OS::Nova::Server
+ properties:
+ name: { get\_param: [lb\_names, 0] }
+ ...
+
+ lb\_1:
+ type: OS::Nova::Server
+ properties:
+ name: { get\_param: [lb\_names, 1] }
+ ...
+
+**Example (fixed-index):**
+
+In this example, the {vm-type} has been defined as “lb” for load
+balancer.
+
+.. code-block:: python
+
+ parameters:
+ lb\_name\_0:
+ type: string
+ description: VM Name for lb VM 0
+ lb\_name\_1:
+ type: string
+ description: VM Name for lb VM 1
+
+ resources:
+ lb\_0:
+ type: OS::Nova::Server
+ properties:
+ name: { get\_param: lb\_name\_0 }
+ ...
+
+ lb\_1:
+ type: OS::Nova::Server
+ properties:
+ name: { get\_param: lb\_name\_1 }
+ ...
+
+Property: availability\_zone
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Availability\_zone is an OpenECOMP Orchestration parameter; the value is
+provided to the Heat template by OpenECOMP.
+
+Availability zones must be passed as individual numbered parameters (not
+as arrays) so that VNFs with multi-availability zone requirements can
+clearly specify that in its parameter definitions.
+
+The availability zone parameter must be defined as
+“availability\_zone\_{index}”, with the {index} starting at zero.
+
+*Example:*
+
+In this example, the {vm-type} has been defined as “lb” for load
+balancer.
+
+.. code-block:: python
+
+ parameters:
+ lb\_names:
+ type: comma\_delimited\_list
+ description: VM Names for lb VMs
+ availability\_zone\_0:
+ type: string
+ description: First availability zone ID or Name
+
+ resources:
+ lb\_0:
+ type: OS::Nova::Server
+ properties:
+ name: { get\_param: [lb\_names, 0] }
+ availability\_zone: { get\_param: availability\_zone\_0 }
+ ...
+
+Resource: OS::Nova::Server - Metadata
+-------------------------------------
+
+This section describes the OpenECOMP Metadata parameters.
+
+OpenECOMP Heat templates must include the following three parameters
+that are used as metadata under the resource OS::Nova:Server: vnf\_id,
+vf\_module\_id, vnf\_name
+
+OpenECOMP Heat templates may include the following parameter that is
+used as metadata under the resource OS::Nova:Server: vf\_module\_name.
+
+These parameters are all classified as OpenECOMP Metadata.
+
++---------------------------+------------------+----------------------+
+| Metadata Parameter Name | Parameter Type | Mandatory/Optional |
++===========================+==================+======================+
+| vnf\_id | string | mandatory |
++---------------------------+------------------+----------------------+
+| vf\_module\_id | string | mandatory |
++---------------------------+------------------+----------------------+
+| vnf\_name | string | mandatory |
++---------------------------+------------------+----------------------+
+| vf\_module\_name | string | optional |
++---------------------------+------------------+----------------------+
+
+ Table 3 OpenECOMP Metadata
+
+Required Metadata Elements
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The vnf\_id, vf\_module\_id, and vnf\_name metadata elements are
+required (must) for *OS::Nova::Server* resources. The metadata
+parameters will be used by OpenECOMP to associate the servers with the
+VNF instance.
+
+- vnf\_id
+
+ - *“vnf\_id”* parameter value will be supplied by OpenECOMP.
+ OpenECOMP generates the UUID that is the vnf\_id and supplies it
+ to the Heat at orchestration time.
+
+- vf\_module\_id
+
+ - “\ *vf\_module\_id”* parameter value will be supplied by
+ OpenECOMP. OpenECOMP generates the UUID that is the vf\_module\_id
+ and supplies it to the Heat at orchestration time.
+
+- vnf\_name
+
+ - “\ *vnf\_name”* parameter value will be generated and/or assigned
+ by OpenECOMP and supplied to the Heat by OpenECOMP at
+ orchestration time.
+
+Optional Metadata Elements
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The following metadata element is optional for *OS::Nova::Server*
+resources:
+
+- *vf\_module\_name*
+
+ - The vf\_module\_name is the name of the name of the Heat stack
+ (e.g., ) in the command “Heat stack-create” (e.g.
+ Heat stack-create [-f ] [-e ] ). The
+ needs to be specified as part of the orchestration
+ process.
+
+ - *“vf\_module\_name”* parameter value, when used, will be supplied
+ by OpenECOMP to the Heat at orchestration time. The parameter will
+ be generated and/or assigned by OpenECOMP and supplied to the Heat
+ by OpenECOMP at orchestration time.
+
+*Example*
+
+In this example, the {vm-type} has been defined as “lb” for load
+balancer.
+
+.. code-block:: python
+
+ parameters:
+ vnf\_name:
+ type: string
+ description: Unique name for this VNF instance
+ vnf\_id:
+ type: string
+ description: Unique ID for this VNF instance
+ vf\_module\_name:
+ type: string
+ description: Unique name for this VNF Module instance
+ vf\_module\_id:
+ type: string
+ description: Unique ID for this VNF Module instance
+
+ resources:
+ lb\_server\_group:
+ type: OS::Nova::ServerGroup
+ properties:
+ name:
+ str\_replace:
+ template: VNF\_NAME\_lb\_ServerGroup
+ params:
+ VNF\_NAME: { get\_param: VNF\_name }
+ policies: [ ‘anti-affinity’ ]
+
+ lb\_vm\_0:
+ type: OS::Nova::Server
+ properties:
+ name: { get\_param: lb\_name\_0 }
+ scheduler\_hints:
+ group: { get\_resource: lb\_server\_group }
+ metadata:
+ vnf\_name: { get\_param: vnf\_name }
+ vnf\_id: { get\_param: vnf\_id }
+ vf\_module\_name: { get\_param: vf\_module\_name }
+ vf\_module\_id: { get\_param: vf\_module\_id }
+ ...
+
+Resource: OS::Neutron::Port - Parameters
+----------------------------------------
+
+The following four OS::Neutron::Port Resource Property Parameters must
+adhere to the OpenECOMP parameter naming convention.
+
+- network
+
+- subnet
+
+- fixed\_ips
+
+- allowed\_address\_pairs
+
+These four parameters reference a network, which maybe an external
+network or an internal network. Thus the parameter will include
+{network-role} in its name.
+
+When the parameter references an external network, the parameter is an
+OpenECOMP Orchestration Parameter. The parameter value must be supplied
+by OpenECOMP. The parameters must adhere to the OpenECOMP parameter
+naming convention.
+
++---------------------------+-----------------------------------------------+------------------+
+| OS::Neutron::Port |
++===========================+===============================================+==================+
+| Property | Parameter Name for External Networks | Parameter Type |
++---------------------------+-----------------------------------------------+------------------+
+| Network | {network-role}\_net\_id | string |
++---------------------------+-----------------------------------------------+------------------+
+| | {network-role}\_net\_name | string |
++---------------------------+-----------------------------------------------+------------------+
+| Subnet | {network-role}\_subnet\_id | string |
++---------------------------+-----------------------------------------------+------------------+
+| | {network-role}\_v6\_subnet\_id | string |
++---------------------------+-----------------------------------------------+------------------+
+| fixed\_ips | {vm-type}\_{network-role}\_ip\_{index} | string |
++---------------------------+-----------------------------------------------+------------------+
+| | {vm-type}\_{network-role}\_ips | CDL |
++---------------------------+-----------------------------------------------+------------------+
+| | {vm-type}\_{network-role}\_v6\_ip\_{index} | string |
++---------------------------+-----------------------------------------------+------------------+
+| | {vm-type}\_{network-role}\_v6\_ips | CDL |
++---------------------------+-----------------------------------------------+------------------+
+| allowed\_address\_pairs | {vm-type}\_{network-role}\_floating\_ip | string |
++---------------------------+-----------------------------------------------+------------------+
+| | {vm-type}\_{network-role}\_floating\_v6\_ip | string |
++---------------------------+-----------------------------------------------+------------------+
+| | {vm-type}\_{network-role}\_ip\_{index} | string |
++---------------------------+-----------------------------------------------+------------------+
+| | {vm-type}\_{network-role}\_ips | CDL |
++---------------------------+-----------------------------------------------+------------------+
+| | {vm-type}\_{network-role}\_v6\_ip\_{index} | string |
++---------------------------+-----------------------------------------------+------------------+
+| | {vm-type}\_{network-role}\_v6\_ips | CDL |
++---------------------------+-----------------------------------------------+------------------+
+
+Table 4 Port Resource Property Parameters (External Networks)
+
+When the parameter references an internal network, the parameter is a
+VNF Orchestration Parameters. The parameter value(s) must be supplied
+either via an output statement(s) in the base module (i.e., OpenECOMP
+Base Template Output Parameters) or be enumerated in the environment
+file. The parameters must adhere to the following parameter naming
+convention.
+
++---------------------------+----------------------------------------------------+------------------+
+| OS::Neutron::Port |
++===========================+====================================================+==================+
+| Property | Parameter Name for Internal Networks | Parameter Type |
++---------------------------+----------------------------------------------------+------------------+
+| Network | int\_{network-role}\_net\_id | string |
++---------------------------+----------------------------------------------------+------------------+
+| | int\_{network-role}\_net\_name | string |
++---------------------------+----------------------------------------------------+------------------+
+| Subnet | int\_{network-role}\_subnet\_id | string |
++---------------------------+----------------------------------------------------+------------------+
+| | Int\_{network-role}\_v6\_subnet\_id | string |
++---------------------------+----------------------------------------------------+------------------+
+| fixed\_ips | {vm-type}\_int\_{network-role}\_ip\_{index} | string |
++---------------------------+----------------------------------------------------+------------------+
+| | {vm-type}\_int\_{network-role}\_ips | CDL |
++---------------------------+----------------------------------------------------+------------------+
+| | {vm-type}\_int\_{network-role}\_v6\_ip\_{index} | string |
++---------------------------+----------------------------------------------------+------------------+
+| | {vm-type}\_int\_{network-role}\_v6\_ips | CDL |
++---------------------------+----------------------------------------------------+------------------+
+| allowed\_address\_pairs | {vm-type}\_int\_{network-role}\_floating\_ip | string |
++---------------------------+----------------------------------------------------+------------------+
+| | {vm-type}\_int\_{network-role}\_floating\_v6\_ip | string |
++---------------------------+----------------------------------------------------+------------------+
+| | {vm-type}\_int\_{network-role}\_ip\_{index} | string |
++---------------------------+----------------------------------------------------+------------------+
+| | {vm-type}\_int\_{network-role}\_ips | CDL |
++---------------------------+----------------------------------------------------+------------------+
+| | {vm-type}\_int\_{network-role}\_v6\_ip\_{index} | string |
++---------------------------+----------------------------------------------------+------------------+
+| | {vm-type}\_int\_{network-role}\_v6\_ips | CDL |
++---------------------------+----------------------------------------------------+------------------+
+
+Table 5 Port Resource Property Parameters (Internal Networks)
+
+Property: network & subnet
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The property “networks” in the resource OS::Neutron::Port must be
+referenced by Neutron Network ID, a UUID value, or by the network name
+defined in OpenStack.
+
+When the parameter is referencing an “external” network, the parameter
+must adhere to the following naming convention
+
+- *“{*\ network-role}\_net\_id”, for the Neutron network ID
+
+- “{network-role}\_net\_name”, for the network name in OpenStack
+
+When the parameter is referencing an “internal” network, the parameter
+must adhere to the following naming convention.
+
+- “\ *int\_{network-role}\_net\_id*\ ”, for the Neutron network ID
+
+- “\ *int\_{network-role}\_net\_name*\ ”, for the network name in
+ OpenStack
+
+The property “subnet\_id” must be used if a DHCP IP address assignment
+is being requested and the DHCP IP address assignment is targeted at a
+specific subnet.
+
+The property “subnet\_id” should not be used if all IP assignments are
+fixed, or if the DHCP assignment does not target a specific subnet
+
+When the parameter is referencing an “external” network subnet, the
+“subnet\_id” parameter must adhere to the following naming convention.
+
+- “\ *{network-role}\_subnet\_id*\ ” if the subnet is an IPv4 subnet
+
+- “\ *{network-role}\_v6\_subnet\_id”* if the subnet is an IPv6 subnet
+
+When the parameter is referencing an “internal” network subnet, the
+“subnet\_id” parameter must adhere to the following naming convention.
+
+- “\ *int\_{network-role}\_subnet\_id*\ ” if the subnet is an IPv4
+ subnet
+
+- “\ *int\_{network-role}\_v6\_subnet\_id*\ ” if the subnet is an IPv6
+ subnet
+
+*Example:*
+
+.. code-block:: python
+
+ parameters:
+ {network-role}\_net\_id:
+ type: string
+ description: Neutron UUID for the {network-role} network
+ {network-role}\_net\_name:
+ type: string
+ description: Neutron name for the {network-role} network
+ {network-role}\_subnet\_id:
+ type: string
+ description: Neutron subnet UUID for the {network-role} network
+ {network-role}\_v6\_subnet\_id:
+ type: string
+ description: Neutron subnet UUID for the {network-role} network
+
+*Example:*
+
+In this example, the {network-role} has been defined as “oam” to
+represent an oam network and the {vm-type} has been defined as “lb” for
+load balancer.
+
+.. code-block:: python
+
+ parameters:
+ oam\_net\_id:
+ type: string
+ description: Neutron UUID for the oam network
+
+ resources:
+ lb\_port\_1:
+ type: OS::Neutron::Port
+ network: { get\_param: oam\_net\_id }
+
+Property: fixed\_ips
+~~~~~~~~~~~~~~~~~~~~
+
+The property “fixed\_ips” in the resource OS::Neutron::Port must be used
+when statically assigning IP addresses.
+
+An IP address is assigned to a port on a type of VM (i.e., {vm-type})
+that is connected to a type of network (i.e., {network-role}). These two
+tags are components of the parameter name.
+ +When the “fixed\_ips” parameter is referencing an “external” network, +the parameter must adhere to the naming convention below. The parameter +may be a comma delimited list or a string. + +There must be a different parameter name for IPv4 IP addresses and IPv6 +addresses + +- **Comma-delimited list:** Each element in the IP list should be + assigned to successive instances of that VM type on that network. + + - *Format for IPv4 addresses:* {vm-type}\_{network-role}\_ips + + - *Format for IPv6 addresses:* {vm-type}\_{network-role}\_v6\_ips + +- **A set of fixed-index parameters:** In this case, the parameter + should have “\ *type: string*\ ” and must be repeated for every IP + expected for each {vm-type} + {network-role} pair. + + - *Format for IPv4 addresses:* + {vm-type}\_{network-role}\_ip\_{index} + + - *Format for IPv6 addresses:* + {vm-type}\_{network-role}\_v6\_ip\_{index} + +When the “fixed\_ips” parameter is referencing an “internal” network, +the parameter must adhere to the naming convention below. The parameter +may be a comma delimited list or a string. + +There must be a different parameter name for IPv4 IP addresses and IPv6 +addresses + +- **Comma-delimited list:** Each element in the IP list should be + assigned to successive instances of that VM type on that network. + + - *Format for IPv4 addresses:* {vm-type}\_int\_{network-role}\_ips + + - *Format for IPv6 addresses:* + {vm-type}\_int\_{network-role}\_v6\_ips + +- **A set of fixed-index parameters:** In this case, the parameter + should have “\ *type: string*\ ” and must be repeated for every IP + expected for each {vm-type} and {network-role}pair. 
+
+ - *Format for IPv4 addresses:*
+ {vm-type}\_int\_{network-role}\_ip\_{index}
+
+ - *Format for IPv6 addresses:*
+ {vm-type}\_int\_{network-role}\_v6\_ip\_{index}
+
+If a VNF contains more than three IP addresses for a given {vm-type} and
+{network-role} combination, the CDL form of the parameter name should be
+used to minimize the number of unique parameters defined in the Heat.
+
+*Example (external network)*
+
+.. code-block:: python
+
+ parameters:
+ {vm-type}\_{network-role}\_ips:
+ type: comma\_delimited\_list
+ description: Fixed IPv4 assignments for {vm-type} VMs on the
+ {network-role} network
+ {vm-type}\_{network-role}\_v6\_ips:
+ type: comma\_delimited\_list
+ description: Fixed IPv6 assignments for {vm-type} VMs on the
+ {network-role} network
+ {vm-type}\_{network-role}\_ip\_{index}:
+ type: string
+ description: Fixed IPv4 assignment for {vm-type} VM {index} on the
+ {network-role} network
+ {vm-type}\_{network-role}\_v6\_ip\_{index}:
+ type: string
+ description: Fixed IPv6 assignment for {vm-type} VM {index} on the
+ {network-role} network
+
+*Example (CDL parameter for IPv4 Address Assignments to an external
+network):*
+
+In this example, the {network-role} has been defined as “oam” to
+represent an oam network and the {vm-type} has been defined as “db” for
+database.
+
+.. 
code-block:: python
+
+ parameters:
+ oam\_net\_id:
+ type: string
+ description: Neutron UUID for a oam network
+ db\_oam\_ips:
+ type: comma\_delimited\_list
+ description: Fixed IP assignments for db VMs on the oam network
+
+ resources:
+ db\_0\_port\_1:
+ type: OS::Neutron::Port
+ network: { get\_param: oam\_net\_id }
+ fixed\_ips: [ { “ip\_address”: {get\_param: [ db\_oam\_ips, 0]
+ }}]
+ db\_1\_port\_1:
+ type: OS::Neutron::Port
+ network: { get\_param: oam\_net\_id }
+ fixed\_ips: [ { “ip\_address”: {get\_param: [ db\_oam\_ips, 1]
+ }}]
+
+*Example (string parameters for IPv4 Address Assignments to an external
+network):*
+
+In this example, the {network-role} has been defined as “oam” to
+represent an oam network and the {vm-type} has been defined as “db” for
+database.
+
+.. code-block:: python
+
+ parameters:
+ oam\_net\_id:
+ type: string
+ description: Neutron UUID for an OAM network
+ db\_oam\_ip\_0:
+ type: string
+ description: First fixed IP assignment for db VMs on the OAM network
+ db\_oam\_ip\_1:
+ type: string
+ description: Second fixed IP assignment for db VMs on the OAM network
+
+ resources:
+ db\_0\_port\_1:
+ type: OS::Neutron::Port
+ network: { get\_param: oam\_net\_id }
+ fixed\_ips: [ { “ip\_address”: {get\_param: db\_oam\_ip\_0}}]
+ db\_1\_port\_1:
+ type: OS::Neutron::Port
+ network: { get\_param: oam\_net\_id }
+ fixed\_ips: [ { “ip\_address”: {get\_param: db\_oam\_ip\_1}}]
+
+Property: allowed\_address\_pairs
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The property “allowed\_address\_pairs” in the resource OS::Neutron::Port
+allows the user to specify mac\_address/ip\_address (CIDR) pairs that
+pass through a port regardless of subnet. This enables the use of
+protocols such as VRRP, which floats an IP address between two instances
+to enable fast data plane failover. An “allowed\_address\_pairs” is
+unique to a {vm-type} and {network-role} combination. The management of
+these IP addresses (i.e.
transferring ownership between active and
+standby VMs) is the responsibility of the application itself.
+
+Note that these parameters are *not* intended to represent Neutron
+“Floating IP” resources, for which OpenStack manages a pool of public IP
+addresses that are mapped to specific VM ports. In that case, the
+individual VMs are not even aware of the public IPs, and all assignment
+of public IPs to VMs is via OpenStack commands. OpenECOMP does not
+support Neutron-style Floating IPs.
+
+Both IPv4 and IPv6 “allowed\_address\_pairs” addresses are supported.
+
+If property “allowed\_address\_pairs” is used with an external network,
+the parameter name must adhere to the following convention:
+
+- *Format for IPv4 addresses: {vm-type}\_{network-role}\_floating\_ip*
+
+- *Format for IPv6 addresses:
+ {vm-type}\_{network-role}\_floating\_v6\_ip*
+
+*Example:*
+
+.. code-block:: python
+
+ parameters:
+ {vm-type}\_{network-role}\_floating\_ip:
+ type: string
+ description: VIP for {vm-type} VMs on the {network-role} network
+ {vm-type}\_{network-role}\_floating\_v6\_ip:
+ type: string
+ description: VIP for {vm-type} VMs on the {network-role} network
+
+*Example:*
+
+In this example, the {network-role} has been defined as “oam” to
+represent an oam network and the {vm-type} has been defined as “db” for
+database.
+
+.. 
code-block:: python
+
+ parameters:
+ db\_oam\_ips:
+ type: comma\_delimited\_list
+ description: Fixed IPs for db VMs on the oam network
+ db\_oam\_floating\_ip:
+ type: string
+ description: Floating IP for db VMs on the oam network
+ resources:
+ db\_0\_port\_0:
+ type: OS::Neutron::Port
+ network: { get\_param: oam\_net\_id }
+ fixed\_ips: [ { “ip\_address”: {get\_param: [db\_oam\_ips,0] }}]
+ allowed\_address\_pairs: [
+ { “ip\_address”: {get\_param: db\_oam\_floating\_ip}}]
+ db\_1\_port\_0:
+ type: OS::Neutron::Port
+ network: { get\_param: oam\_net\_id }
+ fixed\_ips: [ { “ip\_address”: {get\_param: [db\_oam\_ips,1] }}]
+ allowed\_address\_pairs: [
+ { “ip\_address”: {get\_param: db\_oam\_floating\_ip}}]
+
+If property “allowed\_address\_pairs” is used with an internal network,
+the parameter name should adhere to the following convention:
+
+- *Format for IPv4 addresses:
+ {vm-type}\_int\_{network-role}\_floating\_ip*
+
+- *Format for IPv6 addresses:
+ {vm-type}\_int\_{network-role}\_floating\_v6\_ip*
+
+Using the parameter *{vm-type}\_{network-role}\_floating\_ip* or
+*{vm-type}\_{network-role}\_floating\_v6\_ip* provides only one floating
+IP per Vm-type{vm-type} and {network-role} pair. If there is a need for
+multiple floating IPs (e.g., Virtual IPs (VIPs)) for a given {vm-type}
+and {network-role} combination within a VNF, then the parameter names
+defined for the “fixed\_ips” should be used with the
+“allowed\_address\_pairs” property. The examples below illustrate this.
+
+Below example reflects two load balancer pairs in a single VNF. Each
+pair has one VIP.
+
+*Example: A VNF has four load balancers. Each pair has a unique VIP.*
+
+*Pair 1:* lb\_0 and lb\_1 share a unique VIP
+
+*Pair 2:* lb\_2 and lb\_3 share a unique VIP
+
+In this example, the {network-role} has been defined as “oam” to
+represent an oam network and the {vm-type} has been defined as “lb” for
+load balancer.
+
+.. 
code-block:: python
+
+ resources:
+ lb\_0\_port\_0:
+      type: OS::Neutron::Port
+         network: { get\_param: oam\_net\_id }
+         fixed\_ips: [ { “ip\_address”: {get\_param: [lb\_oam\_ips,0] }}]
+         allowed\_address\_pairs: [{ “ip\_address”: {get\_param: [lb\_oam\_ips,2] }}]
+
+ lb\_1\_port\_0:
+         type: OS::Neutron::Port
+         network: { get\_param: oam\_net\_id }
+         fixed\_ips: [ { “ip\_address”: {get\_param: [lb\_oam\_ips,1] }}]
+         allowed\_address\_pairs: [{ “ip\_address”: {get\_param: [lb\_oam\_ips,2] }}]
+
+       lb\_2\_port\_0:
+        type: OS::Neutron::Port
+         network: { get\_param: oam\_net\_id }
+         fixed\_ips: [ { “ip\_address”: {get\_param: [lb\_oam\_ips,3] }}]
+         allowed\_address\_pairs: [{ “ip\_address”: {get\_param: [lb\_oam\_ips,5] }}]
+
+ lb\_3\_port\_0:
+     type: OS::Neutron::Port
+         network: { get\_param: oam\_net\_id }
+         fixed\_ips: [ { “ip\_address”: {get\_param: [lb\_oam\_ips,4] }}]
+         allowed\_address\_pairs: [{ “ip\_address”: {get\_param: [lb\_oam\_ips,5] }}]
+
+Below example reflects a single app VM pair within a VNF with two VIPs: 
+
+*Example: A VNF has two load balancers. The pair of load balancers share
+two VIPs.*
+
+In this example, the {network-role} has been defined as “oam” to
+represent an oam network and the {vm-type} has been defined as “lb” for
+load balancer.
+
+.. 
code-block:: python
+
+ resources:
+ lb\_0\_port\_0:
+      type: OS::Neutron::Port
+         network: { get\_param: oam\_net\_id }
+         fixed\_ips: [ { “ip\_address”: {get\_param: [lb\_oam\_ips,0] }}]
+         allowed\_address\_pairs: [{ "ip\_address": {get\_param: [lb\_oam\_ips,2] }, {get\_param: [lb\_oam\_ips,3] }}]
+
+ lb\_1\_port\_0:
+ type: OS::Neutron::Port
+         network: { get\_param: oam\_net\_id }
+     fixed\_ips: [ { “ip\_address”: {get\_param: [lb\_oam\_ips,1] }}]
+        allowed\_address\_pairs: [{ "ip\_address": {get\_param: [lb\_oam\_ips,2] }, {get\_param: [lb\_oam\_ips,3] }}]
+
+As a general rule, provide the fixed IPs for the VMs indexed first in
+the CDL and then the VIPs as shown in the examples above.
+
+Resource Property: name
+-----------------------
+
+The parameter naming standard for the resource OS::Nova::Server has been
+defined in Section 4.3.3. This section describes how the name property
+of all other resources must be defined.
+
+Heat templates must use the Heat “str\_replace” function in conjunction
+with the OpenECOMP supplied metadata parameter *vnf\_name* or
+*vnf\_module\_id* to generate a unique name for each VNF instance. This
+prevents the use of unique parameters values for resource “name”
+properties to be enumerated in a per instance environment file.
+
+Note that
+
+- In most cases, only the use of the vnf\_name is necessary to create a
+ unique name
+
+- the Heat pseudo parameter 'OS::stack\_name’ can also be used in the
+ ‘str\_replace’ construct to generate a unique name when the vnf\_name
+ does not provide uniqueness
+
+.. 
code-block:: python
+
+ type: OS::Cinder::Volume
+ properities:
+ name:
+ str\_replace:
+          template: VF\_NAME\_STACK\_NAME\_oam\_volume
+           params:
+             VF\_NAME: { get\_param: vnf\_name }
+             STACK\_NAME: { get\_param: 'OS::stack\_name'  }
+
+ type: OS::Neutron::SecurityGroup
+ properties:
+ description: Security Group of Firewall
+ name:
+ str\_replace:
+ template: VNF\_NAME\_Firewall\_SecurityGroup
+ params:
+ VNF\_NAME: { get\_param: vnf\_name }
+
+Output Parameters
+-----------------
+
+OpenECOMP defines three type of Output Parameters.
+
+Base Template Output Parameters:
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The base template output parameters are available for use as input
+parameters in all add-on modules. The add-on modules may (or may not)
+use these parameters.
+
+Volume Template Output Parameters:
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The volume template output parameters are only available only for the
+module (base or add on) that the volume is associated with.
+
+Predefined Output Parameters
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+OpenECOMP currently defines one predefined output parameter.
+
+OAM Management IP Addresses
+^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Many VNFs will have a management interface for application controllers
+to interact with and configure the VNF. Typically, this will be via a
+specific VM that performs a VNF administration function. The IP address
+of this interface must be captured and inventoried by OpenECOMP. This
+might be a VIP if the VNF contains an HA pair of management VMs, or may
+be a single IP address assigned to one VM.
+
+The Heat template may define either (or both) of the following Output
+parameters to identify the management IP address.
+
+- *oam\_management\_v4\_address*
+
+- *oam\_management\_v6\_address*
+
+*Notes*:
+
+- The Management IP Address should be defined only once per VNF, so it
+ would only appear in one Module template
+
+- If a fixed IP for the admin VM is passed as an input parameter, it
+ may be echoed in the output parameters
+
+- If the IP for the admin VM is obtained via DHCP, it may be obtained
+ from the resource attributes
+
+*Example:*
+
+.. code-block:: python
+
+ resources:
+ admin\_server:
+ type: OS::Nova::Server
+ properties:
+ networks:
+ - network: {get\_param: oam\_net\_id }
+ ...
+
+ Outputs:
+ oam\_management\_v4\_address:
+ value: {get\_attr: [admin\_server, networks, {get\_param: oam\_net\_id}, 0] }
+
+Heat Template Constructs
+========================
+
+External References
+-------------------
+
+Heat templates *should not* reference any HTTP-based resource
+definitions, any HTTP-based nested configurations, or any HTTP-based
+environment files.
+
+- During orchestration, OpenECOMP *should not* retrieve any such
+ resources from external/untrusted/unknown sources.
+
+- VNF images should not contain such references in user-data or other
+ configuration/operational scripts that are specified via Heat or
+ encoded into the VNF image itself.
+
+*Note:* HTTP-based references are acceptable if the HTTP-based reference
+is accessing information with the VM private/internal network.
+
+Heat Files Support (get\_file)
+------------------------------
+
+Heat Templates may contain the inclusion of text files into Heat
+templates via the Heat “get\_file” directive. This may be used, for
+example, to define a common “user-data” script, or to inject files into
+a VM on startup via the “personality” property.
+
+Support for Heat Files is subject to the following limitations:
+
+- The ‘get\_files’ targets must be referenced in Heat templates by file
+ name, and the corresponding files should be delivered to OpenECOMP
+ along with the Heat templates.
+
+ - URL-based file retrieval must not be used; it is not supported.
+
+- The included files must have unique file names within the scope of
+ the VNF.
+
+- OpenECOMP does not support a directory hierarchy for included files.
+
+ - All files must be in a single, flat directory per VNF.
+
+- Included files may be used by all Modules within a given VNF.
+
+- get\_file directives may be used in both non-nested and nested
+ templates
+
+Use of Heat ResourceGroup
+-------------------------
+
+The *OS::Heat::ResourceGroup* is a useful Heat element for creating
+multiple instances of a given resource or collection of resources.
+Typically it is used with a nested Heat template, to create, for
+example, a set of identical *OS::Nova::Server* resources plus their
+related *OS::Neutron::Port* resources via a single resource in a master
+template.
+
+*ResourceGroup* may be used in OpenECOMP to simplify the structure of a
+Heat template that creates multiple instances of the same VM type.
+However, there are important caveats to be aware of.
+
+*ResourceGroup* does not deal with structured parameters
+(comma-delimited-list and json) as one might typically expect. In
+particular, when using a list-based parameter, where each list element
+corresponds to one instance of the *ResourceGroup*, it is not possible
+to use the intrinsic “loop variable” %index% in the *ResourceGroup*
+definition.
+
+For instance, the following is **not** valid Heat for a *ResourceGroup*:
+
+.. code-block:: python
+
+ type: OS::Heat::ResourceGroup
+ resource:
+      type: my\_nested\_vm\_template.yaml
+      properties:
+          name: {get\_param: [vm\_name\_list, %index%]}
+
+Although this appears to use the nth entry of the *vm\_name\_list* list
+for the nth element of the *ResourceGroup*, it will in fact result in a
+Heat exception.
When parameters are provided as a list (one for each
+element of a *ResourceGroup*), you must pass the complete parameter to
+the nested template along with the current index as separate parameters.
+
+Below is an example of an **acceptable** Heat Syntax for a
+*ResourceGroup*:
+
+.. code-block:: python
+
+ type: OS::Heat::ResourceGroup
+ resource:
+     type: my\_nested\_vm\_template.yaml
+     properties:
+         names: {get\_param: vm\_name\_list}
+         index: %index%
+
+You can then reference within the nested template as:
+
+{ get\_param: [names, {get\_param: index} ] }
+
+Note that this is workaround has very important limitations. Since the
+entire list parameter is passed to the nested template, any change to
+that list (e.g., adding an additional element) will cause Heat to treat
+the entire parameter as updated within the context of the nested
+template (i.e., for each *ResourceGroup* element).  As a result, if
+*ResourceGroup* is ever used for scaling (e.g., increment the count and
+include an additional element to each list parameter), Heat will often
+rebuild every existing element in addition to adding the “deltas”. For
+this reason, use of *ResourceGroup* for scaling in this manner is not
+supported.
+
+Key Pairs
+---------
+
+When Nova Servers are created via Heat templates, they may be passed a
+“keypair” which provides an ssh key to the ‘root’ login on the newly
+created VM. This is often done so that an initial root key/password does
+not need to be hard-coded into the image.
+
+Key pairs are unusual in OpenStack, because they are the one resource
+that is owned by an OpenStack User as opposed to being owned by an
+OpenStack Tenant. As a result, they are usable only by the User that
+created the keypair. This causes a problem when a Heat template attempts
+to reference a keypair by name, because it assumes that the keypair was
+previously created by a specific OpenECOMP user ID.
+
+When a keypair is assigned to a server, the SSH public-key is
+provisioned on the VMs at instantiation time. They keypair itself is not
+referenced further by the VM (i.e. if the keypair is updated with a new
+public key, it would only apply to subsequent VMs created with that
+keypair).
+
+Due to this behavior, the recommended usage of keypairs is in a more
+generic manner which does not require the pre-requisite creation of a
+keypair. The Heat should be structured in such a way as to:
+
+- Pass a public key as a parameter value instead of a keypair name
+
+- Create a new keypair within the VNF Heat templates (in the base
+ module) for use within that VNF
+
+By following this approach, the end result is the same as pre-creating
+the keypair using the public key – i.e., that public key will be
+provisioned in the new VM. However, this recommended approach also makes
+sure that a known public key is supplied (instead of having OpenStack
+generate a public/private pair to be saved and tracked outside of
+OpenECOMP). It also removes any access/ownership issues over the created
+keypair.
+
+The public keys may be enumerated as a VNF Orchestration Constant in the
+environment file (since it is public, it is not a secret key), or passed
+at run-time as an instance-specific parameters. OpenECOMP will never
+automatically assign a public/private key pair.
+
+*Example (create keypair with an existing ssh public-key for {vm-type}
+of lb (for load balancer)):*
+
+.. code-block:: python
+
+ parameters:
+ vnf\_name:
+ type: string
+ ssh\_public\_key:
+ type: string
+ resources:
+ my\_keypair:
+ type: OS::Nova::Keypair
+ properties:
+ name:
+ str\_replace:
+ template: VNF\_NAME\_key\_pair
+ params:
+ VNF\_NAME: { get\_param: vnf\_name }
+ public\_key: {get\_param: lb\_ssh\_public\_key}
+ save\_private\_key: false
+
+Security Groups
+---------------
+
+OpenStack allows a tenant to create Security groups and define rules
+within the security groups.
+ +Security groups, with their rules, may either be created in the Heat +template or they can be pre-created in OpenStack and referenced within +the Heat template via parameter(s). There can be a different approach +for security groups assigned to ports on internal (intra-VNF) networks +or external networks (inter-VNF). Furthermore, there can be a common +security group across all VMs for a specific network or it can vary by +VM (i.e., {vm-type}) and network type (i.e., {network-role}). + +Anti-Affinity and Affinity Rules +-------------------------------- + +Anti-affinity or affinity rules are supported using normal OpenStack +*“OS::Nova::ServerGroup”* resources. Separate ServerGroups are typically +created for each VM type to prevent them from residing on the same host, +but they can be applied to multiple VM types to extend the +affinity/anti-affinity across related VM types as well. + +*Example:* + +In this example, the {network-role} has been defined as “oam” to +represent an oam network and the {vm-type} have been defined as “lb” for +load balancer and “db” for database. + +.. code-block:: python + + resources: + db\_server\_group: + type: OS::Nova::ServerGroup + properties: + name: + str\_replace: + params: + $vnf\_name: {get\_param: vnf\_name} + template: $vnf\_name-server\_group1 + policies: + - *anti-affinity* + + lb\_server\_group: + type: OS::Nova::ServerGroup + properties: + name: + str\_replace: + params: + $vnf\_name: {get\_param: vnf\_name} + template: $vnf\_name-server\_group2 + policies: + - *affinity* + + *db\_0:* + *type: OS::Nova::Server* + *properties:* + *...* + scheduler\_hints: + group: {get\_param: db\_server\_group} + + db\_1: + type: OS::Nova::Server + properties: + ... + scheduler\_hints: + group: {get\_param: db\_server\_group} + + lb\_0: + type: OS::Nova::Server + properties: + ... 
+ scheduler\_hints: + group: {get\_param: lb\_server\_group}  + +Design Pattern: VNF Modularity +============================== + +OpenECOMP supports the concept of *VNF Modularity*. With this approach, +a single VNF may be composed from one or more Heat templates, each of +which represents some subset of the overall VNF. These component parts +are referred to as “\ *VNF Modules*\ ”. During orchestration, these +modules may be deployed incrementally to build up the complete VNF. + +A Heat template can be either one for the following types of modules + +1. Base Module + +2. Incremental Modules + +3. Independent Cinder Volume Modules + +The OpenECOMP Heat template naming convention must be followed (Section +2.1). The naming convention identifies the module type. + +A VNF must be composed of one “base” VNF module (also called a base +module) and zero to many “incremental” or “add on” VNF modules. The base +module must be deployed first prior to the add-on modules. + +A module can be thought of as equivalent to a Heat template, where a +Heat template is composed of a YAML file and an environment file. A +given YAML file must have a corresponding environment file; OpenECOMP +requires it. A Heat template is used to create or deploy a Heat stack. +Therefore, a module is also equivalent to a Heat Stack. + +However, there are cases where a module maybe composed of more than one +Heat stack and/or more than one YAML file. + +As discussed in Section 2.5, Independent Volume Templates, each VNF +Module may have an associated Volume template. + +- When a volume template is utilized, it must correspond 1:1 with + add-on module template or base template it is associated with + +- A Cinder volume may be embedded within the add-on module template + and/or base template if persistence is not required, thus not + requiring the optional Volume template. + +A VNF module may support nested templates. In this case, there will be +one or more additional YAML files. 
+ +Any shared resource defined in the base module template and used across +the entire VNF (e.g., private networks, server groups), must be exposed +to the incremental or add-on modules by declaring their resource UUIDs +as Heat outputs (i.e., OpenECOMP Base Template Output Parameter in the +output section of the Heat template). Those outputs will be provided by +OpenECOMP as input parameter values to all add-on module Heat templates +in the VNF that have declared the parameter in the template. + +*Note:* A Cinder volume is *not* considered a shared resource. A volume +template must correspond 1:1 with a base template or add-on module +template. + +There are two suggested usage patterns for modular VNFs, though any +variation is supported. + +A. **Modules per VNFC type** + + a. Group all VMs (VNFCs) of a given type into its own module + + b. Build up the VNF one VNFC type at a time + + c. Base module contains only the shared resources (and possibly + initial Admin VMs) + + d. Suggest one or two modules per VNFC type + + i. one for initial count + + ii. one for scaling increment (if different from initial count) + +B. **Base VNF + Growth Units** + + a. Base module (template) contains a complete initial VNF instance + + b. Growth modules for incremental scaling units + + i. May contain VMs of multiple types in logical scaling + combinations + + ii. May be separated by VM type for multi-dimensional scaling + + c. With no growth units, this is equivalent to the “\ *One Heat + Template per VNF*\ ” model + +Note that modularization of VNFs is not required. A single Heat template +(a base template) may still define a complete VNF, which might be +appropriate for smaller VNFs without a lot of scaling options. + +There are some rules to follow when building modular VNF templates: + +1. All VNFs must have one Base VNF Module (template) that must be the + first one deployed. The base template: + + a. 
