Presentation is loading. Please wait.

Presentation is loading. Please wait.

ONAP-to-Edge Secure site reachability

Published byAurora Mäkinen Modified over 5 years ago

Similar presentations

Presentation on theme: "ONAP-to-Edge Secure site reachability"— Presentation transcript:

1 ONAP-to-Edge Secure site reachability
Edge Automation working group Srinivasa Addepalli Ramki Krishnan

2 Background – Management network
ONAP ONAP makes multiple outbound connections to sites. Sites that make multiple inbound connections to ONAP All connections are not HTTP(S) based Some are UDP based (Collectd) Some are SSH (Netconf) based. Kafka based (non-HTTP TCP) New protocols in future Limited number of public IP addresses Terminal proxy Multi-Cloud SDNC APPC DCAE Management Network Cloud-region (e.g Edge) Edge-Cloud (e.g Openstack Edge) Workloads keystone neutron Fabric Cinder Nova Glance NFVI-nodes

3 Requirements ONAP shall be able to communicate with multiple services in Edges/Sites that have only one public IP address (either static or dynamic) ONAP shall be able to communicate with services running in multiple nodes. ONAP shall be able to communicate with services that are non HTTP/S based. Edges/Sites shall be able to communicate with ONAP To send notifications/statistics via various protocols (UDP/Collectd, SNMP, NTP etc…) Communication between ONAP and Edges/Sites shall be secure. Communication between ONAP and Workloads shall be secure Secure communication entities shall be able to authenticate with each other. No changes to existing ONAP components

4 Solution overview Connectivity between ONAP & Edges/Sites using private IP addresses. (IPSEC/IKEv2) Certificate based authentication between ONAP and Sites. (X.509v3 certificate based authentication) Authenticated certificate enrolment (Using ISTIO CA) All communication would need to be encrypted/integrity checked (IPSEC/IKEv2, AES-GCM) Support Edges that have overlapping IP addresses (Internal IP address assignment / Static NAT at the ONAP) Similar to 3GPP solution –

5 Solution deployment architecture
ONAP K8S ISTIO CA Components: IPSEC Gateway as a container Node agent to be part of IPSEC Gateway Reference (jumpstart) software for VNFs/PNFs: IPSEC Client/EM agent & Node agent EM as a container : Which configures IPSEC Gateways/NAT when the edges are onboarded in ONAP Static NAT part of IPSEC GW container DHCP Server and DNS Server as a container. Multi-Cloud SDNC APPC DCAE EM Static NAT DHCP Server DNS Server IPSEC Gateway/Server Management Network Cloud-region (e.g Edge) Edge-Cloud (e.g Openstack Edge) Workloads EM agent, IPSEC Client Node Agent IPSEC Gateway, Node agent, EM Agent keystone neutron Fabric NFVI-nodes Cinder Nova Glance

6 Edge onboarding – infrastructure VPN
1 Create edge service account (ISTIO CA gets to know it) Add Edge network information (Edge private IP subnet information, FQDN information vs IPs) – Internally allocates unique subnet (ONAP edge IP) EM onfigures static NAT to translate edge IPs to ONAP edge IPs (Ensures all ONAP see is unqiue edge IPs). EM configures DNS Server with local subnet IP addresses EM configures IPSEC Gateway to accept new tunnels IPSEC Gateway is brought up by passing service account created at the ONAP. Also, IPSEC Server/config information is passed. Node agent (using service account) creates CSR and gets the certificate (signed by ISTIO CA). BTW, ISTIO verifies the CSR to ensure that it is giving certificate for the service accounts it knows. IPSEC tunnel gets established. ONAP K8S ISTIO CA Multi-Cloud SDNC APPC DCAE 2 3 3 EM Static NAT DHCP Server DNS Server IPSEC Gateway/Server 4 Management Network 7 6 Cloud-region (e.g Edge) Edge-Cloud (e.g Openstack Edge) Workloads EM agent, IPSEC Client Node Agent 5 IPSEC Gateway, Node agent, EM agent keystone neutron Fabric NFVI-nodes Cinder Nova Glance

