summaryrefslogtreecommitdiffstats
path: root/docs/Chapter4.rst
blob: 7487f1fbccbafca2c53a9720684998c0d228a9e2 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
**4. VNF Development Requirements**
====================================

a. VNF Design
==============

Services are composed of VNFs and common components and are designed to
be agnostic of the location to leverage capacity where it exists in the
Network Cloud. VNFs can be instantiated in any location that meets the
performance and latency requirements of the service.

A key design principle for virtualizing services is decomposition of
network functions using NFV concepts into granular VNFs. This enables
instantiating and customizing only essential functions as needed for the
service, thereby making service delivery more nimble. It provides
flexibility of sizing and scaling and also provides flexibility with
packaging and deploying VNFs as needed for the service. It enables
grouping functions in a common cloud data center to minimize
inter-component latency. The VNFs should be designed with a goal of
being modular and reusable to enable using best-in-breed vendors

Section 5.a VNF Design in *VNF Guidelines* describes
the overall guidelines for designing VNFs from VNF Components (VNFCs).
Below are more detailed requirements for composing VNFs.

VNF Design Requirements

* R-xxxxx The VNF **SHOULD** be decomposed into granular re-usable VNFCs.
* R-xxxxx The VNF **MUST** be decomposed if the functions have significantly different scaling characteristics (e.g., signaling versus media functions, control versus data plane functions).
* R-xxxxx The VNF **MUST** enable instantiating only the functionality that is needed for the decomposed VNF (e.g., if transcoding is not needed it should not be instantiated).
* R-xxxxx The VNFC **MUST** be designed as a standalone, executable process.
* R-xxxxx The VNF **SHOULD** create a single component VNF for VNFCs that can be used by other VNFs.
* R-xxxxx The VNF **MUST** be designed to scale horizontally (more instances of a VNF or VNFC) and not vertically (moving the existing instances to larger VMs or increasing the resources within a VM) to achieve effective utilization of cloud resources.
* R-xxxxx The VNF **MUST** utilize cloud provided infrastructure and VNFs (e.g., virtualized Local Load Balancer) as part of the VNF so that the cloud can manage and provide a consistent service resiliency and methods across all VNF's.
* R-xxxxx The VNFC **SHOULD** be independently deployed, configured, upgraded, scaled, monitored, and administered by ONAP.
* R-xxxxx The VNFC **MUST** provide API versioning to allow for independent upgrades of VNFC.
* R-xxxxx The VNFC **SHOULD** minimize the use of state within a VNFC to facilitate the movement of traffic from one instance to another.
* R-xxxxx The VNF **SHOULD** maintain state in a geographically redundant datastore that may, in fact, be its own VNFC.
* R-xxxxx The VNF **SHOULD** decouple persistent data from the VNFC and keep it in its own datastore that can be reached by all instances of the VNFC requiring the data.
* R-xxxxx The VNF **MUST** utilize virtualized, scalable open source database software that can meet the performance/latency requirements of the service for all datastores.
* R-xxxxx The VNF **MUST** NOT terminate stable sessions if a VNFC instance fails.
* R-xxxxx The VNF **MUST** enable DPDK in the guest OS for VNF’s requiring high packets/sec performance.  High packet throughput is defined as greater than 500K packets/sec.
* R-xxxxx The VNF **MUST** use the NCSP’s supported library and compute flavor that supports DPDK to optimize network efficiency if using DPDK. [1]_
* R-xxxxx The VNF **MUST** NOT use technologies that bypass virtualization layers (such as SR-IOV) unless approved by the NCSP (e.g., if necessary to meet functional or performance requirements).
* R-xxxxx The VNF **MUST** limit the size of application data packets to no larger than 9000 bytes for SDN network-based tunneling when guest data packets are transported between tunnel endpoints that support guest logical networks.
* R-xxxxx The VNF **MUST** NOT require the use of a dynamic routing protocol unless necessary to meet functional requirements.

b. VNF Resiliency
=================

The VNF is responsible for meeting its resiliency goals and must factor
in expected availability of the targeted virtualization environment.
This is likely to be much lower than found in a traditional data center.
Resiliency is defined as the ability of the VNF to respond to error
conditions and continue to provide the service intended. A number of
software resiliency dimensions have been identified as areas that should
be addressed to increase resiliency. As VNFs are deployed into the
Network Cloud, resiliency must be designed into the VNF software to
provide high availability versus relying on the Network Cloud to achieve
that end.

Section 5.a Resiliency in *VNF Guidelines* describes
the overall guidelines for designing VNFs to meet resiliency goals.
Below are more detailed resiliency requirements for VNFs.

All Layer Redundancy
--------------------

Design the VNF to be resilient to the failures of the underlying
virtualized infrastructure (Network Cloud). VNF design considerations
would include techniques such as multiple vLANs, multiple local and
geographic instances, multiple local and geographic data replication,
and virtualized services such as Load Balancers.

+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| All Layer Redundancy Requirements                                                                                                                                                                                                                                                                     | Type   | ID #    |
+=======================================================================================================================================================================================================================================================================================================+========+=========+
| VNFs are responsible to meet their own resiliency goals and not rely on the Network Cloud.                                                                                                                                                                                                            | Must   | 30010   |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Design resiliency into a VNF such that the resiliency deployment model (e.g., active-active) can be chosen at run-time.                                                                                                                                                                               | Must   | 30020   |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| VNFs must survive any single points of failure within the Network Cloud (e.g., virtual NIC, VM, disk failure).                                                                                                                                                                                        | Must   | 30030   |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| VNFs must survive any single points of software failure internal to the VNF (e.g., in memory structures, JMS message queues).                                                                                                                                                                         | Must   | 30040   |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Design, build and package VNFs to enable deployment across multiple fault zones (e.g., VNFCs deployed in different servers, racks, OpenStack regions, geographies) so that in the event of a planned/unplanned downtime of a fault zone, the overall operation/throughput of the VNF is maintained.   | Must   | 30050   |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Support the ability to failover a VNFC automatically to other geographically redundant sites if not deployed active-active to increase the overall resiliency of the VNF.                                                                                                                             | Must   | 30060   |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Support the ability of the VNFC to be deployable in multi-zoned cloud sites to allow for site support in the event of cloud zone failure or upgrades.                                                                                                                                                 | Must   | 30070   |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+

Minimize Cross Data-Center Traffic
----------------------------------

Avoid performance-sapping data center-to-data center replication delay
by applying techniques such as caching and persistent transaction paths
- Eliminate replication delay impact between data centers by using a
concept of stickiness (i.e., once a client is routed to data center "A",
the client will stay with Data center “A” until the entire session is
completed).

+------------------------------------------------------------------------------------------------------------------+----------+---------+
| Minimize Cross Data-Center Traffic Requirements                                                                  | Type     | ID #    |
+==================================================================================================================+==========+=========+
| Minimize the propagation of state information across multiple data centers to avoid cross data center traffic.   | Should   | 31010   |
+------------------------------------------------------------------------------------------------------------------+----------+---------+

Application Resilient Error Handling
------------------------------------

Ensure an application communicating with a downstream peer is equipped
to intelligently handle all error conditions. Make sure code can handle
exceptions seamlessly - implement smart retry logic and implement
multi-point entry (multiple data centers) for back-end system
applications.