Must include all shared resources (e.g., private networks, server + groups, security groups) + + b. Must expose all shared resources (by UUID) as “outputs” in its + associated Heat template (i.e., OpenECOMP Base Template Output + Parameters) + + c. May include initial set of VMs + + d. May be operational as a stand-alone “minimum” configuration of the + VNF + +2. VNFs may have one or more Add-On VNF Modules (templates) which: + + a. Defines additional resources that can be added to an existing VNF + + b. Must be complete Heat templates + + i. i.e. not snippets to be incorporated into some larger template + + c. Should define logical growth-units or sub-components of an overall + VNF + + d. On creation, receives all Base VNF Module outputs as parameters + + i. Provides access to all shared resources (by UUID) + + ii. must not be dependent on other Add-On VNF Modules + + e. Multiple instances of an Add-On VNF Module type may be added to + the same VNF (e.g. incrementally grow a VNF by a fixed “add-on” + growth units) + +3. Each VNF Module (base or add-on) may have (optional) an associated + Volume template (*see Section 2.5*) + + a. Volume templates should correspond 1:1 with Module (base or + add-on) templates + + b. A Cinder volume may be embedded within the Module template (base + or add-on) if persistence is not required + +4. Shared resource UUIDs are passed between the base template and add-on + template via Heat Outputs Parameters (i.e., Base Template Output + Parameters) + + a. The output parameter name in the base must match the parameter + name in the add-on module + +*Examples:* + +In this example, the {vm-type} have been defined as “lb” for load +balancer and “admin” for admin server. + +1. **Base VNF Module Heat Template (partial)** + +Heat\_template\_version: 2013-05-23 + +.. 
code-block:: python + + parameters: + admin\_name\_0: +     type: string + + resources: + int\_oam\_network: + type: OS::Neutron::Network + properties: + name: {… } + + admin\_server: + type: OS::Nova::Server + properties: + name: {get\_param: admin\_name\_0} + image: ... + + outputs: + int\_oam\_net\_id: + value: {get\_resource: int\_oam\_network } + + +2. **Add-on VNF Module Heat Template (partial)** + +Heat\_template\_version: 2013-05-23 + +.. code-block:: python + + Parameters: + int\_oam\_net\_id: + type: string + description: ID of shared private network from Base template + lb\_name\_0: + type: string + description: name for the add-on VM instance + + Resources: + lb\_server: + type: OS::Nova::Server + properties: + name: {get\_param: lb\_name\_0} + networks: + - port: { get\_resource: lb\_port } +         ... + + lb\_port: + type: OS::Neutron::Port + properties: + network\_id: { get\_param: int\_oam\_net\_id } + ... + +Scaling Considerations +====================== + +Scaling of a VNF may be manually driven to add new capacity (**static +scaling**) or it may be driven in near real-time by the OpenECOMP +controllers based on a real-time need **(dynamic scaling).** + +With VNF Modularity, the recommended approach for scaling is to provide +additional “growth unit” templates that can be used to create additional +resources in logical scaling increments. This approach is very +straightforward, and has minimal impact on the currently running VNFCs +and must comply with the following: + +- Combine resources into reasonable-sized scaling increments; do not + just scale by one VM at a time in potentially large VNFs. + +- Combine related resources into the same growth template where + appropriate, e.g. if VMs of different types are always deployed in + pairs, include them in a single growth template. + +- Growth templates can use the private networks and other shared + resources exposed by the Base Module template. 
+ +VNF Modules may also be updated “in-place” using the OpenStack Heat +Update capability, by deploying an updated Heat template with different +VM counts to an existing stack. This method requires another VNF module +template that includes the new resources *in addition to all resources +contained in the original module template*. Note that this also requires +re-specification of all existing parameters as well as new ones. + +*For this approach:* + +- Use a fixed number of pre-defined VNF module configurations + +- Successively larger templates must be identical to the next smaller + one, plus add the additional VMs of the scalable type(s) + +- VNF is scalable by sending a stack-update with a different template + +*Please do note that:* + +- If properties do not change for existing VMs, those VMs should remain + unchanged + +- If the update is performed with a smaller template, the Heat engine + recognizes and deletes no-longer-needed VMs (and associated + resources) + +- Nested templates for the various server types will simplify reuse + across multiple configurations + +- Per the section on Use of Heat ResourceGroup, if *ResourceGroup* is + ever used for scaling (e.g. increment the count and include an + additional element to each list parameter), Heat will often rebuild + every existing element in addition to adding the “deltas”.  For this + reason, use of *ResourceGroup* for scaling in this manner is not + supported. + +High Availability +================== + +VNF/VM parameters may include availability zone IDs for VNFs that +require high availability. 
+ +The Heat must comply with the following requirements to specific +availability zone IDs: + +- The Heat template should spread Nova and Cinder resources across the + availability zones as desired + +Resource Data Synchronization +============================== + +For cases where synchronization is required in the orchestration of Heat +resources, two approaches are recommended: + +- Standard Heat *“depends\_on”* property for resources + + - Assures that one resource completes before the dependent resource + is orchestrated. + + - Definition of completeness to OpenStack may not be sufficient + (e.g., a VM is considered complete by OpenStack when it is ready + to be booted, not when the application is up and running). + +- Use of Heat Notifications + + - Create *OS::Heat::WaitCondition* and + *OS::Heat::WaitConditionHandle* resources. + + - Pre-requisite resources issue *wc\_notify* commands in user\_data. + + - Dependent resource define *“depends\_on”* in the + *OS::Heat::WaitCondition* resource. + +*Example: “depends\_on” case* + +In this example, the {network-role} has been defined as “oam” to +represent an oam network and the {vm-type} has been defined as “oam” to +represent an oam server. + +.. 
code-block:: python + + oam\_server\_01: +     type: OS::Nova::Server +     properties: +      name: {get\_param: [oam\_ names, 0]} +       image: {get\_param: oam\_image\_name} +       flavor: {get\_param: oam\_flavor\_name} +       availability\_zone: {get\_param: availability\_zone\_0} +       networks: +         - port: {get\_resource: oam01\_port\_0} +         - port: {get\_resource: oam01\_port\_1} +       user\_data: +       scheduler\_hints: {group: {get\_resource: oam\_servergroup}} +       user\_data\_format:  RAW + + oam\_01\_port\_0: +     type: OS::Neutron::Port +     properties: +      network: {get\_resource: oam\_net\_name} +       fixed\_ips: [{"ip\_address": {get\_param: [oam\_oam\_net\_ips, 1]}}] +       security\_groups: [{get\_resource: oam\_security\_group}] + + oam\_01\_port\_1: +     type: OS::Neutron::Port +     properties: +      network: {get\_param: oam\_net\_name} +       fixed\_ips: [{"ip\_address": {get\_param: [oam\_oam\_net\_ips, 2]}}] +       security\_groups: [{get\_resource: oam\_security\_group}] + +   + + oam\_01\_vol\_attachment: +     type: OS::Cinder::VolumeAttachment +     depends\_on: oam\_server\_01 +     properties: + volume\_id: {get\_param: oam\_vol\_1} +       mountpoint: /dev/vdb +       instance\_uuid: {get\_resource: oam\_server\_01} + +Appendix A - Glossary +====================== + +**VM** Virtual Machine (VM) is a virtualized computation environment +that behaves very much like a physical computer/server. A VM has all its +ingredients (processor, memory/storage, interfaces/ports) of a physical +computer/server and is generated by a hypervisor, which partitions the +underlying physical resources and allocates them to VMs. Virtual +Machines are capable of hosting a virtual network function component +(VNFC). + +**VNF** Virtual Network Function (VNF) is the software implementation of +a function that can be deployed on a Network Cloud. It includes network +functions that provide transport and forwarding. 
It also includes other +functions when used to support network services, such as +network-supporting web servers and database. + +**VNFC** Virtual Network Function Component (VNFC) are the +sub-components of a VNF providing a VNF Provider a defined sub-set of +that VNF's functionality, with the main characteristic that a single +instance of this component maps 1:1 against a single Virtualization +Container. See **Figure 1** for the relationship between VNFC and +VNFs. + +|image0| + +Figure 1. Virtual Function Entity Relationship + +**Copyright 2017 AT&T Intellectual Property. All Rights Reserved.** + +This paper is licensed to you under the Creative Commons License: + +**Creative Commons Attribution-ShareAlike 4.0 International Public +License** + +You may obtain a copy of the License at: + +https://creativecommons.org/licenses/by-sa/4.0/legalcode + +**You are free to:** + +- Share — copy and redistribute the material in any medium or format + +- Adapt — remix, transform, and build upon the material for any + purpose, even commercially. + +- The licensor cannot revoke these freedoms as long as you follow the + license terms. + +**Under the following terms:** + +- Attribution — You must give appropriate credit, provide a link to the + license, and indicate if changes were made. You may do so in any + reasonable manner, but **not** in any way that suggests the + licensor endorses you or your use. + +- ShareAlike — If you remix, transform, or build upon the material, you + must distribute your contributions under the same license as the + original. + +- No additional restrictions — You may not apply legal terms or + technological measures that legally restrict others from doing + anything the license permits. + +**Notices:** + +- You do not have to comply with the license for elements of the + material in the public domain or where your use is permitted by an + applicable exception or limitation. + +- No warranties are given. 
The license may not give you all of the + permissions necessary for your intended use. For example, other + rights such as publicity, privacy, or moral rights may limit how you + use the material. + +.. |image0| image:: VNF_VNFC_Relation.jpg + :width: 4.26181in + :height: 3.42847in + \ No newline at end of file diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Heat_Templates_for_OpenEcomp/VNF_VNFC_Relation.jpg b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Heat_Templates_for_OpenEcomp/VNF_VNFC_Relation.jpg new file mode 100644 index 0000000..0457e86 Binary files /dev/null and b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Heat_Templates_for_OpenEcomp/VNF_VNFC_Relation.jpg differ diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Heat_Templates_for_OpenEcomp/index.rst b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Heat_Templates_for_OpenEcomp/index.rst new file mode 100644 index 0000000..51e1391 --- /dev/null +++ b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Heat_Templates_for_OpenEcomp/index.rst @@ -0,0 +1,7 @@ +VNF Heat Templates for OpenEcomp +----------------------------------- + +.. toctree:: + :maxdepth: 2 + + VNF_Heat_Template_Requirements_for_OpenECOMP_2_15_NO_track_changes \ No newline at end of file diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Management_Requirements_for_OpenEcomp/VNF Management Requirements for OpenECOMP 2-6-2017.docx b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Management_Requirements_for_OpenEcomp/VNF Management Requirements for OpenECOMP 2-6-2017.docx new file mode 100644 index 0000000..f2d8341 Binary files /dev/null and b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Management_Requirements_for_OpenEcomp/VNF Management Requirements for OpenECOMP 2-6-2017.docx differ 
diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Management_Requirements_for_OpenEcomp/VNF_Management_Requirements_for_OpenECOMP_2_6_2017.rst b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Management_Requirements_for_OpenEcomp/VNF_Management_Requirements_for_OpenECOMP_2_6_2017.rst
new file mode 100644
index 0000000..a531156
--- /dev/null
+++ b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Management_Requirements_for_OpenEcomp/VNF_Management_Requirements_for_OpenECOMP_2_6_2017.rst
@@ -0,0 +1,1262 @@ +.. contents:: + :depth: 3 +.. + +**VNF Management Requirements for OpenECOMP** + ++-----------------+------------+ ++-----------------+------------+ +| Revision | 1.0 | ++-----------------+------------+ +| Revision Date | 2/1/2017 | ++-----------------+------------+ + +**Document Revision History** + ++------------+------------+--------------------------------------------------------------------------+ +| Date | Revision | Description | ++============+============+==========================================================================+ +| 2/1/2017 | 1.0 | Initial publication defining VNF Management Requirements for OpenECOMP | ++------------+------------+--------------------------------------------------------------------------+ + +Introduction +============ + +This document is part of a hierarchy of documents that describes the +overall Requirements and Guidelines for OpenECOMP. The diagram below +identifies where this document fits in the hierarchy. + ++--------------------------------------------------+---------------------------------------------+------------------------------------------------+------------------------------+---------------------------------+ +| OpenECOMP Requirements and Guidelines | | ++==================================================+=============================================+================================================+==============================+=================================+ +| VNF Guidelines for Network Cloud and OpenECOMP | Future OpenECOMP Subject Documents | | ++--------------------------------------------------+---------------------------------------------+------------------------------------------------+------------------------------+---------------------------------+ +| VNF Cloud Readiness Requirements for OpenECOMP | VNF Management Requirements for OpenECOMP | VNF Heat Template Requirements for OpenECOMP | Future | Future Requirements Documents | +| | | | VNF Requirements Documents | | 
++--------------------------------------------------+---------------------------------------------+------------------------------------------------+------------------------------+---------------------------------+ + +Document summary: + +*VNF Guidelines for Network Cloud and OpenECOMP* + +- Describes VNF environment and overview of requirements + +*VNF Cloud Readiness Requirements for OpenECOMP* + +- Cloud readiness requirements for VNFs (Design, Resiliency, Security, + and DevOps) + +**VNF Management Requirements for OpenECOMP** + +- Requirements for how VNFs interact and utilize OpenECOMP + +*VNF Heat Template Requirements for OpenECOMP* + +- Provides recommendations and standards for building Heat templates + compatible with OpenECOMP– initial implementations of Network Cloud + are assumed to be OpenStack based. + +The OpenECOMP (Enhanced Control, Orchestration, Management and Policy) +platform is the part of the larger Network Function +Virtualization/Software Defined Network (NFV/SDN) ecosystem that is +responsible for the efficient control, operation and management of +Virtual Network Function (VNF) capabilities and functions. It specifies +standardized abstractions and interfaces that enable efficient +interoperation of the NVF/SDN ecosystem components. It enables +product/service independent capabilities for design, creation and +runtime lifecycle management (includes all aspects of installation, +change management, assurance, and retirement) of resources in NFV/SDN +environment (see `ECOMP white paper `__\ [1]_). +These capabilities are provided using two major architectural +frameworks: (1) a Design Time Framework to design, define and program +the platform (uniform onboarding), and (2) a Runtime Execution Framework +to execute the logic programmed in the design environment (uniform +delivery and runtime lifecycle management). 
The platform delivers an +integrated information model based on the VNF package to express the +characteristics and behavior of these resources in the Design Time +Framework. The information model is utilized by Runtime Execution +Framework to manage the runtime lifecycle of the VNFs. The management +processes are orchestrated across various modules of OpenECOMP to +instantiate, configure, scale, monitor, and reconfigure the VNFs using a +set of standard APIs provided by the VNF developers. + +Design Definition +================= + +The OpenECOMP Design Time Framework provides the ability to design NFV +resources including VNFs, Services, and products. The vendor must +provide VNF packages that include a rich set of recipes, management and +functional interfaces, policies, configuration parameters, and +infrastructure requirements that can be utilized by the OpenECOMP Design +module to onboard and catalog these resources. Initially this +information may be provided in documents, but in the near future a +method will be developed to automate as much of the transfer of data as +possible to satisfy its long term requirements. + +The current VNF Package Requirement is based on a subset of the +Requirements contained in the ETSI Document: ETSI GS NFV-MAN 001 v1.1.1 +and GS NFV IFA011 V0.3.0 (2015-10) - Network Functions Virtualization +(NFV), Management and Orchestration, VNF Packaging Specification. + +Table 1. 
VNF Package + ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| **Principle** | **Description** | **Type** | **ID #** | ++========================+===================================================================================================================================================================================================================================================================================================================================================================+============+============+ +| 2.0.1 | The VNF Vendor must provide a Manifest File that contains a list of all the components in the VNF package. | Must | 10010 | +| | | | | +| Resource | | | | +| | | | | +| Description | | | | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The package must include VNF Identification Data to uniquely identify the resource for a given Vendor. The identification data must include: an identifier for the VNF, the name of the VNF as was given by the VNF Vendor, VNF description, VNF Vendor, and version. 
| Must | 10020 | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Vendor must provide documentation describing VNF Management APIs. The document must include information and tools for: | Must | 10030 | +| | | | | +| | - OpenECOMP to deploy and configure (initially and ongoing) the VNF application(s) (e.g., NETCONF APIs). Includes description of configurable parameters for the VNF and whether the parameters can be configured after VNF instantiation. | | | +| | | | | +| | - OpenECOMP to monitor the health of the VNF (conditions that require healing and/or scaling responses). Includes a description of: | | | +| | | | | +| | - Parameters that can be monitored for the VNF and event records (status, fault, flow, session, call, control plane, etc.) generated by the VNF after instantiation. | | | +| | | | | +| | - Runtime lifecycle events and related actions (e.g., control responses, tests) which can be performed for the VNF. | | | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF package must include documentation describing VNF Functional APIs that are utilized to build network and application services. Provides the externally exposed functional inputs and outputs for the VNF, including interface format and protocols supported. 
| Must | 10040 | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Vendor must provide documentation describing VNF Functional Capabilities that are utilized to operationalize the VNF and compose complex services. | Must | 10050 | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Vendor must provide information regarding any dependency with other VNFs and resources. | Must | 10060 | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| 2.0.2 | The VNF Vendor must provide a Resource/Device YANG model as a foundation for creating the YANG model for configuration. This will include VNF attributes/parameters and valid values/attributes configurable by policy. 
| Must | 10070 | +| | | | | +| Resource | | | | +| | | | | +| Configuration | | | | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Package must include configuration scripts for boot sequence and configuration. | Must | 10080 | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Vendor must provide configurable parameters (if unable to conform to YANG model) including VNF attributes/parameters and valid values, dynamic attributes and cross parameter dependencies (e.g., customer provisioning data). | Must | 10090 | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| 2.0.3 | The VNF Vendor must provide documentation for the VNF Policy Description to manage the VNF runtime lifecycle. The document must include a description of how the policies (conditions and actions) are implemented in the VNF. 
| Must | 10100 | +| | | | | +| Resource | | | | +| | | | | +| Control Loop | | | | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Package must include documentation describing the fault, performance, capacity events/alarms and other event records that are made available by the VNF. The document must include: | Must | 10110 | +| | | | | +| | - A unique identification string for the specific VNF, a description of the problem that caused the error, and steps or procedures to perform Root Cause Analysis and resolve the issue. | | | +| | | | | +| | - All events, severity level (e.g., informational, warning, error) and descriptions including causes/fixes if applicable for the event. | | | +| | | | | +| | - All events (fault, measurement for VNF Scaling, Syslogs, State Change and Mobile Flow), that need to be collected at each VM, VNFC (defined in *VNF Guidelines for Network Cloud and OpenECOMP*) and for the overall VNF. | | | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Vendor must provide an XML file that contains a list of VNF error codes, descriptions of the error, and possible causes/corrective action. 
| Must | 10120 | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Provide documentation describing all parameters that are available to monitor the VNF after instantiation (includes all counters, OIDs, PM data, KPIs, etc., that must be collected for reporting purposes. The documentation must include a list of: | Must | 10130 | +| | | | | +| | - Monitoring parameters/counters exposed for virtual resource management and VNF application management. | | | +| | | | | +| | - KPIs and metrics that need to be collected at each VM for capacity planning purposes. | | | +| | | | | +| | - For each KPI, provide lower and upper limits. | | | +| | | | | +| | - When relevant, provide a threshold crossing alert point for each KPI at which time scaling rules will apply. | | | +| | | | | +| | - For each KPI, identify the suggested actions that need to be performed when a threshold crossing alert event is recorded. | | | +| | | | | +| | - Describe any requirements for the monitoring component of tools for Network Cloud automation and management to provide these records to components of the VNF. | | | +| | | | | +| | - When applicable, provide calculators needed to convert raw data into appropriate reporting artifacts. 
| | | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Package must include documentation describing supported VNF scaling capabilities and capacity limits (e.g., number of users, bandwidth, throughput, concurrent calls). | Must | 10140 | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Package must include documentation describing the characteristics for the VNF reliability and high availability. | Must | 10150 | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| 2.0.4 | The VNF Package must include VNF topology that describes basic network and application connectivity internal and external to the VNF including Link type, KPIs, Bandwidth, QoS (if applicable) for each interface. 
| Must | 10160 | +| | | | | +| Compute, | | | | +| | | | | +| Network, | | | | +| | | | | +| Storage | | | | +| | | | | +| Requirements | | | | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Package must include VM requirements via a Heat template that provides the necessary data for: | Must | 10170 | +| | | | | +| | - VM specifications for all VNF components - for hypervisor, CPU, memory, storage. | | | +| | | | | +| | - Network connections, interface connections, internal and external to VNF. | | | +| | | | | +| | - High availability redundancy model. | | | +| | | | | +| | - Static scaling/growth VM specifications. | | | +| | | | | +| | Note1: Must comply with the *Heat Template Requirements for Virtual Network Functions*. | | | +| | | | | +| | Note2: Must comply with the Network Cloud Specifications defined in *Example Implementation of Network Cloud.* | | | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Vendor must provide the binaries and images needed to instantiate the VNF (VNF and VNFC images). 
| Must | 10180 | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Vendor must describe scaling capabilities to manage scaling characteristics of the VNF. | Must | 10190 | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| 2.0.5 | The VNF Package must include documentation describing the tests that were conducted by the Vendor and the test results. | Must | 10200 | +| | | | | +| Testing | | | | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Vendor must provide their testing scripts to support testing. 
| Must | 10210 | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Vendor must provide software components that can be packaged with/near the VNF, if needed, to simulate any functions or systems that connect to the VNF system under test. This component is necessary only if the existing testing environment does not have the necessary simulators. | Must | 10220 | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| 2.0.6 | VNFs must provide metrics (e.g., number of sessions, number of subscribers, number of seats, etc.) to OpenECOMP for tracking every license. | Must | 10230 | +| | | | | +| Licensing Guidelines | | | | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Contract shall define the reporting process and the available reporting tools. The vendor will have to agree to the process that can be met by Service Provider reporting infrastructure. 
| Must | 10240 | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | VNF vendors shall enumerate all of the open source licenses their VNF(s) incorporate. | Must | 10250 | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Audits of Service Provider’s business must not be required. | Must | 10260 | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Vendor functions and metrics that require additional infrastructure such as a vendor license server for deployment shall not be supported. 
| Must | 10270 | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Provide clear measurements for licensing purposes to allow automated scale up/down by the management system. | Must | 10280 | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The vendor must provide the ability to scale up a vendor supplied product during growth and scale down a vendor supplied product during decline without “real-time” restrictions based upon vendor permissions. | Must | 10290 | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | A universal license key must be provided per VNF to be used as needed by services (i.e., not tied to a VM instance) as the recommended solution. The vendor may provide pools of Unique VNF License Keys, where there is a unique key for each VNF instance as an alternate solution. Licensing issues should be resolved without interrupting in-service VNFs. 
| Must | 10300 | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ + +Configuration Management +======================== + +OpenECOMP interacts directly with VNFs through its Network and +Application Adapters to perform configuration activities within NFV +environment. These activities include service and resource +configuration/reconfiguration, automated scaling of resources, service +and resource removal to support runtime lifecycle management of VNFs and +services. The Adapters employ a model driven approach along with +standardized APIs provided by the VNF developers to configure resources +and manage their runtime lifecycle. + +NETCONF Standards and Capabilities +---------------------------------- + +OpenECOMP Controllers and their Adapters utilize device YANG model and +NETCONF APIs to make the required changes in the VNF state and +configuration. The VNF providers must provide the Device YANG model and +NETCONF server supporting NETCONF APIs to comply with target OpenECOMP +and industry standards. + +**Table 2. 
VNF Configuration** + ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| **Principle** | **Description** | **Type** | **ID #** | ++=================+=======================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+============+============+ +| 3.1.1 | Virtual Network functions (VNFs) must include a NETCONF server enabling runtime configuration and lifecycle management capabilities. The NETCONF server embedded in VNFs shall provide a NETCONF interface fully defined by supplied YANG models. 
| Must | 11010 | +| | | | | +| Configuration | | | | +| | | | | +| Management | | | | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| 3.1.2 | NETCONF server connection parameters shall be configurable during virtual machine instantiation through Heat templates where SSH keys, usernames, passwords, SSH service and SSH port numbers are Heat template parameters. | Must | 11020 | +| | | | | +| NETCONF | | | | +| | | | | +| Server | | | | +| | | | | +| Requirements | | | | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Following protocol operations must be implemented: | Must | 11030 | +| | | | | +| | **close-session()**- Gracefully close the current session. | | | +| | | | | +| | **commit(confirmed, confirm-timeout)** - Commit candidate configuration datastore to the running configuration. | | | +| | | | | +| | **copy-config(target, source) -** Copy the content of the configuration datastore source to the configuration datastore target. 
| | | +| | | | | +| | **delete-config(target) -** Delete the named configuration datastore target. | | | +| | | | | +| | **discard-changes()** - Revert the candidate configuration datastore to the running configuration | | | +| | | | | +| | **edit-config(target, default-operation, test-option, error-option, config)** - Edit the target configuration datastore by merging, replacing, creating, or deleting new config elements. | | | +| | | | | +| | **get(filter)** - Retrieve (a filtered subset of a) the running configuration and device state information. This should include the list of VNF supported schemas. | | | +| | | | | +| | **get-config(source, filter)** - Retrieve a (filtered subset of a) configuration from the configuration datastore source. | | | +| | | | | +| | **kill-session(session)** - Force the termination of **session**. | | | +| | | | | +| | **lock(target)** - Lock the configuration datastore target. | | | +| | | | | +| | **unlock(target)** - Unlock the configuration datastore target. | | | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Following protocol operations should be implemented: | Should | 11040 | +| | | | | +| | **copy-config(target, source) -** Copy the content of the configuration datastore source to the configuration datastore target. | | | +| | | | | +| | **delete-config(target) -** Delete the named configuration datastore target. | | | +| | | | | +| | **get-schema(identifier, version, format) -** Retrieve the Yang schema. 
| | | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | All configuration data shall be editable through a NETCONF <*edit-config*> operation. Proprietary NETCONF RPCs that make configuration changes are not sufficient. | Must | 11050 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | By default, the entire configuration of the VNF must be retrievable via NETCONF's and , independently of whether it was configured via NETCONF or other mechanisms. 
| Must | 11060 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The **:partial-lock** and **:partial-unlock** capabilities, defined in RFC 5717 must be supported. This allows multiple independent clients to each write to a different part of the configuration at the same time. | Must | 11070 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The **:rollback-on-error** value for the parameter to the operation must be supported. If any error occurs during the requested edit operation, then the target database (usually the running configuration) will be left affected. This provides an 'all-or-nothing' edit mode for a single request. 
| Must | 11080 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The server must support the **:startup** capability. It will allow the running configuration to be copied to this special database. It can also be locked, and unlocked. | Must | 11090 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The **:url** value must be supported to specify protocol operation source and target parameters. The capability URI for this feature will indicate which schemes (e.g., file, https, sftp) that the server supports within a particular URL value. The 'file' scheme allows for editable local configuration databases. The other schemes allow for remote storage of configuration databases. 
| Must | 11100 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | At least one of the capabilities **:candidate** or **:writable-running** must be implemented. If both **:candidate** and **:writable-running** are provided then two locks should be supported. | Must | 11110 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The server must fully support the XPath 1.0 specification for filtered retrieval of configuration and other database contents. The 'type' attribute within the parameter for and operations may be set to 'xpath'. The 'select' attribute (which contains the XPath expression) will also be supported by the server. A server may support partial XPath retrieval filtering, but it cannot advertise the **:xpath** capability unless the entire XPath 1.0 specification is supported. 
| Must | 11120 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The **:validate** capability must be implemented. | Must | 11130 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | If **:candidate** is supported, **:confirmed-commit** must be implemented. | Must | 11140 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The **:with-defaults** capability [RFC6243] shall be implemented. 
| Must | 11150 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Data model discovery and download as defined in [RFC6022] shall be implemented. | Must | 11160 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | NETCONF Event Notifications [RFC5277] should be implemented. | Should | 11170 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | All data models shall be defined in YANG [RFC6020], and the mapping to NETCONF shall follow the rules defined in this RFC. 
| Must | 11180 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The data model upgrade rules defined in [RFC6020] section 10 should be followed. All deviations from section 10 rules shall be handled by a built-in automatic upgrade mechanism. | Must | 11190 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF must support parallel and simultaneous configuration of separate objects within itself. 
| Must | 11200 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Locking is required if a common object is being manipulated by two simultaneous NETCONF configuration operations on the same VNF within the context of the same writable running data store (e.g., if an interface parameter is being configured then it should be locked out for configuration by a simultaneous configuration operation on that same interface parameter). | Must | 11210 | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Locking must be applied based on the sequence of NETCONF operations, with the first configuration operation locking out all others until completed. 
| Must | 11220 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | If a VNF needs to lock an object for configuration, the lock must be permitted at the finest granularity to avoid blocking simultaneous configuration operations on unrelated objects (e.g., BGP configuration should not be locked out if an interface is being configured, Entire Interface configuration should not be locked out if a non-overlapping parameter on the interface is being configured). The granularity of the lock must be able to be specified via a restricted or full XPath expression. 
| Must | 11230 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | All simultaneous configuration operations should guarantee the VNF configuration integrity (for example: if a change is attempted to the BUM filter rate from multiple interfaces on the same EVC, then they need to be sequenced in the VNF without locking either configuration method out) | Must | 11240 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | To prevent permanent lock-outs, locks must be released: | Must | 11250 |
+| | | | |
+| | a. when/if a session applying the lock is terminated (e.g., SSH session is terminated) | | |
+| | | | |
+| | b. the corresponding operation succeeds | | |
+| | | | |
+| | c. 
a user configured timer has expired forcing the NETCONF SSH Session termination (i.e., product must expose a configuration knob for a user setting of a lock expiration timer) | | |
+| | | | |
+| | Additionally, to guard against hung NETCONF sessions, another NETCONF session should be able to initiate the release of the lock by killing the session owning the lock, using the operation. | | |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | The VNF should support simultaneous operations within the context of this locking requirements framework. | Must | 11260 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | The supplied YANG code and associated NETCONF servers shall support all operations, administration and management (OAM) functions available from the supplier for VNFs. 
| Must | 11270 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | Sub tree filtering must be supported. | Must | 11280 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | Heartbeat via a with null filter shall be supported. | Must | 11290 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | Get-schema (ietf-netconf-monitoring) must be supported to pull YANG model over session. 
| Must | 11300 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | The supplied YANG code shall be validated using the open source pyang [2]_ program using the following commands: | Must | 11310 |
+| | | | |
+| | $ pyang --verbose --strict | | |
+| | | | |
+| | $ echo $! | | |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | The echo command must return a zero value otherwise the validation has failed. 
| Must | 11320 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | The supplier shall demonstrate mounting the NETCONF server on OpenDaylight (client) and: | Must | 11330 |
+| | | | |
+| | - Modify, update, change, rollback configurations using each configuration data element. | | |
+| | | | |
+| | - Query each state (non-configuration) data element. | | |
+| | | | |
+| | - Execute each YANG RPC. | | |
+| | | | |
+| | - Receive data through each notification statement. | | |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+
+The following table provides the Yang models that suppliers must
+conform, and those where applicable, that suppliers need to use.
+
+Table 3. 
YANG Models
+
++------------+------------------------------------------------------------------------------------+------------+------------+
+| **RFC** | **Description** | **Type** | **ID #** |
++============+====================================================================================+============+============+
+| RFC 6020 | YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF) | Must | 12010 |
++------------+------------------------------------------------------------------------------------+------------+------------+
+| RFC 6022 | YANG module for NETCONF monitoring | Must | 12020 |
++------------+------------------------------------------------------------------------------------+------------+------------+
+| RFC 6470 | NETCONF Base Notifications | Must | 12030 |
++------------+------------------------------------------------------------------------------------+------------+------------+
+| RFC 6244 | An Architecture for Network Management Using NETCONF and YANG | Must | 12040 |
++------------+------------------------------------------------------------------------------------+------------+------------+
+| RFC 6087 | Guidelines for Authors and Reviewers of YANG Data Model Documents | Must | 12050 |
++------------+------------------------------------------------------------------------------------+------------+------------+
+| RFC 6991 | Common YANG Data Types | Should | 12060 |
++------------+------------------------------------------------------------------------------------+------------+------------+
+| RFC 6536 | NETCONF Access Control Model | Should | 12070 |
++------------+------------------------------------------------------------------------------------+------------+------------+
+| RFC 7223 | A YANG Data Model for Interface Management | Should | 12080 |
++------------+------------------------------------------------------------------------------------+------------+------------+
+| RFC 7224 | IANA Interface Type YANG 
Module | Should | 12090 |
++------------+------------------------------------------------------------------------------------+------------+------------+
+| RFC 7277 | A YANG Data Model for IP Management | Should | 12100 |
++------------+------------------------------------------------------------------------------------+------------+------------+
+| RFC 7317 | A YANG Data Model for System Management | Should | 12110 |
++------------+------------------------------------------------------------------------------------+------------+------------+
+| RFC 7407 | A YANG Data Model for SNMP Configuration | Should | 12120 |
++------------+------------------------------------------------------------------------------------+------------+------------+
+
+The NETCONF server interface shall fully conform to the following
+NETCONF RFCs.
+
+Table 4. NETCONF RFCs
+
++------------+--------------------------------------------------------------------+------------+------------+
+| **RFC** | **Description** | **Type** | **ID #** |
++============+====================================================================+============+============+
+| RFC 4741 | NETCONF Configuration Protocol | Must | 12130 |
++------------+--------------------------------------------------------------------+------------+------------+
+| RFC 4742 | Using the NETCONF Configuration Protocol over Secure Shell (SSH) | Must | 12140 |
++------------+--------------------------------------------------------------------+------------+------------+
+| RFC 5277 | NETCONF Event Notification | Must | 12150 |
++------------+--------------------------------------------------------------------+------------+------------+
+| RFC 5717 | Partial Lock Remote Procedure Call | Must | 12160 |
++------------+--------------------------------------------------------------------+------------+------------+
+| RFC 6241 | NETCONF Configuration Protocol | Must | 12170 | 
++------------+--------------------------------------------------------------------+------------+------------+
+| RFC 6242 | Using the Network Configuration Protocol over Secure Shell | Must | 12180 |
++------------+--------------------------------------------------------------------+------------+------------+
+
+VNF REST APIs
+--------------
+
+Healthcheck is a command for which no NETCONF support exists. Therefore,
+this must be supported using a RESTful interface which we have defined.
+
+The VNF must provide two REST formatted RPCs to support Healthcheck
+queries via the GET method over HTTP(s).
+
+**Table 5. VNF REST APIs**
+
++-----------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| **Principal** | **Description** | **Type** | **ID #** |
++=================+================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+============+============+
+| 3.2.1 | **GET /check** - The **/check** RPC, executes a vendor-defined VNF Healthcheck over the scope of the entire VNF (e.g if there are multiple VMs, then run a health check, as appropriate, for all VMs). 
/check returns a 200 OK if the test passes and a 50x response if the test fails. The precise failure code may depend upon type of failure (process error, overload etc.). A JSON object is returned indicating state, scope identifier, time-stamp and info field as well as an optional fault field. | Must | 12190 |
+| | | | |
+| REST APIs | For example: | | |
+| | | | |
+| | 503 Threshold Exceeded | | |
+| | | | |
+| | { | | |
+| | | | |
+| | "identifier": "scope represented", | | |
+| | | | |
+| | "info": "System threshold exceeded details", | | |
+| | | | |
+| | "fault": | | |
+| | | | |
+| | { | | |
+| | | | |
+| | "cpuOverall": 0.80, | | |
+| | | | |
+| | "cpuThreshold": 0.45 | | |
+| | | | |
+| | }, | | |
+| | | | |
+| | "time": "01-01-1000:0000" | | |
+| | | | |
+| | } | | |
++-----------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | **GET /status** - The **/status** RPC returns a 200 OK code and state of the VNF (resources utilized) in the form of a nested JSON response (multiple resources for each VM within the VNF). 
| Must | 12200 |
+| | | | |
+| | For example: | | |
+| | | | |
+| | { | | |
+| | | | |
+| | "identifier": "scope represented", | | |
+| | | | |
+| | "stats": | | |
+| | | | |
+| | { | | |
+| | | | |
+| | "vm\_123": | | |
+| | | | |
+| | { | | |
+| | | | |
+| | "cpuOverall": 0.32 | | |
+| | | | |
+| | "usedMemory": 1000 | | |
+| | | | |
+| | "totalMemory": 2000 | | |
+| | | | |
+| | } | | |
+| | | | |
+| | }, | | |
+| | | | |
+| | "time": "01-01-1000:0000" | | |
+| | | | |
+| | } | | |
++-----------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+
+OpenECOMP Controller APIs and Behavior
+--------------------------------------
+
+OpenECOMP Controllers support the following operations which act
+directly upon the VNF. Most of these utilize the NETCONF interface.
+There are additional commands in use but these either act internally on
+Controller itself or depend upon network cloud components for
+implementation. Those actions do not put any special requirement on the
+VNF provider.
+
+The following table summarizes how the VNF must act in response to
+commands from OpenECOMP.
+
+Table 6. 
