ONAP-to-Edge Secure site reachability


ONAP-to-Edge Secure site reachability Edge Automation working group Srinivasa Addepalli Ramki Krishnan

Background – Management network

- ONAP makes multiple outbound connections to sites.
- Sites make multiple inbound connections to ONAP.
- Not all connections are HTTP(S) based:
  - Some are UDP based (Collectd)
  - Some are SSH (Netconf) based
  - Kafka based (non-HTTP TCP)
  - New protocols in future
- Limited number of public IP addresses
- Terminal proxy

[Diagram: ONAP (Multi-Cloud, SDNC, APPC, DCAE, Terminal proxy) connected over the Management Network to a Cloud-region (e.g. Edge) / Edge-Cloud (e.g. OpenStack Edge) hosting Workloads, keystone, neutron, Fabric, Cinder, Nova, Glance and NFVI-nodes]

Requirements

- ONAP shall be able to communicate with multiple services in Edges/Sites that have only one public IP address (either static or dynamic).
- ONAP shall be able to communicate with services running in multiple nodes.
- ONAP shall be able to communicate with services that are non-HTTP(S) based.
- Edges/Sites shall be able to communicate with ONAP to send notifications/statistics via various protocols (UDP/Collectd, SNMP, NTP etc…).
- Communication between ONAP and Edges/Sites shall be secure.
- Communication between ONAP and Workloads shall be secure.
- Secure communication entities shall be able to authenticate with each other.
- No changes to existing ONAP components.

Solution overview

- Connectivity between ONAP & Edges/Sites using private IP addresses (IPSEC/IKEv2).
- Certificate based authentication between ONAP and Sites (X.509v3 certificate based authentication).
- Authenticated certificate enrolment (using ISTIO CA).
- All communication would need to be encrypted/integrity checked (IPSEC/IKEv2, AES-GCM).
- Support Edges that have overlapping IP addresses (internal IP address assignment / static NAT at the ONAP).
- Similar to 3GPP solution – 32.508

Solution deployment architecture

Components:
- IPSEC Gateway as a container
- Node agent to be part of IPSEC Gateway
- Reference (jumpstart) software for VNFs/PNFs: IPSEC Client/EM agent & Node agent
- EM as a container: configures IPSEC Gateways/NAT when the edges are onboarded in ONAP
- Static NAT part of IPSEC GW container
- DHCP Server and DNS Server as a container

[Diagram: ONAP K8S with ISTIO CA, Multi-Cloud, SDNC, APPC, DCAE, EM, Static NAT, DHCP Server, DNS Server and IPSEC Gateway/Server, connected over the Management Network to the Cloud-region (e.g. Edge) / Edge-Cloud (e.g. OpenStack Edge); Workloads run EM agent, IPSEC Client and Node Agent, and the edge runs IPSEC Gateway, Node agent and EM Agent alongside keystone, neutron, Fabric, NFVI-nodes, Cinder, Nova and Glance]

Edge onboarding – infrastructure VPN

- Create edge service account (ISTIO CA gets to know it).
- Add Edge network information (Edge private IP subnet information, FQDN information vs IPs); ONAP internally allocates a unique subnet (ONAP edge IP).
- EM configures static NAT to translate edge IPs to ONAP edge IPs (ensures all ONAP sees is unique edge IPs).
- EM configures DNS Server with local subnet IP addresses.
- EM configures IPSEC Gateway to accept new tunnels.
- IPSEC Gateway is brought up by passing the service account created at the ONAP. Also, IPSEC Server/config information is passed.
- Node agent (using service account) creates CSR and gets the certificate (signed by ISTIO CA). BTW, ISTIO verifies the CSR to ensure that it is giving a certificate for the service accounts it knows.
- IPSEC tunnel gets established.

[Diagram: same deployment as the previous slide, with the steps above numbered 1-7 across ONAP K8S (ISTIO CA, Multi-Cloud, SDNC, APPC, DCAE, EM, Static NAT, DHCP Server, DNS Server, IPSEC Gateway/Server), the Management Network and the Cloud-region/Edge-Cloud (Workloads with EM agent, IPSEC Client, Node Agent; IPSEC Gateway, Node agent, EM agent; keystone, neutron, Fabric, NFVI-nodes, Cinder, Nova, Glance)]
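The subnet allocation and static NAT bookkeeping the EM does in the onboarding steps above, as an added example (not ONAP or Multi-Cloud project code): two edges that were deployed from the same template and therefore use the same private subnet are each given a unique "ONAP edge" subnet carved out of a pool, the 1:1 translation is derived from the host offset, and the DNS records handed to ONAP components resolve to the translated addresses. The pool 10.200.0.0/16, the site names, FQDNs and addresses, and the EdgeRegistry class and its method names are all constructed for this example.

```python
import ipaddress

# Constructed pool from which the ONAP-side ("ONAP edge IP") subnets are
# allocated; a real deployment would pick a range that no edge uses.
ONAP_EDGE_POOL = ipaddress.ip_network("10.200.0.0/16")


class EdgeRegistry:
    """Allocates unique ONAP-side subnets and keeps per-edge NAT/DNS state."""

    def __init__(self, pool=ONAP_EDGE_POOL):
        self.pool = pool
        self.edges = {}  # edge name -> {"edge_subnet", "onap_subnet", "fqdns"}

    def _allocate(self, edge_subnet):
        # Carve a same-sized block out of the pool that no other edge uses.
        if edge_subnet.prefixlen <= self.pool.prefixlen:
            raise ValueError("edge subnet is larger than the ONAP edge pool")
        taken = [e["onap_subnet"] for e in self.edges.values()]
        for cand in self.pool.subnets(new_prefix=edge_subnet.prefixlen):
            if not any(cand.overlaps(t) for t in taken):
                return cand
        raise RuntimeError("ONAP edge IP pool exhausted")

    def onboard(self, name, edge_cidr, fqdn_to_ip):
        """Register an edge's private subnet and FQDN->IP map; returns its ONAP subnet."""
        if name in self.edges:
            raise ValueError(f"edge {name} already onboarded")
        edge_subnet = ipaddress.ip_network(edge_cidr)
        fqdns = {}
        for fqdn, ip in fqdn_to_ip.items():
            addr = ipaddress.ip_address(ip)
            if addr not in edge_subnet:
                raise ValueError(f"{fqdn}={ip} is outside {edge_subnet}")
            fqdns[fqdn] = str(addr)
        onap_subnet = self._allocate(edge_subnet)
        self.edges[name] = {"edge_subnet": edge_subnet,
                            "onap_subnet": onap_subnet, "fqdns": fqdns}
        return str(onap_subnet)

    def _shift(self, addr, src, dst):
        # Static 1:1 NAT keeps the host offset and swaps the network prefix.
        offset = int(ipaddress.ip_address(addr)) - int(src.network_address)
        if not 0 <= offset < src.num_addresses:
            raise ValueError(f"{addr} is not inside {src}")
        return str(dst.network_address + offset)

    def to_onap(self, name, edge_ip):
        e = self.edges[name]
        return self._shift(edge_ip, e["edge_subnet"], e["onap_subnet"])

    def to_edge(self, name, onap_ip):
        e = self.edges[name]
        return self._shift(onap_ip, e["onap_subnet"], e["edge_subnet"])

    def nat_rules(self, name):
        e = self.edges[name]
        return [f"1:1 NAT {e['onap_subnet']} <-> {e['edge_subnet']}"]

    def dns_records(self, name):
        # What the DNS server answers to ONAP components: FQDN -> ONAP edge IP.
        e = self.edges[name]
        return {fqdn: self.to_onap(name, ip) for fqdn, ip in e["fqdns"].items()}


if __name__ == "__main__":
    reg = EdgeRegistry()
    # Two sites from the same template, so their private subnets collide.
    reg.onboard("edge-a", "192.168.1.0/24", {"nova.edge-a.example": "192.168.1.10"})
    reg.onboard("edge-b", "192.168.1.0/24", {"nova.edge-b.example": "192.168.1.10"})
    for name in ("edge-a", "edge-b"):
        print(name, reg.nat_rules(name), reg.dns_records(name))
```

Because the translation is a pure prefix swap, the IPsec gateway's NAT rule is one line per edge, and a packet from ONAP to 10.200.1.10 can only ever reach edge-b's 192.168.1.10, which is what keeps overlapping sites apart without any change to the ONAP components that resolve the FQDNs.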

Management Network for ONAP to workload communication

One time:
- Admin via EM adds IPSEC Server configuration (to issue IP addresses via local DHCP Server)
- EM configures DHCP Server and IPSEC Server

On a per-workload basis:
- Create a service account (mostly it is done as part of VNF onboarding?). ISTIO CA comes to know about it via ISTIO watcher.
- Workload is brought up (may be via cloud-init or via environment variables) with IPSEC Server information, service account etc…
- Workload gets the certificate enrolled by ISTIO CA (CSR with service account name). ISTIO CA verifies CSR subject/altname with the service accounts it has, then issues certificate. (over public IP address)
- Workload establishes IPSEC tunnel and gets the internal IP address from DHCP Server
- IPSEC communication between workloads and ONAP services.

[Diagram: same deployment as the previous slides, with the steps above numbered 1-7 across ONAP K8S (ISTIO CA, Multi-Cloud, SDNC, APPC, DCAE, EM, Static NAT, DHCP Server, DNS Server, IPSEC Gateway/Server), the Management Network and the Cloud-region/Edge-Cloud (Workloads with EM agent, IPSEC Client, Node Agent; IPSEC Gateway, Node agent, EM Agent; keystone, neutron, Fabric, NFVI-nodes, Cinder, Nova, Glance)]
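The CSR check that both the edge-onboarding slide and this slide rely on ("ISTIO CA verifies CSR subject/altname with the service accounts it has, then issues certificate"), as an added example that is neither Istio's nor ONAP's code. It models the three checks the CA makes before signing: the presenting credential is valid, the service account is one the watcher has registered, and the identity requested in the CSR's URI SAN is the identity of that credential, so an agent cannot obtain a certificate for another service account. The SPIFFE-style identity format (spiffe://cluster.local/ns/NAMESPACE/sa/ACCOUNT) is the one Istio uses; the HMAC-based token and certificate encoding, the keys, the IstioStyleCA class and the account names are constructed stand-ins for the Kubernetes service-account JWT and the X.509 objects.

```python
import hashlib
import hmac
import json
import time

# Constructed keys: stand-ins for the cluster's token signing key and the CA key.
TOKEN_KEY = b"constructed-cluster-token-key"
CA_KEY = b"constructed-ca-signing-key"
TRUST_DOMAIN = "cluster.local"  # assumed trust domain


def spiffe_id(namespace, account):
    # Istio names a workload identity by its namespace and service account.
    return f"spiffe://{TRUST_DOMAIN}/ns/{namespace}/sa/{account}"


def mint_token(namespace, account):
    # Stand-in for the service-account token the agent/workload is started with.
    ident = f"{namespace}/{account}"
    mac = hmac.new(TOKEN_KEY, ident.encode(), hashlib.sha256).hexdigest()
    return f"{ident}.{mac}"


def verify_token(token):
    ident, _, mac = token.rpartition(".")
    expected = hmac.new(TOKEN_KEY, ident.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise PermissionError("service-account credential is invalid")
    namespace, account = ident.split("/", 1)
    return namespace, account


def make_csr(namespace, account, public_key):
    # The requester asks for an identity in the URI SAN; the CA decides if it may have it.
    return {"uri_san": spiffe_id(namespace, account), "public_key": public_key}


def _sign(payload):
    blob = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(CA_KEY, blob, hashlib.sha256).hexdigest()


class IstioStyleCA:
    def __init__(self, ttl_seconds=3600):
        self.known_accounts = set()  # filled by the service-account watcher
        self.ttl = ttl_seconds
        self.serial = 0

    def watch_service_account(self, namespace, account):
        self.known_accounts.add((namespace, account))

    def sign(self, csr, token):
        """Issue a certificate only if credential, registry and CSR identity all agree."""
        namespace, account = verify_token(token)
        if (namespace, account) not in self.known_accounts:
            raise PermissionError(f"unknown service account {namespace}/{account}")
        if csr["uri_san"] != spiffe_id(namespace, account):
            raise PermissionError("CSR identity does not match the presenting credential")
        self.serial += 1
        cert = {
            "serial": self.serial,
            "uri_san": csr["uri_san"],
            "public_key": csr["public_key"],
            "not_after": int(time.time()) + self.ttl,
        }
        cert["signature"] = _sign(cert)
        return cert

    def verify(self, cert):
        # What the IPsec peer does with the presented certificate: check CA signature and validity.
        body = {k: v for k, v in cert.items() if k != "signature"}
        return hmac.compare_digest(cert["signature"], _sign(body)) and cert["not_after"] > time.time()


def enrolment_denied(ca, csr, token):
    # Helper for exercising the rejection paths without try/except at the call site.
    try:
        ca.sign(csr, token)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    ca = IstioStyleCA()
    ca.watch_service_account("edge-a", "ipsec-gw")       # watcher saw the account
    token = mint_token("edge-a", "ipsec-gw")             # passed to the node agent at start-up
    cert = ca.sign(make_csr("edge-a", "ipsec-gw", "pk-gw"), token)
    print("issued", cert["uri_san"], "valid:", ca.verify(cert))
    print("cross-account CSR denied:",
          enrolment_denied(ca, make_csr("edge-a", "sdnc", "pk-x"), token))
```

The order of the checks matters: the credential is verified before the registry is consulted, so an unauthenticated request learns nothing about which service accounts exist, and the SAN comparison is against the identity carried by the credential, not against the registry alone, which is what prevents a valid but different account from enrolling as the IPsec gateway.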

Discussion

- Any other options?
- Any missing scenarios?
- Should we project this as a separate project or make it part of Multi-Cloud project?
- Contributors? Intel, VMWare, Verizon (showed interest), ???
- Need for “Terminal proxy” for devops to SSH into VM via ONAP???