+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Application Resilient Error Handling Requirements                                                                                                                                                                                                                                                                            | Type   | ID #    |
+==============================================================================================================================================================================================================================================================================================================================+========+=========+
| Detect connectivity failure for inter VNFC instance and intra/inter VNF and re-establish connectivity automatically to maintain the VNF without manual intervention to provide service continuity.                                                                                                                           | Must   | 32010   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Handle the restart of a single VNFC instance without requiring all VNFC instances to be restarted.                                                                                                                                                                                                                           | Must   | 32020   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Handle the start or restart of VNFC instances in any order with each VNFC instance establishing or re-establishing required connections or relationships with other VNFC instances and/or VNFs required to perform the VNF function/role without requiring VNFC instance(s) to be started/restarted in a particular order.   | Must   | 32030   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Handle errors and exceptions so that they do not interrupt processing of incoming VNF requests to maintain service continuity.                                                                                                                                                                                               | Must   | 32040   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Provide the ability to modify the number of retries, the time between retries and the behavior/action taken after the retries have been exhausted for exception handling to allow the NCSP to control that behavior.                                                                                                         | Must   | 32050   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Fully exploit exception handling to the extent that resources (e.g., threads and memory) are released when no longer needed regardless of programming language.                                                                                                                                                              | Must   | 32060   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Handle replication race conditions both locally and geo-located in the event of a data base instance failure to maintain service continuity.                                                                                                                                                                                 | Must   | 32070   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Automatically retry/resubmit failed requests made by the software to its downstream system to increase the success rate.                                                                                                                                                                                                     | Must   | 32080   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+

System Resource Optimization
----------------------------

Ensure an application is using appropriate system resources for the task
at hand; for example, do not use network or IO operations inside
critical sections, which could end up blocking other threads or
processes or eating memory if they are unable to complete. Critical
sections should only contain memory operation, and should not contain
any network or IO operation.

+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| System Resource Optimization Requirements                                                                                                                                                                                                       | Type     | ID #    |
+=================================================================================================================================================================================================================================================+==========+=========+
| Do not execute long running tasks (e.g., IO, database, network operations, service calls) in a critical section of code, so as to minimize blocking of other operations and increase concurrent throughput.                                     | Must     | 33010   |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Automatically advertise newly scaled components so there is no manual intervention required.                                                                                                                                                    | Must     | 33020   |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Utilize FQDNs (and not IP address) for both Service Chaining and scaling.                                                                                                                                                                       | Must     | 33030   |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Deliver any and all functionality from any VNFC in the pool. The VNFC pool member should be transparent to the client. Upstream and downstream clients should only recognize the function being performed, not the member performing it.        | Must     | 33040   |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Automatically enable/disable added/removed sub-components or component so there is no manual intervention required.                                                                                                                             | Should   | 33050   |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Support the ability to scale down a VNFC pool without jeopardizing active sessions. Ideally, an active session should not be tied to any particular VNFC instance.                                                                              | Should   | 33060   |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Support load balancing and discovery mechanisms in resource pools containing VNFC instances.                                                                                                                                                    | Should   | 33070   |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Utilize resource pooling (threads, connections, etc.) within the VNF application so that resources are not being created and destroyed resulting in resource management overhead.                                                               | Should   | 33080   |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Use techniques such as “lazy loading” when initialization includes loading catalogues and/or lists which can grow over time, so that the VNF startup time does not grow at a rate proportional to that of the list.                             | Should   | 33090   |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Release and clear all shared assets (memory, database operations, connections, locks, etc.) as soon as possible, especially before long running sync and asynchronous operations, so as to not prevent use of these assets by other entities.   | Should   | 33100   |
+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+

Application Configuration Management
------------------------------------

Leverage configuration management audit capability to drive conformity
to develop gold configurations for technologies like Java, Python, etc.

+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Application Configuration Management Requirements                                                                                                                                 | Type   | ID #    |
+===================================================================================================================================================================================+========+=========+
| Allow configurations and configuration parameters to be managed under version control to ensure consistent configuration deployment, traceability and rollback.                   | Must   | 34010   |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Allow configurations and configuration parameters to be managed under version control to ensure the ability to rollback to a known valid configuration.                           | Must   | 34020   |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Allow changes of configuration parameters to be consumed by the VNF without requiring the VNF or its sub-components to be bounced so that the VNF availability is not effected.   | Must   | 34030   |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+

Intelligent Transaction Distribution & Management
-------------------------------------------------

Leverage Intelligent Load Balancing and redundant components (hardware
and modules) for all transactions, such that at any point in the
transaction: front end, middleware, back end -- a failure in any one
component does not result in a failure of the application or system;
i.e., transactions will continue to flow, albeit at a possibly reduced
capacity until the failed component restores itself. Create redundancy
in all layers (software and hardware) at local and remote data centers;
minimizing interdependencies of components (i.e. data replication,
deploying non-related elements in the same container).

+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Intelligent Transaction Distribution & Management Requirements                                                                                                                                                                   | Type     | ID #    |
+==================================================================================================================================================================================================================================+==========+=========+
| Use intelligent routing by having knowledge of multiple downstream/upstream endpoints that are exposed to it, to ensure there is no dependency on external services (such as load balancers) to switch to alternate endpoints.   | Should   | 35010   |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Use redundant connection pooling to connect to any backend data source that can be switched between pools in an automated/scripted fashion to ensure high availability of the connection to the data source.                     | Should   | 35020   |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Include control loop mechanisms to notify the consumer of the VNF of their exceeding SLA thresholds so the consumer is able to control its load against the VNF.                                                                 | Should   | 35030   |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+

Deployment Optimization
-----------------------

Reduce opportunity for failure, by human or by machine, through smarter
deployment practices and automation. This can include rolling code
deployments, additional testing strategies, and smarter deployment
automation (remove the human from the mix).

+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Deployment Optimization Requirements                                                                                                                                                                                                                | Type     | ID #    |
+=====================================================================================================================================================================================================================================================+==========+=========+
| Support at least two major versions of the VNF software and/or sub-components to co-exist within production environments at any time so that upgrades can be applied across multiple systems in a staggered manner.                                 | Must     | 36010   |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Support the existence of multiple major/minor versions of the VNF software and/or sub-components and interfaces that support both forward and backward compatibility to be transparent to the Service Provider usage.                               | Must     | 36020   |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Support hitless staggered/rolling deployments between its redundant instances to allow "soak-time/burn in/slow roll" which can enable the support of low traffic loads to validate the deployment prior to supporting full traffic loads.           | Must     | 36030   |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Support the ability of a requestor of the service to determine the version (and therefore capabilities) of the service so that Network Cloud Service Provider can understand the capabilities of the service.                                       | Must     | 36040   |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Test for adherence to the defined performance budgets at each layer, during each delivery cycle with delivered results, so that the performance budget is measured and the code is adjusted to meet performance budget.                             | Must     | 36050   |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Test for adherence to the defined performance budget at each layer, during each delivery cycle so that the performance budget is measured and feedback is provided where the performance budget is not met.                                         | Must     | 36060   |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Test for adherence to the defined resiliency rating recommendation at each layer, during each delivery cycle with delivered results, so that the resiliency rating is measured and the code is adjusted to meet software resiliency requirements.   | Should   | 36070   |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Test for adherence to the defined resiliency rating recommendation at each layer, during each delivery cycle so that the resiliency rating is measured and feedback is provided where software resiliency requirements are not met.                 | Should   | 36080   |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+

Monitoring & Dashboard
----------------------

Promote dashboarding as a tool to monitor and support the general
operational health of a system. It is critical to the support of the
implementation of many resiliency patterns essential to the maintenance
of the system. It can help identify unusual conditions that might
indicate failure or the potential for failure. This would contribute to
improve Mean Time to Identify (MTTI), Mean Time to Repair (MTTR), and
post-incident diagnostics.