OpenECOMP Controller APIs
+
++---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------+
+| **Action** | **Description** | **VNF Action** | **NETCONF COMMANDs** | 
++===============+=================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+========================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+==============================+
+| Action | Queries OpenECOMP Controller for the current state of a previously submitted runtime LCM (Lifecycle Management) action. | Checks if VNF is busy. Current operation depends on a completion code from any previous operation. In the future a positive acknowledgement of busy status may be useful to handle ambiguous conditions. However, at this time none is being used. 
| |
+| | | | |
+| Status | | | |
++---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------+
+| Audit | Compare active configuration against a configuration stored in OpenECOMP’s configuration store. | Retrieve running configuration and device state information. Get-config updates the config tree which can then be compared to the stored current config in the OpenECOMP database. 
| get-config |
++---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------+
+| Check | Returns true when the given VNF has been locked. | VnfLock may have been used to lock the VNF. There is currently no way to query lock state in NETCONF so locked state is managed internally by OpenECOMP. 
| |
+| | | | |
+| Lock | | | |
++---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------+
+| Configure | Configures the target VNF or VNFC. | The operation loads all or part of a specified configuration data set to the specified target VNF. 
| edit-config, commit |
++---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------+
+| Health | Executes a VNF health check and returns the result. A health check is VNF-specific. | The OpenECOMP health check interface is defined over REST and requires the target VNF to expose a standardized HTTP(S) interface for that purpose. Return the health status of the VNF by performing (via any vendor-specific means) internal checks of needed resources, process states, etc. The specific errors returned can be used to indicate the source of the problem. OpenECOMP will generate error events for all reported health problems. 
| **REST API** |
+| | | | |
+| Check | | | GET /check |
+| | | | |
+| | | | GET /status |
++---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------+
+| Live | Upgrades the target VNF to a new version without interrupting VNF operation. 
| Supported today on some VNFs via CLI only (the CLI use is an interim solution) | load, restart |
+| | | | |
+| Upgrade | | | |
++---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------+
+| | This is an internal Controller operation used to create config-tree and operations tree in the controller. | OpenECOMP must retrieve a schema definition from the VNF. The NETCONF server returns the requested schema. During session establishment OpenECOMP issues a NETCONF command which will retrieve all running configuration parameters, all running operational parameters and a list of NETCONF schemas. OpenECOMP retrieves the schemas to create a Yang model describing the parameters used by the VNF and legal values for each parameter (patterns or ranges). The schemas tell OpenECOMP what parameters can be set and what constitute legal values for those parameters. 
| get, get-schema |
++---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------+
+| Config | The ConfigModify LCM action affects only a subset of the total configuration data of a VNF. It can be used to change specific parameters across a number of separate instances for the same VnfcType without changing instance specific values of each. It can also be used to make successive changes to a number of parameters where those changes are considered cumulative. Thus each ConfigModify invocation leaves previous values untouched and only edits the parameters which are sent to OpenECOMP. | The operation loads only a part of the full set of configuration parameters to the specified target configuration without changing any existing parameters. 
| edit-config, commit | +| | | | | +| Modify | | | | ++---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------+ +| Config | Saves a VNF’s running configuration into the configuration store in OpenECOMP, for later retrieval. | (optional) If copy-config to a local file is supported by the VNFC this command is used to store the running config locally in order to save time on any subsequent Reconfigure. To support this action, the VNF must allow to save to a local file and must support subsequent retrieval of the copied configuration back to the running configuration. If this capability is not supported, OpenECOMP will still function, but updates will take longer. 
| copy-config, delete-config | +| | | | | +| Save | | | | ++---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------+ +| Reconfigure | Reconfigure a VNF to some previously stored baseline configuration stored by a previous ConfigSetBaseline. | If a previous config has been saved locally, and designated as the baseline configuration, use quick restore ( from file). If the restore fails, fallback to a process of changing the configuration value by value using and referencing the SQL values stored by APP-C. 
| edit-config or copy-config | ++---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------+ +| Config | Reconfigure a VNF to some previously stored baseline configuration stored by a previous ConfigSetBaseline. | If a previous config has been saved locally use quick restore ( from file). If the restore fails, fallback to a process of changing the configuration value by value using . 
| edit-config or copy-config | +| | | | | +| Restore | | | | ++---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------+ +| Sync | Updates the current configuration of a VNF in OpenECOMP’s SQL configuration storage repository by uploading the running config. Useful if the current and running configurations do not match as determined by a previous Audit call. 
| Retrieve running config from VNF | get, get-config | ++---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------+ +| VNFLock | Lock or Unlock a VNF to ensure exclusive access during a series of critical steps. | The lock operation allows the client to lock the configuration system of a device. 
| lock, unlock | ++---------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------+ + +Monitoring & Management +======================= + +This section addresses data collection and event processing +functionality that is directly dependent on the interfaces provided by +the VNFs’ APIs. These can be in the form of Asynchronous interfaces for +event, fault notifications, and autonomous data streams. They can also +be Synchronous interfaces for on-demand requests to retrieve various +performance, usage, and other event information. + +The target direction for VNF interfaces is to employ APIs that are +implemented utilizing standardized messaging and modeling protocols over +standardized transports. 
Migrating to a virtualized environment presents
+a tremendous opportunity to eliminate the need for proprietary
+interfaces for vendor equipment while removing the traditional
+boundaries between Network Management Systems and Element Management
+Systems. Additionally, VNFs provide the ability to instrument the
+networking applications by creating event records to test and monitor
+end-to-end data flow through the network, similar to what physical or
+virtual probes provide without the need to insert probes at various
+points in the network. The VNF vendors must be able to provide the
+aforementioned set of required data directly to the OpenECOMP collection
+layer using standardized interfaces.
+
+Transports and Protocols Supporting Resource Interfaces
+-------------------------------------------------------
+
+Delivery of data from VNFs to OpenECOMP must use the same common
+transport mechanisms and protocols for all VNFs. Transport mechanisms
+and protocols have been selected to enable both high volume and moderate
+volume datasets, as well as asynchronous and synchronous communications
+over secure connections. The specified encoding provides
+self-documenting content, so data fields can be changed as needs evolve,
+while minimizing changes to data delivery.
+
+The term ‘Event Record’ is used throughout this document to represent
+various forms instrumentation/telemetry made available by the VNF
+including, faults, status events and various other types of VNF
+measurements and logs. Headers received by themselves must be used as
+heartbeat indicators. The common structure and delivery protocols for
+other types of data will be given in future versions of this document as
+we get more insight into data volumes and required processing.
+
+In the following guidelines we provide options for encoding,
+serialization and data delivery. 
Agreements between Service Providers +and VNF vendors shall determine which encoding, serialization and +delivery method to use for particular data sets. The selected methods +must be agreed to prior to the on-boarding of the VNF into OpenECOMP +design studio. + +Table 7. Monitoring & Management + ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| **Principle** | **Description** | **Type** | **ID #** | ++==============================================+=====================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+============+============+ +| 
4.1.1 | Content delivered from VNFs to OpenECOMP is to be encoded and serialized using JSON (option 1). High-volume data is to be encoded and serialized using Avro, where Avro data format are described using JSON (option 2) [3]_. | Must | 13010 | +| | | | | +| Encoding and Serialization | - JSON plain text format is preferred for moderate volume data sets (option 1), as JSON has the advantage of having well-understood simple processing and being human-readable without additional decoding. Examples of moderate volume data sets include the fault alarms and performance alerts, heartbeat messages, measurements used for VNF scaling and syslogs. | | | +| | | | | +| | - Binary format using Avro is preferred for high volume data sets (option 2) such as mobility flow measurements and other high-volume streaming events (such as mobility signaling events or SIP signaling) or bulk data, as this will significantly reduce the volume of data to be transmitted. As of the date of this document, all events are reported using plain text JSON and REST. | | | +| | | | | +| | - Avro content is self-documented, using a JSON schema. The JSON schema is delivered along with the data content (http://avro.apache.org/docs/current/ ). This means the presence and position of data fields can be recognized automatically, as well as the data format, definition and other attributes. Avro content can be serialized as JSON tagged text or as binary. In binary format, the JSON schema is included as a separate data block, so the content is not tagged, further compressing the volume. For streaming data, Avro will read the schema when the stream is established and apply the schema to the received content. | | | +| | | | | +| | - In the future, we may consider support for other types of encoding & serialization (e.g., gRPC) based on industry demand. 
| | | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| 4.1.2 | The frequency that asynchronous data is delivered will vary based on the content and how data may be aggregated or grouped together. For example, alarms and alerts are expected to be delivered as soon as they appear. In contrast, other content, such as performance measurements, KPIs or reported network signaling may have various ways of packaging and delivering content. Some content should be streamed immediately; or content may be monitored over a time interval, then packaged as collection of records and delivered as block; or data may be collected until a package of a certain size has been collected; or content may be summarized statistically over a time interval, or computed as a KPI, with the summary or KPI being delivered. | Must | 13020 | +| | | | | +| Reporting Frequency | - We expect the reporting frequency to be configurable depending on the virtual network function’s needs for management. For example, Service Provider may choose to vary the frequency of collection between normal and trouble-shooting scenarios. 
| | | +| | | | | +| | - Decisions about the frequency of data reporting will affect the size of delivered data sets, recommended delivery method, and how the data will be interpreted by OpenECOMP. However, this should not affect deserialization and decoding of the data, which will be guided by the accompanying JSON schema. | | | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| 4.1.3 | OpenECOMP destinations can be addressed by URLs for RESTful data PUT. Future data sets may also be addressed by host name and port number for TCP streaming, or by host name and landing zone directory for SFTP transfer of bulk files. | Must | 13030 | +| | | | | +| Addressing and Delivery Protocol | - REST using HTTPS delivery of plain text JSON is preferred for moderate sized asynchronous data sets, and for high volume data sets when feasible.  | | | +| | | | | +| | - VNFs must have the capability of maintaining a primary and backup DNS name (URL) for connecting to OpenECOMP collectors, with the ability to switch between addresses based on conditions defined by policy such as time-outs, and buffering to store messages until they can be delivered. 
At its discretion, the service provider may choose to populate only one collector address for a VNF. In this case, the network will promptly resolve connectivity problems caused by a collector or network failure transparently to the VNF. | | | +| | | | | +| | - VNFs will be configured with initial address(es) to use at deployment time. After that the address(es) may be changed through OpenECOMP-defined policies delivered from OpenECOMP to the VNF using PUTs to a RESTful API, in the same way that other controls over data reporting will be controlled by policy. | | | +| | | | | +| | - Other options are expected to include: | | | +| | | | | +| | - REST delivery of binary encoded data sets. | | | +| | | | | +| | - TCP for high volume streaming asynchronous data sets and for other high volume data sets. TCP delivery can be used for either JSON or binary encoded data sets. | | | +| | | | | +| | - SFTP for asynchronous bulk files, such as bulk files that contain large volumes of data collected over a long time interval or data collected across many VNFs. This is not preferred. Preferred is to reorganize the data into more frequent or more focused data sets, and deliver these by REST or TCP as appropriate. | | | +| | | | | +| | - REST for synchronous data, using RESTCONF (e.g., for VNF state polling). | | | +| | | | | +| | - The OpenECOMP addresses as data destinations for each VNF must be provided by OpenECOMP Policy, and may be changed by Policy while the VNF is in operation. We expect the VNF to be capable of redirecting traffic to changed destinations with no loss of data, for example from one REST URL to another, or from one TCP host and port to another. 
| | | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| 4.1.4 | VNFs are to deliver asynchronous data as data becomes available, or according to the configured frequency. The delivered data must be encoded using JSON or Avro, addressed and delivered as described in the previous paragraphs. 
| Must | 13040 | +| | | | | +| Asynchronous and Synchronous Data Delivery | | | | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | VNFs are to respond to data requests from OpenECOMP as soon as those requests are received, as a synchronous response. | Must | 13050 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Synchronous communication must leverage the RESTCONF/NETCONF framework used by the OpenECOMP configuration subsystem. 
This shall include using YANG configuration models and RESTCONF (https://tools.ietf.org/html/draft-ietf-netconf-restconf-09#page-46). | Must | 13060 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF must respond with content encoded in JSON, as described in the RESTCONF specification. This way the encoding of a synchronous communication will be consistent with Avro. 
| Must | 13070 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | OpenECOMP may request the VNF to deliver the current data for any of the record types defined in Section 4.2 below. The VNF must respond by returning the requested record, populated with the current field values. (Currently the defined record types include fault fields, mobile flow fields, measurements for VNF scaling fields, and syslog fields. Other record types will be added in the future as they become standardized and are available). 
| Must | 13080 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | OpenECOMP may request the VNF to deliver granular data on device or subsystem status or performance, referencing the YANG configuration model for the VNF. The VNF must respond by returning the requested data elements. 
| Must | 13090 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | YANG models can be translated to and from JSON (https://trac.tools.ietf.org/id/draft-lhotka-netmod-yang-json-00.html), meaning YANG configuration and content can be represented via JSON, consistent with Avro, as described in “Encoding and Serialization” section. 
| Must | 13100 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| 4.1.5 | VNFs must support secure connections and transports. | Must | 13110 | +| | | | | +| Security | | | | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Access to OpenECOMP and to VNFs, and creation of connections, must be controlled through secure credentials, log-on and exchange mechanisms. 
| Must | 13120 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Data in motion must be carried only over secure connections. | Must | 13130 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Service Providers require that any content containing Sensitive Personal Information (SPI) or certain proprietary data must be encrypted, in addition to applying the regular procedures for securing access and delivery. 
| Must | 13140 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ + +Data Model for Event Records +----------------------------- + +This section describes the data model for the collection of telemetry +data from VNFs by Service Providers (SPs) to manage VNF health and +runtime lifecycle. This data model is referred to as the VNF Event +Streaming (VES) specifications. OPNFV has a VES project [4]_ that +provides a holistic solution for OpenStack’s internal telemetry to +manage Application (VNFs), Physical and virtual infrastructure (compute, +storage, network devices), and virtual infrastructure managers (cloud +controllers, SDN controllers). Note that any configurable parameters for +these data records (e.g., frequency, granularity, policy-based +configuration) will be managed using the “Configuration” framework +described in the prior sections. + +The Data Model consists of: + +- Common Header Record: This precedes each of the domain-specific + records. + +- Domain Specific Event Records. This version of the document specifies + the model for Fault, Performance, Syslog, State Change, and Mobile + Flow records. 
In the future, these will be extended to support other
+ types of records (e.g., Signaling or control plane messages,
+ probe-less monitoring records, Status Records, Security records,
+ etc.). Each of these records allows additional fields (name value
+ pairs) for extensibility. The VNF vendors can use these VNF-specific
+ additional fields to provide additional information that may be
+ relevant to the managing systems.
+
+Figure 1. Data Model for Event Records
+
+Event Records - Data Structure Description
+------------------------------------------
+
+The data structure for event records consists of a Header Block and zero
+(heartbeat would only have header) or more event domain blocks (e.g.,
+Common Fault Event domain, Common Performance Event domain, Common
+Syslog Event domain, Specialized Mobile Flow Event Domain, etc.). The
+tables in Appendix A present the details for the Common Header and other
+specific record types.
+
+Common Event Header
+~~~~~~~~~~~~~~~~~~~
+
+The common header that precedes any of the domain-specific records
+contains information identifying the type of record to follow,
+information about the sender and other identifying characteristics
+related to timestamp, sequence number, etc. The table A.1 in Appendix A
+describes the structure for the common header.
+
+Event Data Structure – Fault Fields
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The Fault Record, describing a condition in the Fault domain, contains
+information about the fault such as the entity under fault, the
+severity, resulting status, etc. The table A.2 in Appendix A describes
+the structure for the fault record.
+
+Event Data Structure – Measurements for VNF Scaling Fields
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The VNF Scaling Record contains information about VNF resource structure
+and its condition to help in the management of the resources for
+purposes of elastic scaling.
The table A.3 in Appendix A describes the
+structure for the VNF Scaling record.
+
+Event Data Structure – Syslog Fields
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The Syslog Record provides a structure for communicating any type of
+information that may be logged by the VNF. It can contain information
+about system internal events, status, errors, etc. The table A.4 in
+Appendix A describes the structure for the Syslog record.
+
+Event Data Structure – State Change Fields
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The State change domain provides a structure for communicating
+information about data flow through the VNF. It can contain information
+about state change related to Physical device that is reported by VNF.
+As an example when cards or port name of the entity that has changed
+state. The table A.5 in Appendix A describes the structure of the State
+Change record.
+
+Event Data Structure – Mobile Flow Fields
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The Mobile Flow Record provides a structure for communicating
+information about data flow through the VNF. It can contain information
+about connectivity and data flows between serving elements for mobile
+service, such as between LTE reference points, etc. The table A.6 in
+Appendix A describes the structure for the Mobile Flow record.
+ +Appendix A – Data Record Format +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The following provides additional information on the event record +formats for the following data structures (for complete information, +please refer to AT&T Service Specification; Service: VES Event Listener, +revision 4.0, dated Jan 5\ :sup:`th`, 2017): + +- Common Event Header + +- Fault Fields + +- Measurements for VF Scaling Fields + +- Syslog Fields + +- State Change Fields + +- Mobile Flow Fields + +A.1 EVENT RECORDS – Common Event Header +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Field | Type | Required? | Description | ++=========================+===========+=============+================================================================================================================================================================================================================================================================================+ +| version | number | No | Version of the event header (currently: 2.0) | ++-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| eventType | string | No | Unique event topic name | 
++-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| domain | string | Yes | Event domain enumeration: ‘fault’, ‘heartbeat’, ‘measurementsForVfScaling’, ‘mobileFlow’, ‘other’, ‘stateChange’, ‘syslog’, ‘thresholdCrossingAlert’ | ++-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| eventId | string | Yes | Event key that is unique to the event source | ++-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| sourceId | string | No | UUID identifying the entity experiencing the event issue (note: the AT&T internal enrichment process shall ensure that this field is populated) | ++-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| sourceName | string | Yes | Name of the entity experiencing the event issue | 
++-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| functionalRole | string | Yes | Function of the event source e.g., eNodeB, MME, PCRF | ++-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| reportingEntityId | string | No | UUID identifying the entity reporting the event, for example an OAM VM (note: the AT&T internal enrichment process shall ensure that this field is populated) | ++-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| reportingEntityName | string | Yes | Name of the entity reporting the event, for example, an OAM VM | ++-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| priority | string | Yes | Processing priority enumeration: ‘High’, ‘Medium’, ‘Normal’, ‘Low’ | 
++-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| startEpochMicrosec | number | Yes | the earliest unix time aka epoch time associated with the event from any component--as microseconds elapsed since 1 Jan 1970 not including leap seconds | ++-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| lastEpochMicrosec | number | Yes | the latest unix time aka epoch time associated with the event from any component--as microseconds elapsed since 1 Jan 1970 not including leap seconds | ++-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| sequence | integer | Yes | Ordering of events communicated by an event source instance (or 0 if not needed) | ++-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| internalHeader Fields | object | No | Fields (not supplied by event sources) that the VES Event Listener service can use to enrich the event if needed for efficient internal processing. 
This is an empty object which is intended to be defined separately by each provider implementing the VES Event Listener. | ++-------------------------+-----------+-------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +A.2 EVENT RECORDS – Fault Fields +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++-------------------------------+--------------------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Field | Type | Required? | Description | ++===============================+================================+=============+=================================================================================================================================================================================================================================================================================================================================================+ +| faultFieldsVersion | number | No | Version of the faultFields block (currently: 1.1) | ++-------------------------------+--------------------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| eventSeverity | string | Yes | Event severity or priority enumeration: 
‘CRITICAL’, ‘MAJOR’, ‘MINOR’, ‘WARNING’, ‘NORMAL’ | ++-------------------------------+--------------------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| eventSourceType | string | Yes | Examples: ‘other’, ‘router’, ‘switch’, ‘host’, ‘card’, ‘port’, ‘slotThreshold’, ‘portThreshold’, ‘virtualMachine’, ‘virtualNetworkFunction’ | ++-------------------------------+--------------------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| alarmCondition | string | Yes | Alarm condition reported by the device | ++-------------------------------+--------------------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| specificProblem | string | Yes | Short description of the alarm or problem | 
++-------------------------------+--------------------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| vfStatus | string | Yes | Virtual function status enumeration: ‘Active’, ‘Idle’, ‘Preparing to terminate’, ‘Ready to terminate’, ‘Requesting Termination’ | ++-------------------------------+--------------------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| alarmtInterfaceA | string | No | Card, port, channel or interface name of the device generating the alarm | ++-------------------------------+--------------------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| alarmAdditional Information | Name-value pair object array | No | Expressed as an array of name-value pairs which can be used to describe additional Information related to Alarm, such as Repair Action, Remedy code….May by serialized alarm payload: varbind list, original syslog message, notification parameters, etc. when event is generated via other means, should provide raw detail out of element. 
| ++-------------------------------+--------------------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +A.3 EVENT RECORDS – Measurements for VF Scaling Fields +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Field | Type | Required? | Description | ++=========================================+================+=============+==============================================================================================================================================================================================================================================================================================+ +| measurementsForVfScalingFieldsVersion | number | No | Version of the measurementsForVfScalingFields block (currently: 1.1) | ++-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| additionalMeasurements | object array | No | Expressed as an array of measurementGroup objects, each of which contains a measurement group along with an array of name-value pair fields. 
Can be used to provide additional measurement fields | ++-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| aggregateCpuUsage | number | No | Aggregate CPU usage of the VM on which the VNFC reporting the event is running | ++-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| codecUsageArray | Array | No | Expressed as an array of codecsInUse objects, each of which contains a string identifying the codec, along with a number indicating the number of such codecs in use. 
| ++-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| concurrentSessions | number | No | Peak concurrent sessions for the VM or VNF (depending on the context) over the measurementInterval | ++-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| configuredEntities | number | No | Depending on the context over the measurementInterval: peak total number of users, subscribers, devices, adjacencies, etc., for the VM, or peak total number of subscribers, devices, etc., for the VNF | ++-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| cpuUsageArray | object array | No | Expressed as an array of cpuUsage objects, each of which contains a string identifying the cpu, along with a number indicating the cpu usage percentage. 
| ++-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| errors | object | No | Provides receive and transmit errors and discards | ++-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| featureUsageArray | object array | No | Expressed as an array of featuresInUse objects, each of which contains a string identifying the feature, along with a number indicating the number of times the feature was used. | ++-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| filesystemUsageArray | object array | No | Expressed as an array of filesystemUsage objects, each of which contains a string identifying the filesystem, along with numbers indicating the configured and used block and ephemeral capacity in GB, along with the input-output operations per second for block and ephemeral storage. 
| ++-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| latencyDistribution | object array | No | Expressed as an array of latencyBucketMeasure objects, defined by two numbers indicating the low end and high end of the latency bucket (in ms), plus a number indicating the number of counts in that bucket. | ++-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| meanRequestLatency | number | No | Mean seconds required to respond to each request for the VM on which the VNFC reporting the event is running | ++-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| measurementInterval | number | Yes | Interval over which measurements are being reported in seconds | ++-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| memoryConfigured | number | No | 
Memory in MB configured in the VM on which the VNFC reporting the event is running | ++-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| memoryUsed | number | No | Memory usage in MB of the VM on which the VNFC reporting the event is running | ++-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| numberOfMediaPortsInUse | Number | No | Number of media ports in use | ++-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| requestRate | number | No | Peak rate of service requests per second to the VNF over the measurementInterval | ++-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| vnfcScalingMetric | number | No | Represents busy-ness of the VNF from 0 to 100 as reported by the VNFC | 
++-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| vNicUsageArray | object array | No | Expressed as an array of vNicUsage objects, each of which contains a string identifying the vNic, along with numbers indicating the unicast, multicast, broadcast and total number of packets received and sent, plus the total number of bytes in and out of the vNic (in MB). | ++-----------------------------------------+----------------+-------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +A.4 EVENT RECORDS – Syslog Fields +--------------------------------- + ++-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ +| Field | Type | Required? 
| Description | ++=======================+================================+=============+===============================================================================================================================================+ +| syslogFieldsVersion | number | No | Version of the syslogFields block (currently: 2.0) | ++-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ +| additionalFields | Name-value pair object array | No | Expressed as an array of name-value pairs which can be used to describe additional syslog fields if needed | ++-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ +| eventSourceHost | string | No | Hostname of the device | ++-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ +| eventSourceType | string | Yes | Examples: ‘other’, ‘router’, ‘switch’, ‘host’, ‘card’, ‘port’, ‘slotThreshold’, ‘portThreshold’, ‘virtualMachine’, ‘virtualNetworkFunction’ | ++-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ +| syslogFacility | number | No | Numeric code from 0 to 23 for facility: | +| | | | | +| | | | 0 kernel messages | +| | | | | +| | | | 1 user-level messages | +| | | | | +| | | | 2 mail system | +| | | | | +| | | | 3 system daemons | +| | | | | +| | | | 4 security/authorization messages | +| | | | | +| | | | 5 messages generated internally by syslogd | +| | | | | +| | | | 6 line printer 
subsystem | +| | | | | +| | | | 7 network news subsystem | +| | | | | +| | | | 8 UUCP subsystem | +| | | | | +| | | | 9 clock daemon | +| | | | | +| | | | 10 security/authorization messages | +| | | | | +| | | | 11 FTP daemon | +| | | | | +| | | | 12 NTP subsystem | +| | | | | +| | | | 13 log audit | +| | | | | +| | | | 14 log alert | +| | | | | +| | | | 15 clock daemon (note 2) | +| | | | | +| | | | 16 local use 0 (local0) | +| | | | | +| | | | 17 local use 1 (local1) | +| | | | | +| | | | 18 local use 2 (local2) | +| | | | | +| | | | 19 local use 3 (local3) | +| | | | | +| | | | 20 local use 4 (local4) | +| | | | | +| | | | 21 local use 5 (local5) | +| | | | | +| | | | 22 local use 6 (local6) | +| | | | | +| | | | 23 local use 7 (local7 ) | ++-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ +| syslogMsg | string | Yes | Syslog message | ++-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ +| syslogPri | number | No | 0-192 | +| | | | | +| | | | Combined Severity and Facility | ++-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ +| syslogProc | string | No | Identifies the application that originated the message | ++-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ +| syslogProcId | number | No | A change in the value of this field indicates a discontinuity in syslog reporting | 
++-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ +| syslogSData | string | No | Syslog structured data consisting of a structured data Id followed by a set of key value pairs (see below for an example) | +| | | | | +| | | | \*\*Note: SD-ID may not be present if syslogSdId is populated | ++-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ +| syslogSdId | string | No | 0-32 char in format name@number, | +| | | | | +| | | | ie ourSDID@32473 | ++-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ +| syslogSev | string | No | Numerical Code for Severity | +| | | | | +| | | | (derived from syslogPri: remaider of syslogPri / 8) | +| | | | | +| | | | 0 Emergency: system is unusable | +| | | | | +| | | | 1 Alert: action must be taken immediately | +| | | | | +| | | | 2 Critical: critical conditions | +| | | | | +| | | | 3 Error: error conditions | +| | | | | +| | | | 4 Warning: warning conditions | +| | | | | +| | | | 5 Notice: normal but significant condition | +| | | | | +| | | | 6 Informational: informational messages | +| | | | | +| | | | 7 Debug: debug-level messages | ++-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ +| syslogTag | string | Yes | MsgId indicating the type of message such as ‘TCPOUT’ or ‘TCPIN’; ‘NILVALUE’ should be used when no other value can be provided | 
++-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ +| syslogVer | number | No | IANA assigned version of the syslog protocol specification (typically ‘1’) | ++-----------------------+--------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------------+ + +A.5 EVENT RECORDS – State Change Fields +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++----------------------------+--------------------------------+-------------+--------------------------------------------------------------------------------------------------------------------+ +| Field | Type | Required? | Description | ++============================+================================+=============+====================================================================================================================+ +| stateChangeFieldsVersion | number | No | Version of the stateChangeFields block (currently: 1.1) | ++----------------------------+--------------------------------+-------------+--------------------------------------------------------------------------------------------------------------------+ +| additionalFields | Name-value pair object array | No | Expressed as an array of name-value pairs which can be used to describe additional state change fields if needed | ++----------------------------+--------------------------------+-------------+--------------------------------------------------------------------------------------------------------------------+ +| newState | string | Yes | New state of the entity: ‘inService’, ‘maintenance’, ‘outOfService’ | 
++----------------------------+--------------------------------+-------------+--------------------------------------------------------------------------------------------------------------------+ +| oldState | string | Yes | Previous state of the entity: ‘inService’, ‘maintenance’, ‘outOfService’ | ++----------------------------+--------------------------------+-------------+--------------------------------------------------------------------------------------------------------------------+ +| stateInterface | string | Yes | Card or port name of the entity that changed state | ++----------------------------+--------------------------------+-------------+--------------------------------------------------------------------------------------------------------------------+ + +A.6 EVENT RECORDS – Mobile Flow Fields +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Field | Type | Required? 
| Description | ++===============================================+=====================+=============+===================================================================================================================================================================================================================+ +| mobileFlowFieldsVersion | number | No | Version of the mobileFlowFields block (currently: 1.2) | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| additionalFields | field | No | Additional mobileFlow fields if needed Similar to adddiotnalFileds in fault domain | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| applicationType | string | No | Application type inferred | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| appProtocolType | string | No | Application protocol | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| appProtocolVersion | string | No | Application version | 
++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| cid | string | No | Cell Id | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| connectionType | string | No | Abbreviation referencing a 3GPP reference point e.g., S1-U, S11, etc | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| ecgi | string | No | Evolved Cell Global Id | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| flowDirection | string | Yes | Flow direction, indicating if the reporting node is the source of the flow or destination for the flow | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| gtpPerFlowMetrics | object | Yes | Mobility GTP Protocol per flow metrics (see below) | 
++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| gtpProtocolType | string | No | GTP protocol | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| gtpVersion | string | No | GTP protocol version | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| httpHeader | string | No | HTTP request header, if the flow connects to a node referenced by HTTP | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Imei | string | No | IMEI for the subscriber UE used in this flow, if the flow connects to a mobile device | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Imsi | string | No | IMSI for the subscriber UE used in this flow, if the flow connects to a mobile device | 
++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| ipProtocolType | string | Yes | IP protocol type e.g., TCP, UDP, RTP... | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| ipVersion | string | Yes | IP protocol version e.g., IPv4, IPv6 | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Lac | string | No | Location area code | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Mcc | string | No | Mobile country code | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Mnc | string | No | Mobile network code | 
++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| msisdn | string | No | MSISDN for the subscriber UE used in this flow, as an integer, if the flow connects to a mobile device | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| otherEndpointIpAddress | string | Yes | IP address for the other endpoint, as used for the flow being reported on | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| otherEndpointPort | string | Yes | IP Port for the reporting entity, as used for the flow being reported on | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| otherFunctionalRole | string | No | Functional role of the other endpoint for the flow being reported on e.g., MME, S-GW, P-GW, PCRF... 
| ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Rac | string | No | Routing area code | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| radioAccessTechnology | string | No | Radio Access Technology e.g., 2G, 3G, LTE | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| reportingEndpointIpAddr | string | Yes | IP address for the reporting entity, as used for the flow being reported on | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| reportingEndpointPort | string | Yes | IP port for the reporting entity, as used for the flow being reported on | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Sac | string | No | Service area code | 
++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| samplingAlgorithm | string | No | Integer identifier for the sampling algorithm or rule being applied in calculating the flow metrics if metrics are calculated based on a sample of packets, or 0 if no sampling is applied | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Tac | string | No | Transport area code | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| tunnelId | string | No | Tunnel identifier | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| vlanId | string | No | VLAN identifier used by this flow | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| gtpPerFlowMetrics Object (referenced above) | | 
++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| avgBitErrorRate | number | Yes | Average bit error rate | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| avgPacketDelayVariation | number | Yes | Average packet delay variation or jitter in milliseconds for received packets: Average difference between the packet timestamp and time received for all pairs of consecutive packets | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| avgPacketLatency | number | Yes | Average delivery latency | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| avgReceiveThroughput | number | Yes | Average receive throughput | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| avgTransmitThroughput | number | Yes | Average transmit throughput | 
++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| durConnectionFailedStatus | number | No | Duration of failed state in milliseconds, computed as the cumulative time between a failed echo request and the next following successful error request, over this reporting interval | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| durTunnelFailedStatus | number | No | Duration of errored state, computed as the cumulative time between a tunnel error indicator and the next following non-errored indicator, over this reporting interval | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| flowActivatedBy | string | No | Endpoint activating the flow | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| flowActivationEpoch | number | Yes | Time the connection is activated in the flow (connection) being reported on, or transmission time of the first packet if activation time is not available | 
++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| flowActivationMicrosec | number | Yes | Integer microseconds for the start of the flow connection | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| flowActivationTime | datetime | No | Time the connection is activated in the flow being reported on, or transmission time of the first packet if activation time is not available; with RFC 2822 compliant format: ‘Sat, 13 Mar 2010 11:29:05 -0800’ | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| flowDeactivatedBy | string | No | Endpoint deactivating the flow | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| flowDeactivationEpoch | number | Yes | Time for the start of the flow connection, in integer UTC epoch time aka UNIX time | 
++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| flowDeactivationMicrosec | number | Yes | Integer microseconds for the start of the flow connection | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| flowDeactivationTime | datetime | Yes | Transmission time of the first packet in the flow connection being reported on; with RFC 2822 compliant format: ‘Sat, 13 Mar 2010 11:29:05 -0800’ | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| flowStatus | string | Yes | Connection status at reporting time as a working / inactive / failed indicator value | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| gtpConnectionStatus | string | No | Current connection state at reporting time | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 
gtpTunnelStatus | string | No | Current tunnel state at reporting time | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| ipTosCountList | associative array | No | Array of key: value pairs where the keys are drawn from the IP Type-of-Service identifiers which range from '0' to '255', and the values are the count of packets that had those ToS identifiers in the flow | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| ipTosList | string | No | Array of unique IP Type-of-Service values observed in the flow where values range from '0' to '255' | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| largePacketRtt | number | No | large packet round trip time | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| largePacketThreshold | number | No | large packet threshold being applied | 
++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| maxPacketDelayVariation | number | Yes | Maximum packet delay variation or jitter in milliseconds for received packets: Maximum of the difference between the packet timestamp and time received for all pairs of consecutive packets | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| maxReceiveBitRate | number | No | maximum receive bit rate" | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| maxTransmitBitRate | number | No | maximum transmit bit rate | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| mobileQciCosCountList | associative array | No | array of key: value pairs where the keys are drawn from LTE QCI or UMTS class of service strings, and the values are the count of packets that had those strings in the flow | 
++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| mobileQciCosList | string | No | Array of unique LTE QCI or UMTS class-of-service values observed in the flow | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| numActivationFailures | number | Yes | Number of failed activation requests, as observed by the reporting node | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| numBitErrors | number | Yes | number of errored bits | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| numBytesReceived | number | Yes | number of bytes received, including retransmissions | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| numBytesTransmitted | number | Yes | number of bytes transmitted, including retransmissions | 
++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| numDroppedPackets | number | Yes | number of received packets dropped due to errors per virtual interface | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| numGtpEchoFailures | number | No | Number of Echo request path failures where failed paths are defined in 3GPP TS 29.281 sec 7.2.1 and 3GPP TS 29.060 sec. 11.2 | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| numGtpTunnelErrors | number | No | Number of tunnel error indications where errors are defined in 3GPP TS 29.281 sec 7.3.1 and 3GPP TS 29.060 sec. 
11.1 | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| numHttpErrors | number | No | Http error count | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| numL7BytesReceived | number | Yes | number of tunneled layer 7 bytes received, including retransmissions | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| numL7BytesTransmitted | number | Yes | number of tunneled layer 7 bytes transmitted, excluding retransmissions | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| numLostPackets | number | Yes | number of lost packets | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| numOutOfOrderPackets | number | Yes | number of out-of-order packets | 
++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| numPacketErrors | number | Yes | number of errored packets | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| numPacketsReceivedExclRetrans | number | Yes | number of packets received, excluding retransmission | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| numPacketsReceivedInclRetrans | number | Yes | number of packets received, including retransmission | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| numPacketsTransmittedInclRetrans | number | Yes | number of packets transmitted, including retransmissions | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| numRetries | number | Yes | number of packet retries | 
++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| numTimeouts | number | Yes | number of packet timeouts | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| numTunneledL7BytesReceived | number | Yes | number of tunneled layer 7 bytes received, excluding retransmissions | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| roundTripTime | number | Yes | Round Trip time | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| tcpFlagCountList | associative array | No | Array of key: value pairs where the keys are drawn from TCP Flags and the values are the count of packets that had that TCP Flag in the flow | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| tcpFlagList | string | No | Array of unique TCP Flags observed in the flow | 
++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| timeToFirstByte | number | Yes | Time in milliseconds between the connection activation and first byte received | ++-----------------------------------------------+---------------------+-------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +**Copyright 2017 AT&T Intellectual Property. All Rights Reserved.** + +This paper is licensed to you under the Creative Commons License: + +**Creative Commons Attribution-ShareAlike 4.0 International Public +License** + +You may obtain a copy of the License at: + +https://creativecommons.org/licenses/by-sa/4.0/legalcode + +**You are free to:** + +- Share — copy and redistribute the material in any medium or format + +- Adapt — remix, transform, and build upon the material for any + purpose, even commercially. + +- The licensor cannot revoke these freedoms as long as you follow the + license terms. + +**Under the following terms:** + +- Attribution — You must give appropriate credit, provide a link to the + license, and indicate if changes were made. You may do so in any + reasonable manner, but **not** in any way that suggests the + licensor endorses you or your use. + +- ShareAlike — If you remix, transform, or build upon the material, you + must distribute your contributions under the same license as the + original. + +- No additional restrictions — You may not apply legal terms or + technological measures that legally restrict others from doing + anything the license permits. 
+
+**Notices:**
+
+- You do not have to comply with the license for elements of the
+ material in the public domain or where your use is permitted by an
+ applicable exception or limitation.
+
+- No warranties are given. The license may not give you all of the
+ permissions necessary for your intended use. For example, other
+ rights such as publicity, privacy, or moral rights may limit how you
+ use the material.
+
+.. [1]
+ ECOMP (Enhanced Control Orchestration, Management & Policy)
+ Architecture White Paper
+ (http://about.att.com/content/dam/snrdocs/ecomp.pdf)
+
+.. [2]
+ https://github.com/mbj4668/pyang
+
+.. [3]
+ This option is not currently supported in OpenECOMP and it is
+ currently under consideration.
+
+.. [4]
+ https://wiki.opnfv.org/display/PROJ/VNF+Event+Stream
diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Management_Requirements_for_OpenEcomp/index.rst b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Management_Requirements_for_OpenEcomp/index.rst
new file mode 100644
index 0000000..c6fc1cd
--- /dev/null
+++ b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/VNF_Management_Requirements_for_OpenEcomp/index.rst
@@ -0,0 +1,7 @@
+VNF Mgmt Requirements for OpenEcomp
+--------------------------------------
+
+.. toctree::
+ :maxdepth: 2
+
+ VNF_Management_Requirements_for_OpenECOMP_2_6_2017
\ No newline at end of file
diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/index.rst b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/index.rst
new file mode 100644
index 0000000..562109e
--- /dev/null
+++ b/docs/all_vnfrqts_seed_docs/open_ecomp/inital_seed_ecomp/index.rst
@@ -0,0 +1,10 @@
+Inital Seed Documents for OpenECOMP
+------------------------------------
+
+.. toctree::
+ :maxdepth: 0
+
+ VNF_Cloud_Readiness_Requirements_for_OpenECOMP/index
+ VNF_Guidelines_for_Network_Cloud_and_OpenEcomp/index
+ VNF_Heat_Templates_for_OpenEcomp/index
+ VNF_Management_Requirements_for_OpenEcomp/index
\ No newline at end of file
diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Cloud_Readiness_Requirements_for_ONAP/VNF Cloud Readiness Requirements for ONAP 7-3-17.docx b/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Cloud_Readiness_Requirements_for_ONAP/VNF Cloud Readiness Requirements for ONAP 7-3-17.docx
new file mode 100644
index 0000000..76cdfb9
Binary files /dev/null and b/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Cloud_Readiness_Requirements_for_ONAP/VNF Cloud Readiness Requirements for ONAP 7-3-17.docx differ
diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Cloud_Readiness_Requirements_for_ONAP/VNF_Cloud_Readiness_Requirements_for_ONAP.rst b/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Cloud_Readiness_Requirements_for_ONAP/VNF_Cloud_Readiness_Requirements_for_ONAP.rst
new file mode 100644
index 0000000..e3cdd88
--- /dev/null
+++ b/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Cloud_Readiness_Requirements_for_ONAP/VNF_Cloud_Readiness_Requirements_for_ONAP.rst
@@ -0,0 +1,972 @@ +.. contents:: + :depth: 3 +.. + +**VNF Cloud Readiness Requirements for ONAP** + +**Revision 2017-2** + +**Revision Date 6/30/2017** + +**Document Revision History** + ++-------------+------------+-------------------------------------------------------------------------------------------------------------------------+ +| Date | Revision | Description | ++=============+============+=========================================================================================================================+ +| 2/1/2017 | 1.0 | Initial public release of VNF Cloud Readiness Requirements for ONAP | ++-------------+------------+-------------------------------------------------------------------------------------------------------------------------+ +| 3/31/2017 | 1.1 | Update to reflect change from OpenECOMP to ONAP | ++-------------+------------+-------------------------------------------------------------------------------------------------------------------------+ +| 6/30/2017 | 2017-2 | Additional operational requirements 50060 – 50110, minor edits to 30050, 32050, 36030, 44080, 44150, 50020, and 50040 | ++-------------+------------+-------------------------------------------------------------------------------------------------------------------------+ + +**Definitions** + +Throughout the document the terms have the following meaning: + +**MUST** This word, or the terms "REQUIRED" or "SHALL", mean that the +definition is an absolute requirement of the specification. + +**MUST** **NOT** This phrase, or the phrase "SHALL NOT", mean that the +definition is an absolute prohibition of the specification. + +**SHOULD** This word, or the adjective "RECOMMENDED", mean that there +may exist valid reasons in particular circumstances to ignore a +particular item, but the full implications must be understood and +carefully weighed before choosing a different course. 
