 docs/Chapter1.rst |  3
 docs/Chapter4.rst | 14
 docs/Chapter7.rst | 10
 docs/Chapter8.rst | 24
 4 files changed, 25 insertions, 26 deletions
diff --git a/docs/Chapter1.rst b/docs/Chapter1.rst index 1306efc..040611d 100644 --- a/docs/Chapter1.rst +++ b/docs/Chapter1.rst @@ -5,4 +5,5 @@ - These requirements serve multiple purposes: - Primarily it provides a detailed list of requirements for VNF providers to meet to be compatible with ONAP; VNF providers will use the VNF requirements to build VNFs that are compatible with ONAP - It can also serve as a list of requirements that service providers can use in RFPs for selecting VNFs - - It will also be used as a basis for testing and certification of VNFs for compliance with ONAP; ONAP projects such as the VNF Validation Project will uses these VNFs requirements to build test cases to validate VNFs for compliance with ONAP.
\ No newline at end of file + - It will also be used as a basis for testing and certification of VNFs for compliance with ONAP; ONAP projects such as the VNF Validation Project will uses these VNFs requirements to build test cases to validate VNFs for compliance with ONAP. + diff --git a/docs/Chapter4.rst b/docs/Chapter4.rst index b61e25c..dd0c652 100644 --- a/docs/Chapter4.rst +++ b/docs/Chapter4.rst 
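Review bot: the re-added line in this hunk still carries the grammar errors "will uses these VNFs requirements"; since the only change here is the missing trailing newline and the line is being rewritten anyway, correct it to "will use these VNF requirements" in the same commit.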
@@ -293,8 +293,8 @@ Integration and operation within a robust security environment is necessary and * R-46908 The VNF **MUST**, if not using the NCSP’s IDAM API, comply with "password complexity" policy. When passwords are used, they shall be complex and shall at least meet the following password construction requirements: (1) be a minimum configurable number of characters in length, (2) include 3 of the 4 following types of characters: upper-case alphabetic, lower-case alphabetic, numeric, and special, (3) not be the same as the UserID with which they are associated or other common strings as specified by the environment, (4) not contain repeating or sequential characters or numbers, (5) not to use special characters that may have command functions, and (6) new passwords must not contain sequences of three or more characters from the previous password. * R-39342 The VNF **MUST**, if not using the NCSP’s IDAM API, comply with "password changes (includes default passwords)" policy. Products will support password aging, syntax and other credential management practices on a configurable basis. * R-40521 The VNF **MUST**, if not using the NCSP’s IDAM API, support use of common third party authentication and authorization tools such as TACACS+, RADIUS. -* R-41994 The VNF **MUST**, if not using the NCSP’s IDAM API, comply with "No Self-Signed Certificates" policy. Self-signed certificates must be used for encryption only, using specified and approved encryption protocols such as LS 1.1 or higher or equivalent security protocols such as IPSec, AES. -* R-23135 The VNF **MUST**, if not using the NCSP’s IDAM API, authenticate system to system communications were one system accesses the resources of another system, and must never conceal individual accountability. +* R-41994 The VNF **MUST**, if not using the NCSP’s IDAM API, comply with "No Self-Signed Certificates" policy. 
Self-signed certificates must be used for encryption only, using specified and approved encryption protocols such as TLS 1.2 or higher or equivalent security protocols such as IPSec, AES. +* R-23135 The VNF **MUST**, if not using the NCSP’s IDAM API, authenticate system to system communications where one system accesses the resources of another system, and must never conceal individual accountability. VNF Identity and Access Management Requirements ----------------------------------------------- 
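Review bot: R-41994 remains self-contradictory after the LS/TLS 1.1 to TLS 1.2 fix: it opens with a "No Self-Signed Certificates" policy and then says self-signed certificates "must be used for encryption only". AES is also a cipher, not a transport protocol comparable to TLS or IPsec, so "TLS 1.2 or higher or equivalent security protocols such as IPSec, AES" mixes categories. Suggest something like "Self-signed certificates may only be used where the policy explicitly permits them, and only for transport encryption over approved protocols such as TLS 1.2 or higher or IPsec." The same sentence is duplicated in the Chapter 8 requirement list (hunk @@ -908), so apply the chosen wording in both places.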
@@ -326,12 +326,12 @@ Identity and Access Management Requirements * R-24825 The VNF **MUST** provide Context awareness data (device, location, time, etc.) and be able to integrate with threat detection system. * R-59391 The VNF provider **MUST**, where a VNF provider requires the assumption of permissions, such as root or administrator, first log in under their individual user login ID then switch to the other higher level account; or where the individual user login is infeasible, must login with an account with admin privileges in a way that uniquely identifies the individual performing the function. * R-85028 The VNF **MUST** authenticate system to system access and do not conceal a VNF provider user’s individual accountability for transactions. -* R-80335 The VNF **MUST** make visible a Warning Notices: A formal statement of resource intent, i.e., a warning notice, upon initial access to a VNF provider user who accesses private internal networks or Company computer resources, e.g., upon initial logon to an internal web site, system or application which requires authentication. -* R-73541 The VNF **MIST** use access controls for VNFs and their supporting computing systems at all times to restrict access to authorized personnel only, e.g., least privilege. These controls could include the use of system configuration or access control software. +* R-80335 The VNF **MUST** make visible a Warning Notice: A formal statement of resource intent, i.e., a warning notice, upon initial access to a VNF provider user who accesses private internal networks or Company computer resources, e.g., upon initial logon to an internal web site, system or application which requires authentication. +* R-73541 The VNF **MUST** use access controls for VNFs and their supporting computing systems at all times to restrict access to authorized personnel only, e.g., least privilege. These controls could include the use of system configuration or access control software. 
* R-64503 The VNF **MUST** provide minimum privileges for initial and default settings for new user accounts. * R-86835 The VNF **MUST** set the default settings for user access to sensitive commands and data to deny authorization. * R-77157 The VNF **MUST** conform to approved request, workflow authorization, and authorization provisioning requirements when creating privileged users. -* R-81147 The VNF **MUST** have greater restrictions for access and execution, such as up to 3 factors of authentication and restricted authorization, for commands affecting network services, such as commands relating to VNFs, must. +* R-81147 The VNF **MUST** have greater restrictions for access and execution, such as up to 3 factors of authentication and restricted authorization, for commands affecting network services, such as commands relating to VNFs. * R-49109 The VNF **MUST** encrypt TCP/IP--HTTPS (e.g., TLS v1.2) transmission of data on internal and external networks. * R-39562 The VNF **MUST** disable unnecessary or vulnerable cgi-bin programs. * R-15671 The VNF **MUST NOT** provide public or unrestricted access to any data without the permission of the data owner. All data classification and access controls must be followed. 
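Review bot: R-81147 is still a weak requirement after dropping the dangling "must.": "such as up to 3 factors of authentication" sets a ceiling rather than a floor, so single-factor access to network-affecting commands would technically comply. If stronger authentication for those commands is the intent, state a minimum (for example "at least two factors of authentication") or remove "up to". Mirror whatever wording is chosen in the Chapter 8 copy (hunk @@ -1104).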
@@ -538,11 +538,11 @@ Virtual Machine (VM) (i.e., OS::Nova::Server) is deleted, allowing the volume to be reused on another instance (e.g., during a failover activity). -* R-11200 The VNF MUST keep the scope of a Cinder volume module, when it exists, to be 1:1 with the VNF Base Module or Incremental Module. +* R-11200 The VNF **MUST** keep the scope of a Cinder volume module, when it exists, to be 1:1 with the VNF Base Module or Incremental Module. * R-38474 The VNF MUST have a corresponding environment file for a Base Module. * R-81725 The VNF MUST have a corresponding environment file for an Incremental Module. -* R-53433 The VNF MUST have a corresponding environment file for a Cinder Volume Module. +* R-53433 The VNF **MUST** have a corresponding environment file for a Cinder Volume Module. These concepts will be described in more detail throughout the document. This overview is provided to set the stage and help clarify the concepts diff --git a/docs/Chapter7.rst b/docs/Chapter7.rst index d0aed53..38e42f2 100644 --- a/docs/Chapter7.rst +++ b/docs/Chapter7.rst 
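Review bot: bolding MUST in R-11200 and R-53433 leaves the two requirements between them, R-38474 and R-81725, with plain "MUST" ("* R-38474 The VNF MUST have a corresponding environment file for a Base Module."), so the block in Chapter 4 is still inconsistent, while the Chapter 8 copy of R-38474 (context in hunk @@ -908) already uses **MUST**. Bold the remaining two while this block is being touched.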
@@ -79,7 +79,7 @@ and GS NFV IFA011 V0.3.0 (2015-10) - Network Functions Virtualization - A unique identification string for the specific VNF, a description of the problem that caused the error, and steps or procedures to perform Root Cause Analysis and resolve the issue. - All events, severity level (e.g., informational, warning, error) and descriptions including causes/fixes if applicable for the event. - - All events (fault, measurement for VNF Scaling, Syslogs, State Change and Mobile Flow), that need to be collected at each VM, VNFC (defined in *VNF Guidelines for Network Cloud and ONAP*) and for the overall VNF. + - All events (fault, measurement for VNF Scaling, Syslogs, State Change and Mobile Flow), that need to be collected at each VM, VNFC (defined in `VNF Guidelines <http://onap.readthedocs.io/en/latest/submodules/vnfrqts/guidelines.git/docs/vnf_guidelines/vnf_guidelines.html#a-glossary>`__ ) and for the overall VNF. * R-27711 The VNF provider **MUST** provide an XML file that contains a list of VNF error codes, descriptions of the error, and possible causes/corrective action. * R-01478 The VNF Package **MUST** include documentation describing all parameters that are available to monitor the VNF after instantiation (includes all counters, OIDs, PM data, KPIs, etc.) that must be collected for reporting purposes. The documentation must include a list of: 
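Review bot: the new VNF Guidelines link is a plain http:// URL to onap.readthedocs.io; Read the Docs serves its sites over HTTPS, so use https:// in the link rather than relying on a cleartext redirect. Pinning to /en/latest/ is also fragile for a versioned requirements document; prefer a release-specific path if the guidelines publish one.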
@@ -176,7 +176,7 @@ industry standards. * R-29324 The VNF **SHOULD** implement the protocol operation: **copy-config(target, source) -** Copy the content of the configuration datastore source to the configuration datastore target. * R-88031 The VNF **SHOULD** implement the protocol operation: **delete-config(target) -** Delete the named configuration datastore target. * R-97529 The VNF **SHOULD** implement the protocol operation: **get-schema(identifier, version, format) -** Retrieve the YANG schema. -* R-62468 The VNF **MUST** allow all configuration data shall to be edited through a NETCONF <edit-config> operation. Proprietary NETCONF RPCs that make configuration changes are not sufficient. +* R-62468 The VNF **MUST** allow all configuration data to be edited through a NETCONF <edit-config> operation. Proprietary NETCONF RPCs that make configuration changes are not sufficient. * R-01382 The VNF **MUST** allow the entire configuration of the VNF to be retrieved via NETCONF's <get-config> and <edit-config>, independently of whether it was configured via NETCONF or other mechanisms. * R-28756 The VNF **MUST** support **:partial-lock** and **:partial-unlock** capabilities, defined in RFC 5717. This allows multiple independent clients to each write to a different part of the <running> configuration at the same time. * R-83873 The VNF **MUST** support **:rollback-on-error** value for the <error-option> parameter to the <edit-config> operation. If any error occurs during the requested edit operation, then the target database (usually the running configuration) will be left unaffected. This provides an 'all-or-nothing' edit mode for a single <edit-config> request. 
@@ -231,7 +231,7 @@ conform, and those where applicable, that suppliers need to use. * R-22700 The VNF **MUST** conform its YANG model to RFC 6470, “NETCONF Base Notifications”. * R-10353 The VNF **MUST** conform its YANG model to RFC 6244, “An Architecture for Network Management Using NETCONF and YANG”. * R-53317 The VNF **MUST** conform its YANG model to RFC 6087, “Guidelines for Authors and Reviewers of YANG Data Model Documents”. -* R-33955 The VNF **SHOULD** conform its YANG model to \*\*RFC 6991, “Common YANG Data Types”. +* R-33955 The VNF **SHOULD** conform its YANG model to RFC 6991, “Common YANG Data Types”. * R-22946 The VNF **SHOULD** conform its YANG model to RFC 6536, “NETCONF Access Control Model”. * R-10129 The VNF **SHOULD** conform its YANG model to RFC 7223, “A YANG Data Model for Interface Management”. * R-12271 The VNF **SHOULD** conform its YANG model to RFC 7223, “IANA Interface Type YANG Module”. 
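Review bot: while fixing the stray \*\* markup on R-33955, note that the context line R-12271 cites "RFC 7223, 'IANA Interface Type YANG Module'", the same RFC number as R-10129 directly above it; the IANA Interface Type YANG Module is RFC 7224, so R-12271 should be corrected to RFC 7224 in the same pass, and in the Chapter 8 requirement list if it is duplicated there.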
@@ -332,7 +332,7 @@ Chef-Client and Push Jobs Client on the VNF **Chef Roles/Requirements** * R-27310 The VNF Package **MUST** include all relevant Chef artifacts (roles/cookbooks/recipes) required to execute VNF actions requested by ONAP for loading on appropriate Chef Server. -* R-26567 The VNF Package **MUST** include a run list of roles/cookbooks/recipes, for each supported VNF action, that will perform the desired VNF action in its entirety as specified by ONAP (see Section 8.c, ONAP Controller APIs and Behavior, for list of VNF actions and requirements), when triggered by a chef-client run list in JSON file. +* R-26567 The VNF Package **MUST** include a run list of roles/cookbooks/recipes, for each supported VNF action, that will perform the desired VNF action in its entirety as specified by ONAP (see Section 7.c, ONAP Controller APIs and Behavior, for list of VNF actions and requirements), when triggered by a chef-client run list in JSON file. * R-98911 The VNF **MUST NOT** use any instance specific parameters for the VNF in roles/cookbooks/recipes invoked for a VNF action. * R-37929 The VNF **MUST** accept all necessary instance specific data from the environment or node object attributes for the VNF in roles/cookbooks/recipes invoked for a VNF action. * R-62170 The VNF **MUST** over-ride any default values for configurable parameters that can be set by ONAP in the roles, cookbooks and recipes. 
@@ -433,7 +433,7 @@ will host and run playbooks to manage VNFs that support Ansible. An Ansible playbook is a collection of tasks that is executed on the Ansible server (local host) and/or the target VM (s) in order to complete the desired action. * R-40293 The VNF **MUST** make available playbooks that conform to the ONAP requirement. -* R-49396 The VNF **MUST** support each VNF action be supported by ONAP (APPC) by invocation of **one** playbook [4]_. The playbook will be responsible for executing all necessary tasks (as well as calling other playbooks) to complete the request. +* R-49396 The VNF **MUST** support each VNF action by invocation of **one** playbook [4]_. The playbook will be responsible for executing all necessary tasks (as well as calling other playbooks) to complete the request. * R-33280 The VNF **MUST NOT** use any instance specific parameters in a playbook. * R-48698 The VNF **MUST** utilize information from key value pairs that will be provided by the Ansible Server as extra-vars during invocation to execute the desired VNF action. If the playbook requires files, they must also be supplied using the methodology detailed in the Ansible Server API. diff --git a/docs/Chapter8.rst b/docs/Chapter8.rst index d9b6ea1..fbe2d89 100644 --- a/docs/Chapter8.rst +++ b/docs/Chapter8.rst @@ -518,7 +518,7 @@ Table C8. Required Fields for Amount d. – Requirement List ================================== -R-11200: The VNF MUST keep the scope of a Cinder volume module, when it exists, to be 1:1 with the VNF Base Module or Incremental Module. +R-11200: The VNF **MUST** keep the scope of a Cinder volume module, when it exists, to be 1:1 with the VNF Base Module or Incremental Module. R-01334: The VNF **MUST** conform to the NETCONF RFC 5717, “Partial Lock Remote Procedure Call”. 
@@ -542,7 +542,7 @@ R-62498: The VNF **MUST**, if not using the NCSP’s IDAM API, encrypt OA&M acce R-42366: The VNF **MUST** support secure connections and transports. -R-33955: The VNF **SHOULD** conform its YANG model to \*\*RFC 6991, “Common YANG Data Types”. +R-33955: The VNF **SHOULD** conform its YANG model to RFC 6991, “Common YANG Data Types”. R-33488: The VNF **MUST** protect against all denial of service attacks, both volumetric and non-volumetric, or integrate with external denial of service protection tools. @@ -604,7 +604,7 @@ R-21558: The VNF **SHOULD** use intelligent routing by having knowledge of multi R-07545: The VNF **MUST** support all operations, administration and management (OAM) functions available from the supplier for VNFs using the supplied YANG code and associated NETCONF servers. -R-73541: The VNF **MIST** use access controls for VNFs and their supporting computing systems at all times to restrict access to authorized personnel only, e.g., least privilege. These controls could include the use of system configuration or access control software. +R-73541: The VNF **MUST** use access controls for VNFs and their supporting computing systems at all times to restrict access to authorized personnel only, e.g., least privilege. These controls could include the use of system configuration or access control software. R-97102: The VNF Package **MUST** include VM requirements via a Heat template that provides the necessary data for: 
@@ -850,7 +850,7 @@ R-75608: The VNF provider **MUST** provide playbooks to be loaded on the appropr R-61354: The VNF **MUST** implement access control list for OA&M services (e.g., restricting access to certain ports or applications). -R-62468: The VNF **MUST** allow all configuration data shall to be edited through a NETCONF <edit-config> operation. Proprietary NETCONF RPCs that make configuration changes are not sufficient. +R-62468: The VNF **MUST** allow all configuration data to be edited through a NETCONF <edit-config> operation. Proprietary NETCONF RPCs that make configuration changes are not sufficient. R-34552: The VNF **MUST** provide or support the Identity and Access Management (IDAM) based threat detection data for OWASP Top 10. @@ -908,7 +908,7 @@ R-09467: The VNF **MUST** utilize only NCSP standard compute flavors. [5]_ R-62170: The VNF **MUST** over-ride any default values for configurable parameters that can be set by ONAP in the roles, cookbooks and recipes. -R-41994: The VNF **MUST**, if not using the NCSP’s IDAM API, comply with "No Self-Signed Certificates" policy. Self-signed certificates must be used for encryption only, using specified and approved encryption protocols such as LS 1.1 or higher or equivalent security protocols such as IPSec, AES. +R-41994: The VNF **MUST**, if not using the NCSP’s IDAM API, comply with "No Self-Signed Certificates" policy. Self-signed certificates must be used for encryption only, using specified and approved encryption protocols such as TLS 1.2 or higher or equivalent security protocols such as IPSec, AES. R-38474: The VNF **MUST** have a corresponding environment file for a Base Module. 
@@ -1038,7 +1038,7 @@ R-98391: The VNF **MUST**, if not using the NCSP’s IDAM API, support Role-Base R-29967: The VNF **MUST** conform its YANG model to RFC 6022, “YANG module for NETCONF monitoring”. -R-80335: The VNF **MUST** make visible a Warning Notices: A formal statement of resource intent, i.e., a warning notice, upon initial access to a VNF provider user who accesses private internal networks or Company computer resources, e.g., upon initial logon to an internal web site, system or application which requires authentication. +R-80335: The VNF **MUST** make visible a Warning Notice: A formal statement of resource intent, i.e., a warning notice, upon initial access to a VNF provider user who accesses private internal networks or Company computer resources, e.g., upon initial logon to an internal web site, system or application which requires authentication. R-48596: The VNF Package **MUST** include documentation describing the characteristics for the VNF reliability and high availability. @@ -1088,7 +1088,7 @@ R-47597: The VNF **MUST** carry data in motion only over secure connections. R-43253: The VNF **MUST** use playbooks designed to allow Ansible Server to infer failure or success based on the “PLAY_RECAP” capability. -R-23135: The VNF **MUST**, if not using the NCSP’s IDAM API, authenticate system to system communications were one system accesses the resources of another system, and must never conceal individual accountability. +R-23135: The VNF **MUST**, if not using the NCSP’s IDAM API, authenticate system to system communications where one system accesses the resources of another system, and must never conceal individual accountability. R-99730: The VNF **MUST** include the field “Login ID” in the Security alarms (where applicable and technically feasible). 
@@ -1104,7 +1104,7 @@ R-35291: The VNF **MUST** support the ability to failover a VNFC automatically t R-43332: The VNF **MUST** activate security alarms automatically when the following event is detected: successful modification of critical system or application files -R-81147: The VNF **MUST** have greater restrictions for access and execution, such as up to 3 factors of authentication and restricted authorization, for commands affecting network services, such as commands relating to VNFs, must. +R-81147: The VNF **MUST** have greater restrictions for access and execution, such as up to 3 factors of authentication and restricted authorization, for commands affecting network services, such as commands relating to VNFs. R-60656: The VNF **MUST** support sub tree filtering. @@ -1299,8 +1299,8 @@ e. - Ansible Playbook Examples The following sections contain examples of Ansible playbook contents which follow the guidelines. -Guidelines for Playbooks to properly integrate with APPC -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Guidelines for Playbooks to properly integrate with APPC +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ NOTE: To support concurrent requests to multiple VNF instances of same or different type, VNF hosts and other files with VNF specific default @@ -1403,9 +1403,7 @@ by underscore: oam: {vnfc_name: {{ vm_config_oam_vnfc_name }}, hostname: {{ vm_config_oam_hostname }}, provider_ip_address: {{ vm_config_oam_provider_ip_address } - }, - … Parameters like VNF names, VNFC names, OA&M IP addresses, after @@ -1886,4 +1884,4 @@ developed playbooks for the VNF. under consideration. .. [7] - Multiple ONAP actions may map to one playbook.
\ No newline at end of file + Multiple ONAP actions may map to one playbook. |
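Review bot: in the Chapter8.rst hunk @@ -1403, deleting the "}," line breaks the YAML example: the remaining context line ends with `provider_ip_address: {{ vm_config_oam_provider_ip_address }` (a single closing brace), and the deleted line carried a closing brace that the remaining text still needs to balance the `{{ ... }}` expression and the `oam: {` mapping. Dropping the "…" placeholder is fine, but keep the closing braces, for example by ending the provider_ip_address line with `}},`.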