+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Monitoring & Dashboard Requirements                                                                                                                                                                                                            | Type     | ID #    |
+================================================================================================================================================================================================================================================+==========+=========+
| Provide a method of metrics gathering for each layer's performance to identify/document variances in the allocations so they can be addressed.                                                                                                 | Must     | 37010   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Provide unique traceability of a transaction through its life cycle to ensure quick and efficient troubleshooting.                                                                                                                             | Must     | 37020   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Provide a method of metrics gathering and analysis to evaluate the resiliency of the software from both a granular as well as a holistic standpoint. This includes, but is not limited to thread utilization, errors, timeouts, and retries.   | Must     | 37030   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Provide operational instrumentation such as logging, so as to facilitate quick resolution of issues with the VNF to provide service continuity.                                                                                                | Must     | 37040   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Monitor for and alert on (both sender and receiver) errant, running longer than expected and missing file transfers, so as to minimize the impact due to file transfer errors.                                                                 | Must     | 37050   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Use an appropriately configured logging level that can be changed dynamically, so as to not cause performance degradation of the VNF due to excessive logging.                                                                                 | Should   | 37060   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Utilize Cloud health checks, when available from the Network Cloud, from inside the application through APIs to check the network connectivity, dropped packets rate, injection, and auto failover to alternate sites if needed.               | Should   | 37070   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Conduct a resiliency impact assessment for all inter/intra-connectivity points in the VNF to provide an overall resiliency rating for the VNF to be incorporated into the software design and development of the VNF.                          | Must     | 37080   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+

c. VNF Security
===============

The objective of this section is to provide the key security
requirements that need to be met by VNFs. The security requirements are
grouped into five areas as listed below. Other security areas will be
addressed in future updates. These security requirements are applicable
to all VNFs. Additional security requirements for specific types of VNFs
will be applicable and are outside the scope of these general
requirements.

Section 5.a Security in *VNF Guidelines* outlines
the five broad security areas for VNFs that are detailed in the
following sections:

-  **VNF General Security**: This section addresses general security
   requirements for the VNFs that the vendors will need to address.

-  **VNF Identity and Access Management**: This section addresses
   security requirements with respect to Identity and Access Management
   as these pertain to generic VNFs.

-  **VNF API Security**: This section addresses the generic security
   requirements associated with APIs. These requirements are applicable
   to those VNFs that use standard APIs for communication and data
   exchange.

-  **VNF Security Analytics**: This section addresses the security
   requirements associated with analytics for VNFs that deal with
   monitoring, data collection and analysis.

-  **VNF Data Protection**: This section addresses the security
   requirements associated with data protection.

VNF General Security Requirements
---------------------------------

This section provides details on the VNF general security requirements
on various security areas such as user access control, network security,
ACLs, infrastructure security, and vulnerability management. These
requirements cover topics associated with compliance, security patching,
logging/accounting, authentication, encryption, role-based access
control, least privilege access/authorization. The following security
requirements need to be met by the solution in a virtual environment:

+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
| General Security Requirements                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | Type                                                                                                                                                                                                                                                                                                                                                                                                                                   | ID #              |
+=================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================================+========================================================================================================================================================================================================================================================================================================================================================================================================================================+=========+=========+
| Integration and operation within a robust security environment is necessary and expected. The security architecture will include one or more of the following: IDAM (Identity and Access Management) for all system and applications access, Code scanning, network vulnerability scans, OS, Database and application patching, malware detection and cleaning, DDOS prevention, network security gateways (internal and external) operating at various layers, host and application based tools for security compliance validation, aggressive security patch application, tightly controlled software distribution and change control processes and other state of the art security solutions. The VNF is expected to function reliably within such an environment and the developer is expected to understand and accommodate such controls and can expected to supply responsive interoperability support and testing throughout the product’s lifecycle.   | Informational                                                                                                                                                                                                                                                                                                                                                                                                                          | 40010             |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
| The VNF must accommodate the security principle of “least privilege” during development, implementation and operation. The importance of “least privilege” cannot be overstated and must be observed in all aspects of VNF development and not limited to security. This is applicable to all sections of this document.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Must                                                                                                                                                                                                                                                                                                                                                                                                                                   | 40020             |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
| Implement access control list for OA&M services (e.g., restricting access to certain ports or applications).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Must                                                                                                                                                                                                                                                                                                                                                                                                                                   | 40030             |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
| Implement Data Storage Encryption (database/disk encryption) for Sensitive Personal Information (SPI) and other subscriber identifiable data. Note: subscriber’s SPI/data must be encrypted at rest, and other subscriber identifiable data should be encrypted at rest. Other data protection requirements exist and should be well understood by the developer.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               | Must                                                                                                                                                                                                                                                                                                                                                                                                                                   | 40040             |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
| Implement a mechanism for automated and frequent "system configuration (automated provisioning / closed loop)" auditing.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Should                                                                                                                                                                                                                                                                                                                                                                                                                                 | 40050             |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
| Use both network scanning and application scanning security tools on all code, including underlying OS and related configuration. Scan reports shall be provided. Remediation roadmaps shall be made available for any findings.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Should                                                                                                                                                                                                                                                                                                                                                                                                                                 | 40060             |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
| Perform source code to scanning tools (e.g., Fortify) and provide reports.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | Should                                                                                                                                                                                                                                                                                                                                                                                                                                 | 40070             |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
| Production code shall be distributed from NCSP internal sources only. No production code, libraries, OS images, etc. shall be distributed from publically accessible depots.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Must                                                                                                                                                                                                                                                                                                                                                                                                                                   | 40080             |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
| Provide all code/configuration files in a “Locked down” or hardened state or with documented recommendations for such hardening. All unnecessary services will be disabled. Vendor default credentials, community strings and other such artifacts will be removed or disclosed so that they can be modified or removed during provisioning.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | Must                                                                                                                                                                                                                                                                                                                                                                                                                                   | 40090             |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
| Support L3 VPNs that enable segregation of traffic by application (dropping packets not belonging to the VPN) (i.e., AVPN, IPSec VPN for Internet routes).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      | Should                                                                                                                                                                                                                                                                                                                                                                                                                                 | 40100             |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
| Interoperate with various access control mechanisms for the Network Cloud execution environment (e.g., Hypervisors, containers).                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Should                                                                                                                                                                                                                                                                                                                                                                                                                                 | 40110             |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
| VNF should support the use of virtual trusted platform module, hypervisor security testing and standards scanning tools.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Should                                                                                                                                                                                                                                                                                                                                                                                                                                 | 40120             |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
| Interoperate with the ONAP (SDN) Controller so that it can dynamically modify the firewall rules, ACL rules, QoS rules, virtual routing and forwarding rules.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | Must                                                                                                                                                                                                                                                                                                                                                                                                                                   | 40130             |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