+
+**SHOULD** **NOT** This phrase, or the phrase "NOT RECOMMENDED" mean
+that there may exist valid reasons in particular circumstances when the
+particular behavior is acceptable or even useful, but the full
+implications should be understood and the case carefully weighed before
+implementing any behavior described with this label.
+
+**MAY** This word, or the adjective "OPTIONAL", mean that an item is
+truly optional. One vendor may choose to include the item because a
+particular marketplace requires it or because the vendor feels that it
+enhances the product while another vendor may omit the same item. An
+implementation which does not include a particular option MUST be
+prepared to interoperate with another implementation which does include
+the option, though perhaps with reduced functionality. In the same vein
+an implementation which does include a particular option MUST be
+prepared to interoperate with another implementation which does not
+include the option (except, of course, for the feature the option
+provides.)
+
+Introduction
+============
+
+This document is part of a hierarchy of documents that describes the
+overall Requirements and Guidelines for ONAP. The diagram below
+identifies where this document fits in the hierarchy.
+ ++---------------------------------------------+----------------------------------------+-------------------------------------------+------------------------------+---------------------------------+ +| ONAP Requirements and Guidelines | ++=============================================+========================================+===========================================+==============================+=================================+ +| VNF Guidelines for Network Cloud and ONAP | Future ONAP Subject Documents | ++---------------------------------------------+----------------------------------------+-------------------------------------------+------------------------------+---------------------------------+ +| VNF Cloud Readiness Requirements for ONAP | VNF Management Requirements for ONAP | VNF Heat Template Requirements for ONAP | Future | Future Requirements Documents | +| | | | VNF Requirements Documents | | ++---------------------------------------------+----------------------------------------+-------------------------------------------+------------------------------+---------------------------------+ + +Document summary: + +*VNF Guidelines for Network Cloud and ONAP* + +- Describes VNF environment and overview of requirements + +**VNF Cloud Readiness Requirements for ONAP** + +- Cloud readiness requirements for VNFs (Design, Resiliency, Security, + and DevOps) + +*VNF Management Requirements for ONAP* + +- Requirements for how VNFs interact and utilize ONAP + +*VNF Heat Template Requirements for ONAP* + +- Provides recommendations and standards for building Heat templates + compatible with ONAP– initial implementations of Network Cloud are + assumed to be OpenStack based. + +Feedback on or questions about the content of this document may be sent +to the following email address: +`VNFGuidelines@list.att.com `__. 
+ +This reference document lists the requirements that are the supporting +details for the Virtual Network Function (VNF) characteristics outlined +in the *VNF Guidelines for Network Cloud and ONAP*. These requirements +are grouped into the following categories: VNF Design, Resiliency, +Security, and DevOps. Specific requirements for ONAP can be found in the +*VNF Management Requirements for ONAP* reference document. + +This section outlines the guidelines for VNFs to be compliant with +running on a multi-tenant, Network Cloud infrastructure. VNFs must be +virtualized, software-based, execute in a multi-tenant cloud, and be +de-coupled from the cloud hardware. To achieve interoperability between +VNFs, open and standard interfaces and APIs must be used. The set of +reusable VNFs forms the basis of a VNF catalog that is made available to +service designers to compose new (service chained) services that can +include service-specific custom parameters and QoS policies. Use of open +source technologies to leverage industry innovation is important in the +design of virtualized services. Equally important is the re-use of +common technologies (e.g., virtualized load balancers, firewalls, etc.) +that are provided by the platform. + +VNF Design +========== + +Services are composed of VNFs and common components and are designed to +be agnostic of the location to leverage capacity where it exists in the +Network Cloud. VNFs can be instantiated in any location that meets the +performance and latency requirements of the service. + +A key design principle for virtualizing services is decomposition of +network functions using NFV concepts into granular VNFs. This enables +instantiating and customizing only essential functions as needed for the +service, thereby making service delivery more nimble. It provides +flexibility of sizing and scaling and also provides flexibility with +packaging and deploying VNFs as needed for the service. 
It enables +grouping functions in a common cloud data center to minimize +inter-component latency. The VNFs should be designed with a goal of +being modular and reusable to enable using best-in-breed vendors + +Section 4.1.1 in *VNF Guidelines for Network Cloud and ONAP* describes +the overall guidelines for designing VNFs from VNF Components (VNFCs). +Below are more detailed requirements for composing VNFs. + ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| VNF Design Requirements | Type | ID # | ++================================================================================================================================================================================================================================+==========+=========+ +| Decompose VNFs into granular re-usable VNFCs | Should | 20010 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Decompose if the functions have significantly different scaling characteristics (e.g., signaling versus media functions, control versus data plane functions). | Must | 20020 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Decomposition of the VNF must enable instantiating only the functionality that is needed for the VNF (e.g., if transcoding is not needed it should not be instantiated). 
| Must | 20030 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Design VNFC as a standalone, executable process. | Must | 20040 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Create a single component VNF for VNFCs that can be used by other VNFs. | Should | 20050 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Design to scale horizontally (more instances of a VNF or VNFC) and not vertically (moving the existing instances to larger VMs or increasing the resources within a VM) to achieve effective utilization of cloud resources. | Must | 20060 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Utilize cloud provided infrastructure and VNFs (e.g., virtualized Local Load Balancer) as part of the VNF so that the cloud can manage and provide a consistent service resiliency and methods across all VNF's. 
| Must | 20070 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| VNFCs should be independently deployed, configured, upgraded, scaled, monitored, and administered by ONAP. | Should | 20080 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide API versioning to allow for independent upgrades of VNFC. | Must | 20090 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Minimize the use of state within a VNFC to facilitate the movement of traffic from one instance to another. | Should | 20100 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Maintain state in a geographically redundant datastore that may, in fact, be its own VNFC. | Should | 20110 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Decouple persistent data from the VNFC and keep it in its own datastore that can be reached by all instances of the VNFC requiring the data. 
| Should | 20120 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Utilize virtualized, scalable open source database software that can meet the performance/latency requirements of the service for all datastores. | Must | 20130 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Failure of a VNFC instance must not terminate stable sessions. | Must | 20140 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Enable DPDK in the guest OS for VNF’s requiring high packets/sec performance. High packet throughput is defined as greater than 500K packets/sec. | Must | 20150 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| When using DPDK, use the NCSP’s supported library and compute flavor that supports DPDK to optimize network efficiency. [1]_ | Must | 20160 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Do not use technologies that bypass virtualization layers (such as SR-IOV) unless approved by the NCSP (e.g., if necessary to meet functional or performance requirements). 
| Must | 20170 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Limit the size of application data packets to no larger than 9000 bytes for SDN network-based tunneling when guest data packets are transported between tunnel endpoints that support guest logical networks. | Must | 20180 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Do not require the use of a dynamic routing protocol unless necessary to meet functional requirements. | Must | 20190 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ + +Resiliency +========== + +The VNF is responsible for meeting its resiliency goals and must factor +in expected availability of the targeted virtualization environment. +This is likely to be much lower than found in a traditional data center. +Resiliency is defined as the ability of the VNF to respond to error +conditions and continue to provide the service intended. A number of +software resiliency dimensions have been identified as areas that should +be addressed to increase resiliency. As VNFs are deployed into the +Network Cloud, resiliency must be designed into the VNF software to +provide high availability versus relying on the Network Cloud to achieve +that end. + +Section 4.1.2 in *VNF Guidelines for Network Cloud and ONAP* describes +the overall guidelines for designing VNFs to meet resiliency goals. +Below are more detailed resiliency requirements for VNFs. 
+ +All Layer Redundancy +-------------------- + +Design the VNF to be resilient to the failures of the underlying +virtualized infrastructure (Network Cloud). VNF design considerations +would include techniques such as multiple vLANs, multiple local and +geographic instances, multiple local and geographic data replication, +and virtualized services such as Load Balancers. + ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| All Layer Redundancy Requirements | Type | ID # | ++=======================================================================================================================================================================================================================================================================================================+========+=========+ +| VNFs are responsible to meet their own resiliency goals and not rely on the Network Cloud. | Must | 30010 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Design resiliency into a VNF such that the resiliency deployment model (e.g., active-active) can be chosen at run-time. 
| Must | 30020 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| VNFs must survive any single points of failure within the Network Cloud (e.g., virtual NIC, VM, disk failure). | Must | 30030 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| VNFs must survive any single points of software failure internal to the VNF (e.g., in memory structures, JMS message queues). | Must | 30040 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Design, build and package VNFs to enable deployment across multiple fault zones (e.g., VNFCs deployed in different servers, racks, OpenStack regions, geographies) so that in the event of a planned/unplanned downtime of a fault zone, the overall operation/throughput of the VNF is maintained. 
| Must | 30050 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Support the ability to failover a VNFC automatically to other geographically redundant sites if not deployed active-active to increase the overall resiliency of the VNF. | Must | 30060 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Support the ability of the VNFC to be deployable in multi-zoned cloud sites to allow for site support in the event of cloud zone failure or upgrades. | Must | 30070 | ++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ + +Minimize Cross Data-Center Traffic +---------------------------------- + +Avoid performance-sapping data center-to-data center replication delay +by applying techniques such as caching and persistent transaction paths +- Eliminate replication delay impact between data centers by using a +concept of stickiness (i.e., once a client is routed to data center "A", +the client will stay with Data center “A” until the entire session is +completed). 
+ ++------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Minimize Cross Data-Center Traffic Requirements | Type | ID # | ++==================================================================================================================+==========+=========+ +| Minimize the propagation of state information across multiple data centers to avoid cross data center traffic. | Should | 31010 | ++------------------------------------------------------------------------------------------------------------------+----------+---------+ + +Application Resilient Error Handling +------------------------------------ + +Ensure an application communicating with a downstream peer is equipped +to intelligently handle all error conditions. Make sure code can handle +exceptions seamlessly - implement smart retry logic and implement +multi-point entry (multiple data centers) for back-end system +applications. + ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Application Resilient Error Handling Requirements | Type | ID # | ++==============================================================================================================================================================================================================================================================================================================================+========+=========+ +| Detect connectivity failure for inter VNFC instance and intra/inter VNF and re-establish connectivity automatically to maintain the VNF without manual intervention to provide service continuity. 
| Must | 32010 |
++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
+| Handle the restart of a single VNFC instance without requiring all VNFC instances to be restarted. | Must | 32020 |
++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
+| Handle the start or restart of VNFC instances in any order with each VNFC instance establishing or re-establishing required connections or relationships with other VNFC instances and/or VNFs required to perform the VNF function/role without requiring VNFC instance(s) to be started/restarted in a particular order. | Must | 32030 |
++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
+| Handle errors and exceptions so that they do not interrupt processing of incoming VNF requests to maintain service continuity.
| Must | 32040 |
++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
+| Provide the ability to modify the number of retries, the time between retries and the behavior/action taken after the retries have been exhausted for exception handling to allow the NCSP to control that behavior. | Must | 32050 |
++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
+| Fully exploit exception handling to the extent that resources (e.g., threads and memory) are released when no longer needed regardless of programming language. | Must | 32060 |
++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
+| Handle replication race conditions both locally and geo-located in the event of a data base instance failure to maintain service continuity.
| Must | 32070 |
++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
+| Automatically retry/resubmit failed requests made by the software to its downstream system to increase the success rate. | Must | 32080 |
++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
+
+System Resource Optimization
+----------------------------
+
+Ensure an application is using appropriate system resources for the task
+at hand; for example, do not use network or IO operations inside
+critical sections, which could end up blocking other threads or
+processes or eating memory if they are unable to complete. Critical
+sections should only contain memory operation, and should not contain
+any network or IO operation.
+
++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| System Resource Optimization Requirements | Type | ID # |
++=================================================================================================================================================================================================================================================+==========+=========+
+| Do not execute long running tasks (e.g., IO, database, network operations, service calls) in a critical section of code, so as to minimize blocking of other operations and increase concurrent throughput. | Must | 33010 |
++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| Automatically advertise newly scaled components so there is no manual intervention required. | Must | 33020 |
++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| Utilize FQDNs (and not IP address) for both Service Chaining and scaling. | Must | 33030 |
++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| Deliver any and all functionality from any VNFC in the pool. The VNFC pool member should be transparent to the client.
Upstream and downstream clients should only recognize the function being performed, not the member performing it. | Must | 33040 |
++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| Automatically enable/disable added/removed sub-components or component so there is no manual intervention required. | Should | 33050 |
++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| Support the ability to scale down a VNFC pool without jeopardizing active sessions. Ideally, an active session should not be tied to any particular VNFC instance. | Should | 33060 |
++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| Support load balancing and discovery mechanisms in resource pools containing VNFC instances. | Should | 33070 |
++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| Utilize resource pooling (threads, connections, etc.) within the VNF application so that resources are not being created and destroyed resulting in resource management overhead.
| Should | 33080 |
++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| Use techniques such as “lazy loading” when initialization includes loading catalogues and/or lists which can grow over time, so that the VNF startup time does not grow at a rate proportional to that of the list. | Should | 33090 |
++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| Release and clear all shared assets (memory, database operations, connections, locks, etc.) as soon as possible, especially before long running sync and asynchronous operations, so as to not prevent use of these assets by other entities. | Should | 33100 |
++-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+
+Application Configuration Management
+------------------------------------
+
+Leverage configuration management audit capability to drive conformity
+to develop gold configurations for technologies like Java, Python, etc.
+
++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
+| Application Configuration Management Requirements | Type | ID # |
++===================================================================================================================================================================================+========+=========+
+| Allow configurations and configuration parameters to be managed under version control to ensure consistent configuration deployment, traceability and rollback. | Must | 34010 |
++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
+| Allow configurations and configuration parameters to be managed under version control to ensure the ability to rollback to a known valid configuration. | Must | 34020 |
++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
+| Allow changes of configuration parameters to be consumed by the VNF without requiring the VNF or its sub-components to be bounced so that the VNF availability is not effected.
| Must | 34030 |
++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
+
+Intelligent Transaction Distribution & Management
+-------------------------------------------------
+
+Leverage Intelligent Load Balancing and redundant components (hardware
+and modules) for all transactions, such that at any point in the
+transaction: front end, middleware, back end -- a failure in any one
+component does not result in a failure of the application or system;
+i.e., transactions will continue to flow, albeit at a possibly reduced
+capacity until the failed component restores itself. Create redundancy
+in all layers (software and hardware) at local and remote data centers;
+minimizing interdependencies of components (i.e. data replication,
+deploying non-related elements in the same container).
+
++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| Intelligent Transaction Distribution & Management Requirements | Type | ID # |
++==================================================================================================================================================================================================================================+==========+=========+
+| Use intelligent routing by having knowledge of multiple downstream/upstream endpoints that are exposed to it, to ensure there is no dependency on external services (such as load balancers) to switch to alternate endpoints.
| Should | 35010 |
++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| Use redundant connection pooling to connect to any backend data source that can be switched between pools in an automated/scripted fashion to ensure high availability of the connection to the data source. | Should | 35020 |
++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| Include control loop mechanisms to notify the consumer of the VNF of their exceeding SLA thresholds so the consumer is able to control its load against the VNF. | Should | 35030 |
++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+
+Deployment Optimization
+-----------------------
+
+Reduce opportunity for failure, by human or by machine, through smarter
+deployment practices and automation. This can include rolling code
+deployments, additional testing strategies, and smarter deployment
+automation (remove the human from the mix).
+
++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| Deployment Optimization Requirements | Type | ID # |
++=====================================================================================================================================================================================================================================================+==========+=========+
+| Support at least two major versions of the VNF software and/or sub-components to co-exist within production environments at any time so that upgrades can be applied across multiple systems in a staggered manner. | Must | 36010 |
++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| Support the existence of multiple major/minor versions of the VNF software and/or sub-components and interfaces that support both forward and backward compatibility to be transparent to the Service Provider usage. | Must | 36020 |
++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| Support hitless staggered/rolling deployments between its redundant instances to allow "soak-time/burn in/slow roll" which can enable the support of low traffic loads to validate the deployment prior to supporting full traffic loads.
| Must | 36030 |
++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| Support the ability of a requestor of the service to determine the version (and therefore capabilities) of the service so that Network Cloud Service Provider can understand the capabilities of the service. | Must | 36040 |
++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| Test for adherence to the defined performance budgets at each layer, during each delivery cycle with delivered results, so that the performance budget is measured and the code is adjusted to meet performance budget. | Must | 36050 |
++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| Test for adherence to the defined performance budget at each layer, during each delivery cycle so that the performance budget is measured and feedback is provided where the performance budget is not met.
| Must | 36060 |
++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| Test for adherence to the defined resiliency rating recommendation at each layer, during each delivery cycle with delivered results, so that the resiliency rating is measured and the code is adjusted to meet software resiliency requirements. | Should | 36070 |
++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| Test for adherence to the defined resiliency rating recommendation at each layer, during each delivery cycle so that the resiliency rating is measured and feedback is provided where software resiliency requirements are not met. | Should | 36080 |
++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+
+Monitoring & Dashboard
+----------------------
+
+Promote dashboarding as a tool to monitor and support the general
+operational health of a system. It is critical to the support of the
+implementation of many resiliency patterns essential to the maintenance
+of the system. It can help identify unusual conditions that might
+indicate failure or the potential for failure. This would contribute to
+improve Mean Time to Identify (MTTI), Mean Time to Repair (MTTR), and
+post-incident diagnostics.
+
++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| Monitoring & Dashboard Requirements | Type | ID # |
++================================================================================================================================================================================================================================================+==========+=========+
+| Provide a method of metrics gathering for each layer's performance to identify/document variances in the allocations so they can be addressed. | Must | 37010 |
++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| Provide unique traceability of a transaction through its life cycle to ensure quick and efficient troubleshooting. | Must | 37020 |
++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| Provide a method of metrics gathering and analysis to evaluate the resiliency of the software from both a granular as well as a holistic standpoint. This includes, but is not limited to thread utilization, errors, timeouts, and retries.
| Must | 37030 |
++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| Provide operational instrumentation such as logging, so as to facilitate quick resolution of issues with the VNF to provide service continuity. | Must | 37040 |
++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| Monitor for and alert on (both sender and receiver) errant, running longer than expected and missing file transfers, so as to minimize the impact due to file transfer errors. | Must | 37050 |
++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| Use an appropriately configured logging level that can be changed dynamically, so as to not cause performance degradation of the VNF due to excessive logging. | Should | 37060 |
++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| Utilize Cloud health checks, when available from the Network Cloud, from inside the application through APIs to check the network connectivity, dropped packets rate, injection, and auto failover to alternate sites if needed.
| Should | 37070 |
++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+| Conduct a resiliency impact assessment for all inter/intra-connectivity points in the VNF to provide an overall resiliency rating for the VNF to be incorporated into the software design and development of the VNF. | Must | 37080 |
++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
+
+Security
+========
+
+The objective of this section is to provide the key security
+requirements that need to be met by VNFs. The security requirements are
+grouped into five areas as listed below. Other security areas will be
+addressed in future updates. These security requirements are applicable
+to all VNFs. Additional security requirements for specific types of VNFs
+will be applicable and are outside the scope of these general
+requirements.
+
+Section 4.1.3 in *VNF Guidelines for Network Cloud and ONAP* outlines
+the five broad security areas for VNFs that are detailed in the
+following sections:
+
+- **VNF General Security**: This section addresses general security
+ requirements for the VNFs that the vendors will need to address.
+
+- **VNF Identity and Access Management**: This section addresses
+ security requirements with respect to Identity and Access Management
+ as these pertain to generic VNFs.
+
+- **VNF API Security**: This section addresses the generic security
+ requirements associated with APIs. These requirements are applicable
+ to those VNFs that use standard APIs for communication and data
+ exchange.
+ +- **VNF Security Analytics**: This section addresses the security + requirements associated with analytics for VNFs that deal with + monitoring, data collection and analysis. + +- **VNF Data Protection**: This section addresses the security + requirements associated with data protection. + +VNF General Security Requirements +--------------------------------- + +This section provides details on the VNF general security requirements +on various security areas such as user access control, network security, +ACLs, infrastructure security, and vulnerability management. These +requirements cover topics associated with compliance, security patching, +logging/accounting, authentication, encryption, role-based access +control, least privilege access/authorization. The following security +requirements need to be met by the solution in a virtual environment: + ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| General Security Requirements | Type | ID # | ++=================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+========================================================================================================================================================================================================================================================================================================================================================================================================================================+=========+=========+ +| Integration and operation within a robust security environment is necessary and expected. 
The security architecture will include one or more of the following: IDAM (Identity and Access Management) for all system and applications access, Code scanning, network vulnerability scans, OS, Database and application patching, malware detection and cleaning, DDOS prevention, network security gateways (internal and external) operating at various layers, host and application based tools for security compliance validation, aggressive security patch application, tightly controlled software distribution and change control processes and other state of the art security solutions. The VNF is expected to function reliably within such an environment and the developer is expected to understand and accommodate such controls and can expected to supply responsive interoperability support and testing throughout the product’s lifecycle. | Informational | 40010 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| The VNF must accommodate the security principle of “least privilege” during development, implementation and operation. The importance of “least privilege” cannot be overstated and must be observed in all aspects of VNF development and not limited to security. This is applicable to all sections of this document. | Must | 40020 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Implement access control list for OA&M 
services (e.g., restricting access to certain ports or applications). | Must | 40030 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Implement Data Storage Encryption (database/disk encryption) for Sensitive Personal Information (SPI) and other subscriber identifiable data. Note: subscriber’s SPI/data must be encrypted at rest, and other subscriber identifiable data should be encrypted at rest. Other data protection requirements exist and should be well understood by the developer. 
| Must | 40040 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Implement a mechanism for automated and frequent "system configuration (automated provisioning / closed loop)" auditing. 
| Should | 40050 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Use both network scanning and application scanning security tools on all code, including underlying OS and related configuration. Scan reports shall be provided. Remediation roadmaps shall be made available for any findings. 
| Should | 40060 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Perform source code to scanning tools (e.g., Fortify) and provide reports. 
| Should | 40070 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Production code shall be distributed from NCSP internal sources only. No production code, libraries, OS images, etc. shall be distributed from publically accessible depots. 
| Must | 40080 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Provide all code/configuration files in a “Locked down” or hardened state or with documented recommendations for such hardening. All unnecessary services will be disabled. Vendor default credentials, community strings and other such artifacts will be removed or disclosed so that they can be modified or removed during provisioning. 
| Must | 40090 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Support L3 VPNs that enable segregation of traffic by application (dropping packets not belonging to the VPN) (i.e., AVPN, IPSec VPN for Internet routes). 
| Should | 40100 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Interoperate with various access control mechanisms for the Network Cloud execution environment (e.g., Hypervisors, containers). 
| Should | 40110 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| VNF should support the use of virtual trusted platform module, hypervisor security testing and standards scanning tools. 
| Should | 40120 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Interoperate with the ONAP (SDN) Controller so that it can dynamically modify the firewall rules, ACL rules, QoS rules, virtual routing and forwarding rules. 
| Must | 40130 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Support the ability to work with aliases (e.g., gateways, proxies) to protect and encapsulate resources. 
| Should | 40140 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| All access to applications (Bearer, signaling and OA&M) will pass through various security tools and platforms from ACLs, stateful firewalls and application layer gateways depending on manner of deployment. The application is expected to function (and in some cases, interwork) with these security tools. 
| Must | 40150 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Patch vulnerabilities in VNFs as soon as possible. Patching shall be controlled via change control process with vulnerabilities disclosed along with mitigation recommendations. 
| Must | 40160 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Identification, authentication and access control of **customer** or **VNF application users** must be performed by utilizing the NCSP’s IDAM API. 
| Must | 40170 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| Identification, authentication and access control of **OA&M** and other system level functions must use the NCSP’s IDAM API or comply with the following is expected. 
| Must | 40180 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Support User-IDs and passwords to uniquely identify the user/application. VNF needs to have appropriate connectors to the Identity, Authentication and Authorization systems that enables access at OS, Database and Application levels as appropriate. 
| Must | 40190 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Provide the ability to support Multi-Factor Authentication (e.g., 1st factor = Software token on device (RSA SecureID); 2nd factor = User Name+Password, etc.) for the users. 
| Must | 40200 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Support Role-Based Access Control to permit/limit the user/application to performing specific activities. 
| Must | 40210 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Support logging via ONAP for a historical view of “who did what and when”. 
| Must | 40220 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Encrypt OA&M access (e.g., SSH, SFTP). 
| Must | 40230 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Enforce a configurable maximum number of Login attempts policy for the users. VNF vendor must comply with "terminate idle sessions" policy. Interactive sessions must be terminated, or a secure, locking screensaver must be activated requiring authentication, after a configurable period of inactivity. The system-based inactivity timeout for the enterprise identity and access management system must also be configurable. 
| Must | 40240 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Comply with the NCSP’s credential management policy. 
| Must | 40250 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Password expiration must be required at regular configurable intervals. 
| Must | 40260 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Comply with "password complexity" policy. When passwords are used, they shall be complex and shall at least meet the following password construction requirements: | Must | 40270 | +| | | | | +| | - Be a minimum configurable number of characters in length. | | | +| | | | | +| | - Include 3 of the 4 following types of characters: upper-case alphabetic, lower-case alphabetic, numeric, and special. | | | +| | | | | +| | - Not be the same as the UserID with which they are associated or other common strings as specified by the environment. 
| | | +| | | | | +| | - Not contain repeating or sequential characters or numbers. | | | +| | | | | +| | - Not to use special characters that may have command functions. | | | +| | | | | +| | - New passwords must not contain sequences of three (3) or more characters from the previous password. | | | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Comply with "password changes (includes default passwords)" policy. Products will support password aging, syntax and other credential management practices on a configurable basis. 
| Must | 40280 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Support use of common third party authentication and authorization tools such as TACACS+, RADIUS. 
| Must | 40290 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Comply with "No Self-Signed Certificates" policy. Self-signed certificates must be used for encryption only, using specified and approved encryption protocols such as LS 1.1 or higher or equivalent security protocols such as IPSec, AES. 
| Must | 40300 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ +| | Authenticate system to system communications where one system accesses the resources of another system, and must never conceal individual accountability. 
| Must | 40310 | ++-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+ + +VNF Identity and Access Management Requirements +----------------------------------------------- + +The following security requirements for logging, identity, and access +management need to be met by the solution in a virtual environment: + 
++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Identity and Access Management Requirements | Type | ID # | ++================================================================================================================================================================================================================================================================================================================================================================================================+==========+=========+ +| Access to VNFs will be required at several layers. Hence, VNF vendor needs to be able to host connectors for access to the following layers: | | | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Application | Must | 41010 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. 
OS (Operating System) | Must | 41020 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Database | Must | 41030 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Manage access to VNF, its OS, or Database by an enterprise access request process. | Must | 41040 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Comply with the following when persons or non-person entities access VNFs: | | | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. 
Individual Accountability (each person must be assigned a unique ID) | Must | 41050 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Least Privilege (no more privilege than required to perform job functions) | Must | 41060 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. 
Segregation of Duties (access to a single layer and no developer may access production without special oversight) | Must | 41070 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Vendors will not be allowed to access VNFs remotely, e.g., VPN | Must | 41080 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Vendors accessing VNFs through a client application API must be authorized by the client application owner and the resource owner of the VNF before provisioning authorization through Role Based Access Control (RBAC), Attribute Based Access Control (ABAC), or other policy based mechanism. | Must | 41090 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Vendor VNF access will be subject to privilege reconciliation tools to prevent access creep and ensure correct enforcement of access policies. 
| Must | 41100 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide or Support the Identity and Access Management (IDAM) based threat detection data for: | | | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. OWASP Top 10 | Must | 41110 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Password Attacks | Must | 41120 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. 
Phishing / SMishing | Must | 41130 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Malware (Key Logger) | Must | 41140 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Session Hijacking | Must | 41150 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. XSS / CSRF | Must | 41160 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. 
Replay | Must | 41170 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Man in the Middle (MITM) | Must | 41180 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Eavesdropping | Must | 41190 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide Context awareness data (device, location, time, etc.) and be able to integrate with threat detection system. 
| Must | 41200 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Where a VNF vendor requires the assumption of permissions, such as root or administrator, the vendor user must first log in under their individual user login ID then switch to the other higher level account; or where the individual user login is infeasible, must login with an account with admin privileges in a way that uniquely identifies the individual performing the function. | Must | 41210 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Authenticate system to system access and do not conceal a VNF vendor user’s individual accountability for transactions. 
| Must | 41220 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Warning Notices: A formal statement of resource intent, i.e., a warning notice, must be made visible upon initial access to a VNF vendor user who accesses private internal networks or Company computer resources, e.g., upon initial logon to an internal web site, system or application which requires authentication. | Must | 41230 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Use access controls for VNFs and their supporting computing systems at all times to restrict access to authorized personnel only, e.g., least privilege. These controls could include the use of system configuration or access control software. | Must | 41240 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Initial and default settings for new user accounts must provide minimum privileges only. 
| Must | 41250 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Default settings for user access to sensitive commands and data must be denied authorization. | Must | 41260 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Privileged users may be created conforming to approved request, workflow authorization, and authorization provisioning requirements. | Must | 41270 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Commands affecting network services, such as commands relating to VNFs, must have greater restrictions for access and execution, such as up to 3 factors of authentication and restricted authorization. 
| Must | 41280 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Encrypt TCP/IP--HTTPS (e.g., TLS v1.2) transmission of data on internal and external networks. | Must | 41290 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Unnecessary or vulnerable cgi-bin programs must be disabled. | Must | 41300 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| No public or unrestricted access to any data should be provided without the permission of the data owner. All data classification and access controls must be followed. 
| Must | 41310 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| When in production, vendors or developers must not do the following without authorization of the VNF system owner including: | | | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Install or use systems, tools or utilities capable of capturing or logging data that was not created by them or sent specifically to them; | Must | 41320 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. Run security testing tools and programs, e.g., password cracker, port scanners, hacking tools. 
| Must | 41330 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Authentication credentials must not be included in security audit logs, even if encrypted. | Must | 41340 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| The standard interface for a VNF should be REST APIs exposed to Client Applications for the implementation of OAuth 2.0 Authorization Code Grant and Client Credentials Grant. | Should | 41350 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Support hosting connectors for OS Level and Application Access. 
| Should | 41360 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Support SCEP (Simple Certificate Enrollment Protocol). | Should | 41370 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ + +VNF API Security Requirements +----------------------------- + +This section covers API security requirements when these are used by the +VNFs. Key security areas covered in API security are Access Control, +Authentication, Passwords, PKI Authentication Alarming, Anomaly +Detection, Lawful Intercept, Monitoring and Logging, Input Validation, +Cryptography, Business continuity, Biometric Authentication, +Identification, Confidentiality and Integrity, and Denial of Service. 
+ +The solution in a virtual environment needs to meet the following API +security requirements: + ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| API Requirements | Type | ID # | ++==========================================================================================================================================================================================================================================================================================================================+========+=========+ +| Provide a mechanism to restrict access based on the attributes of the VNF and the attributes of the subject. | Must | 42010 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Integrate with external authentication and authorization services (e.g., IDAM). 
| Must | 42020 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Use certificates issued from publicly recognized Certificate Authorities (CA) for the authentication process where PKI-based authentication is used | Must | 42030 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Validate the CA signature on the certificate, ensure that the date is within the validity period of the certificate, check the Certificate Revocation List (CRL), and recognize the identity represented by the certificate where PKI-based authentication is used. | Must | 42040 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Protect the confidentiality and integrity of data at rest and in transit from unauthorized access and modification. 
| Must | 42050 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Protect against all denial of service attacks, both volumetric and non-volumetric, or integrate with external denial of service protection tools | Must | 42060 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Implement at minimum the following input validation controls: | | | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Check the size (length) of all input. Do not permit an amount of input so great that it would cause the VNF to fail. Where the input may be a file, the VNF API must enforce a size limit. | Must | 42070 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Do not permit input that contains content or characters inappropriate to the input expected by the design. 
Inappropriate input, such as SQL insertions, may cause the system to execute undesirable and unauthorized transactions against the database or allow other inappropriate access to the internal network. | Must | 42080 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Validate that any input file has a correct and valid Multipurpose Internet Mail Extensions (MIME) type. Input files should be tested for spoofed MIME types. | Must | 42090 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Validate input at all layers implementing VNF APIs. 
| Must | 42100 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Comply with NIST standards and industry best practices for all implementations of cryptography | Must | 42110 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Implement all monitoring and logging as described in the Security Analytics section. | Must | 42120 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Restrict changing the criticality level of a system security alarm to administrator(s). | Must | 42130 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Monitor API invocation patterns to detect anomalous access patterns that may represent fraudulent access or other types of attacks, or integrate with tools that implement anomaly and abuse detection. 
| Must | 42140 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Support requests for information from law enforcement and government agencies. | Must | 42150 | ++--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ + +VNF Security Analytics Requirements +----------------------------------- + +This section covers VNF security analytics requirements that are mostly +applicable to security monitoring. The VNF Security Analytics cover the +collection and analysis of data following key areas of security +monitoring: + +- Anti-virus software + +- Logging + +- Data capture + +- Tasking + +- DPI + +- API based monitoring + +- Detection and notification + +- Resource exhaustion detection + +- Proactive and scalable monitoring + +- Mobility and guest VNF monitoring + +- Closed loop monitoring + +- Interfaces to management and orchestration + +- Malformed packet detections + +- Service chaining + +- Dynamic security control + +- Dynamic load balancing + +- Connection attempts to inactive ports (malicious port scanning) + +The following requirements of security monitoring need to be met by the +solution in a virtual environment. 
+ ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Security Analytics Requirements | Type | ID # | ++==========================================================================================================================================================================================================================================================================================+========+=========+ +| Support the following monitoring features by the VNF: | | | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Real-time detection and notification of security events. | Must | 43010 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Integration functionality via API/Syslog/SNMP to other functional modules in the network (e.g., PCRF, PCEF) that enable dynamic security control by blocking the malicious traffic or malicious end users | Must | 43020 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. 
API-based monitoring to take care of the scenarios where the control interfaces are not exposed, or are optimized and proprietary in nature | Must | 43030 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Event logging, formats, and delivery tools to provide the required degree of event data to ONAP | Must | 43040 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Detection of malformed packets due to software misconfiguration or software vulnerability | Must | 43050 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Integrated DPI/monitoring functionality as part of VNFs (e.g., PGW, MME) | Must | 43060 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. 
Alternative monitoring capabilities when VNFs do not expose data or control traffic or use proprietary and optimized protocols for inter VNF communication | Must | 43070 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Proactive monitoring to detect and report the attacks on resources so that the VNFs and associated VMs can be isolated, such as detection techniques for resource exhaustion, namely OS resource attacks, CPU attacks, consumption of kernel memory, local storage attacks. | Must | 43080 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Coexist and operate normally with commercial anti-virus software which shall produce alarms every time when there is a security incident. | Must | 43090 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Protect all security audit logs (including API, OS and application-generated logs), security audit software, data, and associated documentation from modification, or unauthorized viewing, by standard OS access control mechanisms, by sending to a remote system, or by encryption. 
| Must | 43100 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Log the following events: | | | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Successful and unsuccessful login attempts | Must | 43110 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Logoffs | Must | 43120 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Successful and unsuccessful changes to a privilege level | Must | 43130 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. 
Starting and stopping of security logging | Must | 43140 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Creating, removing, or changing the inherent privilege level of users | Must | 43150 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Connections to a network listener of the resource | Must | 43160 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Log, at minimum, the following fields (where applicable and technically feasible) in the security audit logs: | | | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Event type | Must | 43170 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. 
Date/time | Must | 43180 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Protocol | Must | 43190 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Service or program used for access | Must | 43200 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Success/failure | Must | 43210 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Login ID | Must | 43220 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Security audit logs must never contain an authentication credential, e.g., password, even if encrypted. 
| Must | 43230 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Detect when the security audit log storage medium is approaching capacity (configurable) and issue an alarm via SMS or equivalent as to allow time for proper actions to be taken to pre-empt loss of audit data. | Must | 43240 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Support the capability of online storage of security audit logs. | Must | 43250 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Activate security alarms automatically when the following events, at a minimum, are detected: | | | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. 
Configurable number of consecutive unsuccessful login attempts | Must | 43260 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Successful modification of critical system or application files | Must | 43270 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Unsuccessful attempts to gain permissions or assume the identity of another user | Must | 43280 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Include, at a minimum, the following fields in the Security alarms (where applicable and technically feasible): | | | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Date | Must | 43290 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. 
Time | Must | 43300 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Service or program used for access | Must | 43310 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Success/failure | Must | 43320 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| a. Login ID | Must | 43330 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Restrict changing the criticality level of a system security alarm to administrator(s). | Must | 43340 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Monitor API invocation patterns to detect anomalous access patterns that may represent fraudulent access or other types of attacks, or integrate with tools that implement anomaly and abuse detection. 
| Must | 43350 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Support requests for information from law enforcement and government agencies. | Must | 43360 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Implement “Closed Loop” automatic implementation (without human intervention) for Known Threats with detection rate in low false positives. | Must | 43370 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Perform data capture for security functions. | Must | 43380 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Generate security audit logs that must be sent to Security Analytics Tools for analysis. 
| Must | 43390 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Provide audit logs that include user ID, dates, times for log-on and log-off, and terminal location at minimum. | Must | 43400 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Provide security audit logs including records of successful and rejected system access data and other resource access attempts. | Must | 43410 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Support the storage of security audit logs for agreed period of time for forensic analysis. | Must | 43420 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Provide the capability of generating security audit logs by interacting with the operating system (OS) as appropriate. 
| Must | 43430 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ +| Security logging for VNFs and their OSs must be active from initialization. Audit logging includes automatic routines to maintain activity records and cleanup programs to ensure the integrity of the audit/logging systems. | Must | 43440 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+ + +VNF Data Protection Requirements +-------------------------------- + +This section covers VNF data protection requirements that are mostly +applicable to security monitoring. + ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Data Protection Requirements | Type | ID # | ++======================================================================================================================================================================================================================================================================================================================+==========+=========+ +| Provide the capability to restrict read and write access to data. 
| Must | 44010 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability to restrict access to data to specific users. | Must | 44020 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability to encrypt data in transit on a physical or virtual network. | Must | 44030 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability to encrypt data on non-volatile memory. | Must | 44040 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Where the encryption of non-transient data is required on a device for which the operating system performs paging to virtual memory, then if possible disable the paging of the data requiring encryption, if not the virtual memory should be encrypted. 
| Should | 44050 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability to integrate with an external encryption service. | Must | 44060 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Use industry standard cryptographic algorithms and standard modes of operations when implementing cryptography. | Must | 44070 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Use commercial algorithms only when there are no applicable governmental standards for specific cryptographic functions, e.g., public key cryptography, message digests. | Should | 44080 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| The SHA, DSS, MD5, SHA-1 and Skipjack algorithms or other compromised encryption must not be used. 
| Must | 44090 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Use, whenever possible, standard implementations of security applications, protocols, and format, e.g., S/MIME, TLS, SSH, IPSec, X.509 digital certificates for cryptographic implementations. These implementations must be purchased from reputable vendors and must not be developed in-house. | Must | 44100 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| A VNF must provide the ability to migrate to newer versions of cryptographic algorithms and protocols with no impact. | Must | 44110 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Use symmetric keys of at least 112 bits in length. | Must | 44120 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Use asymmetric keys of at least 2048 bits in length. 
| Must | 44130 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Use commercial tools that comply with X.509 standards and produce x.509 compliant keys for public/private key generation. Keys must not be generated or derived from predictable functions or values, e.g., values considered predictable include user identity information, time of day, stored/transmitted data. | Must | 44140 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability to configure encryption algorithms or devices so that they comply with the laws of the jurisdiction in which there are plans to use data encryption. | Must | 44150 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability of using certificates issued from a Certificate Authority not provided by the VNF vendor. 
| Must | 44160 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability of allowing certificate renewal and revocation. | Must | 44170 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability of testing the validity of a digital certificate by performing the following: | | | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. The CA signature on the certificate must be validated | Must | 44180 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. 
The date the certificate is being used must be within the validity period for the certificate | Must | 44190 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. The Certificate Revocation List (CRL) for the certificates of that type must be checked to ensure that the certificate has not been revoked | Must | 44200 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| a. The identity represented by the certificate — the "distinguished name" — must be recognized | Must | 44210 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability of encrypting selected data fields stored or bound for security logs. | Must | 44220 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability of deleting data stored in the VNF. 
| Must | 44230 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the capability to make data available in order to support requests from law enforcement and government agencies as required by legal or regulatory mandates. Capability must be configurable for MOW deployment. | Must | 44240 | ++----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ + +DevOps +====== + +This section includes guidelines for vendors to ensure that a Network +Cloud Service Provider’s operations personnel have a common and +consistent way to support VNFs and VNFCs. + +NCSPs may elect to support standard images to enable compliance with +security, audit, regulatory and other needs. As part of the overall VNF +software bundle, VNF suppliers using standard images would typically +provide the NCSP with an install package consistent with the default OS +package manager (e.g. aptitude for Ubuntu, yum for Redhat/CentOS). + +Section 4.1.4 in *VNF Guidelines for Network Cloud and ONAP* describes +the DevOps guidelines for VNFs. 
+ ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| DevOps Requirements | Type | ID # | ++==============================================================================================================================================================================================================================================================================================================================================================================================================================+==========+=========+ +| Utilize only the Guest OS versions that are supported by the NCSP’s Network Cloud. 
[2]_ | Must | 50010 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Utilize only NCSP provided Guest OS images.\ :sup:`2` | Should | 50020 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Utilize only NCSP standard compute flavors.\ :sup:`2` | Must | 50030 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Running VMs will not be backed up in the Network Cloud infrastructure. VNF’s are responsible for preserving their persistent data. 
| Must | 50040 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Install VNFC(s) on non-root file systems, unless software is specifically included with the operating system distribution of the guest image. | Must | 50050 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Be agnostic to the underlying infrastructure (such as hardware, host OS, Hypervisor), any requirements should be provided as specification to be fulfilled by any hardware. | Must | 50060 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Hypervisor-level customization must not be required from the cloud provider. 
| Must | 50070 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide an automated test suite to validate every new version of the software on the target environment(s). The tests should be of sufficient granularity to independently test various representative VNF use cases throughout its lifecycle. Operations might choose to invoke these tests either on a scheduled basis or on demand to support various operations functions including test, turn-up and troubleshooting. | Should | 50080 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| Provide the ability to test incremental growth of the VNF | Should | 50090 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| If a VNF provides a load balancing function across multiple instances of its VNFCs, then the VNF must respond to a "move traffic"\ :sup:`3` command 
against a specific VNFC, moving all existing session elsewhere with minimal disruption. | Must | 50100 | +| | | | +| Note: Individual VNF performance aspects (e.g., move duration or disruption scope) may require further constraints. | | | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ +| To support scenarios such as proactive maintenance with no user impact, if a VNF provides a load balancing function across multiple instances of its VNFCs, then the VNF must respond to a "drain VNFC" [3]_ command against a specific VNFC, preventing new session from reaching the targeted VNFC, with no disruption to active sessions on the impacted VNFC. | Must | 50110 | ++------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+ + +**Copyright 2017 AT&T Intellectual Property. 
All Rights Reserved.**
+
+This paper is licensed to you under the Creative Commons License:
+
+**Creative Commons Attribution-ShareAlike 4.0 International Public
+License**
+
+You may obtain a copy of the License at:
+
+https://creativecommons.org/licenses/by-sa/4.0/legalcode
+
+**You are free to:**
+
+- Share — copy and redistribute the material in any medium or format
+
+- Adapt — remix, transform, and build upon the material for any
+ purpose, even commercially.
+
+- The licensor cannot revoke these freedoms as long as you follow the
+ license terms.
+
+**Under the following terms:**
+
+- Attribution — You must give appropriate credit, provide a link to the
+ license, and indicate if changes were made. You may do so in any
+ reasonable manner, but **not** in any way that suggests the
+ licensor endorses you or your use.
+
+- ShareAlike — If you remix, transform, or build upon the material, you
+ must distribute your contributions under the same license as the
+ original.
+
+- No additional restrictions — You may not apply legal terms or
+ technological measures that legally restrict others from doing
+ anything the license permits.
+
+**Notices:**
+
+- You do not have to comply with the license for elements of the
+ material in the public domain or where your use is permitted by an
+ applicable exception or limitation.
+
+- No warranties are given. The license may not give you all of the
+ permissions necessary for your intended use. For example, other
+ rights such as publicity, privacy, or moral rights may limit how you
+ use the material.
+
+.. [1]
+ Refer to NCSP’s Network Cloud specification
+
+.. [2]
+ Refer to NCSP’s Network Cloud specification
+
+.. [3]
+ Not currently supported in ONAP release 1
diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Cloud_Readiness_Requirements_for_ONAP/index.rst b/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Cloud_Readiness_Requirements_for_ONAP/index.rst
new file mode 100644
index 0000000..3c951b6
--- /dev/null
+++ b/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Cloud_Readiness_Requirements_for_ONAP/index.rst
@@ -0,0 +1,7 @@
+VNF Cloud Readiness Requirements for ONAP
+------------------------------------------
+
+.. toctree::
+ :maxdepth: 1
+
+ VNF_Cloud_Readiness_Requirements_for_ONAP
diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Guidelines_for_Network_Cloud_and_ONAP/VNF Guidelines for Network Cloud and ONAP 7-3-17.docx b/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Guidelines_for_Network_Cloud_and_ONAP/VNF Guidelines for Network Cloud and ONAP 7-3-17.docx
new file mode 100644
index 0000000..93cefda
Binary files /dev/null and b/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Guidelines_for_Network_Cloud_and_ONAP/VNF Guidelines for Network Cloud and ONAP 7-3-17.docx differ
diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Guidelines_for_Network_Cloud_and_ONAP/VNF_Control_Loop.jpg b/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Guidelines_for_Network_Cloud_and_ONAP/VNF_Control_Loop.jpg
new file mode 100644
index 0000000..73dbcbb
Binary files /dev/null and b/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Guidelines_for_Network_Cloud_and_ONAP/VNF_Control_Loop.jpg differ
diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Guidelines_for_Network_Cloud_and_ONAP/VNF_Guidelines_for_Network_Cloud_and_ONAP_7_3_17.rst b/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Guidelines_for_Network_Cloud_and_ONAP/VNF_Guidelines_for_Network_Cloud_and_ONAP_7_3_17.rst
new file mode 100644
index 0000000..3eb3268
--- /dev/null
+++ b/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Guidelines_for_Network_Cloud_and_ONAP/VNF_Guidelines_for_Network_Cloud_and_ONAP_7_3_17.rst
@@ -0,0 +1,1133 @@ +.. contents:: + :depth: 3 +.. + +**VNF Guidelines for Network Cloud and ONAP** + +**Version 2017-2** + +**June 30, 2017** + +Document Revision History + ++-------------+------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Date | Revision | Description | ++=============+============+======================================================================================================================================================================+ +| 2/1/2017 | 1.0 | Initial public release of VNF Guidelines for Network Cloud and OpenECOMP | ++-------------+------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 3/31/2017 | 1.1 | Updates to reflect name change from OpenECOMP to ONAP | ++-------------+------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| 6/30/2017 | 2017-2 | Corrected the reference for DPDK, clarified VNF Modularity in 4.1.1, added contact information for feedback, cited reference to the ONAP VNF Requirements project. | ++-------------+------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Table of Contents + +Abstract +======== + +This white paper and the accompanying reference documents set forth +guidelines and requirements for Virtual Network Functions (VNFs) that +run in Network Clouds [1]_ and are managed by ONAP (Open Network +Automation Platform) [2]_. 
This document set is part of the ONAP +community and focuses on setting and evolving VNF standards that will +facilitate industry discussion, participation, alignment and evolution +toward comprehensive and actionable VNF best practices and standard +interfaces. The goal is to accelerate adoption of VNF best practices +which will increase innovation, minimize customization needed to onboard +VNFs as well as reduce implementation complexity, time and cost for all +impacted stakeholders. The intent is to drive harmonization of VNFs +across VNF providers, Network Cloud Service Providers (NCSPs) and the +overall Network Function Virtualization (NFV) ecosystem by providing +both long term vision as well as short term focus and clarity where no +current open source implementations exist today. + +This first release of the guidelines and requirements, although +applicable in many implementations, is targeted for those +implementations that consist of Network Clouds based on OpenStack. +Future versions of these guidelines are envisioned to include other +targeted virtualization environments, such as Customer Premises or other +single-tenant small scale cloud implementations. + +In addition, given the relative maturity of key technologies involved, +rapid innovation of NFV/SDN and virtualization technologies as well as +the evolving ONAP roadmap, this will be a living package that will +evolve over time. These documents will become part of the ONAP related +requirements documents. 
The following enhancements are anticipated to be +addressed in the next set of releases: + +- Open source software and demos of simple reference VNFs; + +- Automation of VNF onboarding and other aspects of VNF lifecycle as + supported by ONAP; + +- Consistent VNF packaging for automated onboarding using ONAP; + +- Other implementation examples for targeted virtualization + environments beyond OpenStack based Network Clouds; + +- Incubation and certification environment to provide a self-service + program to gauge maturity and readiness of VNFs. + +Introduction +============ + +Motivation +---------- + +The requirements and guidelines defined herein are intended to +facilitate industry discussion, participation alignment and evolution +toward comprehensive and actionable VNF best practices. Integration +costs are a significant impediment to the development and deployment of +new services. We envision developing open source industry processes and +best practices leading eventually to VNF standards supporting commercial +acquisition of VNFs with minimal integration costs. Traditional PNFs +have all been unique like snowflakes and required expensive custom +integration, whereas VNF products and services should be designed for +easier integration just like Lego\ :sup:`TM` blocks. For example, by +standardizing on common actions and related APIs supported by VNFs, plug +and play integration is assured, jumpstarting automation with management +frameworks. Onboarding VNFs would no longer require complex and +protracted integration or development activities thus maximizing +automation and minimizing integration cost. 
Creating VNF open source +environments, best practices and standards provides additional benefits +to the NFV ecosystems such as: + +- Larger market for VNF providers + +- Rapid introduction and integration of new capabilities into the + services provider’s environment + +- Reduced development times and costs for VNF providers + +- Better availability of new capabilities to NCSPs + +- Better distribution of new capabilities to end-user consumers + +- Reduced integration cost (capex) for NCSPs + +- Usage based software licensing for end-user consumers and NCSPs + +Audience +--------- + +The industry transformation associated with softwarization [3]_ results +in a number of changes in traditional approaches for industry +collaboration. Changes from hardware to software, from waterfall to +agile processes and the emergence of industry supported open source +communities imply corresponding changes in processes at many industry +collaboration bodies. With limited operational experience and much more +dynamic requirements, open source communities are expected to evolve +these VNF guidelines further before final documentation of those aspects +necessary for standardization. This white paper and accompanying +reference documents provides VNF providers, NCSPs and other interested +3rd parties a set of guidelines and requirements for the design, build +and overall lifecycle management of VNFs. + +**VNF Providers** + +Both suppliers transitioning from providing physical network functions +(PNFs) to providing VNFs as well as new market entrants should find +these VNF requirements and guidelines a useful introduction to the +requirements to be able to develop VNFs for deployment into a Network +Cloud. VNF Providers may also be interested to test their VNFs in the +context of an open source implementation of the environment. 
+
+**Network Cloud Service Providers (NCSPs)**
+
+A NCSP provides services based on Network Cloud infrastructure as well
+as services above the infrastructure layer, e.g., platform service,
+end-to-end services.
+
+Common approaches to packaging of VNFs enable economies of scale in
+their development. As suitable infrastructure becomes deployed, NCSPs
+have a common interest in guidelines that support the ease of deployment
+of VNFs in each other’s Network Cloud. After reading these VNF
+guidelines, NCSPs should be motivated to join AT&T in evolving these
+guidelines in the ONAP open source community to meet the industry’s
+collective needs.
+
+**Other interested parties**
+
+Other parties such as solution providers, open source community,
+industry standard bodies, students and researchers of network
+technologies, as well as enterprise customers may also be interested in
+the VNF Guidelines. Solution Providers focused on specific industry
+verticals may find these VNF guidelines useful in the development of
+specialized VNFs that can better address the needs of their industry
+through deployment of these VNFs in NCSP infrastructure. Open Source
+developers can use these VNF guidelines to facilitate the automation of
+VNF ingestion and deployment. The emergence of a market for VNFs enables
+NCSPs to more rapidly deliver increased functionality, for execution on
+white box hardware on customer’s premises – such functionality may be of
+particular interest to enterprises supporting similar infrastructure.
+
+Program and Document Structure
+------------------------------
+
+This document is part of a hierarchy of documents that describes the
+overall Requirements and Guidelines for ONAP. The diagram below
+identifies where this document fits in the hierarchy.
+
++---------------------------------------------+----------------------------------------+-------------------------------------------+------------------------------+---------------------------------+
+| ONAP Requirements and Guidelines |
++=============================================+========================================+===========================================+==============================+=================================+
+| VNF Guidelines for Network Cloud and ONAP | Future ONAP Subject Documents |
++---------------------------------------------+----------------------------------------+-------------------------------------------+------------------------------+---------------------------------+
+| VNF Cloud Readiness Requirements for ONAP | VNF Management Requirements for ONAP | VNF Heat Template Requirements for ONAP | Future | Future Requirements Documents |
+| | | | VNF Requirements Documents | |
++---------------------------------------------+----------------------------------------+-------------------------------------------+------------------------------+---------------------------------+
+
+Document summary:
+
+**VNF Guidelines for Network Cloud and ONAP**
+
+- Describes VNF environment and overview of requirements
+
+*VNF Cloud Readiness Requirements for ONAP*
+
+- Cloud readiness requirements for VNFs (Design, Resiliency, Security,
+ and DevOps)
+
+*VNF Management Requirements for ONAP*
+
+- Requirements for how VNFs interact and utilize ONAP
+
+*VNF Heat Template Requirements for ONAP*
+
+- Provides recommendations and standards for building Heat templates
+ compatible with ONAP– initial implementations of Network Cloud are
+ assumed to be OpenStack based.
+
+VNF Context
+===========
+
+A technology trend towards softwarization is impacting the
+communications industry as it has already impacted a number of other
+industries. This trend is expected to have some significant impacts on
+the products and processes of this industry.
The transformation from
+products primarily based on hardware to products primarily based on
+software has a number of impacts. The completeness of the software
+packages to ease integration, usage based licensing to reflect scaling
+properties, independence from hardware and location and software
+resilience in the presence of underlying hardware failure all gain in
+importance compared to prior solutions. The processes supporting
+software products and services are also expected to transform from
+traditional waterfall methodologies to agile methods. In agile
+processes, characteristics such as versioned APIs, rolling upgrades,
+automated testing and deployment support with incremental release
+schedules become important for these software products and services.
+Industry process related to software products and services also change
+with the rise of industrially supported open source communities.
+Engagement with these open source communities enables sharing of best
+practices and collaborative development of open source testing and
+integration regimes, open source APIs and open source code bases.
+
+The term VNF is inspired by the work [4]_ of the ETSI [5]_ Network
+Functions Virtualization (NFV) Industry Specification Group (ISG).
+ETSI’s VNF definition includes both historically network functions, such
+as Virtual Provider Edge (VPE), Virtual Customer Edge (VCE), and Session
+Border Controller (SBC), as well as historically non-network functions
+when used to support network services, such as network-supporting web
+servers and databases. The VNF discussion in these guidelines applies to
+all types of virtualized workloads, not just network appliance
+workloads. Having a consistent approach to virtualizing any workload
+provides more industry value than just virtualizing some workloads. [6]_
+
+VNFs are functions that are implemented in Network Clouds.
Network
+Clouds must support end-to-end high-bandwidth low latency network flows
+through VNFs running in virtualization environments. For example, a
+Network Cloud is able to provide a firewall service to be created such
+that all Internet traffic to a customer premise passes through a virtual
+firewall running in the Network Cloud.
+
+A data center may be the most common target for a virtualization
+environment, but it is not the only target. Virtualization environments
+are also supported by more constrained resources e.g., Enterprise
+Customer Premise Equipment (CPE). Virtualization environments are also
+expected to be available at more distributed network locations by
+architecting central offices as data centers, or virtualizing functions
+located at the edge of the operator infrastructure (e.g., virtualized
+Optical Line Termination (vOLT) or xRAN [7]_) and in constrained
+resource Access Nodes. Expect detailed requirements to evolve with these
+additional virtualization environments. Some VNFs may scale across all
+these environments, but all VNFs should onboard through the same process
+before deployment to the targeted virtualization environment.
+
+Business Process Impacts
+-------------------------
+
+Business process changes need to occur in order to realize full benefits
+of VNF characteristics: efficiency via automation, open source reliance,
+and improved cycle time through careful design.
+
+**Efficiency via Automation**
+
+reliant on human labor for critical operational tasks don’t scale. By
+aggressively automating all VNF operational procedures, VNFs have lower
+operational cost, are more rapidly deployed at scale and are more
+consistent in their operation. ONAP provides the automation framework
+which VNFs can take advantage of simply by implementing ONAP compatible
+interfaces and lifecycle models. This enables automation which drives
+operational efficiencies and delivers the corresponding benefits.
+
+**Open Source**
+
+VNFs are expected to run on infrastructure largely enabled by open
+source software. For example, OpenStack [8]_ is often used to provide
+the virtualized compute, network, and storage capabilities used to host
+VNFs. OpenDaylight (ODL) [9]_ can provide the network control plane. The
+OPNFV community [10]_ provides a reference platform through integration
+of ODL, OpenStack and other relevant open source projects. VNFs also run
+in open source operating systems like Linux. VNFs might also utilize
+open source software libraries to take advantage of required common but
+critical software capabilities where community support is available.
+Automation becomes easier, overall costs go down and time to market can
+decrease when VNFs can be developed and tested in an open source
+reference platform environment prior to on-boarding by the NCSP. All of
+these points contribute to a lower cost structure for both VNF providers
+and NCSPs.
+
+**Improved Cycle Time through Careful Design**
+
+Today’s fast paced world requires businesses to evolve rapidly in order
+to stay relevant and competitive. To a large degree VNFs, when used with
+the same control, orchestration, management and policy framework (e.g.,
+ONAP), will improve service development and composition. VNFs should
+enable NCSPs to exploit recursive nesting of VNFs to acquire VNFs at the
+smallest appropriate granularity so that new VNFs and network services
+can be composed. The ETSI NFV Framework [11]_ envisages such recursive
+assembly of VNFs, but many current implementations fail to support such
+features. Designing for VNF reuse often requires that traditional
+appliance based PNFs be refactored into multiple individual VNFs where
+each does one thing particularly well.
While the original appliance
+based PNF can be replicated virtually by the right combination and
+organization of lower level VNFs, the real advantage comes in creating
+new services composed of different combinations of lower level VNFs
+(possibly from many providers) organized in new ways. Easier and faster
+service creation often generates real value for businesses. As
+softwarization trends progress towards more agile processes, VNFs, ONAP
+and Network Clouds are all expected to evolve towards continuous
+integration, testing and deployment of small incremental changes to
+de-risk the upgrade process.
+
+ETSI Network Function Virtualization (NFV) comparison
+-----------------------------------------------------
+
+ETSI defines a VNF as an implementation of a network function that can
+be deployed on a Network Function Virtualization Infrastructure (NFVI).
+Service instances may be composed of an assembly of VNFs. In turn, a VNF
+may also be assembled from VNF components (VNFCs) that each provide a
+reusable set of functionality. VNFs are expected to take advantage of
+platform provided common services.
+
+VNF management and control under ONAP is different than management and
+control exposed in the ETSI MANO model. With ONAP, there is only a
+single management and control plane. In ETSI’s Framework [12]_,
+architectural options exist for preserving legacy systems that increase
+integration costs e.g., different VNFs can be controlled by VNF Managers
+(VNFMs) and Element Management Systems (EMSs) provided by different
+software providers. ONAP addresses the concern that multiple VNFMs in
+this space will hinder VNF reuse and increase VNF and service
+integration costs. Asking all VNF providers to take advantage of and
+interoperate with common control software mitigates related reuse and
+integration challenges.
The common, SDN based, control platform (ONAP)
+is being made available as an open source project to reduce friction for
+VNF providers and enable new network functions to get to market faster
+and with lower costs.
+
+Also under ONAP, VNF providers do not provide their own proprietary VNF
+Managers (VNFM) or Element Management Systems (EMS). Those capabilities
+are provided by ONAP. Hence, VNFs are required to consume open
+interfaces to ONAP in support of management and control. The VNF Package
+must include the appropriate data models for integration with ONAP to
+enable management and control of the VNFCs.
+
+**Figure 1** shows a simplified ONAP and Infrastructure view to
+highlight how individual Virtual Network Functions plug into the ONAP
+control loops.
+
+|image0|
+
+**Figure 1. Control Loop**
+
+In the control loop view in **Figure 1**, the VNF provides an event
+data stream via an API to Data Collection, Analytics and Events (DCAE).
+DCAE analyzes and aggregates the data stream and when particular
+conditions are detected, uses policy to enable what, if any, action
+should be triggered. Some of the triggered actions may require a
+controller to make changes to the VNF through a VNF provided API.
+
+For a detailed comparison between ETSI NFV and ONAP, refer to Appendix C
+- Comparison between VNF Guidelines and ETSI GS NFV-SWA 001.
+
+Evolving VNF Related Industry Activities
+----------------------------------------
+
+Many existing industry collaboration bodies are structured around a
+particular service or segment of the network. VNFs are intended to
+operate across multiple services and execute on commodity targeted
+virtualization environments. With the NCSPs transformation to acquiring
+products and services based on location and hardware independent VNFs,
+the opportunity exists for instances of those VNFs to be deployed across
+multiple network locations and services where suitable virtualization
+infrastructure is available.
+
+The rise of industry-supported open source communities has created new
+opportunities for collaboration and challenges for existing industry
+communities such as Standards Developing Organizations (SDOs).
+Collaboration in many SDOs defers intellectual property issues. Most
+industrially-supported open source communities resolve intellectual
+property issues between collaborators through explicit contribution
+licensing agreements. Common infrastructure software components (e.g.,
+SDN Controllers, Cloud Management Systems) are expected to be available
+through industrially supported open source communities (e.g., Open
+Daylight and OpenStack). Whether VNFs are open or proprietary, they
+should use open APIs, test and integration capabilities developed in
+industrially supported open source communities (e.g., ONAP, OPNFV).
+
+The migration path for operator’s existing processes and services to
+effectively utilize VNFs may be operator specific. The requirements for
+VNFs may be expected to evolve rapidly as the industry develops
+experience with operational and development best practices for VNFs. In
+particular, industry operations procedures are expected to evolve
+towards agile software methodologies, DevOps, continuous integration and
+continuous deployment (CI/CD). In this environment of changing and
+context-dependent VNF requirements, agile, pragmatic approaches focused
+on delivering functionality in the near term and evolving it towards
+targeted VNF characteristics are preferred over lengthy waterfall
+industry standardization processes. Demonstrating functionality and
+interoperability of appropriate VNF-related APIs in open source
+communities is considered a pre-requisite to starting industry
+specification work documenting stable interfaces.
+
+While multiple open source communities exist supporting particular
+infrastructure software options, the market success of any particular
+option combination cannot be assured.
Integration communities such as
+OPNFV provide an approach enabling VNF providers to test their products
+and services against a variety of expected configurations available in
+the industry.
+
+Evolving towards VNFs
+---------------------
+
+In order to deploy VNFs, a target virtualization environment must
+already be in place. The NCSPs scale necessitates a phased rollout of
+virtualization infrastructure and then of VNFs upon that infrastructure.
+Some VNF use cases may require greenfield infrastructure deployments,
+others may start brownfield deployments in centralized data centers and
+then scale deployment more widely as infrastructure becomes available.
+Some service providers have been very public and proactive in setting
+transformation targets associated with VNFs [13]_.
+
+Because of the complexity of migration and integration issues, the
+requirements for VNFs in the short term may need to be contextualized to
+the specific service and transition planning.
+
+Much of the existing VNF work has been based on corresponding network
+function definitions and requirements developed for PNFs. Many of the
+assumptions about PNFs do not apply to VNFs and the modularity of the
+functionality is expected to be significantly different. In addition,
+the increased service velocity objectives of NFV are based on new types
+of VNFs being developed to support new services being deployed in
+virtualized environments. Much of the functionality associated with 5G
+(e.g., IoT, augmented reality/virtual reality) is thus expected to be
+deployed as VNFs in targeted virtualization infrastructure towards the
+edge of the network.
+
+VNF Characteristics
+===================
+
+VNFs need to be constructed using a distributed systems architecture
+that we will call "Network Cloud Ready". They need to interact with the
+orchestration and control platform provided by ONAP and address the new
+security challenges that come in this environment.
+
+The main goal of a Network Cloud Ready VNF is to run well on any Network
+Cloud (public or private) over any network (carrier or enterprise). In
+addition, for optimal performance and efficiency, VNFs will be designed
+to take advantage of Network Clouds. This requires careful engineering
+in both VNFs and candidate Network Cloud computing frameworks.
+
+To ensure Network Cloud capabilities are leveraged and VNF resource
+consumption meets engineering and economic targets, VNF performance and
+efficiency will be benchmarked in a controlled lab environment. In line
+with the principles and practices laid out in ETSI GS NFV-PER 001,
+efficiency testing will consist of benchmarking VNF performance with a
+reference workload and associated performance metrics on a reference
+Network Cloud (or, when appropriate, additional benchmarking on a bare
+metal reference platform).
+
+Network Cloud Ready VNF characteristics and design consideration can be
+grouped into three areas:
+
+- Cloud Readiness
+
+- ONAP Ready
+
+- Virtualization Environment Ready
+
+Detailed requirements are contained in the reference documents that are
+listed in Appendix B - References.
+
+Cloud Readiness
+---------------
+
+VNFs should be designed to operate within a cloud environment from the
+first stages of the development. The VNF provider should think clearly
+about how the VNF should be decomposed into various modules. Resiliency
+within a cloud environment is very different than in a physical
+environment and the developer should give early thought as to how the
+Network Cloud Service Provider will ensure the level of resiliency
+required by the VNF and then provide the capabilities needed within that
+VNF. Scaling and Security should also be well thought out at design time
+so that the VNF runs well in a virtualized environment. Finally, the VNF
+Provider also needs to think about how they will integrate and deploy
+new versions of the VNF.
Since the cloud environment is very dynamic,
+the developer should utilize DevOps practices to deploy new software.
+
+Requirements for Cloud Readiness can be found in the *VNF Common
+Requirements for ONAP* document.
+
+VNF Design
+~~~~~~~~~~
+
+A VNF may be a large construct and therefore when designing it, it is
+important to think about the components from which it will be composed.
+The ETSI SWA 001 document gives a good overview of the architecture of a
+VNF in Chapter 4 as well as some good examples of how to compose a VNF
+in its Annex B. VNFCs are expected to evolve towards microservices, as
+an architectural style so when laying out the components of the VNF it
+is important to keep in mind the following principles: Single
+Capability, Independence, State and the APIs.
+
+Many Network Clouds will use Heat to describe orchestration templates
+for instantiating VNFs and VNFCs. The *VNF Heat Template Requirements
+for ONAP* document defines a modular Heat design pattern referred to as
+“VNF Modularity”. With this approach, a single VNF may be composed from
+one or more Heat Orchestration Templates (modules), each of which
+represents a subset of the overall VNF. A module can be thought of as a
+deployment unit. In general, the goal should be for each module to
+contain a single VNFC.
+
+Single Capability
+^^^^^^^^^^^^^^^^^
+
+VNFs should be carefully decomposed into loosely coupled, granular,
+re-usable VNFCs that can be distributed and scaled on a Network Cloud.
+VNFCs should be responsible for a single capability. The behavior of
+microservice VNFCs is focused on a single capability with independent
+operation and encapsulation
+
+The Network Cloud will define several flavors of VMs for a VNF designer
+to choose from for instantiating a VNFC.
The best practice is to keep
+the VNFCs as lightweight as possible while still fulfilling the business
+requirements for the "single capability", however the VNFC should not be
+so small that the overhead of constructing, maintaining, and operating
+the service outweighs its utility.
+
+Independence
+^^^^^^^^^^^^
+
+VNFCs should be independently deployed, configured, upgraded, scaled,
+monitored, and administered (by ONAP). The VNFC must be a standalone
+executable process.
+
+API versioning is one of the biggest enablers of independence. To be
+able to independently evolve a component, versioning must ensure
+existing clients of the component are not forced to flash-cut with each
+interface change. API versioning enables smoother evolution while
+preserving backward compatibility.
+
+Scaling
+^^^^^^^
+
+Each VNFC within a VNF must support independent horizontal scaling, by
+adding/removing instances, in response to demand loads on that VNFC. The
+Network Cloud is not expected to support adding/removing resources
+(compute, memory, storage) to an existing instance of a VNFC (vertical
+scaling). A VNF should be designed such that its components can scale
+independently of each other. Scaling one component should not require
+another component to be scaled at the same time. All scaling will be
+controlled by ONAP.
+
+Managing State
+^^^^^^^^^^^^^^
+
+VNFCs and their interfaces should isolate and manage state to allow for
+high-reliability, scalability, and performance in a Network Cloud
+environment. The use of state should be minimized as much as possible to
+facilitate the movement of traffic from one instance of a VNFC to
+another. Where state is required it should be maintained in a
+geographically redundant data store that may in fact be its own VNFC.
+
+This concept of decoupling state data can be extended to all persistent
+data. Persistent data should be held in a loosely coupled database.
+These decoupled databases need to be engineered and placed correctly to
+still meet all the performance and resiliency requirements of the
+service.
+
+Lightweight and Open APIs
+^^^^^^^^^^^^^^^^^^^^^^^^^
+
+Controllable microservice VNFCs have lightweight communications, are
+discoverable and designed for automation. Key functions are accessible
+via open APIs, which align to Industry API Standards and supported by an
+open and extensible information/data model.
+
+Reusability
+^^^^^^^^^^^
+
+Properly (de)composing a VNF requires thinking about “reusability”.
+Reusable microservice VNFCs are infrastructure agnostic and designed for
+the consumer of their services. Components should be designed to be
+reusable within the VNF as well as by other VNFs. The “single
+capability” principle aids in this requirement. If a VNFC could be
+reusable by other VNFs then it should be designed as its own single
+component VNF that may then be chained with other VNFs. Likewise, a VNF
+provider should make use of other common platform VNFs such as firewalls
+and load balancers, instead of building their own.
+
+Resiliency
+~~~~~~~~~~
+
+The VNF is responsible for meeting its resiliency goals and must factor
+in expected availability of the targeted virtualization environment.
+This is likely to be much lower than found in a traditional data center.
+The VNF developer should design the function in such a way that if there
+is a platform problem the VNF will continue working as needed and meet
+the SLAs of that function. VNFs should be designed to survive single
+failure platform problems including: hypervisor, server, datacenter
+outages, etc. There will also be significant planned downtime for the
+Network Cloud as the infrastructure goes through hardware and software
+upgrades. The VNF should support tools for gracefully meeting the
+service needs such as methods for migrating traffic between instances
+and draining traffic from an instance.
The VNF needs to rapidly respond
+to the changing conditions of the underlying infrastructure.
+
+Resilient microservice VNFCs are highly observable, highly resilient and
+secure. VNF resiliency can typically be met through redundancy often
+supported by distributed systems architectures. This is another reason
+for favoring smaller VNFCs. By having more instances of smaller VNFCs it
+is possible to spread the instance out across servers, racks,
+datacenters, and geographic regions. This level of redundancy can
+mitigate most failure scenarios and has the potential to provide a
+service with even greater availability than the old model. Careful
+consideration of VNFC modularity also minimizes the impact of failures
+when an instance does fail.
+
+Security
+~~~~~~~~
+
+Security must be integral to the VNF through its design, development,
+instantiation, operation, and retirement phases. VNF architectures
+deliver new security capabilities that make it easier to maximize
+responsiveness during a cyber-attack and minimize service interruption
+to the customers. SDN enables the environment to expand and adapt for
+additional traffic and incorporation of security solutions. Further,
+additional requirements will exist to support new security capabilities
+as well as provide checks during the development and production stages
+to assure the expected advantages are present and compensating controls
+exist to mitigate new risks.
+
+New security requirements will evolve along with the new architecture.
+Initially, these requirements will fall into the following categories:
+
+- VNF General Security Requirements
+
+- VNF Identity and Access Management Requirements
+
+- VNF API Security Requirements
+
+- VNF Security Analytics Requirements
+
+- VNF Data Protection Requirements
+
+DevOps
+~~~~~~
+
+The ONAP software development and deployment methodology is evolving
+toward a DevOps model.
VNF development and deployment should evolve in
+the same direction, enabling agile delivering of end-to-end services.
+Following these same principles better positions ONAP and VNF
+development to coevolve in the same direction.
+
+Testing
+^^^^^^^
+
+VNF packages should provide comprehensive automated regression,
+performance and reliability testing with VNFs based on open industry
+standard testing tools and methodologies. VNF packages should provide
+acceptance and diagnostic tests and in-service instrumentation to be
+used in production to validate VNF operation.
+
+Build and Deployment Processes
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+VNF packages should include continuous integration and continuous
+deployment (CI/CD) software artifacts that utilize automated open
+industry standard system and container build tools. The VNF package
+should include parameterized configuration variables to enable automated
+build customization. Don’t create unique (snowflake) VNFs requiring any
+manual work or human attention to deploy. Do create standardized (Lego™)
+VNFs that can be deployed in a fully automated way.
+
+ONAP will orchestrate updates and upgrades of VNFs. The target method
+for updates and upgrades is to onboard and validate the new version,
+then build a new instance with the new version of software, transfer
+traffic to that instance and kill the old instance. There should be no
+need for the VNF or its components to provide an update/upgrade
+mechanism.
+
+Automation
+^^^^^^^^^^
+
+Increased automation is enabled by VNFs and VNF design and composition.
+VNF and VNFCs should provide the following automation capabilities, as
+triggered or managed via ONAP:
+
+- Events and alarms
+
+- Lifecycle events
+
+- Zero-Touch rolling upgrades and downgrades
+
+- Configuration
+
+ONAP Ready
+----------
+
+ONAP is the “brain” providing the lifecycle management and control of
+software-centric network resources, infrastructure and services.
ONAP is
+critical in achieving the objectives to increase the value of the
+Network Cloud to customers by rapidly on-boarding new services, enabling
+the creation of a new ecosystem of consumer and enterprise services,
+reducing capital and operational expenditures, and providing operations
+efficiencies. It delivers enhanced customer experience by allowing them
+in near real-time to reconfigure their network, services, and capacity.
+
+For more details, refer to the `*ECOMP Architecture White
+Paper* `__\ [14]_ which inspired the ONAP
+community effort.
+
+One of the main ONAP responsibilities is to rapidly onboard and enrich
+VNFs to be cataloged as resources to allow composition and deployment of
+services in a multi-vendor plug and play environment. It is also
+extremely important to be able to automatically manage the VNF run-time
+lifecycle to fully realize benefits of NFV. The VNF run-time lifecycle
+includes aspects such as instantiation, configuration, elastic scaling,
+automatic recovery from resource failures, and resource allocation. It
+is therefore imperative to provide VNFs that are equipped with
+well-defined capabilities that comply with ONAP standards to allow rapid
+onboarding and automatic lifecycle management of these resources when
+deploying services as depicted in **Figure 2**.
+
+|image1|
+
+**Figure 2. VNF Complete Lifecycle Stages**
+
+In order to realize these capabilities within the ONAP platform, it is
+important to adhere to a set of key principles (listed below) for VNFs
+to integrate into ONAP.
+
+Requirements for ONAP Ready can be found in the *VNF Management
+Requirements for ONAP* document.
+
+Design Definition
+~~~~~~~~~~~~~~~~~
+
+Onboarding automation will be facilitated by applying standards-based
+approaches to VNF packaging to describe the VNF’s infrastructure
+resource requirements, topology, licensing model, design constraints,
+and other dependencies to enable successful VNF deployment and
+management of VNF configuration and operational behavior.
+
+The current VNF Package Requirement is based on a subset of the
+Requirements contained in the ETSI Document: ETSI GS NFV-MAN 001 v1.1.1
+and GS NFV IFA011 V0.3.0 (2015-10) - Network Functions Virtualization
+(NFV), Management and Orchestration, VNF Packaging Specification.
+
+Configuration Management
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+ONAP must be able to orchestrate and manage the VNF configuration to
+provide fully automated environment for rapid service provisioning and
+modification. VNF configuration/reconfiguration must be allowed directly
+through standardized APIs without the need for an EMS.
+
+Monitoring and Management
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The end-to-end service reliability and availability in a virtualized
+environment will greatly depend on the ability to monitor and manage the
+behavior of Virtual Network Functions in real-time. ONAP platform must
+be able to monitor the health of the network and VNFs through collection
+of event and performance data directly from network resources utilizing
+standardized APIs without the need for an EMS. The VNF provider must
+provide visibility into VNF performance and fault at the VNFC level
+(VNFC is the smallest granularity of functionality in our architecture)
+to allow ONAP to proactively monitor, test, diagnose and trouble shoot
+the health and behavior of VNFs at their source.