| Support the ability to work with aliases (e.g., gateways, proxies) to protect and encapsulate resources.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        | Should                                                                                                                                                                                                                                                                                                                                                                                                                                 | 40140             |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
| All access to applications (Bearer, signaling and OA&M) will pass through various security tools and platforms from ACLs, stateful firewalls and application layer gateways depending on manner of deployment. The application is expected to function (and in some cases, interwork) with these security tools.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Must                                                                                                                                                                                                                                                                                                                                                                                                                                   | 40150             |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
| Patch vulnerabilities in VNFs as soon as possible. Patching shall be controlled via change control process with vulnerabilities disclosed along with mitigation recommendations.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Must                                                                                                                                                                                                                                                                                                                                                                                                                                   | 40160             |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
| Identification, authentication and access control of **customer** or **VNF application users** must be performed by utilizing the NCSP’s IDAM API.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              | Must                                                                                                                                                                                                                                                                                                                                                                                                                                   | 40170             |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
| Identification, authentication and access control of **OA&M** and other system level functions must use the NCSP’s IDAM API or comply with the following is expected.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | Must                                                                                                                                                                                                                                                                                                                                                                                                                                   | 40180             |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Support User-IDs and passwords to uniquely identify the user/application. VNF needs to have appropriate connectors to the Identity, Authentication and Authorization systems that enables access at OS, Database and Application levels as appropriate.                                                                                                                                                                                | Must    | 40190   |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Provide the ability to support Multi-Factor Authentication (e.g., 1st factor = Software token on device (RSA SecureID); 2nd factor = User Name+Password, etc.) for the users.                                                                                                                                                                                                                                                          | Must    | 40200   |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Support Role-Based Access Control to permit/limit the user/application to performing specific activities.                                                                                                                                                                                                                                                                                                                              | Must    | 40210   |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Support logging via ONAP for a historical view of “who did what and when”.                                                                                                                                                                                                                                                                                                                                                             | Must    | 40220   |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Encrypt OA&M access (e.g., SSH, SFTP).                                                                                                                                                                                                                                                                                                                                                                                                 | Must    | 40230   |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Enforce a configurable maximum number of Login attempts policy for the users. VNF vendor must comply with "terminate idle sessions" policy. Interactive sessions must be terminated, or a secure, locking screensaver must be activated requiring authentication, after a configurable period of inactivity. The system-based inactivity timeout for the enterprise identity and access management system must also be configurable.   | Must    | 40240   |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Comply with the NCSP’s credential management policy.                                                                                                                                                                                                                                                                                                                                                                                   | Must    | 40250   |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Password expiration must be required at regular configurable intervals.                                                                                                                                                                                                                                                                                                                                                                | Must    | 40260   |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Comply with "password complexity" policy. When passwords are used, they shall be complex and shall at least meet the following password construction requirements:                                                                                                                                                                                                                                                                     | Must    | 40270   |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |                                                                                                                                                                                                                                                                                                                                                                                                                                        |         |         |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | -  Be a minimum configurable number of characters in length.                                                                                                                                                                                                                                                                                                                                                                           |         |         |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |                                                                                                                                                                                                                                                                                                                                                                                                                                        |         |         |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | -  Include 3 of the 4 following types of characters: upper-case alphabetic, lower-case alphabetic, numeric, and special.                                                                                                                                                                                                                                                                                                               |         |         |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |                                                                                                                                                                                                                                                                                                                                                                                                                                        |         |         |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | -  Not be the same as the UserID with which they are associated or other common strings as specified by the environment.                                                                                                                                                                                                                                                                                                               |         |         |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |                                                                                                                                                                                                                                                                                                                                                                                                                                        |         |         |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | -  Not contain repeating or sequential characters or numbers.                                                                                                                                                                                                                                                                                                                                                                          |         |         |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |                                                                                                                                                                                                                                                                                                                                                                                                                                        |         |         |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | -  Not to use special characters that may have command functions.                                                                                                                                                                                                                                                                                                                                                                      |         |         |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |                                                                                                                                                                                                                                                                                                                                                                                                                                        |         |         |
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | -  New passwords must not contain sequences of three (3) or more characters from the previous password.                                                                                                                                                                                                                                                                                                                                |         |         |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Comply with "password changes (includes default passwords)" policy. Products will support password aging, syntax and other credential management practices on a configurable basis.                                                                                                                                                                                                                                                    | Must    | 40280   |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Support use of common third party authentication and authorization tools such as TACACS+, RADIUS.                                                                                                                                                                                                                                                                                                                                      | Must    | 40290   |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Comply with "No Self-Signed Certificates" policy. Self-signed certificates must be used for encryption only, using specified and approved encryption protocols such as LS 1.1 or higher or equivalent security protocols such as IPSec, AES.                                                                                                                                                                                           | Must    | 40300   |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+
|                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | Authenticate system to system communications where one system accesses the resources of another system, and must never conceal individual accountability.                                                                                                                                                                                                                                                                              | Must    | 40310   |
+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+---------+---------+