+ +Virtualization Environment Ready +-------------------------------- + +Every Network Cloud Service Provider will have a different set of +resources and capabilities for their Network Cloud, but there are some +common resources and capabilities that nearly every NCSP will offer. + +Network Cloud +~~~~~~~~~~~~~ + +VNFCs should be agnostic to the details of the Network Cloud (such as +hardware, host OS, Hypervisor or container technology) and must run on +the Network Cloud with acknowledgement to the paradigm that the Network +Cloud will continue to rapidly evolve and the underlying components of +the platform will change regularly. VNFs should be prepared to move +VNFCs across VMs, hosts, locations or datacenters, or Network Clouds. + +Overlay Network +~~~~~~~~~~~~~~~ + +VNFs should be compliant with the Network Cloud network virtualization +platform including the specific set of characteristics and features. + +The Network Cloud is expected to be tuned to support VNF performance +requirements. Initially, specifics may differ per Network Cloud +implementation and are expected to evolve over time, especially as the +technology matures. + +Guest Operating Systems +~~~~~~~~~~~~~~~~~~~~~~~ + +VNFs should use the NCSP’s standard set of OS images to enable +compliance with security, audit, regulatory and other needs. + +Compute Flavors +~~~~~~~~~~~~~~~ + +VNFs should take advantage of the standard Network Cloud capabilities in +terms of VM characteristics (often referred to as VM Flavors), VM sizes +and cloud acceleration capabilities aimed at VNFs such as Data Plane +Development Kit (DPDK [15]_). + +Summary +======= + +The intent of these guidelines and requirements is to provide long term +vision as well as short term focus and clarity where no current open +source implementation exists today. 
The goal is to accelerate the +adoption of VNFs which will increase innovation, minimize customization +to onboard VNFs, reduce implementation time and complexity as well as +lower overall costs for all stakeholders. It is critical for the +Industry to align on a set of standards and interfaces to quickly +realize the benefits of NFV. AT&T is contributing these guidelines to +the ONAP open source community as a step in moving toward standards. +These guidelines are based on our experience with large scale deployment +and operations of VNFs over the past several years. + +This VNF guidelines document provides a general overview and points to +more detailed requirements documents. The subtending documents provide +more detailed requirements and are listed in Appendix B - References. +All documents are expected to evolve. + +Some of these VNF guidelines may be more broadly applicable in the +industry, e.g., in other open source communities or standards bodies. +The art of VNF architecture and development is expected to mature +rapidly with practical deployment and operations experience from a +broader ecosystem of types of VNFs and different VNF providers. +Individual operators may also choose to provide their own extensions and +enhancements to support their particular operational processes, but +these guidelines are expected to remain broadly applicable across a +number of service providers interested in acquiring VNFs. + +We invite feedback on these VNF Guidelines via +`VNFGuidelines@list.att.com `__. +The ONAP Community has an active project, `VNF +Requirements `__, to +deliver a unified set of VNF Guidelines and Requirements. Interested +parties are encouraged to participate. 
+ +Appendix A - Glossary +====================== + ++-------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| **Heat** | Heat is a service to orchestrate composite cloud applications using a declarative template format through an OpenStack-native REST API. | ++===========================================+===========================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+ +| **Network Clouds** | Network Clouds are built on a framework containing these essential elements: refactoring hardware elements into software functions running on commodity cloud computing infrastructure; aligning access, core, and edge networks with the traffic patterns created by IP based services; integrating the network and cloud technologies on a software 
platform that enables rapid, highly automated, deployment and management of services, and software defined control so that both infrastructure and functions can be optimized across change in service demand and infrastructure availability; and increasing competencies in software integration and a DevOps operations model. | ++-------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| **Network Cloud Service Provider** | Network Cloud Service Provider (NCSP) is a company or organization, making use of a communications network to provide Network Cloud services on a commercial basis to third parties. 
| ++-------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| **SDOs** | Standards Developing Organizations are organizations which are active in the development of standards intended to address the needs of a group of affected adopters. | ++-------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| **Softwarization** | Softwarization is the transformation of business processes to reflect characteristics of software centric products, services, lifecycles and methods. 
| ++-------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| **Targeted Virtualization Environment** | Targeted Virtualization Environment is the execution environment for VNFs. While Network Clouds located in datacenters are a common execution environment, VNFs can and will be deployed in various locations (e.g., non-datacenter environments) and form factors (e.g., enterprise Customer Premise Equipment). Non-datacenter environments are expected to be available at more distributed network locations including central offices and at the edge of the NCSP’s infrastructure. 
| ++-------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| **VM** | Virtual Machine (VM) is a virtualized computation environment that behaves very much like a physical computer/server. A VM has all its ingredients (processor, memory/storage, interfaces/ports) of a physical computer/server and is generated by a hypervisor, which partitions the underlying physical resources and allocates them to VMs. Virtual Machines are capable of hosting a virtual network function component (VNFC). | ++-------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| **VNF** | Virtual Network Function (VNF) is the software implementation of a function that can be deployed on a Network Cloud. 
It includes network functions that provide transport and forwarding. It also includes other functions when used to support network services, such as network-supporting web servers and database. | ++-------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| **VNFC** | Virtual Network Function Component (VNFC) are the sub-components of a VNF providing a VNF Provider a defined sub-set of that VNF's functionality, with the main characteristic that a single instance of this component maps 1:1 against a single Virtualization Container. See **Figure 3** for the relationship between VNFC and VNFs. | +| | | +| | |image2| | +| | | +| | \ **Figure 3. 
Virtual Network Function Entity Relationship** | ++-------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Appendix B - References +======================= + +1. VNF Cloud Readiness Requirements for ONAP + +2. VNF Management Requirements for ONAP + +3. VNF Heat Template Requirements for ONAP + +Appendix C - Comparison between VNF Guidelines and ETSI GS NFV-SWA 001 +====================================================================== + +The VNF guidelines presented in this document (VNF Guidelines) overlap +with the ETSI GS NFV-SWA 001 (Network Functions Virtualization (NFV); +Virtual Network Function Architecture) document. For convenience, we +will just refer to this document as SWA 001. + +The SWA 001 document is a survey of the landscape for architecting a +VNF. It includes many different options for building a VNF that take +advantage of the ETSI MANO architecture. + +The Network Cloud and ONAP have similarities to ETSI’s MANO, but also +have differences described in earlier sections. The result is +differences in the VNF requirements. Since these VNF Guidelines are for +a specific implementation of an architecture they are narrower in scope +than what is specified in the SWA 001 document. + +The VNF Guidelines primarily overlaps the SWA 001 in Sections 4 and 5. 
+The other sections of the SWA 001 document lie outside the scope of the +VNF Guidelines. + +This appendix will describe the differences between these two documents +indexed on the SWA 001 sections + +Section 4 Overview of VNF in the NFV Architecture +------------------------------------------------- + +This section provides an overview of the ETSI NFVI architecture and how +it interfaces with the VNF architecture. Because of the differences +between infrastructure architectures there will naturally be some +differences in how it interfaces with the VNF. + +A high level view of the differences in architecture can be found in the +main body of this document and a more detailed analysis can be found in +the *ECOMP Architecture White Paper*\ [16]_. + +Section 4.3 Interfaces +~~~~~~~~~~~~~~~~~~~~~~ + +Since ONAP provides the VNFM and EMS functionality for all VNFs the +SWA-3 and SWA-4 interfaces are ONAP interfaces. All ONAP interfaces are +described in this package of documents. + +Section 5 VNF Design Patterns and Properties +-------------------------------------------- + +This section of the SWA 001 document gives a broad view of all the +possible design patterns of VNFs. The VNF Guidelines do not generally +differ from this section. The VNF Guidelines address a more specific +scope than what is allowed in the SWA 001 document. + +Section 5.1 VNF Design Patterns +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The following are differences between the VNF Guidelines and SWA-001: + +- 5.1.2 - The Network Cloud does not recognize the distinction between + “parallelizable” and “non-parallelizable” VNFCs, where parallelizable + means that there can be multiple instances of the VNFC. In the VNF + Guidelines, all VNFCs should support multiple instances and therefore + be parallelizable. + +- 5.1.3 - The VNF Guidelines encourages the use of stateless VNFCs. 
+ However, where state is needed it should be kept external to the VNFC + to enable easier failover + +- 5.1.5 - The VNF Guidelines only accepts horizontal scaling (scale + out/in) by VNFC. Vertical scaling (scale up/down) is not supported by + ONAP. + +- 5.1.5 - Since ONAP provides all EMS and VNFM functionality On-Demand + scaling is accomplished through ONAP and not directly by the VNF + +Section 5.2 VNF Update and Upgrade +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +- 5.2.2 - ONAP will orchestrate updates and upgrades. The preferred + method for updates and upgrades is to build a new instance with the + new version of software, transfer traffic to that instance and kill + the old instance + +Section 5.3 VNF Properties +~~~~~~~~~~~~~~~~~~~~~~~~~~ + +The following are differences between the VNF Guidelines and SWA-001: + +- 5.3.1 - In a Network Cloud all VNFs must be only “COTS-Ready”. The + VNF Guidelines does not support “Partly COTS-READY” or “Hardware + Dependent”. + +- 5.3.2 – The only virtualization environment currently supported by + ONAP is “Virtual Machines”. The VNF Guidelines state that all VNFs + should be hypervisor agnostic. Other virtualized environment options + such as containers are not currently supported. However, container + technology is targeted to be supported in the future. + +- 5.3.3 - All VNFs must scale horizontally (scale out/in) within the + Network Cloud. Vertical (scale up/down) is not supported. + +- 5.3.5 - The VNF Guidelines state that ONAP will provide full policy + management for all VNFs. The VNF will not provide its own policy + management for provisioning and management. + +- 5.3.7 - The VNF Guidelines recognizes both stateless and stateful + VNFCs but it encourages the minimization of stateful VNFCs. + +- 5.3.11 - The VNF Guidelines only allows for ONAP management of the + VNF. 
It does not allow a proprietary management interface for use + with a 3rd party EMS + +Section 5.4 Attributes describing VNF Requirements +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +Attributes described in the VNF Guidelines and reference documents +include those attributes defined in this section of the SWA 001 document +but also include additional attributes. + +**Copyright 2017 AT&T Intellectual Property. All Rights Reserved.** + +This paper is licensed to you under the Creative Commons License: + +**Creative Commons Attribution-ShareAlike 4.0 International Public +License** + +You may obtain a copy of the License at: + +https://creativecommons.org/licenses/by-sa/4.0/legalcode + +**You are free to:** + +- Share — copy and redistribute the material in any medium or format + +- Adapt — remix, transform, and build upon the material for any + purpose, even commercially. + +- The licensor cannot revoke these freedoms as long as you follow the + license terms. + +**Under the following terms:** + +- Attribution — You must give appropriate credit, provide a link to the + license, and indicate if changes were made. You may do so in any + reasonable manner, but **not** in any way that suggests the + licensor endorses you or your use. + +- ShareAlike — If you remix, transform, or build upon the material, you + must distribute your contributions under the same license as the + original. + +- No additional restrictions — You may not apply legal terms or + technological measures that legally restrict others from doing + anything the license permits. + +**Notices:** + +- You do not have to comply with the license for elements of the + material in the public domain or where your use is permitted by an + applicable exception or limitation. + +- No warranties are given. The license may not give you all of the + permissions necessary for your intended use. For example, other + rights such as publicity, privacy, or moral rights may limit how you + use the material. + +.. 
[1] + Network Clouds are built on a framework containing these essential + elements: refactoring hardware elements into software functions + running on commodity cloud computing infrastructure; aligning access, + core, and edge networks with the traffic patterns created by IP based + services; integrating the network and cloud technologies on a + software platform that enables rapid, highly automated, deployment + and management of services, and software defined control so that both + infrastructure and functions can be optimized across change in + service demand and infrastructure availability; and increasing + competencies in software integration and a DevOps operations model. + +.. [2] + ONAP is an open source initiative for ECOMP, www.onap.org. + +.. [3] + Softwarization is the transformation of business processes to reflect + characteristics of software centric products, services, lifecycles + and methods. + +.. [4] + “Virtual Network Functions Architecture” ETSI GS NFV-SWA 001 v1.1.1 + (Dec 2012) + +.. [5] + European Telecommunications Standards Institute or ETSI + (http://www.etsi.org) is a respected standards body providing + standards for information and communications technologies. + +.. [6] + Full set of capabilities of Network Cloud and/or ONAP might not be + needed to support traditional IT like workloads. + +.. [7] + xRAN (http://www.xran.org/) + +.. [8] + OpenStack (http://www.openstack.org) + +.. [9] + OpenDaylight (http://www.opendaylight.org) + +.. [10] + OPNFV (http://www.opnfv.org) + +.. [11] + See, e.g., Figure 3 of GS NFV 002, Architectural Framework + +.. [12] + “Architectural Framework”, ETSI GS NFV 002 v1.1.1 (Oct. 2013) + +.. [13] + AT&T, for instance, has announced that it seeks to virtualize and + control 75% of its network functionality by 2020 and that 50% of + AT&T’s software be coming from open source. For AT&T, VNFs have + already been placed in service in the Network Cloud and enterprise + CPE whiteboxes. + +.. 
 [14]
+ ECOMP (Enhanced Control Orchestration, Management & Policy)
+ Architecture White Paper
+ (http://about.att.com/content/dam/snrdocs/ecomp.pdf)
+
+.. [15]
+ DPDK is a Linux Foundation Project, developed by hundreds of
+ contributors, supported by strong leading members, and used in a
+ growing ecosystem,
+ `dpdk.org `__.
+
+.. [16]
+ ECOMP (Enhanced Control Orchestration, Management & Policy)
+ Architecture White Paper
+ (http://about.att.com/content/dam/snrdocs/ecomp.pdf)
+
+.. |image0| image:: VNF_Control_Loop.jpg
+ :width: 6.56250in
+ :height: 3.69167in
+.. |image1| image:: VNF_Lifecycle.jpg
+ :width: 6.49000in
+ :height: 2.23000in
+.. |image2| image:: VNF_VNFC_Relation.jpg
+ :width: 4.26087in
+ :height: 3.42514in
diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Guidelines_for_Network_Cloud_and_ONAP/VNF_Lifecycle.jpg b/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Guidelines_for_Network_Cloud_and_ONAP/VNF_Lifecycle.jpg
new file mode 100644
index 0000000..45419e6
Binary files /dev/null and b/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Guidelines_for_Network_Cloud_and_ONAP/VNF_Lifecycle.jpg differ
diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Guidelines_for_Network_Cloud_and_ONAP/VNF_VNFC_Relation.jpg b/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Guidelines_for_Network_Cloud_and_ONAP/VNF_VNFC_Relation.jpg
new file mode 100644
index 0000000..0457e86
Binary files /dev/null and b/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Guidelines_for_Network_Cloud_and_ONAP/VNF_VNFC_Relation.jpg differ
diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Guidelines_for_Network_Cloud_and_ONAP/index.rst b/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Guidelines_for_Network_Cloud_and_ONAP/index.rst
new file mode 100644
index 0000000..f8db545
--- /dev/null
+++ b/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Guidelines_for_Network_Cloud_and_ONAP/index.rst
@@ -0,0 +1,7 @@
+VNF Guidelines for Network Cloud and ONAP 7/3/17
+-------------------------------------------------
+
+.. toctree::
+ :maxdepth: 1
+
+ VNF_Guidelines_for_Network_Cloud_and_ONAP_7_3_17
diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Managment_Requirements_for_OpenECOMP/Data_Model_For_Event_Records.png b/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Managment_Requirements_for_OpenECOMP/Data_Model_For_Event_Records.png
new file mode 100644
index 0000000..1cb7464
Binary files /dev/null and b/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Managment_Requirements_for_OpenECOMP/Data_Model_For_Event_Records.png differ
diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Managment_Requirements_for_OpenECOMP/VNF Management Requirements for OpenECOMP 7-3-2017.docx b/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Managment_Requirements_for_OpenECOMP/VNF Management Requirements for OpenECOMP 7-3-2017.docx
new file mode 100644
index 0000000..6d72e35
Binary files /dev/null and b/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Managment_Requirements_for_OpenECOMP/VNF Management Requirements for OpenECOMP 7-3-2017.docx differ
diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Managment_Requirements_for_OpenECOMP/VNF_Management_Requirements_for_OpenECOMP_7_3_2017.rst b/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Managment_Requirements_for_OpenECOMP/VNF_Management_Requirements_for_OpenECOMP_7_3_2017.rst
new file mode 100644
index 0000000..81c2eee
--- /dev/null
+++ b/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Managment_Requirements_for_OpenECOMP/VNF_Management_Requirements_for_OpenECOMP_7_3_2017.rst
@@ -0,0 +1,2013 @@ +.. contents:: + :depth: 3 +.. + +**VNF Management Requirements for ONAP** + ++-----------------+-------------+ ++-----------------+-------------+ +| Revision | 2017-2 | ++-----------------+-------------+ +| Revision Date | 6/30/2017 | ++-----------------+-------------+ + +**Document Revision History** + ++-------------+------------+------------------------------------------------------------------------------------------+ +| Date | Revision | Description | ++=============+============+==========================================================================================+ +| 2/1/2017 | 1.0 | Initial publication defining VNF Management Requirements for ONAP | ++-------------+------------+------------------------------------------------------------------------------------------+ +| 3/31/2017 | 1.1 | Updates to reflect name change from OpenECOMP to ONAP | ++-------------+------------+------------------------------------------------------------------------------------------+ +| 6/30/2017 | 2017-2 | Updates to Monitoring and Management requirements | +| | | | +| | | - Section 4.2 | +| | | | +| | | - Update to verbiage on Data Model | +| | | | +| | | - break out common events and domain-specific events | +| | | | +| | | - update to data model drawing | +| | | | +| | | - Section 4.3 | +| | | | +| | | - new domains and description updates | +| | | | +| | | - re-ordering to sub-sections | +| | | | +| | | Update to Configuration Management requirements to include Chef and Ansible | +| | | | +| | | - Section 2 | +| | | | +| | | - Update Design Definition requirements for resource Configuration | +| | | | +| | | - New Appendix A in support of Chef Design definition requirements | +| | | | +| | | - New Appendix B in support of Ansible Design definition requirements | +| | | | +| | | - Section 3.3 | +| | | | +| | | - New section 3.3 to describe requirements in support of Chef interface to VNFs | +| | | | +| | | - Section 3.4 | +| | | | +| | | - New section 
3.4 to describe requirements in support of Ansible interface to VNFs | +| | | | +| | | - New Appendix D in support requirements for optional Ansible Server | +| | | | +| | | - Section 3.5 | +| | | | +| | | - Include VNF operations for support of Chef and Ansible interfaces | +| | | | +| | | Update to Licensing requirements to include Licensing Meta data definition | +| | | | +| | | - Section 2 | +| | | | +| | | - Update Design Definition requirements for Licensing | +| | | | +| | | - New Appendix C to describe Licensing data requirements for Design Definition | ++-------------+------------+------------------------------------------------------------------------------------------+ + +Introduction +============ + +This document is part of a hierarchy of documents that describes the +overall Requirements and Guidelines for ONAP (Open Network Automation +Platform). The diagram below identifies where this document fits in the +hierarchy. + ++---------------------------------------------+----------------------------------------+-------------------------------------------+------------------------------+---------------------------------+ +| ONAP Requirements and Guidelines | ++=============================================+========================================+===========================================+==============================+=================================+ +| VNF Guidelines for Network Cloud and ONAP | Future ONAP Subject Documents | ++---------------------------------------------+----------------------------------------+-------------------------------------------+------------------------------+---------------------------------+ +| VNF Cloud Readiness Requirements for ONAP | VNF Management Requirements for ONAP | VNF Heat Template Requirements for ONAP | Future | Future Requirements Documents | +| | | | VNF Requirements Documents | | 
++---------------------------------------------+----------------------------------------+-------------------------------------------+------------------------------+---------------------------------+ + +Document summary: + +*VNF Guidelines for Network Cloud and ONAP* + +- Describes VNF environment and overview of requirements + +*VNF Cloud Readiness Requirements for ONAP* + +- Cloud readiness requirements for VNFs (Design, Resiliency, Security, + and DevOps) + +**VNF Management Requirements for ONAP** + +- Requirements for how VNFs interact and utilize ONAP + +*VNF Heat Template Requirements for ONAP* + +- Provides recommendations and standards for building Heat templates + compatible with ONAP– initial implementations of Network Cloud are + assumed to be OpenStack based. + +Feedback on or questions about the content of this document may be sent +to the following email address: VNFGuidelines@list.att.com. + +The ONAP platform is the part of the larger Network Function +Virtualization/Software Defined Network (NFV/SDN) ecosystem that is +responsible for the efficient control, operation and management of +Virtual Network Function (VNF) capabilities and functions. It specifies +standardized abstractions and interfaces that enable efficient +interoperation of the NVF/SDN ecosystem components. It enables +product/service independent capabilities for design, creation and +runtime lifecycle management (includes all aspects of installation, +change management, assurance, and retirement) of resources in NFV/SDN +environment (see `ECOMP white paper `__\ [1]_). +These capabilities are provided using two major architectural +frameworks: (1) a Design Time Framework to design, define and program +the platform (uniform onboarding), and (2) a Runtime Execution Framework +to execute the logic programmed in the design environment (uniform +delivery and runtime lifecycle management). 
The platform delivers an +integrated information model based on the VNF package to express the +characteristics and behavior of these resources in the Design Time +Framework. The information model is utilized by Runtime Execution +Framework to manage the runtime lifecycle of the VNFs. The management +processes are orchestrated across various modules of ONAP to +instantiate, configure, scale, monitor, and reconfigure the VNFs using a +set of standard APIs provided by the VNF developers. + +Design Definition +================= + +The ONAP Design Time Framework provides the ability to design NFV +resources including VNFs, Services, and products. The vendor must +provide VNF packages that include a rich set of recipes, management and +functional interfaces, policies, configuration parameters, and +infrastructure requirements that can be utilized by the ONAP Design +module to onboard and catalog these resources. Initially this +information may be provided in documents, but in the near future a +method will be developed to automate as much of the transfer of data as +possible to satisfy its long term requirements. + +The current VNF Package Requirement is based on a subset of the +Requirements contained in the ETSI Document: ETSI GS NFV-MAN 001 v1.1.1 +and GS NFV IFA011 V0.3.0 (2015-10) - Network Functions Virtualization +(NFV), Management and Orchestration, VNF Packaging Specification. + +Table 1. 
VNF Package + ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| **Principle** | **Description** | **Type** | **ID#** | ++==========================+===================================================================================================================================================================================================================================================================================================================================================================================================================+============+============+ +| Resource | The VNF Vendor must provide a Manifest File that contains a list of all the components in the VNF package. | Must | 10010 | +| | | | | +| Description | | | | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The package must include VNF Identification Data to uniquely identify the resource for a given Vendor. The identification data must include: an identifier for the VNF, the name of the VNF as was given by the VNF Vendor, VNF description, VNF Vendor, and version. 
| Must | 10020 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Vendor must provide documentation describing VNF Management APIs. The document must include information and tools for: | Must | 10030 | +| | | | | +| | - ONAP to deploy and configure (initially and ongoing) the VNF application(s) (e.g., NETCONF APIs). Includes description of configurable parameters for the VNF and whether the parameters can be configured after VNF instantiation. | | | +| | | | | +| | - ONAP to monitor the health of the VNF (conditions that require healing and/or scaling responses). Includes a description of: | | | +| | | | | +| | - Parameters that can be monitored for the VNF and event records (status, fault, flow, session, call, control plane, etc.) generated by the VNF after instantiation. | | | +| | | | | +| | - Runtime lifecycle events and related actions (e.g., control responses, tests) which can be performed for the VNF. | | | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF package must include documentation describing VNF Functional APIs that are utilized to build network and application services. 
This document describes the externally exposed functional inputs and outputs for the VNF, including interface format and protocols supported. | Must | 10040 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Vendor must provide documentation describing VNF Functional Capabilities that are utilized to operationalize the VNF and compose complex services. | Must | 10050 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Vendor must provide information regarding any dependency (e.g., affinity, anti-affinity) with other VNFs and resources. 
| Must | 10060 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Resource | The VNF Vendor must support and provide artifacts for configuration management using at least one of the following technologies: | Must | 10070 | +| | | | | +| Configuration | - Netconf/YANG | | | +| | | | | +| | - Chef | | | +| | | | | +| | - Ansible | | | +| | | | | +| | Note: The requirements for Netconf/YANG, Chef, and Ansible protocols are provided separately and must be supported only if the corresponding protocol option is provided by the vendor. | | | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | **Configuration Management via Netconf/YANG** | Must | 10071 | +| | | | | +| | The VNF Vendor must provide a Resource/Device YANG model as a foundation for creating the YANG model for configuration. This will include VNF attributes/parameters and valid values/attributes configurable by policy. 
| | | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | **Configuration Management via Chef** | Must | 10072 | +| | | | | +| | - VNF Vendor must provide cookbooks to be loaded on the appropriate Chef Server. | | | +| | | | | +| | - The VNF Vendor is required to provide a JSON file for each supported action for the VNF. The JSON file must contain key value pairs with all relevant values populated with sample data that illustrates its usage. The fields and their description are defined in Appendix A. | | | +| | | | | +| | Note: Chef support in ONAP is not currently available and planned for 4Q 2017. | | | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | **Configuration Management via Ansible** | Must | 10073 | +| | | | | +| | - VNF Vendor must provide playbooks to be loaded on the appropriate Ansible Server. | | | +| | | | | +| | - The VNF Vendor is required to provide a JSON file for each supported action for the VNF. The JSON file must contain key value pairs with all relevant values populated with sample data that illustrates its usage. The fields and their description are defined in Appendix B. 
| | | +| | | | | +| | Note: Ansible support in ONAP is not currently available and planned for 4Q 2017. | | | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Package must include configuration scripts for boot sequence and configuration. | Must | 10080 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Vendor must provide configurable parameters (if unable to conform to YANG model) including VNF attributes/parameters and valid values, dynamic attributes and cross parameter dependencies (e.g., customer provisioning data). | Must | 10090 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Resource | The VNF Vendor must provide documentation for the VNF Policy Description to manage the VNF runtime lifecycle. 
The document must include a description of how the policies (conditions and actions) are implemented in the VNF. | Must | 10100 | +| | | | | +| Control Loop | | | | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Package must include documentation describing the fault, performance, capacity events/alarms and other event records that are made available by the VNF. The document must include: | Must | 10110 | +| | | | | +| | - A unique identification string for the specific VNF, a description of the problem that caused the error, and steps or procedures to perform Root Cause Analysis and resolve the issue. | | | +| | | | | +| | - All events, severity level (e.g., informational, warning, error) and descriptions including causes/fixes if applicable for the event. | | | +| | | | | +| | - All events (fault, measurement for VNF Scaling, Syslogs, State Change and Mobile Flow), that need to be collected at each VM, VNFC (defined in *VNF Guidelines for Network Cloud and ONAP*) and for the overall VNF. 
| | | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Vendor must provide an XML file that contains a list of VNF error codes, descriptions of the error, and possible causes/corrective action. | Must | 10120 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Provide documentation describing all parameters that are available to monitor the VNF after instantiation (includes all counters, OIDs, PM data, KPIs, etc.) that must be collected for reporting purposes. The documentation must include a list of: | Must | 10130 | +| | | | | +| | - Monitoring parameters/counters exposed for virtual resource management and VNF application management. | | | +| | | | | +| | - KPIs and metrics that need to be collected at each VM for capacity planning and performance management purposes. | | | +| | | | | +| | - The monitoring parameters must include latencies, success rates, retry rates, load and quality (e.g., DPM) for the key transactions/functions supported by the VNF and those that must be exercised by the VNF in order to perform its function. | | | +| | | | | +| | - For each KPI, provide lower and upper limits. 
| | | +| | | | | +| | - When relevant, provide a threshold crossing alert point for each KPI and describe the significance of the threshold crossing. | | | +| | | | | +| | - For each KPI, identify the suggested actions that need to be performed when a threshold crossing alert event is recorded. | | | +| | | | | +| | - Describe any requirements for the monitoring component of tools for Network Cloud automation and management to provide these records to components of the VNF. | | | +| | | | | +| | - When applicable, provide calculators needed to convert raw data into appropriate reporting artifacts. | | | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Package must include documentation describing supported VNF scaling capabilities and capacity limits (e.g., number of users, bandwidth, throughput, concurrent calls). | Must | 10140 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Package must include documentation describing the characteristics for the VNF reliability and high availability. 
| Must | 10150 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF vendor must provide an artifact per VNF that contains all of the VNF Event Records supported. The artifact should include reference to the specific release of the VNF Event Stream Common Event Data Model document it is based on. ( `AT&T Service Specification; Service: VES Event Listener `__) | Must | 10151 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Compute, | The VNF Package must include VNF topology that describes basic network and application connectivity internal and external to the VNF including Link type, KPIs, Bandwidth, latency, jitter, QoS (if applicable) for each interface. 
| Must | 10160 | +| | | | | +| Network, | | | | +| | | | | +| Storage | | | | +| | | | | +| Requirements | | | | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Package must include VM requirements via a Heat template that provides the necessary data for: | Must | 10170 | +| | | | | +| | - VM specifications for all VNF components - for hypervisor, CPU, memory, storage. | | | +| | | | | +| | - Network connections, interface connections, internal and external to VNF. | | | +| | | | | +| | - High availability redundancy model. | | | +| | | | | +| | - Scaling/growth VM specifications. | | | +| | | | | +| | Note: Must comply with the *VNF Heat Template Requirements for ONAP*. | | | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Vendor must provide the binaries and images needed to instantiate the VNF (VNF and VNFC images). 
| Must | 10180 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Vendor must describe scaling capabilities to manage scaling characteristics of the VNF. | Must | 10190 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Testing | The VNF Package must include documentation describing the tests that were conducted by the Vendor and the test results. | Must | 10200 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Vendor must provide their testing scripts to support testing. 
| Must | 10210 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF Vendor must provide software components that can be packaged with/near the VNF, if needed, to simulate any functions or systems that connect to the VNF system under test. This component is necessary only if the existing testing environment does not have the necessary simulators. | Must | 10220 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Licensing Requirements | VNFs must provide metrics (e.g., number of sessions, number of subscribers, number of seats, etc.) to ONAP for tracking every license. | Must | 10230 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Contract shall define the reporting process and the available reporting tools. 
The vendor will have to agree to the process that can be met by Service Provider reporting infrastructure. | Must | 10240 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | VNF vendors shall enumerate all of the open source licenses their VNF(s) incorporate. | Must | 10250 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Audits of Service Provider’s business must not be required. | Must | 10260 | ++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Vendor functions and metrics that require additional infrastructure such as a vendor license server for deployment shall not be supported. 
| Must | 10270 |
++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | Provide clear measurements for licensing purposes to allow automated scale up/down by the management system. | Must | 10280 |
++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | The vendor must provide the ability to scale up a vendor supplied product during growth and scale down a vendor supplied product during decline without “real-time” restrictions based upon vendor permissions. | Must | 10290 |
++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | A universal license key must be provided per VNF to be used as needed by services (i.e., not tied to a VM instance) as the recommended solution. 
The vendor may provide pools of Unique VNF License Keys, where there is a unique key for each VNF instance as an alternate solution. Licensing issues should be resolved without interrupting in-service VNFs. | Must | 10300 |
++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | The VNF Vendor must support the metadata about licenses (and their applicable entitlements) as defined in this document for VNF software, and any license keys required to authorize use of the VNF software. This metadata will be used to facilitate onboarding the VNF into the ONAP environment and automating processes for putting the licenses into use and managing the full lifecycle of the licenses. | Must | 10310 |
+| | | | |
+| | The details of this license model are described in Appendix C. | | |
+| | | | |
+| | Note: License metadata support in ONAP is not currently available and planned for 1Q 2018. | | |
++--------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+
+Configuration Management
+========================
+
+ONAP interacts directly with VNFs through its Network and Application
+Adapters to perform configuration activities within NFV environment. 
+These activities include service and resource
+configuration/reconfiguration, automated scaling of resources, service
+and resource removal to support runtime lifecycle management of VNFs and
+services. The Adapters employ a model driven approach along with
+standardized APIs provided by the VNF developers to configure resources
+and manage their runtime lifecycle.
+
+NETCONF Standards and Capabilities
+----------------------------------
+
+ONAP Controllers and their Adapters utilize device YANG model and
+NETCONF APIs to make the required changes in the VNF state and
+configuration. The VNF providers must provide the Device YANG model and
+NETCONF server supporting NETCONF APIs to comply with target ONAP and
+industry standards.
+
+**Table 2. VNF Configuration via NETCONF**
+
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| **Principle** | **Description** | **Type** | **ID #** |
++=================+=======================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+============+============+
+| Configuration | Virtual Network functions 
(VNFs) must include a NETCONF server enabling runtime configuration and lifecycle management capabilities. The NETCONF server embedded in VNFs shall provide a NETCONF interface fully defined by supplied YANG models. | Must | 11010 |
+| | | | |
+| Management | | | |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| NETCONF | NETCONF server connection parameters shall be configurable during virtual machine instantiation through Heat templates where SSH keys, usernames, passwords, SSH service and SSH port numbers are Heat template parameters. | Must | 11020 |
+| | | | |
+| Server | | | |
+| | | | |
+| Requirements | | | |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | Following protocol operations must be implemented: | Must | 11030 |
+| | | | |
+| | **close-session()**- Gracefully close the current session. | | |
+| | | | |
+| | **commit(confirmed, confirm-timeout)** - Commit candidate configuration datastore to the running configuration. 
| | |
+| | | | |
+| | **discard-changes()** - Revert the candidate configuration datastore to the running configuration | | |
+| | | | |
+| | **edit-config(target, default-operation, test-option, error-option, config)** - Edit the target configuration datastore by merging, replacing, creating, or deleting new config elements. | | |
+| | | | |
+| | **get(filter)** - Retrieve (a filtered subset of) the running configuration and device state information. This should include the list of VNF supported schemas. | | |
+| | | | |
+| | **get-config(source, filter)** - Retrieve a (filtered subset of a) configuration from the configuration datastore source. | | |
+| | | | |
+| | **kill-session(session)** - Force the termination of **session**. | | |
+| | | | |
+| | **lock(target)** - Lock the configuration datastore target. | | |
+| | | | |
+| | **unlock(target)** - Unlock the configuration datastore target. | | |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | Following protocol operations should be implemented: | Should | 11040 |
+| | | | |
+| | **copy-config(target, source) -** Copy the content of the configuration datastore source to the configuration datastore target. | | |
+| | | | |
+| | **delete-config(target) -** Delete the named configuration datastore target. | | |
+| | | | |
+| | **get-schema(identifier, version, format) -** Retrieve the YANG schema. 
| | |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | All configuration data shall be editable through a NETCONF <*edit-config*> operation. Proprietary NETCONF RPCs that make configuration changes are not sufficient. | Must | 11050 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | By default, the entire configuration of the VNF must be retrievable via NETCONF's and , independently of whether it was configured via NETCONF or other mechanisms. 
| Must | 11060 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | The **:partial-lock** and **:partial-unlock** capabilities, defined in RFC 5717 must be supported. This allows multiple independent clients to each write to a different part of the configuration at the same time. | Must | 11070 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | The **:rollback-on-error** value for the parameter to the operation must be supported. If any error occurs during the requested edit operation, then the target database (usually the running configuration) will be left affected. This provides an 'all-or-nothing' edit mode for a single request. 
| Must | 11080 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | The server must support the **:startup** capability. It will allow the running configuration to be copied to this special database. It can also be locked and unlocked. | Must | 11090 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | The **:url** value must be supported to specify protocol operation source and target parameters. The capability URI for this feature will indicate which schemes (e.g., file, https, sftp) that the server supports within a particular URL value. The 'file' scheme allows for editable local configuration databases. The other schemes allow for remote storage of configuration databases. 
| Must | 11100 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | At least one of the capabilities **:candidate** or **:writable-running** must be implemented. If both **:candidate** and **:writable-running** are provided then two locks should be supported. | Must | 11110 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | The server must fully support the XPath 1.0 specification for filtered retrieval of configuration and other database contents. The 'type' attribute within the parameter for and operations may be set to 'xpath'. The 'select' attribute (which contains the XPath expression) will also be supported by the server. A server may support partial XPath retrieval filtering, but it cannot advertise the **:xpath** capability unless the entire XPath 1.0 specification is supported. 
| Must | 11120 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | The **:validate** capability must be implemented. | Must | 11130 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | If **:candidate** is supported, **:confirmed-commit** must be implemented. | Must | 11140 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | The **:with-defaults** capability [RFC6243] shall be implemented. 
| Must | 11150 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | Data model discovery and download as defined in [RFC6022] shall be implemented. | Must | 11160 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | NETCONF Event Notifications [RFC5277] should be implemented. | Should | 11170 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | All data models shall be defined in YANG [RFC6020], and the mapping to NETCONF shall follow the rules defined in this RFC. 
| Must | 11180 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | The data model upgrade rules defined in [RFC6020] section 10 should be followed. All deviations from section 10 rules shall be handled by a built-in automatic upgrade mechanism. | Must | 11190 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | The VNF must support parallel and simultaneous configuration of separate objects within itself. 
| Must | 11200 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | Locking is required if a common object is being manipulated by two simultaneous NETCONF configuration operations on the same VNF within the context of the same writable running data store (e.g., if an interface parameter is being configured then it should be locked out for configuration by a simultaneous configuration operation on that same interface parameter). | Must | 11210 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | Locking must be applied based on the sequence of NETCONF operations, with the first configuration operation locking out all others until completed. 
| Must | 11220 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | If a VNF needs to lock an object for configuration, the lock must be permitted at the finest granularity to avoid blocking simultaneous configuration operations on unrelated objects (e.g., BGP configuration should not be locked out if an interface is being configured, Entire Interface configuration should not be locked out if a non-overlapping parameter on the interface is being configured). The granularity of the lock must be able to be specified via a restricted or full XPath expression. | Must | 11230 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | All simultaneous configuration operations should guarantee the VNF configuration integrity (e.g., if a change is attempted to the BUM filter rate from multiple interfaces on the same EVC, then they need to be sequenced in the VNF without locking either configuration method out). 
| Must | 11240 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | To prevent permanent lock-outs, locks must be released: | Must | 11250 |
+| | | | |
+| | a. when/if a session applying the lock is terminated (e.g., SSH session is terminated) | | |
+| | | | |
+| | b. when the corresponding operation succeeds | | |
+| | | | |
+| | c. when a user configured timer has expired forcing the NETCONF SSH Session termination (i.e., product must expose a configuration knob for a user setting of a lock expiration timer) | | |
+| | | | |
+| | Additionally, to guard against hung NETCONF sessions, another NETCONF session should be able to initiate the release of the lock by killing the session owning the lock, using the operation. | | |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | The VNF should support simultaneous operations within the context of this locking requirements framework. 
| Must | 11260 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | The supplied YANG code and associated NETCONF servers shall support all operations, administration and management (OAM) functions available from the supplier for VNFs. | Must | 11270 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | Sub tree filtering must be supported. | Must | 11280 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | Heartbeat via a with null filter shall be supported. 
| Must | 11290 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | Get-schema (ietf-netconf-monitoring) must be supported to pull YANG model over session. | Must | 11300 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | The supplied YANG code shall be validated using the open source pyang [2]_ program using the following commands: | Must | 11310 |
+| | | | |
+| | $ pyang --verbose --strict | | |
+| | | | |
+| | $ echo $! 
| | |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | The echo command must return a zero value otherwise the validation has failed. | Must | 11320 |
++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+
+| | The supplier shall demonstrate mounting the NETCONF server on OpenDaylight (client) and: | Must | 11330 |
+| | | | |
+| | - Modify, update, change, rollback configurations using each configuration data element. | | |
+| | | | |
+| | - Query each state (non-configuration) data element. | | |
+| | | | |
+| | - Execute each YANG RPC. | | |
+| | | | |
+| | - Receive data through each notification statement. 
| | | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ + +The following table provides the Yang models that suppliers must +conform, and those where applicable, that suppliers need to use. + +Table 3. YANG Models + ++----------------+------------------------------------------------------------------------------------+------------+------------+ +| **RFC** | **Description** | **Type** | **ID #** | ++================+====================================================================================+============+============+ +| RFC 6020 | YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF) | Must | 12010 | ++----------------+------------------------------------------------------------------------------------+------------+------------+ +| RFC 6022 | YANG module for NETCONF monitoring | Must | 12020 | ++----------------+------------------------------------------------------------------------------------+------------+------------+ +| RFC 6470 | NETCONF Base Notifications | Must | 12030 | ++----------------+------------------------------------------------------------------------------------+------------+------------+ +| RFC 6244 | An Architecture for Network Management Using NETCONF and YANG | Must | 12040 | ++----------------+------------------------------------------------------------------------------------+------------+------------+ +| RFC 6087 | Guidelines for Authors and Reviewers of YANG Data Model Documents | Must | 12050 | 
++----------------+------------------------------------------------------------------------------------+------------+------------+ +| \*\*RFC 6991 | Common YANG Data Types | Should | 12060 | ++----------------+------------------------------------------------------------------------------------+------------+------------+ +| RFC 6536 | NETCONF Access Control Model | Should | 12070 | ++----------------+------------------------------------------------------------------------------------+------------+------------+ +| RFC 7223 | A YANG Data Model for Interface Management | Should | 12080 | ++----------------+------------------------------------------------------------------------------------+------------+------------+ +| RFC 7224 | IANA Interface Type YANG Module | Should | 12090 | ++----------------+------------------------------------------------------------------------------------+------------+------------+ +| RFC 7277 | A YANG Data Model for IP Management | Should | 12100 | ++----------------+------------------------------------------------------------------------------------+------------+------------+ +| RFC 7317 | A YANG Data Model for System Management | Should | 12110 | ++----------------+------------------------------------------------------------------------------------+------------+------------+ +| RFC 7407 | A YANG Data Model for SNMP Configuration | Should | 12120 | ++----------------+------------------------------------------------------------------------------------+------------+------------+ + +The NETCONF server interface shall fully conform to the following +NETCONF RFCs. + +Table 4. 