VNF Identity and Access Management Requirements
-----------------------------------------------

The following security requirements for logging, identity, and access
management need to be met by the solution in a virtual environment:

+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Identity and Access Management Requirements                                                                                                                                                                                                                                                                                                                                                    | Type     | ID #    |
+================================================================================================================================================================================================================================================================================================================================================================================================+==========+=========+
| Access to VNFs will be required at several layers. Hence, VNF vendor needs to be able to host connectors for access to the following layers:                                                                                                                                                                                                                                                   |          |         |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| a. Application                                                                                                                                                                                                                                                                                                                                                                                 | Must     | 41010   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| a. OS (Operating System)                                                                                                                                                                                                                                                                                                                                                                       | Must     | 41020   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| a. Database                                                                                                                                                                                                                                                                                                                                                                                    | Must     | 41030   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Manage access to VNF, its OS, or Database by an enterprise access request process.                                                                                                                                                                                                                                                                                                             | Must     | 41040   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Comply with the following when persons or non-person entities access VNFs:                                                                                                                                                                                                                                                                                                                     |          |         |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| a. Individual Accountability (each person must be assigned a unique ID)                                                                                                                                                                                                                                                                                                                        | Must     | 41050   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| a. Least Privilege (no more privilege than required to perform job functions)                                                                                                                                                                                                                                                                                                                  | Must     | 41060   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| a. Segregation of Duties (access to a single layer and no developer may access production without special oversight)                                                                                                                                                                                                                                                                           | Must     | 41070   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Vendors will not be allowed to access VNFs remotely, e.g., VPN                                                                                                                                                                                                                                                                                                                                 | Must     | 41080   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Vendors accessing VNFs through a client application API must be authorized by the client application owner and the resource owner of the VNF before provisioning authorization through Role Based Access Control (RBAC), Attribute Based Access Control (ABAC), or other policy based mechanism.                                                                                               | Must     | 41090   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Vendor VNF access will be subject to privilege reconciliation tools to prevent access creep and ensure correct enforcement of access policies.                                                                                                                                                                                                                                                 | Must     | 41100   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Provide or Support the Identity and Access Management (IDAM) based threat detection data for:                                                                                                                                                                                                                                                                                                  |          |         |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| a. OWASP Top 10                                                                                                                                                                                                                                                                                                                                                                                | Must     | 41110   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| a. Password Attacks                                                                                                                                                                                                                                                                                                                                                                            | Must     | 41120   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| a. Phishing / SMishing                                                                                                                                                                                                                                                                                                                                                                         | Must     | 41130   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| a. Malware (Key Logger)                                                                                                                                                                                                                                                                                                                                                                        | Must     | 41140   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| a. Session Hijacking                                                                                                                                                                                                                                                                                                                                                                           | Must     | 41150   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| a. XSS / CSRF                                                                                                                                                                                                                                                                                                                                                                                  | Must     | 41160   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| a. Replay                                                                                                                                                                                                                                                                                                                                                                                      | Must     | 41170   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| a. Man in the Middle (MITM)                                                                                                                                                                                                                                                                                                                                                                    | Must     | 41180   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| a. Eavesdropping                                                                                                                                                                                                                                                                                                                                                                               | Must     | 41190   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Provide Context awareness data (device, location, time, etc.) and be able to integrate with threat detection system.                                                                                                                                                                                                                                                                           | Must     | 41200   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Where a VNF vendor requires the assumption of permissions, such as root or administrator, the vendor user must first log in under their individual user login ID then switch to the other higher level account; or where the individual user login is infeasible, must login with an account with admin privileges in a way that uniquely identifies the individual performing the function.   | Must     | 41210   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Authenticate system to system access and do not conceal a VNF vendor user’s individual accountability for transactions.                                                                                                                                                                                                                                                                        | Must     | 41220   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Warning Notices: A formal statement of resource intent, i.e., a warning notice, must be made visible upon initial access to a VNF vendor user who accesses private internal networks or Company computer resources, e.g., upon initial logon to an internal web site, system or application which requires authentication.                                                                     | Must     | 41230   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Use access controls for VNFs and their supporting computing systems at all times to restrict access to authorized personnel only, e.g., least privilege. These controls could include the use of system configuration or access control software.                                                                                                                                              | Must     | 41240   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| a. Initial and default settings for new user accounts must provide minimum privileges only.                                                                                                                                                                                                                                                                                                    | Must     | 41250   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| a. Default settings for user access to sensitive commands and data must be denied authorization.                                                                                                                                                                                                                                                                                               | Must     | 41260   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| a. Privileged users may be created conforming to approved request, workflow authorization, and authorization provisioning requirements.                                                                                                                                                                                                                                                        | Must     | 41270   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| a. Commands affecting network services, such as commands relating to VNFs, must have greater restrictions for access and execution, such as up to 3 factors of authentication and restricted authorization.                                                                                                                                                                                    | Must     | 41280   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Encrypt TCP/IP--HTTPS (e.g., TLS v1.2) transmission of data on internal and external networks.                                                                                                                                                                                                                                                                                                 | Must     | 41290   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Unnecessary or vulnerable cgi-bin programs must be disabled.                                                                                                                                                                                                                                                                                                                                   | Must     | 41300   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| No public or unrestricted access to any data should be provided without the permission of the data owner. All data classification and access controls must be followed.                                                                                                                                                                                                                        | Must     | 41310   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| When in production, vendors or developers must not do the following without authorization of the VNF system owner including:                                                                                                                                                                                                                                                                   |          |         |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| a. Install or use systems, tools or utilities capable of capturing or logging data that was not created by them or sent specifically to them;                                                                                                                                                                                                                                                  | Must     | 41320   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| a. Run security testing tools and programs, e.g., password cracker, port scanners, hacking tools.                                                                                                                                                                                                                                                                                              | Must     | 41330   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Authentication credentials must not be included in security audit logs, even if encrypted.                                                                                                                                                                                                                                                                                                     | Must     | 41340   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| The standard interface for a VNF should be REST APIs exposed to Client Applications for the implementation of OAuth 2.0 Authorization Code Grant and Client Credentials Grant.                                                                                                                                                                                                                 | Should   | 41350   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Support hosting connectors for OS Level and Application Access.                                                                                                                                                                                                                                                                                                                                | Should   | 41360   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Support SCEP (Simple Certificate Enrollment Protocol).                                                                                                                                                                                                                                                                                                                                         | Should   | 41370   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+

VNF API Security Requirements
-----------------------------

This section covers API security requirements when these are used by the
VNFs. Key security areas covered in API security are Access Control,
Authentication, Passwords, PKI Authentication Alarming, Anomaly
Detection, Lawful Intercept, Monitoring and Logging, Input Validation,
Cryptography, Business continuity, Biometric Authentication,
Identification, Confidentiality and Integrity, and Denial of Service.

The solution in a virtual environment needs to meet the following API
security requirements:

+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| API Requirements                                                                                                                                                                                                                                                                                                         | Type   | ID #    |
+==========================================================================================================================================================================================================================================================================================================================+========+=========+
| Provide a mechanism to restrict access based on the attributes of the VNF and the attributes of the subject.                                                                                                                                                                                                             | Must   | 42010   |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Integrate with external authentication and authorization services (e.g., IDAM).                                                                                                                                                                                                                                          | Must   | 42020   |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Use certificates issued from publicly recognized Certificate Authorities (CA) for the authentication process where PKI-based authentication is used                                                                                                                                                                      | Must   | 42030   |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Validate the CA signature on the certificate, ensure that the date is within the validity period of the certificate, check the Certificate Revocation List (CRL), and recognize the identity represented by the certificate where PKI-based authentication is used.                                                      | Must   | 42040   |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Protect the confidentiality and integrity of data at rest and in transit from unauthorized access and modification.                                                                                                                                                                                                      | Must   | 42050   |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Protect against all denial of service attacks, both volumetric and non-volumetric, or integrate with external denial of service protection tools                                                                                                                                                                         | Must   | 42060   |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Implement at minimum the following input validation controls:                                                                                                                                                                                                                                                            |        |         |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Check the size (length) of all input. Do not permit an amount of input so great that it would cause the VNF to fail. Where the input may be a file, the VNF API must enforce a size limit.                                                                                                                            | Must   | 42070   |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Do not permit input that contains content or characters inappropriate to the input expected by the design. Inappropriate input, such as SQL insertions, may cause the system to execute undesirable and unauthorized transactions against the database or allow other inappropriate access to the internal network.   | Must   | 42080   |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Validate that any input file has a correct and valid Multipurpose Internet Mail Extensions (MIME) type. Input files should be tested for spoofed MIME types.                                                                                                                                                          | Must   | 42090   |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Validate input at all layers implementing VNF APIs.                                                                                                                                                                                                                                                                      | Must   | 42100   |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Comply with NIST standards and industry best practices for all implementations of cryptography                                                                                                                                                                                                                           | Must   | 42110   |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Implement all monitoring and logging as described in the Security Analytics section.                                                                                                                                                                                                                                     | Must   | 42120   |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Restrict changing the criticality level of a system security alarm to administrator(s).                                                                                                                                                                                                                                  | Must   | 42130   |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Monitor API invocation patterns to detect anomalous access patterns that may represent fraudulent access or other types of attacks, or integrate with tools that implement anomaly and abuse detection.                                                                                                                  | Must   | 42140   |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Support requests for information from law enforcement and government agencies.                                                                                                                                                                                                                                           | Must   | 42150   |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+

VNF Security Analytics Requirements
-----------------------------------

This section covers VNF security analytics requirements that are mostly
applicable to security monitoring. The VNF Security Analytics cover the
collection and analysis of data following key areas of security
monitoring:

-  Anti-virus software

-  Logging

-  Data capture

-  Tasking

-  DPI

-  API based monitoring

-  Detection and notification

-  Resource exhaustion detection

-  Proactive and scalable monitoring

-  Mobility and guest VNF monitoring

-  Closed loop monitoring

-  Interfaces to management and orchestration

-  Malformed packet detections

-  Service chaining

-  Dynamic security control

-  Dynamic load balancing

-  Connection attempts to inactive ports (malicious port scanning)

The following requirements of security monitoring need to be met by the
solution in a virtual environment.