NETCONF RFCs + ++------------+--------------------------------------------------------------------+------------+------------+ +| **RFC** | **Description** | **Type** | **ID #** | ++============+====================================================================+============+============+ +| RFC 4741 | NETCONF Configuration Protocol | Must | 12130 | ++------------+--------------------------------------------------------------------+------------+------------+ +| RFC 4742 | Using the NETCONF Configuration Protocol over Secure Shell (SSH) | Must | 12140 | ++------------+--------------------------------------------------------------------+------------+------------+ +| RFC 5277 | NETCONF Event Notification | Must | 12150 | ++------------+--------------------------------------------------------------------+------------+------------+ +| RFC 5717 | Partial Lock Remote Procedure Call | Must | 12160 | ++------------+--------------------------------------------------------------------+------------+------------+ +| RFC 6241 | NETCONF Configuration Protocol | Must | 12170 | ++------------+--------------------------------------------------------------------+------------+------------+ +| RFC 6242 | Using the Network Configuration Protocol over Secure Shell | Must | 12180 | ++------------+--------------------------------------------------------------------+------------+------------+ + +VNF REST APIs +-------------- + +Healthcheck is a command for which no NETCONF support exists. Therefore, +this must be supported using a RESTful interface which we have defined. + +The VNF must provide a REST formatted GET RPCs to support Healthcheck +queries via the GET method over HTTP(s). + +The port number, url, and other authentication information is provided +by the VNF vendor. + +**Table 5. 
VNF REST APIs** + ++-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| **Principal** | **Description** | **Type** | **ID #** | ++=================+=======================================================================================================================================================================================================================================================================================================================================================================================================+============+============+ +| REST APIs | The HealthCheck RPC, executes a vendor-defined VNF Healthcheck over the scope of the entire VNF (e.g., if there are multiple VNFCs, then run a health check, as appropriate, for all VNFCs). It returns a 200 OK if the test completes. A JSON object is returned indicating state (healthy, unhealthy), scope identifier, time-stamp and one or more blocks containing info and fault information. | Must | 12190 | +| | | | | +| | If the VNF is unable to run the HealthCheck, return a standard http error code and message. 
| | | +| | | | | +| | Examples: | | | +| | | | | +| | 200 | | | +| | | | | +| | { | | | +| | | | | +| | "identifier": "scope represented", | | | +| | | | | +| | "state": "healthy", | | | +| | | | | +| | "time": "01-01-1000:0000" | | | +| | | | | +| | } | | | +| | | | | +| | 200 | | | +| | | | | +| | { | | | +| | | | | +| | "identifier": "scope represented", | | | +| | | | | +| | "state": "unhealthy", | | | +| | | | | +| | {[ | | | +| | | | | +| | "info": "System threshold exceeded details", | | | +| | | | | +| | "fault": | | | +| | | | | +| | { | | | +| | | | | +| | "cpuOverall": 0.80, | | | +| | | | | +| | "cpuThreshold": 0.45 | | | +| | | | | +| | } | | | +| | | | | +| | ]}, | | | +| | | | | +| | "time": "01-01-1000:0000" | | | +| | | | | +| | } | | | ++-----------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ + +Chef Standards and Capabilities +------------------------------- + +ONAP will support configuration of VNFs via Chef subject to the +requirements and guidelines defined in this section. + +The Chef configuration management mechanism follows a client-server +model. It requires the presence of a Chef-Client on the VNF that will be +directly managed by a Chef Server. The Chef-client will register with +the appropriate Chef Server and are managed via ‘cookbooks’ and +configuration attributes loaded on the Chef Server which contain all +necessary information to execute the appropriate actions on the VNF via +the Chef-client. 
+ +ONAP will utilize the open source Chef Server, invoke the documented +Chef REST APIs to manage the VNF and requires the use of open source +Chef-Client and Push Jobs Client on the VNF +(https://downloads.chef.io/). + +**Table 6. VNF Configuration via Chef** + ++----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| **Principle** | **Description** | **Type** | **ID #** | ++============================+===============================================================================================================================================================================================================================================================================================================+============+============+ +| Chef Server Requirements | ONAP will interact with the Chef Server designated to manage a target VNF. ONAP design allows for the VNF to register with the following types of Chef Server [3]_: | Must | 12310 | +| | | | | +| | - **Chef Server hosted by ONAP**: ONAP will provide a Chef Server to manage a VNF. If this choice is used then it is required that the VNF Vendor provide all relevant cookbooks to ONAP to be loaded on the Chef Server. | | | +| | | | | +| | - **Chef Server hosted in Tenant Space**: The Chef Server may also be hosted external to ONAP in tenant space. Same guidelines as ONAP Chef Server apply. In addition, the owner is required to provide appropriate credentials to ONAP in order to interact with the Chef Server. 
| | | ++----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Chef Client | It is required that as part of the installation process, the chef-client on the VNF be preloaded with validator keys and configuration to register with the designated Chef Server. | Must | 12320 | +| | | | | +| Requirements | | | | ++----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | All the endpoints (VMs) of a VNF that contain chef-clients are required to have routable FQDNs which are used to register with the Chef Server. As part of invoking VNF actions, ONAP will trigger push jobs against FQDNs of endpoints for a VNF, if required. | Must | 12330 | ++----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | It is recommended that each VNF expose a single endpoint that is responsible for all functionality. 
| May | 12331 | ++----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | It is required that the VNF be installed with | Must | 12340 | +| | | | | +| | - Chef-Client >= 12.0 | | | +| | | | | +| | - Chef push jobs client >= 2.0 | | | ++----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Chef Roles/ | Each VNF Vendor is required to make available for loading on appropriate Chef Server, all relevant Chef artifacts (roles/cookbooks/recipes) required to execute VNF actions requested by ONAP. | Must | 12350 | +| | | | | +| Requirements | | | | ++----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | For each supported VNF action, the VNF Vendor is required to provide a run list of roles/cookbooks/recipes that will perform the desired VNF action in its entirety as specified by ONAP (see Section 3.5 for list of VNF actions and requirements), when triggered by a chef-client run list in JSON file. 
| Must | 12360 | ++----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Roles/cookbooks/recipes invoked for a VNF action must not contain any instance specific parameters for the VNF. Instead they must accept all necessary instance specific data from the environment or node object attributes. | Must | 12370 | ++----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | It is required that all configurable parameters in the roles, cookbooks and recipes that can be set by ONAP, over-ride any default values. | Must | 12380 | ++----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | It is required that when executing a VNF action, if the chef-client run encounters any critical errors/failures, it update status on the Chef Server appropriately (e.g., via a fail or raise an exception). 
| Must | 12390 | ++----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | If the VNF action requires the output of a chef-client run be made available (e.g., get running configuration), an attribute, defined as node[‘PushJobOutput’] must be populated with the desired output on all nodes in the push job that execute chef-client run. | Must | 12400 | ++----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | It is recommended that, for actions that change state of the VNF (e.g., configure), the Vendor design appropriate cookbooks that can automatically ‘rollback’ to the original state in case of any errors. | Must | 12410 | ++----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | It is recommended that any chef-client run associated with a VNF action support callback URLs to return information to ONAP upon completion of the chef-client run. 
| Should | 12420 | +| | | | | +| | - As part of the push job, ONAP will provide two parameters in the environment of the push job JSON object: | | | +| | | | | +| | - ‘RequestId’ a unique Id to be used to identify the request, | | | +| | | | | +| | - ‘CallbackUrl’, the URL to post response back. | | | +| | | | | +| | - If the CallbackUrl field is empty or missing in the push job, then the chef-client run need not post the results back via callback. | | | +| | | | | +| | - If the chef-client run list includes a cookbook/recipe that is callback capable, it is required to, upon completion of the chef-client run, POST back on the callback URL, a JSON object as described in Table A2. | | | +| | | | | +| | - Failure to POST on the Callback Url should not be considered a critical error. That is, if the chef-client successfully completes the VNF action, it should reflect this status on the Chef Server regardless of whether the Callback succeeded or not. | | | ++----------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ + +ONAP Chef API Usage +~~~~~~~~~~~~~~~~~~~ + +This section outlines the workflow that ONAP invokes when it receives an +action request against a Chef managed VNF. + +1. When ONAP receives a request for an action for a Chef Managed VNF, it + retrieves the corresponding template (based on **action** and + **VNF)** from its database and sets necessary values in the + “Environment”, “Node” and “NodeList” keys (if present) from either + the payload of the received action or internal data. + +2. 
If “Environment” key is present in the updated template, it posts the + corresponding JSON dictionary to the appropriate Environment object + REST endpoint on the Chef Server thus updating the Environment + attributes on the Chef Server. + +3. Next, it creates a Node Object from the “Node” JSON dictionary for + all elements listed in the NodeList (using the FQDN to construct the + endpoint) by replicating it [4]_. As part of this process, it will + set the name field in each Node Object to the corresponding FQDN. + These node objects are then posted on the Chef Server to + corresponding Node Object REST endpoints to update the corresponding + node attributes. + +4. If PushJobFlag is set to “True” in the template, ONAP requests a push + job against all the nodes in the NodeList to trigger + chef-client\ **.** It will not invoke any other command via the push + job. ONAP will include a callback URL in the push job request and a + unique Request Id. An example push job posted by ONAP is listed + below: + + { + + "command": "chef-client", + + "run\_timeout": 300, + + "nodes”: [“node1.vnf\_a.onap.com”, “node2.vnf\_a.onap.com”], + + "env": { + + “RequestId”:”8279-abcd-aksdj-19231”, + + “CallbackUrl”:”https://callback.onap:9333” + + }, + + } + +5. If CallbackCapable field in the template is not present or set to + “False” ONAP will poll the Chef Server to check completion status of + the push job. + +6. If “GetOutputFlag” is set to “True” in the template and + CallbackCapable is not set to “True”, ONAP will retrieve any output + from each node where the push job has finished by accessing the Node + Object attribute node[‘PushJobOutput’]. + +Ansible Standards and Capabilities +---------------------------------- + +ONAP will support configuration of VNFs via Ansible subject to the +requirements and guidelines defined in this section. + +Ansible allows agentless management of VMs via execution of ‘playbooks’ +over ssh. 
The ‘playbooks’ are a structured set of tasks which contain +all the necessary data and execution capabilities to take the necessary +action on one or more target VMs of the VNF. ONAP will utilize the +framework of an Ansible Server that will host and invoke playbooks to +manage VNFs that support Ansible. + +**Table 7. VNF Configuration via Ansible** + ++-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| **Principle** | **Description** | **Type** | **ID #** | ++===============================+========================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+============+============+ +| Ansible Server Requirements | ONAP will utilize an Ansible server in order to manage VNFs that support Ansible playbooks. We note that Ansible in general does not require the use of a server. However, this framework has been adopted to align with ONAP architecture, ease of management and scalability. 
| Must | 12510 | +| | | | | +| | All playbooks for the VNF will be hosted on a designated Ansible Server that meets ONAP Ansible API requirements. ONAP design allows for VNFs to be managed by an Ansible Server in any of the two following forms [5]_: | | | +| | | | | +| | - **Ansible Server hosted by ONAP**: ONAP will provide an Ansible Server to manage a VNF. If this choice is used then it is required that the VNF Vendor provide all relevant playbooks to ONAP to be loaded on the Ansible Server. | | | +| | | | | +| | - **Ansible Server hosted in Tenant Space**: Same guidelines as the ONAP Ansible Server. The Ansible Server must meet the ONAP Ansible Server API Interface requirements. | | | ++-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Ansible Client | The endpoints (VMs) of a VNF on which playbooks will be executed must have routable FQDNs that are reachable via the Ansible Server. ONAP will initiate requests to the Ansible Server for invocation of playbooks against these end points [6]_. 
| Must | 12520 | +| | | | | +| Requirements | | | | ++-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | It is recommended that a VNF typically have a single endpoint. | May | 12521 | ++-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The endpoint VM(s) of a VNF on which an Ansible playbook will be executed is required to have Python >= 2.7. 
| Must | 12530 | ++-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The endpoint VM(s) must support SSH and allow SSH access to the Ansible server in line with Network Cloud Service Provider guidelines for authentication and access. | Must | 12540 | ++-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Ansible Playbook | An Ansible playbook is a collection of tasks that is executed on the Ansible server (local host) and/or the target VM (s) in order to complete the desired action. Each VNF Vendor is required to make available (or load on VNF Ansible Server) playbooks that conform to the ONAP requirements. 
| Must | 12550 | +| | | | | +| Requirements | | | | ++-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | It is required that each VNF action be supported by invocation of **one** playbook [7]_. The playbook will be responsible for executing all necessary tasks (as well as calling other playbooks) to complete the request. | Must | 12560 | ++-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | A playbook must not contain any instance specific parameters. It must utilize information from key value pairs that will be provided by the Ansible Server as extra-vars during invocation to execute the desired VNF action. If the playbook requires files, they must also be supplied using the methodology detailed in the Ansible Server API. 
| Must | 12570 | ++-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The Ansible Server will determine if a playbook invoked to execute a VNF action finished successfully or not using the “PLAY\_RECAP” summary in Ansible log. The playbook will be considered to successfully finish only if the “PLAY RECAP” section at the end of playbook execution output has no unreachable hosts and no failed tasks. Otherwise, the playbook will be considered to have failed. | Must | 12580 | ++-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | VNF vendor must design playbooks to allow Ansible Server to infer failure or success based on the “PLAY\_RECAP” capability. 
| Must | 12590 | ++-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | If, as part of a VNF action (e.g., audit), a playbook is required to return any VNF information, it must be written to a specific set of text files that will be retrieved and made available by the Ansible Server. The text files must be written in the same directory as the one from which the playbook is being executed. A text file must be created for each host the playbook is run on, with the name ‘ \_results.txt’ into which any desired output from each respective VM/VNF must be written. | Must | 12600 | ++-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | It is recommended that, for actions that change state of the VNF (e.g., configure), the VNF Vendor design appropriate playbooks that can automatically ‘rollback’ to the original state in case of any errors. 
| Should | 12610 | +| | | | | +| | NOTE: In case rollback at the playbook level is not supported or possible, vendor shall provide alternative locking mechanism (e.g., for a small VNF the rollback mechanism may rely on workflow to terminate and re-instantiate VNF VMs and then re-run playbook(s)). | | | ++-------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ + +ONAP Controller APIs and Behavior +--------------------------------- + +ONAP Controllers support the following operations which act directly +upon the VNF. Most of these utilize the NETCONF interface. There are +additional commands in use but these either act internally on Controller +itself or depend upon network cloud components for implementation. Those +actions do not put any special requirement on the VNF provider. + +The following table summarizes how the VNF must act in response to +commands from ONAP. + +Table 8. 
ONAP Controller APIs and NETCONF Commands + ++---------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| **Action** | **Description** | **NETCONF Commands** | ++=====================+==================================================================================================================================================================================================================================================================================+===============================================================================================================================================================================================================================+ +| Action | Queries ONAP Controller for the current state of a previously submitted runtime LCM (Lifecycle Management) action. | There is currently no way to check the request status in NETCONF so action status is managed internally by the ONAP controller. 
| +| | | | +| Status | | | ++---------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Audit, Sync | Compare active (uploaded) configuration against the current configuration in the ONAP controller. Audit returns failure if different. Sync considers the active (uploaded) configuration as the current configuration. | The operation is used to retrieve the running configuration from the VNF. | ++---------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Lock, | Returns true when the given VNF has been locked. | There is currently no way to query lock state in NETCONF so VNF locking and unlocking is managed internally by the ONAP controller. 
| +| | | | +| Unlock, | | | +| | | | +| CheckLock | | | ++---------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Configure, | Configure applies a post-instantiation configuration the target VNF or VNFC. ConfigModify updates only a subset of the total configuration parameters of a VNF. | The operation loads all or part of a specified configuration data set to the specified target database. If there is no database, then the target is the database. A follows. | +| | | | +| ConfigModify | | | ++---------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Health | Executes a VNF health check and returns the result. A health check is VNF-specific. | The ONAP health check interface is defined over REST and requires the target VNF to expose a standardized HTTP(S) interface for that purpose. See Section 3.2. 
| +| | | | +| Check | | | ++---------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| StartApplication, | ONAP requests application to be started or stopped on the VNF or VNFC. These actions do not need to be supported if (1) the application starts automatically after Configure or if the VM’s are started and (2) the application gracefully shuts down if the VM’s are stopped. | These commands have no specific NETCONF RPC action. | +| | | | +| StopApplication | | They can be supported using Ansible or Chef (see Table 9 below). | ++---------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| SoftwareUpload, | Upgrades the target VNF to a new version without interrupting VNF operation. | These commands have no specific NETCONF RPC action. | +| | | | +| LiveUpgrade | | They can be supported using Ansible or Chef (see Table 9 below). 
| ++---------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Table 9 lists the required Chef and Ansible support for commands from +ONAP. + +Table 9. ONAP Controller APIs and Chef/Ansible Support + ++---------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| **Action** | **Chef** | **Ansible** | ++=====================+==================================================================================================================================================================================================================================================================================================+=========================================================================================================================================================================================================================================================+ +| Action | Not needed. ActionStatus is managed internally by the ONAP controller. | Not needed. ActionStatus is managed internally by the ONAP controller. 
| +| | | | +| Status | | | ++---------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Audit, Sync | VNF Vendor must provide any necessary roles, cookbooks, recipes to retrieve the running configuration from a VNF and place it in the respective Node Objects ‘PushJobOutput’ attribute of all nodes in NodeList when triggered by a chef-client run. | VNF Vendor must provide an Ansible playbook to retrieve the running configuration from a VNF and place the output on the Ansible server in a manner aligned with playbook requirements listed in this document. | +| | | | +| | The JSON file for this VNF action is required to set “PushJobFlag” to “True” and “GetOutputFlag” to “True”. The “Node” JSON dictionary must have the run list populated with the necessary sequence of roles, cookbooks, recipes. | The PlaybookName must be provided in the JSON file. | +| | | | +| | The Environment and Node values should contain all appropriate configuration attributes. | NodeList must list FQDNs of an example VNF on which to execute playbook. | +| | | | +| | NodeList must list sample FQDNs that are required to conduct a chef-client run for this VNF Action. 
| | ++---------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Lock, | Not needed. VNF locking and unlocking is managed internally by the ONAP controller. | Not needed. VNF locking and unlocking is managed internally by the ONAP controller. | +| | | | +| Unlock, | | | +| | | | +| CheckLock | | | ++---------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Configure, | VNF Vendor must provide any necessary roles, cookbooks, recipes to apply configuration attributes to the VNF when triggered by a chef-client run. All configurable attributes must be obtained from the Environment and Node objects on the Chef Server. | VNF Vendor must provide an Ansible playbook that can configure the VNF with parameters supplied by the Ansible Server. | +| | | | +| ConfigModify | The JSON file for this VNF action should include all configurable attributes in the Environment and/or Node JSON dictionary. | The PlaybookName must be provided in the JSON file. 
| +| | | | +| | The “PushJobFlag” must be set to “True”. | The “EnvParameters” and/or “FileParameters” field values should be provided and contain all configurable parameters for the VNF. | +| | | | +| | The “Node” JSON dictionary must have the run list populated with necessary sequence of roles, cookbooks, recipes. This action is not expected to return an output. | NodeList must list FQDNs of an example VNF on which to execute playbook. | +| | | | +| | “GetOutputFlag” must be set to “False”. | | +| | | | +| | NodeList must list sample FQDNs that are required to conduct a chef-client run for this VNF Action. | | ++---------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| Health | The ONAP health check interface is defined over REST and requires the target VNF to expose a standardized HTTP(S) interface for that purpose. See Section 3.2. | The ONAP health check interface is defined over REST and requires the target VNF to expose a standardized HTTP(S) interface for that purpose. See Section 3.2. 
| +| | | | +| Check | | | ++---------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| StartApplication, | VNF Vendor must provide roles, cookbooks, recipes to start an application on the VNF when triggered by a chef-client run. If application does not start, the run must fail or raise an exception. If application is already started, or starts successfully, the run must finish successfully. | VNF Vendor must provide an Ansible playbook to start the application on the VNF. If application does not start, the playbook must indicate failure. If application is already started, or starts successfully, the playbook must finish successfully. | +| | | | +| StopApplication | For StopApplication, the application must be stopped gracefully (no loss of traffic). | For StopApplication, the application must be stopped gracefully (no loss of traffic). 
| ++---------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| SoftwareUpload, | VNF Vendor must provide any necessary roles, cookbooks, recipes to apply a software upgrade to the VNF when triggered by a chef-client run. | VNF Vendor must provide an Ansible playbook that can apply a software upgrade to the VNF when triggered by the Ansible server | +| | | | +| LiveUpgrade | | | ++---------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +For information purposes, the following ONAP controller functions are +planned in the future: + +Table 10. 
Planned ONAP Controller Functions + ++------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| ConfigSave, | ConfigSave stores the VNF running configuration to a url or file using a specified name. ConfigRestore replaces the VNF running configuration with the configuration previously stored with a url or file with the specified name. | +| | | +| ConfigRestore | | ++==================+==================================================================================================================================================================================================================================================================================================================+ +| Reconfigure | If the audit fails, Reconfigure may be used to be replace the VNF running configuration using a previously uploaded configuration in the ONAP controller. | ++------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| ConfigStartup | ConfigStartup is used to store a running configuration to be used when a VNF is rebooted. 
| ++------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| ConfigRecovery | ConfigRecovery is used to replace the running configuration with a recovery configuration. This recovery configuration is stored in the ONAP Controller and is the configuration uploaded after instantiation. It will only be used if there is no other option to restore the VNF to a working configuration. | ++------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ +| StatusQuery | Executes a VNF status query and returns the result. A status query is VNF-specific. | ++------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ + +Monitoring & Management +======================= + +This section addresses data collection and event processing +functionality that is directly dependent on the interfaces provided by +the VNFs’ APIs. These can be in the form of asynchronous interfaces for +event, fault notifications, and autonomous data streams. They can also +be synchronous interfaces for on-demand requests to retrieve various +performance, usage, and other event information. 
+
+The target direction for VNF interfaces is to employ APIs that are
+implemented utilizing standardized messaging and modeling protocols over
+standardized transports. Migrating to a virtualized environment presents
+a tremendous opportunity to eliminate the need for proprietary
+interfaces for vendor equipment while removing the traditional
+boundaries between Network Management Systems and Element Management
+Systems. Additionally, VNFs provide the ability to instrument the
+networking applications by creating event records to test and monitor
+end-to-end data flow through the network, similar to what physical or
+virtual probes provide without the need to insert probes at various
+points in the network. The VNF vendors must be able to provide the
+aforementioned set of required data directly to the ONAP collection
+layer using standardized interfaces.
+
+Transports and Protocols Supporting Resource Interfaces
+-------------------------------------------------------
+
+Delivery of data from VNFs to ONAP must use the same common transport
+mechanisms and protocols for all VNFs. Transport mechanisms and
+protocols have been selected to enable both high volume and moderate
+volume datasets, as well as asynchronous and synchronous communications
+over secure connections. The specified encoding provides
+self-documenting content, so data fields can be changed as needs evolve,
+while minimizing changes to data delivery.
+
+The term ‘Event Record’ is used throughout this document to represent
+various forms instrumentation/telemetry made available by the VNF
+including, faults, status events and various other types of VNF
+measurements and logs. Headers received by themselves must be used as
+heartbeat indicators. The common structure and delivery protocols for
+other types of data will be given in future versions of this document as
+we get more insight into data volumes and required processing.
+ +In the following guidelines, we provide options for encoding, +serialization and data delivery. Agreements between Service Providers +and VNF vendors shall determine which encoding, serialization and +delivery method to use for particular data sets. The selected methods +must be agreed to prior to the on-boarding of the VNF into ONAP design +studio. + +Table 11. Monitoring & Management + ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| **Principle** | **Description** | **Type** | **ID #** | 
++==============================================+=====================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+============+============+ +| VNF telemetry via standardized interface | VNFs must provide all telemetry (e.g., fault event records, syslog records, performance records etc.) to ONAP using the model, format and mechanisms described in this section. | Must | 13005 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Encoding and Serialization | Content delivered from VNFs to ONAP is to be encoded and serialized using JSON (option 1). 
High-volume data is to be encoded and serialized using Avro, where Avro data format are described using JSON (option 2) [8]_. | Must | 13010 |
+| | | | |
+| | - JSON plain text format is preferred for moderate volume data sets (option 1), as JSON has the advantage of having well-understood simple processing and being human-readable without additional decoding. Examples of moderate volume data sets include the fault alarms and performance alerts, heartbeat messages, measurements used for VNF scaling and syslogs. | | |
+| | | | |
+| | - Binary format using Avro is preferred for high volume data sets (option 2) such as mobility flow measurements and other high-volume streaming events (such as mobility signaling events or SIP signaling) or bulk data, as this will significantly reduce the volume of data to be transmitted. As of the date of this document, all events are reported using plain text JSON and REST. | | |
+| | | | |
+| | - Avro content is self-documented, using a JSON schema. The JSON schema is delivered along with the data content (http://avro.apache.org/docs/current/ ). This means the presence and position of data fields can be recognized automatically, as well as the data format, definition and other attributes. Avro content can be serialized as JSON tagged text or as binary. In binary format, the JSON schema is included as a separate data block, so the content is not tagged, further compressing the volume. For streaming data, Avro will read the schema when the stream is established and apply the schema to the received content. | | |
+| | | | |
+| | - In the future, we may consider support for other types of encoding & serialization (e.g., gRPC) based on industry demand.
| | | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Reporting Frequency | The frequency that asynchronous data is delivered will vary based on the content and how data may be aggregated or grouped together. For example, alarms and alerts are expected to be delivered as soon as they appear. In contrast, other content, such as performance measurements, KPIs or reported network signaling may have various ways of packaging and delivering content. Some content should be streamed immediately; or content may be monitored over a time interval, then packaged as collection of records and delivered as block; or data may be collected until a package of a certain size has been collected; or content may be summarized statistically over a time interval, or computed as a KPI, with the summary or KPI being delivered. | Must | 13020 | +| | | | | +| | - We expect the reporting frequency to be configurable depending on the virtual network function’s needs for management. For example, Service Provider may choose to vary the frequency of collection between normal and trouble-shooting scenarios. 
| | | +| | | | | +| | - Decisions about the frequency of data reporting will affect the size of delivered data sets, recommended delivery method, and how the data will be interpreted by ONAP. However, this should not affect deserialization and decoding of the data, which will be guided by the accompanying JSON schema. | | | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Addressing and Delivery Protocol | ONAP destinations can be addressed by URLs for RESTful data PUT. Future data sets may also be addressed by host name and port number for TCP streaming, or by host name and landing zone directory for SFTP transfer of bulk files. | Must | 13030 | +| | | | | +| | - REST using HTTPS delivery of plain text JSON is preferred for moderate sized asynchronous data sets, and for high volume data sets when feasible.  | | | +| | | | | +| | - VNFs must have the capability of maintaining a primary and backup DNS name (URL) for connecting to ONAP collectors, with the ability to switch between addresses based on conditions defined by policy such as time-outs, and buffering to store messages until they can be delivered. At its discretion, the service provider may choose to populate only one collector address for a VNF. 
In this case, the network will promptly resolve connectivity problems caused by a collector or network failure transparently to the VNF. | | | +| | | | | +| | - VNFs will be configured with initial address(es) to use at deployment time. After that the address(es) may be changed through ONAP-defined policies delivered from ONAP to the VNF using PUTs to a RESTful API, in the same way that other controls over data reporting will be controlled by policy. | | | +| | | | | +| | - Other options are expected to include: | | | +| | | | | +| | - REST delivery of binary encoded data sets. | | | +| | | | | +| | - TCP for high volume streaming asynchronous data sets and for other high volume data sets. TCP delivery can be used for either JSON or binary encoded data sets. | | | +| | | | | +| | - SFTP for asynchronous bulk files, such as bulk files that contain large volumes of data collected over a long time interval or data collected across many VNFs. This is not preferred. Preferred is to reorganize the data into more frequent or more focused data sets, and deliver these by REST or TCP as appropriate. | | | +| | | | | +| | - REST for synchronous data, using RESTCONF (e.g., for VNF state polling). | | | +| | | | | +| | - The ONAP addresses as data destinations for each VNF must be provided by ONAP Policy, and may be changed by Policy while the VNF is in operation. We expect the VNF to be capable of redirecting traffic to changed destinations with no loss of data, for example from one REST URL to another, or from one TCP host and port to another. 
| | | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Asynchronous and Synchronous Data Delivery | VNFs are to deliver asynchronous data as data becomes available, or according to the configured frequency. The delivered data must be encoded using JSON or Avro, addressed and delivered as described in the previous paragraphs. 
| Must | 13040 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | VNFs are to respond to data requests from ONAP as soon as those requests are received, as a synchronous response. | Must | 13050 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Synchronous communication must leverage the RESTCONF/NETCONF framework used by the ONAP configuration subsystem. 
This shall include using YANG configuration models and RESTCONF (https://tools.ietf.org/html/draft-ietf-netconf-restconf-09#page-46). | Must | 13060 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The VNF must respond with content encoded in JSON, as described in the RESTCONF specification. This way the encoding of a synchronous communication will be consistent with Avro. 
| Must | 13070 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | ONAP may request the VNF to deliver the current data for any of the record types defined in Section 4.2 below. The VNF must respond by returning the requested record, populated with the current field values. (Currently the defined record types include the common header record, technology independent records such as Fault, Heartbeat, State Change, Syslog, and technology specific records such as Mobile Flow, Signaling and Voice Quality records.  Additional record types will be added in the future as they are standardized and become available.) 
| Must | 13080 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | ONAP may request the VNF to deliver granular data on device or subsystem status or performance, referencing the YANG configuration model for the VNF. The VNF must respond by returning the requested data elements. 
| Must | 13090 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | If YANG models need to be translated to and from JSON, (https://trac.tools.ietf.org/id/draft-lhotka-netmod-yang-json-00.html) should be utilized for translation, meaning YANG configuration and content can be represented via JSON, consistent with Avro, as described in “Encoding and Serialization” section. 
| Should | 13100 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Security | VNFs must support secure connections and transports. | Must | 13110 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Access to ONAP and to VNFs, and creation of connections, must be controlled through secure credentials, log-on and exchange mechanisms. 
| Must | 13120 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Data in motion must be carried only over secure connections. | Must | 13130 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Service Providers require that any content containing Sensitive Personal Information (SPI) or certain proprietary data must be encrypted, in addition to applying the regular procedures for securing access and delivery. 
| Must | 13140 | ++----------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ + +Data Model for Event Records +----------------------------- + +This section describes the data model for the collection of telemetry +data from VNFs by Service Providers (SPs) to manage VNF health and +runtime lifecycle. This data model is referred to as the VNF Event +Streaming (VES) specifications. While this document is focused on +specifying some of the records from the ONAP perspective, there may be +other external bodies using the same framework to specify additional +records. For example, OPNFV has a VES project [9]_ that is looking to +specify records for OpenStack’s internal telemetry to manage Application +(VNFs), physical and virtual infrastructure (compute, storage, network +devices), and virtual infrastructure managers (cloud controllers, SDN +controllers). Note that any configurable parameters for these data +records (e.g., frequency, granularity, policy-based configuration) will +be managed using the “Configuration” framework described in the prior +sections of this document. 
+
+The Data Model consists of:
+
+- Common Header Record: This data structure precedes each of the
+ Technology Independent and Technology Specific records sections of
+ the data model.
+
+- Technology Independent Records: This version of the document
+ specifies the model for Fault, Heartbeat, State Change, Syslog,
+ Threshold Crossing Alerts, and VF Scaling\* (short for
+ measurementForVfScalingFields) records. In the future, these may be
+ extended to support other types of technology independent records.
+ Each of these records allows additional fields (name/ value pairs)
+ for extensibility. The vendors can use these vendor-specific
+ additional fields to provide additional information that may be
+ relevant to the managing systems.
+
+- Technology Specific Records: This version of the document specifies
+ the model for Mobile Flow records, Signaling and Voice Quality
+ records. In the future, these may be extended to support other types
+ of records (e.g., Network Fabric, Security records, etc.). Each of
+ these records allows additional fields (name/value pairs) for
+ extensibility. The VNF vendors can use these VNF-specific additional
+ fields to provide additional information that may be relevant to the
+ managing systems. A placeholder for additional technology specific
+ areas of interest to be defined in the future documents has been
+ depicted.
+
+|image0|
+Figure 1. Data Model for Event Records
+
+Event Records - Data Structure Description
+------------------------------------------
+
+The data structure for event records consists of:
+
+- a Common Event Header block;
+
+- zero or more technology independent domain blocks; and
+
+ - e.g., Fault domain, State Change domain, Syslog domain, etc.
+
+- zero or more technology specific domain blocks.
+
+ - e.g., Mobile Flow domain, Signaling domain, Voice Quality domain,
+ etc.
+
+Note: Heartbeat records would only have the Common Event Header block.
+An optional heartbeat domain is available if required by the heartbeat
+implementation.
+
+Common Event Header
+~~~~~~~~~~~~~~~~~~~~~
+
+The common header that precedes any of the domain-specific records
+contains information identifying the type of record to follow,
+information about the sender and other identifying characteristics
+related to timestamp, sequence number, etc.
+
+Technology Independent Records – Fault Fields
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The Fault Record, describing a condition in the Fault domain, contains
+information about the fault such as the entity under fault, the
+severity, resulting status, etc.
+
+Technology Independent Records – Heartbeat Fields
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The Heartbeat Record provides an optional structure for communicating
+information about heartbeat or watchdog signaling events. It can contain
+information about service intervals, status information etc. as required
+by the heartbeat implementation.
+
+Technology Independent Records – State Change Fields
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The State Change Record provides a structure for communicating
+information about data flow through the VNF. It can contain information
+about state change related to physical device that is reported by VNF.
+As an example, when cards or port name of the entity that has changed
+state.
+
+Technology Independent Records – Syslog Fields
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The Syslog Record provides a structure for communicating any type of
+information that may be logged by the VNF. It can contain information
+about system internal events, status, errors, etc.
+
+Technology Independent Records – Threshold Crossing Alert Fields
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The Threshold Crossing Alert (TCA) Record provides a structure for
+communicating information about threshold crossing alerts. It can
+contain alert definitions and types, actions, events, timestamps and
+physical or logical details.
+
+Technology Independent Records - VF Scaling Fields
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The VF Scaling\* (short for measurementForVfScalingFields) Record
+contains information about VF and VNF resource structure and its
+condition to help in the management of the resources for purposes of
+elastic scaling.
+
+Technology Independent Records – otherFields
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The otherFields Record defines fields for events belonging to the
+otherFields domain of the Technology Independent domain enumeration.
+This record provides a mechanism to convey a complex set of fields
+(possibly nested or opaque) and is purely intended to address
+miscellaneous needs such as addressing time-to-market considerations or
+other proof-of-concept evaluations.  Hence, use of this record type is
+discouraged and should be minimized.
+
+Technology Specific Records – Mobile Flow Fields
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The Mobile Flow Record provides a structure for communicating
+information about data flow through the VNF. It can contain information
+about connectivity and data flows between serving elements for mobile
+service, such as between LTE reference points, etc.
+
+Technology Specific Records – Signaling Fields
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The Signaling Record provides a structure for communicating information
+about signaling messages, parameters and signaling state. It can contain
+information about data flows for
+`signaling `__
+and controlling
+`multimedia `__ communication
+`session `__\ s
+such as `voice `__ and
+`video calls `__.
+
+Technology Specific Records – Voice Quality Fields
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The Voice Quality Record provides a structure for communicating
+information about voice quality statistics including media connection
+information, such as transmitted octet and packet counts, packet loss,
+packet delay variation, round-trip delay, QoS parameters and codec
+selection.
+
+Technology Specific Records – Future Domains
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+The futureDomains Record is a placeholder for additional technology
+specific areas of interest that will be defined and described in the
+future documents.
+
+Data Structure Specification of the Event Record
+------------------------------------------------
+
+For additional information on the event record formats of the data
+structures mentioned above, please refer to `AT&T Service Specification;
+Service: VES Event
+Listener `__.
+
+**Appendix A – Chef JSON Key Value Description**
+
+The following provides the key value pairs that must be contained in the
+JSON file supporting Chef action.
+
+Table A1.