+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Security Analytics Requirements                                                                                                                                                                                                                                                          | Type   | ID #    |
+==========================================================================================================================================================================================================================================================================================+========+=========+
| Support the following monitoring features by the VNF:                                                                                                                                                                                                                                    |        |         |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Real-time detection and notification of security events.                                                                                                                                                                                                                              | Must   | 43010   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Integration functionality via API/Syslog/SNMP to other functional modules in the network (e.g., PCRF, PCEF) that enable dynamic security control by blocking the malicious traffic or malicious end users                                                                             | Must   | 43020   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. API-based monitoring to take care of the scenarios where the control interfaces are not exposed, or are optimized and proprietary in nature                                                                                                                                           | Must   | 43030   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Event logging, formats, and delivery tools to provide the required degree of event data to ONAP                                                                                                                                                                                       | Must   | 43040   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Detection of malformed packets due to software misconfiguration or software vulnerability                                                                                                                                                                                             | Must   | 43050   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Integrated DPI/monitoring functionality as part of VNFs (e.g., PGW, MME)                                                                                                                                                                                                              | Must   | 43060   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Alternative monitoring capabilities when VNFs do not expose data or control traffic or use proprietary and optimized protocols for inter VNF communication                                                                                                                            | Must   | 43070   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Proactive monitoring to detect and report the attacks on resources so that the VNFs and associated VMs can be isolated, such as detection techniques for resource exhaustion, namely OS resource attacks, CPU attacks, consumption of kernel memory, local storage attacks.           | Must   | 43080   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Coexist and operate normally with commercial anti-virus software which shall produce alarms every time when there is a security incident.                                                                                                                                                | Must   | 43090   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Protect all security audit logs (including API, OS and application-generated logs), security audit software, data, and associated documentation from modification, or unauthorized viewing, by standard OS access control mechanisms, by sending to a remote system, or by encryption.   | Must   | 43100   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Log the following events:                                                                                                                                                                                                                                                                |        |         |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Successful and unsuccessful login attempts                                                                                                                                                                                                                                            | Must   | 43110   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Logoffs                                                                                                                                                                                                                                                                               | Must   | 43120   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Successful and unsuccessful changes to a privilege level                                                                                                                                                                                                                              | Must   | 43130   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Starting and stopping of security logging                                                                                                                                                                                                                                             | Must   | 43140   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Creating, removing, or changing the inherent privilege level of users                                                                                                                                                                                                                 | Must   | 43150   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Connections to a network listener of the resource                                                                                                                                                                                                                                     | Must   | 43160   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Log, at minimum, the following fields (where applicable and technically feasible) in the security audit logs:                                                                                                                                                                            |        |         |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Event type                                                                                                                                                                                                                                                                            | Must   | 43170   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Date/time                                                                                                                                                                                                                                                                             | Must   | 43180   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Protocol                                                                                                                                                                                                                                                                              | Must   | 43190   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Service or program used for access                                                                                                                                                                                                                                                    | Must   | 43200   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Success/failure                                                                                                                                                                                                                                                                       | Must   | 43210   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Login ID                                                                                                                                                                                                                                                                              | Must   | 43220   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Security audit logs must never contain an authentication credential, e.g., password, even if encrypted.                                                                                                                                                                                  | Must   | 43230   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Detect when the security audit log storage medium is approaching capacity (configurable) and issue an alarm via SMS or equivalent as to allow time for proper actions to be taken to pre-empt loss of audit data.                                                                        | Must   | 43240   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Support the capability of online storage of security audit logs.                                                                                                                                                                                                                         | Must   | 43250   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Activate security alarms automatically when the following events, at a minimum, are detected:                                                                                                                                                                                            |        |         |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Configurable number of consecutive unsuccessful login attempts                                                                                                                                                                                                                        | Must   | 43260   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Successful modification of critical system or application files                                                                                                                                                                                                                       | Must   | 43270   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Unsuccessful attempts to gain permissions or assume the identity of another user                                                                                                                                                                                                      | Must   | 43280   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Include, at a minimum, the following fields in the Security alarms (where applicable and technically feasible):                                                                                                                                                                          |        |         |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Date                                                                                                                                                                                                                                                                                  | Must   | 43290   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Time                                                                                                                                                                                                                                                                                  | Must   | 43300   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Service or program used for access                                                                                                                                                                                                                                                    | Must   | 43310   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Success/failure                                                                                                                                                                                                                                                                       | Must   | 43320   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| a. Login ID                                                                                                                                                                                                                                                                              | Must   | 43330   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Restrict changing the criticality level of a system security alarm to administrator(s).                                                                                                                                                                                                  | Must   | 43340   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Monitor API invocation patterns to detect anomalous access patterns that may represent fraudulent access or other types of attacks, or integrate with tools that implement anomaly and abuse detection.                                                                                  | Must   | 43350   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Support requests for information from law enforcement and government agencies.                                                                                                                                                                                                           | Must   | 43360   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Implement “Closed Loop” automatic implementation (without human intervention) for Known Threats with detection rate in low false positives.                                                                                                                                              | Must   | 43370   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Perform data capture for security functions.                                                                                                                                                                                                                                             | Must   | 43380   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Generate security audit logs that must be sent to Security Analytics Tools for analysis.                                                                                                                                                                                                 | Must   | 43390   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Provide audit logs that include user ID, dates, times for log-on and log-off, and terminal location at minimum.                                                                                                                                                                          | Must   | 43400   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Provide security audit logs including records of successful and rejected system access data and other resource access attempts.                                                                                                                                                          | Must   | 43410   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Support the storage of security audit logs for agreed period of time for forensic analysis.                                                                                                                                                                                              | Must   | 43420   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Provide the capability of generating security audit logs by interacting with the operating system (OS) as appropriate.                                                                                                                                                                   | Must   | 43430   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+
| Security logging for VNFs and their OSs must be active from initialization. Audit logging includes automatic routines to maintain activity records and cleanup programs to ensure the integrity of the audit/logging systems.                                                            | Must   | 43440   |
+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+--------+---------+

VNF Data Protection Requirements
--------------------------------

This section covers VNF data protection requirements that are mostly
applicable to security monitoring.

+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Data Protection Requirements                                                                                                                                                                                                                                                                                         | Type     | ID #    |
+======================================================================================================================================================================================================================================================================================================================+==========+=========+
| Provide the capability to restrict read and write access to data.                                                                                                                                                                                                                                                    | Must     | 44010   |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Provide the capability to restrict access to data to specific users.                                                                                                                                                                                                                                                 | Must     | 44020   |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Provide the capability to encrypt data in transit on a physical or virtual network.                                                                                                                                                                                                                                  | Must     | 44030   |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Provide the capability to encrypt data on non-volatile memory.                                                                                                                                                                                                                                                       | Must     | 44040   |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Where the encryption of non-transient data is required on a device for which the operating system performs paging to virtual memory, then if possible disable the paging of the data requiring encryption, if not the virtual memory should be encrypted.                                                            | Should   | 44050   |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Provide the capability to integrate with an external encryption service.                                                                                                                                                                                                                                             | Must     | 44060   |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Use industry standard cryptographic algorithms and standard modes of operations when implementing cryptography.                                                                                                                                                                                                      | Must     | 44070   |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Use commercial algorithms only when there are no applicable governmental standards for specific cryptographic functions, e.g., public key cryptography, message digests.                                                                                                                                             | Should   | 44080   |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| The SHA, DSS, MD5, SHA-1 and Skipjack algorithms or other compromised encryption must not be used.                                                                                                                                                                                                                   | Must     | 44090   |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Use, whenever possible, standard implementations of security applications, protocols, and format, e.g., S/MIME, TLS, SSH, IPSec, X.509 digital certificates for cryptographic implementations. These implementations must be purchased from reputable vendors and must not be developed in-house.                    | Must     | 44100   |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| A VNF must provide the ability to migrate to newer versions of cryptographic algorithms and protocols with no impact.                                                                                                                                                                                                | Must     | 44110   |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Use symmetric keys of at least 112 bits in length.                                                                                                                                                                                                                                                                   | Must     | 44120   |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Use asymmetric keys of at least 2048 bits in length.                                                                                                                                                                                                                                                                 | Must     | 44130   |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Use commercial tools that comply with X.509 standards and produce x.509 compliant keys for public/private key generation. Keys must not be generated or derived from predictable functions or values, e.g., values considered predictable include user identity information, time of day, stored/transmitted data.   | Must     | 44140   |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Provide the capability to configure encryption algorithms or devices so that they comply with the laws of the jurisdiction in which there are plans to use data encryption.                                                                                                                                          | Must     | 44150   |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Provide the capability of using certificates issued from a Certificate Authority not provided by the VNF vendor.                                                                                                                                                                                                     | Must     | 44160   |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Provide the capability of allowing certificate renewal and revocation.                                                                                                                                                                                                                                               | Must     | 44170   |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Provide the capability of testing the validity of a digital certificate by performing the following:                                                                                                                                                                                                                 |          |         |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| a. The CA signature on the certificate must be validated                                                                                                                                                                                                                                                             | Must     | 44180   |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| a. The date the certificate is being used must be within the validity period for the certificate                                                                                                                                                                                                                     | Must     | 44190   |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| a. The Certificate Revocation List (CRL) for the certificates of that type must be checked to ensure that the certificate has not been revoked                                                                                                                                                                       | Must     | 44200   |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| a. The identity represented by the certificate — the "distinguished name" — must be recognized                                                                                                                                                                                                                       | Must     | 44210   |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Provide the capability of encrypting selected data fields stored or bound for security logs.                                                                                                                                                                                                                         | Must     | 44220   |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Provide the capability of deleting data stored in the VNF.                                                                                                                                                                                                                                                           | Must     | 44230   |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+
| Provide the capability to make data available in order to support requests from law enforcement and government agencies as required by legal or regulatory mandates. Capability must be configurable for MOW deployment.                                                                                             | Must     | 44240   |
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+----------+---------+

d. VNF Modularity
=================

VNF Modularity Overview
-----------------------

ONAP supports a modular Heat design pattern, referred to as *VNF
Modularity.* With this approach, a single VNF may be composed from one
or more Heat templates, each of which represents some subset of the
overall VNF. These component parts are referred to as “\ *VNF
Modules*\ ”. During orchestration, these modules may be deployed
incrementally to build up the complete VNF.

A Heat template can be either one of the following types of modules:

1. Base Module

2. Incremental Modules

3. Independent Cinder Volume Modules

The ONAP Heat template naming convention must be followed (Section
5.b Filenames). The naming convention identifies the module type.

A VNF must be composed of one “base” VNF module (also called a base
module) and zero to many “incremental” or “add on” VNF modules. The base
module must be deployed first, prior to the add-on modules.

A module can be thought of as equivalent to a Heat template, where a
Heat template is composed of a YAML file and an environment file (also
referred to as an ENV file). A given YAML file must have a corresponding
environment file; ONAP requires it.

A Heat template is used to create or deploy a Heat stack. Therefore, a
module is also equivalent to a Heat Stack.

ONAP supports the concept of an optional, independent deployment of
a Cinder volume via separate Heat templates. This allows the volume to
persist after VNF deletion so that the volume can be reused on another
instance (e.g. during a failover activity).

The scope of a volume module, when it exists, must be 1:1 with the VNF
Module (base or add-on). A single volume module must create only the
volumes needed by a single VNF module (base or add-on).

These concepts will be described in more detail throughout the document.
This overview is provided to set the stage and help clarify the concepts
that will be introduced.

Design Pattern: VNF Modularity
------------------------------

ONAP supports the concept of *VNF Modularity*. With this approach,
a single VNF may be composed from one or more Heat templates, each of
which represents some subset of the overall VNF. These component parts
are referred to as “\ *VNF Modules*\ ”. During orchestration, these
modules may be deployed incrementally to build up the complete VNF.

A Heat template can be either one for the following types of modules

1. Base Module

2. Incremental Modules

3. Independent Cinder Volume Modules

The ONAP Heat template naming convention must be followed (Section
5.b Filenames). The naming convention identifies the module type.

A VNF must be composed of one “base” VNF module (also called a base
module) and zero to many “incremental” or “add on” VNF modules. The base
module must be deployed first prior to the add-on modules.

A module can be thought of as equivalent to a Heat template, where a
Heat template is composed of a YAML file and an environment file. A
given YAML file must have a corresponding environment file; ONAP
requires it. A Heat template is used to create or deploy a Heat stack.
Therefore, a module is also equivalent to a Heat Stack.

However, there are cases where a module maybe composed of more than one
Heat stack and/or more than one YAML file.

As discussed in Section 5.b, Independent Volume Templates, each VNF
Module may have an associated Volume template.

-  When a volume template is utilized, it must correspond 1:1 with
   add-on module template or base template it is associated with

-  A Cinder volume may be embedded within the add-on module template
   and/or base template if persistence is not required, thus not
   requiring the optional Volume template.

A VNF module may support nested templates. In this case, there will be
one or more additional YAML files.

Any shared resource defined in the base module template and used across
the entire VNF (e.g., private networks, server groups), must be exposed
to the incremental or add-on modules by declaring their resource UUIDs
as Heat outputs (i.e., ONAP Base Template Output Parameter in the
output section of the Heat template). Those outputs will be provided by
ONAP as input parameter values to all add-on module Heat templates
in the VNF that have declared the parameter in the template.

*Note:* A Cinder volume is *not* considered a shared resource. A volume
template must correspond 1:1 with a base template or add-on module
template.

There are two suggested usage patterns for modular VNFs, though any
variation is supported.

A. **Modules per VNFC type**

   a. Group all VMs (VNFCs) of a given type into its own module

   b. Build up the VNF one VNFC type at a time

   c. Base module contains only the shared resources (and possibly
      initial Admin VMs)

   d. Suggest one or two modules per VNFC type

      i.  one for initial count

      ii. one for scaling increment (if different from initial count)

B. **Base VNF + Growth Units**

   a. Base module (template) contains a complete initial VNF instance

   b. Growth modules for incremental scaling units

      i.  May contain VMs of multiple types in logical scaling
          combinations

      ii. May be separated by VM type for multi-dimensional scaling

   c. With no growth units, this is equivalent to the “\ *One Heat
      Template per VNF*\ ” model

Note that modularization of VNFs is not required. A single Heat template
(a base template) may still define a complete VNF, which might be
appropriate for smaller VNFs without a lot of scaling options.