Chef JSON File key value description +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------+ +| **Field Name** | **Description** | **Type** | **Comment** | ++===================+===================================================================================================================================================================================================================================================================================================+=============+=========================================================================================================================================+ +| Environment | A JSON dictionary representing a Chef Environment object. If the VNF action requires loading or modifying Chef environment attributes associated with the VNF, all the relevant information must be provided in this JSON dictionary in a structure that conforms to a Chef Environment Object. | Optional | Depends on VNF action. | ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------+ +| Node | A JSON dictionary representing a Chef Node Object. 
| Mandatory | | +| | | | | +| | The Node JSON dictionary must include the run list to be triggered for the desired VNF action by the push job. It should also include any attributes that need to be configured on the Node Object as part of the VNF action. | | | ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------+ +| NodeList | Array of FQDNs that correspond to the endpoints (VMs) of a VNF registered with the Chef Server that need to trigger a chef-client run as part of the desired VNF action. | Mandatory | | ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------+ +| PushJobFlag | This field indicates whether the VNF action requires a push Job. Push job object will be created by ONAP if required. | Mandatory | If set to “True”, ONAP will request a push job. Ignored otherwise. 
| ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------+ +| CallbackCapable | This field indicates if the chef-client run invoked by push job corresponding to the VNF action is capable of posting results on a callback URL. | Optional | If Chef cookbook is callback capable, VNF owner is required to set it to “True”. Ignored otherwise. | ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------+ +| GetOutputFlag | Flag which indicates whether ONAP should retrieve output generated in a chef-client run from Node object attribute node[‘PushJobOutput’] for this VNF action (e.g., in Audit). | Mandatory | ONAP will retrieve output from NodeObject attributes [‘PushJobOutput’] for all nodes in NodeList if set to “True”. Ignored otherwise. 
| ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-----------------------------------------------------------------------------------------------------------------------------------------+ + +Chef Template example: + +“Environment”:{ + + "name": "HAR", + + "description": "VNF Chef environment for HAR", + + "json\_class": "Chef::Environment", + + "chef\_type": "environment", + + "default\_attributes": { }, + + "override\_attributes": { + + “Retry\_Time”:”50”, + + “MemCache”: “1024”, + + “Database\_IP”:”10.10.1.5” + + }, + +} + +} + +“Node”: { + + “name” : “signal.network.com “ + + "chef\_type": "node", + + "json\_class": "Chef::Node", + + "attributes": { + + “IPAddress1”: “192.168.1.2”, + + “IPAddress2”:”135.16.162.5”, + + “MyRole”:”BE” + + }, + + "override": {}, + + "default": {}, + + “normal”:{}, + + “automatic”:{}, + + “chef\_environment” : “\_default” + + "run\_list": [ "configure\_signal" ] + + }, + + “NodeList”:[“node1.vnf\_a.onap.com”, “node2.vnf\_a.onap.com”], + + “PushJobFlag”: “True” + + “CallbackCapable”:True + + “GetOutputFlag” : “False” + +} + +The example JSON file provided by the vendor for each VNF action will be +turned into a template by ONAP, that can be updated with instance +specific values at run-time. + +Some points worth noting regarding the JSON fields: + +a. The JSON file must be created for each action for each VNF. + +b. If a VNF action involves multiple endpoints (VMs) of a VNF, ONAP will + replicate the “Node” JSON dictionary in the template and post it to + each FQDN (i.e., endpoint) in the NodeList after setting the “name” + field in the Node object to be the respective FQDN [10]_. 
Hence, it + is required that all end points (VMs) of a VNF involved in a VNF + action support the same set of Node Object attributes. + +The following table describes the JSON dictionary to post in Callback. + +Table A2. JSON Dictionary to Post in Callback +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-------------------------------------------------------------+ +| **Key** | **Description** | **Type** | **Comment** | ++=================+===========================================================================================================================================================================================================+=============+=============================================================+ +| RequestId | A unique string associated with the original request by ONAP. This key-value pair will be provided by ONAP in the environment of the push job request and must be returned as part of the POST message. | Mandatory | | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-------------------------------------------------------------+ +| StatusCode | An integer that must be set to | Mandatory | | +| | | | | +| | 200 if chef-client run on the node finished successfully | | | +| | | | | +| | 500 otherwise. 
| | | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-------------------------------------------------------------+ +| StatusMessage | A string which must be set to | Mandatory | | +| | | | | +| | ‘SUCCESS’ if StatusCode was 200 | | | +| | | | | +| | Appropriate error message otherwise. | | | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-------------------------------------------------------------+ +| Name | A string which corresponds to the name of the node where push job is run. It is required that the value be retrieved from the node object attributes (where it is always defined). | Mandatory | | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-------------------------------------------------------------+ +| PushJobOutput | Any output from the chef-client run that needs to be returned to ONAP. | Optional | Depends on VNF action. If empty, it must not be included. | ++-----------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+-------------------------------------------------------------+ + + +**Appendix B – Ansible JSON Key Value Description** + +The following provides the key value pairs that must be contained in the +JSON file supporting Ansible action. + +Table B1. 
Ansible JSON File key value description +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+---------------------------------------------------------------------+ +| **Field Name** | **Description** | **Type** | **Comment** | ++==================+============================================================================================================================================================================================================================================================================================+=============+=====================================================================+ +| PlaybookName | VNF Vendor must list name of the playbook used to execute the VNF action. | Mandatory | | ++------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+---------------------------------------------------------------------+ +| Action | Name of VNF action. | Optional | | ++------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+---------------------------------------------------------------------+ +| EnvParameters | A JSON dictionary which should list key value pairs to be passed to the Ansible playbook. 
These values would correspond to instance specific parameters that a playbook may need to execute an action. | Optional | Depends on the VNF action. | ++------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+---------------------------------------------------------------------+ +| NodeList | A JSON array of FQDNs that the playbook must be executed on. | Optional | If not provided, playbook will be executed on the Ansible Server. | ++------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+---------------------------------------------------------------------+ +| FileParameters | A JSON dictionary where keys are filenames and values are contents of files. The Ansible Server will utilize this feature to generate files with keys as filenames and values as content. This attribute can be used to generate files that a playbook may require as part of execution. | Optional | Depends on the VNF action and playbook design. | ++------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+---------------------------------------------------------------------+ +| Timeout | Time (in seconds) that a playbook is expected to take to finish execution for the VNF. 
If playbook execution time exceeds this value, Ansible Server will terminate the playbook process. | Optional | | ++------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+---------------------------------------------------------------------+ + +Ansible JSON file example: + +{ + + “Action”:”Configure”, + + "PlaybookName": "Ansible\_configure.yml", + + "NodeList": ["test1.vnf\_b.onap.com", “test2.vnf\_b.onap.com”], + + "Timeout": 60, + + "EnvParameters": {"Retry": 3, "Wait": 5, “ConfigFile”:”config.txt”}, + + “FileParameters”:{“config.txt”:”db\_ip=10.1.1.1, sip\_timer=10000”} + +} + +In the above example, the Ansible Server will: + +a. Process the “FileParameters” dictionary and generate a file named + ‘config.txt’ with contents set to the value of the ‘config.txt’ key. + +b. Execute the playbook named ‘Ansible\_configure.yml’ on nodes with + FQDNs test1.vnf\_b.onap.com and test2.vnf\_b.onap.com respectively + while providing the following key value pairs to the playbook: + Retry=3, Wait=5, ConfigFile=config.txt + +c. If execution time of the playbook exceeds 60 secs (across all hosts), + it will be terminated. + +**Appendix C – VNF License Information Guidelines** + +This Appendix describes the metadata to be supplied for VNF licenses. + +1. General Information + +Table C1 defines the required and optional fields for licenses. + +Table C1. 
Required Fields for General Information +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++--------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+-------------+ +| **Field Name** | **Description** | **Data Type** | **Type** | ++================================+===========================================================================================================================================================================================================================================================================================================+===================+=============+ +| Vendor Name | The name of the vendor. | String | Mandatory | ++--------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+-------------+ +| Vendor Product | The name of the product to which this agreement applies. | String | Mandatory | +| | | | | +| | Note: a contract/agreement may apply to more than one vendor product. In that case, provide the metadata for each product separately. 
| | | ++--------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+-------------+ +| Vendor Product Description | A general description of vendor software product. | String | Optional | ++--------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+-------------+ +| Export Control | ECCNs are 5-character alpha-numeric designations used on the Commerce Control List (CCL) to identify dual-use items for export control purposes. An ECCN categorizes items based on the nature of the product, i.e. type of commodity, software, or technology and its respective technical parameters. | String | Mandatory | +| | | | | +| Classification Number (ECCN) | | | | ++--------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+-------------+ +| Reporting Requirements | A list of any reporting requirements on the usage of the software product. 
| List of strings | Optional | ++--------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+-------------+ + +1. Entitlements + +Entitlements describe software license use rights. The use rights may be +quantified by various metrics: # users, # software instances, # units. +The use rights may be limited by various criteria: location (physical or +logical), type of customer, type of device, time, etc. + +One or more entitlements can be defined; each one consists of the +following fields: + +Table C2. Required Fields for Entitlements +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++-----------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+---------------+ +| **Field Name** | **Description** | **Data Type** | **Type** | ++=====================================================+=======================================================================================================================================================================================+===================+===============+ +| Vendor Part Number / Manufacture Reference Number | Identifier for the entitlement as described by the vendor in their price list / catalog / contract. 
| String | Mandatory | ++-----------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+---------------+ +| Description | Verbiage that describes the entitlement. | String | Optional | ++-----------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+---------------+ +| Entitlement Identifier | Each entitlement defined must be identified by a unique value (e.g., numbered 1, 2, 3….) | String | Mandatory | ++-----------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+---------------+ +| Minimum Order Requirement | The minimum number of entitlements that need to be purchased. For example, the entitlements must be purchased in a block of 100. If no minimum is required, the value will be zero. | Number | Mandatory | ++-----------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+---------------+ +| Unique Reporting Requirements | A list of any reporting requirements on the usage of the software product. 
(e.g.: quarterly usage reports are required) | List of Strings | Optional | ++-----------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+---------------+ +| License Type | Type of license applicable to the software product. (e.g.: fixed-term, perpetual, trial, subscription.) | String | Mandatory | ++-----------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+---------------+ +| License Duration | Valid values: | String | Conditional | +| | | | | +| | **year**, **quarter**, **month**, **day**. | | | +| | | | | +| | Not applicable when license type is Perpetual. | | | ++-----------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+---------------+ +| License Duration Quantification | Number of years, quarters, months, or days for which the license is valid. | Number | Conditional | +| | | | | +| | Not applicable when license type is Perpetual. 
| | | ++-----------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+---------------+ +| Limits | see section C.4 for possible values | List | Optional | ++-----------------------------------------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------------+---------------+ + +1. License Keys + +This section defines information on any License Keys associated with the +Software Product. A license key is a data string (or a file) providing a +means to authorize the use of software. License key does not provide +entitlement information. + +License Keys are not required. Optionally, one or more license keys can +be defined; each one consists of the following fields: + +Table C3. Required Fields for License Keys +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++--------------------------+---------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| **Field Name** | **Description** | **Data Type** | **Type** | ++==========================+===============================================================================================================+=================+=============+ +| Description | Verbiage that describes the license key | String | Mandatory | ++--------------------------+---------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| License Key Identifier | Each license key defined must be identified by a unique value (e.g., numbered 1, 2, 3….) 
| String | Mandatory | ++--------------------------+---------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| Key Function | Lifecycle stage (e.g., Instantiation or Activation) at which the license key is applied to the software. | String | Optional | ++--------------------------+---------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| License Key Type | Valid values: | String | Mandatory | +| | | | | +| | **Universal, Unique** | | | +| | | | | +| | **Universal** - a single license key value that may be used with any number of instances of the software. | | | +| | | | | +| | **Unique**- a unique license key value is required for each instance of the software. | | | ++--------------------------+---------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| Limits | see section C.4 for possible values | List | Optional | ++--------------------------+---------------------------------------------------------------------------------------------------------------+-----------------+-------------+ + +1. Entitlement and License Key Limits + +Limitations on the use of software entitlements and license keys may be +based on factors such as: features enabled in the product, the allowed +capacity of the product, number of installations, etc... The limits may +generally be categorized as: + +- where (location) + +- when (time) + +- how (usages) + +- who/what (entity) + +- amount (how much) + +Multiple limits may be applicable for an entitlement or license key. +Each limit may further be described by limit behavior, duration, +quantification, aggregation, aggregation interval, start date, end date, +and threshold. 
+ +When the limit is associated with a quantity, the quantity is relative +to an instance of the entitlement or license key. For example: + +- Each entitlement grants the right to 50 concurrent users. If 10 + entitlements are purchased, the total number of concurrent users + permitted would be 500. In this example, the limit category is + **amount**, the limit type is **users**, and the limit + **quantification** is **50.** + + Each license key may be installed on 3 devices. If 5 license keys are + acquired, the total number of devices allowed would be 15. In this + example, the limit category is **usages**, the limit type is + **device**, and the limit **quantification** is **3.** + +1. Location + +Locations may be logical or physical location (e.g., site, country). For +example: + +- use is allowed in Canada + +Table C4. Required Fields for Location +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++------------------------+---------------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| **Field Name** | **Description** | **Data Type** | **Type** | ++========================+=====================================================================================================================+==================+=============+ +| Limit Identifier | Each limit defined for an entitlement or license key must be identified by a unique value (e.g., numbered 1,2,3…) | String | Mandatory | ++------------------------+---------------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Description | Verbiage describing the limit. 
| String | Mandatory | ++------------------------+---------------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Behavior | Description of the actions taken when the limit boundaries are reached. | String | Mandatory | ++------------------------+---------------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Category | Valid value: **location** | String | Mandatory | ++------------------------+---------------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Type | Valid values: **city, county, state, country, region, MSA, BTA, CLLI** | String | Mandatory | ++------------------------+---------------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit List | List of locations where the Vendor Product can be used or needs to be restricted from use | List of String | Mandatory | ++------------------------+---------------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Set Type | Indicates if the list is an inclusion or exclusion. | String | Mandatory | +| | | | | +| | Valid Values: | | | +| | | | | +| | **Allowed** | | | +| | | | | +| | **Not allowed** | | | ++------------------------+---------------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Quantification | The quantity (amount) the limit expresses. 
| Number | Optional | ++------------------------+---------------------------------------------------------------------------------------------------------------------+------------------+-------------+ + +1. Time + +Limit on the length of time the software may be used. For example: + +- license key valid for 1 year from activation + +- entitlement valid from 15 May 2018 thru 30 June 2020 + +Table C5. Required Fields for Time +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++------------------------+-------------------------------------------------------------------------------------------------------------------------------+------------------+---------------+ +| **Field Name** | **Description** | **Data Type** | **Type** | ++========================+===============================================================================================================================+==================+===============+ +| Limit Identifier | Each limit defined for an entitlement or license key must be identified by a unique value (e.g., numbered) | String | Mandatory | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------+------------------+---------------+ +| Limit Description | Verbiage describing the limit. | String | Mandatory | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------+------------------+---------------+ +| Limit Behavior | Description of the actions taken when the limit boundaries are reached. | String | Mandatory | +| | | | | +| | The limit behavior may also describe when a time limit takes effect. (e.g., key is valid for 1 year from date of purchase). 
| | | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------+------------------+---------------+ +| Limit Category | Valid value: **time** | String | Mandatory | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------+------------------+---------------+ +| Limit Type | Valid values: **duration, date** | String | Mandatory | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------+------------------+---------------+ +| Limit List | List of times for which the Vendor Product can be used or needs to be restricted from use | List of String | Mandatory | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------+------------------+---------------+ +| Duration Units | Required when limit type is duration. Valid values: **perpetual, year, quarter, month, day, minute, second, millisecond** | String | Conditional | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------+------------------+---------------+ +| Limit Quantification | The quantity (amount) the limit expresses. | Number | Optional | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------+------------------+---------------+ +| Start Date | Required when limit type is date. | Date | Optional | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------+------------------+---------------+ +| End Date | May be used when limit type is date. 
| Date | Optional | ++------------------------+-------------------------------------------------------------------------------------------------------------------------------+------------------+---------------+ + +1. Usage + +Limits based on how the software is used. For example: + +- use is limited to a specific sub-set of the features/capabilities the + software supports + +- use is limited to a certain environment (e.g., test, development, + production…) + +- use is limited by processor (vm, cpu, core) + +- use is limited by software release + +Table C6. Required Fields for Usage +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| **Field Name** | **Description** | **Data Type** | **Type** | ++========================+==============================================================================================================+==================+=============+ +| Limit Identifier | Each limit defined for an entitlement or license key must be identified by a unique value (e.g., numbered) | String | Mandatory | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Description | Verbiage describing the limit. | String | Mandatory | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Behavior | Description of the actions taken when the limit boundaries are reached. 
| String | Mandatory | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Category | Valid value: **usages** | String | Mandatory | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Type | Valid values: **feature, environment, processor, version** | String | Mandatory | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit List | List of usage limits (e.g., test, development, vm, core, R1.2.1, R1.3.5…) | List of String | Mandatory | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Set Type | Indicates if the list is an inclusion or exclusion. | String | Mandatory | +| | | | | +| | Valid Values: | | | +| | | | | +| | **Allowed** | | | +| | | | | +| | **Not allowed** | | | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Quantification | The quantity (amount) the limit expresses. | Number | Optional | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ + +1. Entity + +Limit on the entity (product line, organization, customer) allowed to +make use of the software. For example: + +- allowed to be used in support of wireless products + +- allowed to be used only for government entities + +Table C7. 
Required Fields for Entity +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| **Field Name** | **Description** | **Data Type** | **Type** | ++========================+==============================================================================================================+==================+=============+ +| Limit Identifier | Each limit defined for an entitlement or license key must be identified by a unique value (e.g., numbered) | String | Mandatory | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Description | Verbiage describing the limit. | String | Mandatory | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Behavior | Description of the actions taken when the limit boundaries are reached. 
| String | Mandatory | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Category | Valid value: **entity** | String | Mandatory | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Type | Valid values: **product line, organization, internal customer, external customer** | String | Mandatory | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit List | List of entities for which the Vendor Product can be used or needs to be restricted from use | List of String | Mandatory | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Set Type | Indicates if the list is an inclusion or exclusion. | String | Mandatory | +| | | | | +| | Valid Values: | | | +| | | | | +| | **Allowed** | | | +| | | | | +| | **Not allowed** | | | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ +| Limit Quantification | The quantity (amount) the limit expresses. | Number | Optional | ++------------------------+--------------------------------------------------------------------------------------------------------------+------------------+-------------+ + +1. Amount + +These limits describe terms relative to utilization of the functions of +the software (for example, number of named users permitted, throughput, +or capacity). 
Limits of this type may also be relative to utilization of +other resources (for example, a limit for firewall software is not based +on use of the firewall software, but on the number of network +subscribers). + +The metadata describing this type of limit includes the unit of measure +(e.g., # users, # sessions, # MB, # TB, etc.), the quantity of units, +any aggregation function (e.g., peak or average users), and aggregation +interval (day, month, quarter, year, etc.). + +Table C8. Required Fields for Amount +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| **Field Name** | **Description** | **Data Type** | **Type** | ++========================+================================================================================================================================================================================================================================================================+=================+=============+ +| Limit Identifier | Each limit defined for an entitlement or license key must be identified by a unique value (e.g., numbered) | String | Mandatory | ++------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| Limit Description | Verbiage describing the limit. 
| String | Mandatory | ++------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| Limit Behavior | Description of the actions taken when the limit boundaries are reached. | String | Mandatory | ++------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| Limit Category | Valid value: **amount** | String | Mandatory | ++------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| Limit Type | Valid values: **trunk, user, subscriber, session, token, transactions, seats, KB, MB, TB, GB** | String | Mandatory | ++------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| Type of Utilization | Is the limit relative to utilization of the functions of the software or relative to utilization of other resources? 
| String | Mandatory | +| | | | | +| | Valid values: | | | +| | | | | +| | - **software functions** | | | +| | | | | +| | - **other resources** | | | ++------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| Limit Quantification | The quantity (amount) the limit expresses. | Number | Optional | ++------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| Aggregation Function | Valid values: **peak, average** | String | Optional | ++------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| Aggregation Interval | Time period over which the aggregation is done (e.g., average sessions per quarter). Required when an Aggregation Function is specified. | String | Optional | +| | | | | +| | Valid values: **day, month, quarter, year, minute, second, millisecond** | | | ++------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| Aggregation Scope | Is the limit quantity applicable to a single entitlement or license key (each separately)? 
Or may the limit quantity be combined with others of the same type (resulting in limit amount that is the sum of all the purchased entitlements or license keys)? | String | Optional | +| | | | | +| | Valid values: | | | +| | | | | +| | - **single** | | | +| | | | | +| | - **combined** | | | ++------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+-------------+ +| Type of User | Describes the types of users of the functionality offered by the software (e.g., authorized, named). This field is included when Limit Type is user. | String | Optional | ++------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-----------------+-------------+ + + +**Appendix D – Ansible Server Specification** + +This section outlines the specifications for an ONAP compliant Ansible +Server that can optionally be provided by the VNF Vendor. The Ansible +Server will be used as a repository to store Ansible playbooks as well +as an execution engine which upon a REST API request, will execute +Ansible playbook against VNFs. + +Table D1. 
Ansible Server Requirements +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| **Principle** | **Description** | **Type** | **ID #** | ++==============================================+==============================================================================================================================================================================================================================================================================================================================================================================+============+============+ +| Ansible Server Scope | The Ansible Server is required to support storage and execution of playbooks that are in yaml format or a collection of playbooks compressed and uploaded in tar-ball format. | Must | D1000 | ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The Ansible Server must accept requests for execution of playbooks via a REST interface. The scope of each request will involve exactly one action and will request execution of one playbook. 
| Must | D1010 | ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The playbook executed by the Ansible Server will be responsible for execution of the entire action against the VNF (e.g., calling other playbooks, running tasks on multiple VMs in the VNF) and return back the status of the action as well as any necessary output in its entirety after the action is finished. | Must | D1020 | ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The Ansible Server must support simultaneous execution of multiple playbooks against different VNFs in parallel (i.e., process multiple requests). | Must | D1030 | ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The Ansible Server will be loaded with all necessary credentials to invoke playbooks against target VNF(s). 
| Must | D1040 | ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Ansible Server/ONAP Interface | Load Playbook\ **:** The Ansible Server must expose an authenticated interface to allow loading all necessary playbooks for a target VNF. It should impose an identification mechanism that allows each playbook to be uniquely identified. | Must | D1050 | +| | | | | +| | - It is recommended that the load Playbook API be a REST API. | | | ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Request API: The Ansible Server must expose a REST endpoint that accepts a POST message to request execution of the playbook (e.g., https://ansible.test.att.com:8080). The POST request must be a JSON block as outlined in Table D2. 
| Must | D1060 | ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | When the Ansible server accepts an authenticated request to execute a playbook, it is required to send back an initial response indicating whether the request is accepted or rejected. The response must be a JSON Object with the key value pairs as described in Table D3. | Must | D1070 | ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | Result API: If the Ansible Server accepts a request to execute a playbook, it must make available status of the execution of the playbook at a Results REST endpoint indexed by the Id in the request in the form ?Id=&Type=GetResult where is the URL used for submitting requests. For example, https://ansible.test.att.com?Id=10&Type=GetResult. 
| Must | D1080 | ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | When a GET is invoked against the Results REST endpoint, the Ansible Server must reply with an appropriate response: | Must | D1090 | +| | | | | +| | - If the Endpoint is invalid (no request, or request expired), reply with a standard HTTP 404 error. | | | +| | | | | +| | - If the playbook execution is still ongoing, then the Ansible Server is required to block on the GET request till the execution finishes or terminates. | | | +| | | | | +| | - Upon completion of execution, the Ansible Server is required to respond to the GET request with the result of the playbook execution in the form of a JSON message as outlined in the Table D4. | | | ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| | The dictionary associated with the ‘Results’ key in the Result Response must be a key-value pair where each key corresponds to an entry in the NodeList and the value is a dictionary with the format as outlined in Table D5. 
| Must | D1100 | ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Ansible Server Actions | The Ansible Server must take the following actions when triggered by a request to execute a playbook: | Must | D1110 | +| | | | | +| | - Determine if the request is valid, and if so, must send back an initial response message accepting the request. | | | +| | | | | +| | - If the request contains a “FileParameters” key that is not NULL, create all the necessary files. | | | +| | | | | +| | - Invoke the ansible playbook while providing it all appropriate parameters listed in EnvParameters and inventory information listed in NodeList. The playbook will be responsible for execution of all necessary steps required by the VNF action. | | | +| | | | | +| | - If the playbook finishes, use the PLAY\_RECAP functionality to determine whether playbook finished successfully on each endpoint identified in the NodeList. | | | +| | | | | +| | - If the playbook finishes, collect any output returned by the playbook. A playbook conforming to the ONAP vendor requirements document will write out any necessary output to a file named ‘\_results.txt’ in the working directory, where ‘hostname’ is an element of the NodeList where the playbook is being executed. | | | +| | | | | +| | - If the playbook execution exceeds the Timeout value, the playbook execution process is terminated and ansible log that captures the last task executed is stored. | | | +| | | | | +| | - Make results available on the Results REST Endpoint as documented in Table D3. 
| | | +| | | | | +| | - If Callback url was provided in initial request, post the final response message on the Callback URL along with an additional key additional key “Id “: which corresponds to the request Id sent in the request. | | | ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Ansible Server Result Storage Requirements | The Ansible Server must cache and provide results of an execution as well as retain logs for debugging purposes as outlined below: | Must | D1120 | +| | | | | +| | - The results from a playbook execution result must be retained by the Ansible Server and made available through the respective REST endpoint for a duration that is configurable. | | | +| | | | | +| | - Recommended duration is 2 x Timeout. | | | +| | | | | +| | - The log from a playbook must be stored by the Ansible Server, tagged with the Id along with all other parameters in the initial request in a format that allows for examination for debugging purposes. | | | +| | | | | +| | - The results from playbook execution and log files shall be removed after a configurable defined retention period for this type of file. 
| | | ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ +| Ansible Server Locking Mechanism | The Ansible Server shall lock VNF while running playbooks that require exclusive use of a VNF (Configure is an example) and not accept requests to run other playbooks or queue those requests until playbook that requires exclusivity completes | Must | D1130 | ++----------------------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+------------+ + +Table D2. 
Request Message +~~~~~~~~~~~~~~~~~~~~~~~~~ + ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+------------------------------------------------------------------------------------------------------------------------------------+ +| **Key** | **Description** | **Type** | **Comment** | ++===================+=========================================================================================================================================================================================================================================================================================================================================================+=============+====================================================================================================================================+ +| Id | A unique string that identifies this request. For e.g., a UUID | Mandatory | NOT NULL | ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+------------------------------------------------------------------------------------------------------------------------------------+ +| PlaybookName | A string which contains the name of the playbook to execute. 
| Mandatory | NOT NULL | +| | | | | +| | Example: memthres.yaml | | | ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+------------------------------------------------------------------------------------------------------------------------------------+ +| Action | Name of action | Optional | | ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+------------------------------------------------------------------------------------------------------------------------------------+ +| NodeList | List of endpoints of the VNF against which the playbook should be executed. | Optional | If not specified, playbook executed within Ansible Server (localhost) | ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+------------------------------------------------------------------------------------------------------------------------------------+ +| Timeout | Time the Ansible Server should wait (in seconds), before terminating playbook execution. 
The Ansible Server will apply the timeout for the entire playbook execution (i.e., independent of number of endpoints against which the playbook is executing). If playbook execution time exceeds the timeout value, the server will terminate the process. | Optional | If not specified, Ansible server will use internal default value (configurable) | ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+------------------------------------------------------------------------------------------------------------------------------------+ +| LocalParameters | A JSON dictionary that can be used to provide key value pairs that are specific to each individual VNF/VM instance. Key must be endpoint FQDN and value a JSON dictionary with key-value pairs for the playbook run associated with that host/group. | Optional | | ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+------------------------------------------------------------------------------------------------------------------------------------+ +| EnvParameters | A JSON dictionary that can be used to specify key value pairs passed at run time to the playbook that are common across all hosts against which the playbook will run. 
| Optional | | ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+------------------------------------------------------------------------------------------------------------------------------------+ +| CallbackUrl | A callback URL that Ansible Server can POST results to once playbook finishes execution or is terminated. | Optional | If present, Ansible Server is required to POST response back on the Callback URL | ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+------------------------------------------------------------------------------------------------------------------------------------+ +| FileParameters | A dictionary where keys correspond to file names to be generated and values correspond to contents of files. 
| Optional | If present, Ansible Server will first process this and write out contents to appropriate files and then process other parameters | ++-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+-------------+------------------------------------------------------------------------------------------------------------------------------------+ + +Table D3. Initial Response Message +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++--------------------+------------------------------------------------------------------------------------------+-------------+---------------+ +| **Key** | **Description** | **Type** | **Comment** | ++====================+==========================================================================================+=============+===============+ +| StatusCode | An integer indicating status of the request. It MUST take one of the following values: | Mandatory | | +| | | | | +| | 100 if request is accepted | | | +| | | | | +| | 101 if request is rejected | | | ++--------------------+------------------------------------------------------------------------------------------+-------------+---------------+ +| StatusMessage | A string describing Server’s response | Mandatory | | +| | | | | +| | It MUST be set to ‘PENDING’ if StatusCode=100 | | | +| | | | | +| | It MUST be set to appropriate error exception message if StatusCode=101 | | | ++--------------------+------------------------------------------------------------------------------------------+-------------+---------------+ +| ExpectedDuration | Time the server expects (in seconds) to finish the playbook execution. 
| Optional | | ++--------------------+------------------------------------------------------------------------------------------+-------------+---------------+ + +Table D4. Final Response Message +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++-----------------+-------------------------------------------------------------------------------------------------------+-------------+------------------------+ +| **Key** | **Description** | **Type** | **Comment** | ++=================+=======================================================================================================+=============+========================+ +| StatusCode | 200 if Execution finished normally | Mandatory | | +| | | | | +| | 500 otherwise. | | | ++-----------------+-------------------------------------------------------------------------------------------------------+-------------+------------------------+ +| StatusMessage | A string which be set to either of the TWO values: | Mandatory | | +| | | | | +| | - ‘FINISHED’ if StatusCode=200 | | | +| | | | | +| | - Appropriate error exception message if StatusCode=500 | | | ++-----------------+-------------------------------------------------------------------------------------------------------+-------------+------------------------+ +| Duration | Time it took for execution to finish (in seconds). | Optional | | ++-----------------+-------------------------------------------------------------------------------------------------------+-------------+------------------------+ +| Result | A JSON dictionary that lists the status of playbook execution for each VM (or VNF) in the NodeList. | Optional | Not present if empty | ++-----------------+-------------------------------------------------------------------------------------------------------+-------------+------------------------+ + +Table D5. 
Result Block Format +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + ++-----------------+----------------------------------------------------------+-------------+------------------------+ +| **Key** | **Description** | **Type** | **Comment** | ++=================+==========================================================+=============+========================+ +| GroupName | Group under which the VM (or VNF) falls in a playbook. | Optional | | ++-----------------+----------------------------------------------------------+-------------+------------------------+ +| StatusCode | A string which must have the following values: | Mandatory | | +| | | | | +| | - 200 if SUCCESS | | | +| | | | | +| | - 500 otherwise | | | ++-----------------+----------------------------------------------------------+-------------+------------------------+ +| StatusMessage | An integer with the following values: | Mandatory | | +| | | | | +| | - ‘SUCCESS’ if StatusCode=200 | | | +| | | | | +| | - Error exception message otherwise | | | ++-----------------+----------------------------------------------------------+-------------+------------------------+ +| Output | Any output the playbook is required to return. | Optional | Not present if empty | ++-----------------+----------------------------------------------------------+-------------+------------------------+ + +Some illustrative examples are shown below: + +1. An example POST for requesting execution of a Playbook : + + {"Id": "10", “Action”:”HealthCheck”, "PlaybookName": + "ansible\_getresource.yml", "NodeList": + ["interface1.vnf\_b.onap.com", ["interface2.vnf\_b.onap.com"], + "Timeout": 60, "EnvParameters": {"Retry": 3, "Wait": 5}} + +2. Potential examples of Ansible Server initial response. + + a. Successfully accepted request: {"StatusCode": "100", + "ExpectedDuration": "60sec", "StatusMessage": "PENDING"} + + b. Request rejected: {"StatusCode": "101", "StatusMessage": "PLAYBOOK + NOT FOUND "} + +3. 
Potential examples of final response by Ansible Server to a GET on
+
+ a. Playbook successful execution: {"Duration": "4.864815sec",
+ “StatusCode”: 200, “StatusMessage”:”FINISHED”, "Results":
+ {"interface\_1.vnf\_b.onap.com": {"StatusCode": "200",
+ "GroupName": "vnf-x-oam", "StatusMessage": "SUCCESS",
+ “Output”:{“CPU”:30, “Memory”:”5Gb”},
+ "interface\_1.vnf\_b.onap.com": {"StatusCode": "200", "GroupName":
+ "vnf-x-oam", "StatusMessage": "SUCCESS", “Output”:{“CPU”:60,
+ “Memory”:”10Gb”}}}
+
+ b. Playbook failed execution on one of the hosts: {"Duration":
+ "10.8sec", “StatusCode”: 200, “StatusMessage”:”FINISHED”,
+ "Results": {"interface\_1.vnf\_b.onap.com": {"StatusCode": "500",
+ "GroupName": "vnf-x-oam", "StatusMessage": "Error executing
+ command ", "interface\_1.vnf\_b.onap.com": {"StatusCode": "200",
+ "GroupName": "vnf-x-oam", "StatusMessage": "SUCCESS",
+ “Output”:{“CPU”:60, “Memory”:”10Gb”}}}
+
+ c. Playbook terminated: {"Duration": "61 sec", “StatusCode”: 500,
+ “StatusMessage”:”TERMINATED” }
+
+**Copyright 2017 AT&T Intellectual Property. All Rights Reserved.**
+
+This paper is licensed to you under the Creative Commons License:
+
+**Creative Commons Attribution-ShareAlike 4.0 International Public
+License**
+
+You may obtain a copy of the License at:
+
+https://creativecommons.org/licenses/by-sa/4.0/legalcode
+
+**You are free to:**
+
+- Share — copy and redistribute the material in any medium or format
+
+- Adapt — remix, transform, and build upon the material for any
+ purpose, even commercially.
+
+- The licensor cannot revoke these freedoms as long as you follow the
+ license terms.
+
+**Under the following terms:**
+
+- Attribution — You must give appropriate credit, provide a link to the
+ license, and indicate if changes were made. You may do so in any
+ reasonable manner, but **not** in any way that suggests the
+ licensor endorses you or your use.
+
+- ShareAlike — If you remix, transform, or build upon the material, you
+ must distribute your contributions under the same license as the
+ original.
+
+- No additional restrictions — You may not apply legal terms or
+ technological measures that legally restrict others from doing
+ anything the license permits.
+
+**Notices:**
+
+- You do not have to comply with the license for elements of the
+ material in the public domain or where your use is permitted by an
+ applicable exception or limitation.
+
+- No warranties are given. The license may not give you all of the
+ permissions necessary for your intended use. For example, other
+ rights such as publicity, privacy, or moral rights may limit how you
+ use the material.
+
+.. [1]
+ ECOMP (Enhanced Control Orchestration, Management & Policy)
+ Architecture White Paper
+ (http://about.att.com/content/dam/snrdocs/ecomp.pdf)
+
+.. [2]
+ https://github.com/mbj4668/pyang
+
+.. [3]
+ Decision on which Chef Server instance associates with a VNF will be
+ made on a case-by-case basis depending on VNF, access requirements,
+ etc. and are outside the scope of this document. The specific
+ criteria for this would involve considerations like connectivity and
+ access required by the VNF, security, VNF topology and proprietary
+ cookbooks.
+
+.. [4]
+ Recall that the Node Object **is required** to be identical across
+ all VMs of a VNF invoked as part of the action except for the “name”.
+
+.. [5]
+ Decision on which Ansible Server to use may happen on a case-by-case
+ basis depending on VNF, access requirements etc. and are outside the
+ scope of this document. The specific criteria for this could involve
+ considerations like connectivity and access required by the VNF,
+ security, VNF topology and proprietary playbooks.
+
+.. [6]
+ Upstream elements must provide the appropriate FQDN in the request to
+ ONAP for the desired action.
+
+.. [7]
+ Multiple ONAP actions may map to one playbook.
+
+.. 
[8]
+ This option is not currently supported in ONAP and it is currently
+ under consideration.
+
+.. [9]
+ https://wiki.opnfv.org/display/PROJ/VNF+Event+Stream
+
+.. [10]
+ The “name” field is a mandatory field in a valid Chef Node Object
+ JSON dictionary.
+
+
+.. |image0| image:: Data_Model_For_Event_Records.png
+ :width: 7in
+ :height: 8in
diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Managment_Requirements_for_OpenECOMP/index.rst b/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Managment_Requirements_for_OpenECOMP/index.rst
new file mode 100644
index 0000000..e02df02
--- /dev/null
+++ b/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/VNF_Managment_Requirements_for_OpenECOMP/index.rst
@@ -0,0 +1,7 @@
+VNF Management Requirements for OpenECOMP 7/3/2017
+--------------------------------------------------
+
+.. toctree::
+ :maxdepth: 1
+
+ VNF_Management_Requirements_for_OpenECOMP_7_3_2017
\ No newline at end of file
diff --git a/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/index.rst b/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/index.rst
new file mode 100644
index 0000000..7951d87
--- /dev/null
+++ b/docs/all_vnfrqts_seed_docs/open_ecomp/q2_ecomp/index.rst
@@ -0,0 +1,9 @@
+Second Quarter ECOMP Documents
+-------------------------------
+
+.. toctree::
+ :titlesonly:
+
+ VNF_Cloud_Readiness_Requirements_for_ONAP/index
+ VNF_Guidelines_for_Network_Cloud_and_ONAP/index
+ VNF_Managment_Requirements_for_OpenECOMP/index
\ No newline at end of file
diff --git a/docs/index.rst b/docs/index.rst
index e3f8c29..71e8ff7 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -1,10 +1,9 @@
-Seed Documents
----------------
+VNF Guidelines Documentation
+----------------------------
 .. toctree::
- :maxdepth: 2
-
- Common_Requirements_for_VNF_Functions/index
- VNF_Guides_for_Network_Cloud_and_OpenEcomp/index
- VNF_Heat_Templates_for_OpenEcomp/index
- VNF_Mgmt_Requirements_for_OpenEcomp/index
\ No newline at end of file
+ :titlesonly:
+
+ all_vnfrqts_seed_docs/index
+ vnf_guidelines/index
+
diff --git a/docs/vnf_guidelines/index.rst b/docs/vnf_guidelines/index.rst
new file mode 100644
index 0000000..16f9842
--- /dev/null
+++ b/docs/vnf_guidelines/index.rst
@@ -0,0 +1,8 @@
+VNF Guidelines
+------------------
+
+.. toctree::
+ :titlesonly:
+
+ vnf_guidelines
+
\ No newline at end of file
diff --git a/docs/vnf_guidelines/vnf_guidelines.rst b/docs/vnf_guidelines/vnf_guidelines.rst
new file mode 100644
index 0000000..a78c75f
--- /dev/null
+++ b/docs/vnf_guidelines/vnf_guidelines.rst
@@ -0,0 +1,2 @@
+VNF Guidelines
+---------------
\ No newline at end of file
-- 
cgit 1.2.3-korg