There are some rules to follow when building modular VNF templates:

1. All VNFs must have one Base VNF Module (template) that must be the
   first one deployed. The base template:

   a. Must include all shared resources (e.g., private networks, server
      groups, security groups)

   b. Must expose all shared resources (by UUID) as “outputs” in its
      associated Heat template (i.e., ONAP Base Template Output
      Parameters)

   c. May include initial set of VMs

   d. May be operational as a stand-alone “minimum” configuration of the
      VNF

2. VNFs may have one or more Add-On VNF Modules (templates) which:

   a. Defines additional resources that can be added to an existing VNF

   b. Must be complete Heat templates

      i. i.e. not snippets to be incorporated into some larger template

   c. Should define logical growth-units or sub-components of an overall
      VNF

   d. On creation, receives all Base VNF Module outputs as parameters

      i.  Provides access to all shared resources (by UUID)

      ii. must not be dependent on other Add-On VNF Modules

   e. Multiple instances of an Add-On VNF Module type may be added to
      the same VNF (e.g. incrementally grow a VNF by a fixed “add-on”
      growth units)

3. Each VNF Module (base or add-on) may have (optional) an associated
   Volume template (*see Section 5.b, Independent Volume Templates*)

   a. Volume templates should correspond 1:1 with Module (base or
      add-on) templates

   b. A Cinder volume may be embedded within the Module template (base
      or add-on) if persistence is not required

4. Shared resource UUIDs are passed between the base template and add-on
   template via Heat Outputs Parameters (i.e., Base Template Output
   Parameters)

   a. The output parameter name in the base must match the parameter
      name in the add-on module

*Examples:*

In this example, the {vm-type} have been defined as “lb” for load
balancer and “admin” for admin server.

1. **Base VNF Module Heat Template (partial)**

Heat\_template\_version: 2013-05-23

.. code-block:: python

    parameters:
        admin\_name\_0:
            type: string

    resources:
        int\_oam\_network:
            type: OS::Neutron::Network
            properties:
                name: { }

        admin\_server:
            type: OS::Nova::Server
            properties:
            name: {get\_param: admin\_name\_0}
            image: ...

    outputs:
        int\_oam\_net\_id:
            value: {get\_resource: int\_oam\_network }


2. **Add-on VNF Module Heat Template (partial)**

Heat\_template\_version: 2013-05-23

.. code-block:: python

    Parameters:
        int\_oam\_net\_id:
            type: string
            description: ID of shared private network from Base template
        lb\_name\_0:
            type: string
            description: name for the add-on VM instance

    Resources:
        lb\_server:
            type: OS::Nova::Server
            properties:
                name: {get\_param: lb\_name\_0}
                networks:
                    - port: { get\_resource: lb\_port }
                    ...

        lb\_port:
            type: OS::Neutron::Port
            properties:
                network\_id: { get\_param: int\_oam\_net\_id }
    ...

Scaling Considerations
----------------------

Scaling of a VNF may be manually driven to add new capacity (**static
scaling**) or it may be driven in near real-time by the ONAP
controllers based on a real-time need **(dynamic scaling).**

With VNF Modularity, the recommended approach for scaling is to provide
additional “growth unit” templates that can be used to create additional
resources in logical scaling increments. This approach is very
straightforward, and has minimal impact on the currently running VNFCs
and must comply with the following:

-  Combine resources into reasonable-sized scaling increments; do not
   just scale by one VM at a time in potentially large VNFs.

-  Combine related resources into the same growth template where
   appropriate, e.g. if VMs of different types are always deployed in
   pairs, include them in a single growth template.

-  Growth templates can use the private networks and other shared
   resources exposed by the Base Module template.

VNF Modules may also be updated “in-place” using the OpenStack Heat
Update capability, by deploying an updated Heat template with different
VM counts to an existing stack. This method requires another VNF module
template that includes the new resources *in addition to all resources
contained in the original module template*. Note that this also requires
re-specification of all existing parameters as well as new ones.

*For this approach:*

-  Use a fixed number of pre-defined VNF module configurations

-  Successively larger templates must be identical to the next smaller
   one, plus add the additional VMs of the scalable type(s)

-  VNF is scalable by sending a stack-update with a different template

*Please do note that:*

-  If properties do not change for existing VMs, those VMs should remain
   unchanged

-  If the update is performed with a smaller template, the Heat engine
   recognizes and deletes no-longer-needed VMs (and associated
   resources)

-  Nested templates for the various server types will simplify reuse
   across multiple configurations

-  Per the section on Use of Heat ResourceGroup, if *ResourceGroup* is
   ever used for scaling (e.g. increment the count and include an
   additional element to each list parameter), Heat will often rebuild
   every existing element in addition to adding the “deltas”.  For this
   reason, use of *ResourceGroup* for scaling in this manner is not
   supported.

e. VNF Devops
=============

This section includes guidelines for vendors to ensure that a Network
Cloud Service Provider’s operations personnel have a common and
consistent way to support VNFs and VNFCs.

NCSPs may elect to support standard images to enable compliance with
security, audit, regulatory and other needs. As part of the overall VNF
software bundle, VNF suppliers using standard images would typically
provide the NCSP with an install package consistent with the default OS
package manager (e.g. aptitude for Ubuntu, yum for Redhat/CentOS).

Section 5.a DevOps in *VNF Guidelines* describes
the DevOps guidelines for VNFs.

DevOps Requirements

* R-xxxxx The VNF **MUST** utilize only the Guest OS versions that are supported by the NCSP’s Network Cloud. [1]_
* R-xxxxx The VNF **SHOULD** utilize only NCSP provided Guest OS images. [2]_
* R-xxxxx The VNF **MUST**  utilize only NCSP standard compute flavors. [2]_
* R-xxxxx The VNF **MUST** preserve their persistent data. Running VMs will not be backed up in the Network Cloud infrastructure.
* R-xxxxx The VNFC **MUST** be installed on non-root file systems, unless software is specifically included with the operating system distribution of the guest image.
* R-xxxxx The VNF **MUST** be agnostic to the underlying infrastructure (such as hardware, host OS, Hypervisor), any requirements should be provided as specification to be fulfilled by any hardware.
* R-xxxxx The VNF **MUST NOT** require Hypervisor-level customization from the cloud provider.
* R-xxxxx The VNF **SHOULD** provide an automated test suite to validate every new version of the software on the target environment(s). The tests should be of sufficient granularity to independently test various representative VNF use cases throughout its lifecycle. Operations might choose to invoke these tests either on a scheduled basis or on demand to support various operations functions including test, turn-up and troubleshooting.
* R-xxxxx The VNF **SHOULD** provide the ability to test incremental growth of the VNF.
* R-xxxxx The VNF **MUST** respond to a "move traffic" [3]_ command against a specific VNFC, moving all existing session elsewhere with minimal disruption if a VNF provides a load balancing function across multiple instances of its VNFCs. Note: Individual VNF performance aspects (e.g., move duration or disruption scope) may require further constraints.
* R-xxxxx  The VNF **MUST** respond to a "drain VNFC" [2]_ command against a specific VNFC, preventing new session from reaching the targeted VNFC, with no disruption to active sessions on the impacted VNFC, if a VNF provides a load balancing function across multiple instances of its VNFCs. This is used to support scenarios such as proactive maintenance with no user impact,

f. VNF Develop Steps
=======================

Aid to help the VNF vendor to fasten the integration with the GVNFM, the
OpenO provides the VNF SDK tools, and the documents. In this charter,
the develop steps for VNF vendors will be introduced.

First, using the VNF SDK tools to design the VNF with TOSCA model and
output the VNF TOSCA package. The VNF package can be validated, and
tested.

Second, the VNF vendor should provide the VNF Rest API to integrate with
the GVNFM if needed. The VNF Rest API is aligned to the ETSI IFA
document.

Third, the TOSCA model supports the EPA feature.

Note:

1. The scripts to extend capacity to satisfy some special requirements.
   In the R2, the scripts is not implemented fully, and will be provided
   in the next release.

2. The monitoring and scale policy also be provide the next release.


.. [1]
   Refer to NCSP’s Network Cloud specification

.. [2]
   Refer to NCSP’s Network Cloud specification

.. [3]
   Not currently supported in ONAP release 1