7 Management Network for ONAP to workload communication
3 One time: Admin via EM adds IPSEC Server configuration (to issue IP addresses via local DHCP Server) EM configures DHCP Server and IPSEC Server On per workload basis : Create a service account (mostly it is done as part of VNF onboarding?). ISTIO CA comes to know about it via ISTIO watcher. Workload is brought up (may be via cloud-init or via environment variables) with IPSEC Server information, service account etc… Workload gets the certificate enrolled by ISTIO CA (CSR with service account name). ISTIO CA verifies CSR subject/altname with the service accounts it has, then issues certificate. (over public IP address) Workload establishes IPSEC tunnel and gets the internal IP address from DHCP Server IPSEC communication between workloads and ONAP services. ONAP K8S ISTIO CA Multi-Cloud SDNC APPC DCAE 1 2 EM Static NAT DHCP Server DNS Server IPSEC Gateway/Server 2 5 Management Network 6 7 Cloud-region (e.g Edge) Edge-Cloud (e.g Openstack Edge) Workloads EM agent, IPSEC Client Node Agent 4 IPSEC Gateway, Node agent, EM Agent keystone neutron Fabric NFVI-nodes Cinder Nova Glance

8 Discussion Any other options? Any missing scenarios?
Should we project this as a separate project or make it part of Multi-Cloud project? Contributors? Intel, VMWare, Verizon (showed interest), ??? Need for “Terminal proxy” for devops to SSH into VM via ONAP???

9

Download ppt "ONAP-to-Edge Secure site reachability"

Similar presentations

Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206) 217-7048

Securing Remote PC Access to UNIX/Linux Hosts with VPN or SSH Charles T. Moetului WRQ, Inc. (206)
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.

Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.
Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 23 Virtual Private Networks (VPNs)

Microsoft Windows Server 2003 TCP/IP Protocols and Services Technical Reference Slide: 1 Lesson 23 Virtual Private Networks (VPNs)
Windows Internet Connection Sharing Dave Eitelbach Program Manager Networking And Communications Microsoft Corporation.

Windows Internet Connection Sharing Dave Eitelbach Program Manager Networking And Communications Microsoft Corporation.
OpenVPN OpenVPN: an open source, cross platform client/server, PKI based VPN.

OpenVPN OpenVPN: an open source, cross platform client/server, PKI based VPN.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod9_L8 1 Network Security 2 Module 6 – Configure Remote Access VPN.

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod9_L8 1 Network Security 2 Module 6 – Configure Remote Access VPN.
Objectives Configure routing in Windows Server 2008 Configure Network Address Translation 1.

Objectives Configure routing in Windows Server 2008 Configure Network Address Translation 1.
Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.

Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.
Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.

Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.
Www.infotech.monash.edu.au Presented by Xiaoyu Qin 21637881 Virtualized Access Control & Firewall Virtualization.

Presented by Xiaoyu Qin Virtualized Access Control & Firewall Virtualization.
Abdullah Alshalan Garrett Drown Team 3 CSE591: Virtualization and Cloud Computing.

Abdullah Alshalan Garrett Drown Team 3 CSE591: Virtualization and Cloud Computing.
Module 9: Designing Network Access Protection. Scenarios for Implementing NAP Verifying the health of: Roaming laptops Desktop computers Visiting laptops.

Module 9: Designing Network Access Protection. Scenarios for Implementing NAP Verifying the health of: Roaming laptops Desktop computers Visiting laptops.
Jun Li DHCP Option for Access Network Information draft-lijun-dhc-clf-nass-option-01.

Jun Li DHCP Option for Access Network Information draft-lijun-dhc-clf-nass-option-01.
Homework 02 NAT 、 DHCP 、 Firewall 、 Proxy. Computer Center, CS, NCTU 2 Basic Knowledge  DHCP Dynamically assigning IPs to clients  NAT Translating addresses.

Homework 02 NAT 、 DHCP 、 Firewall 、 Proxy. Computer Center, CS, NCTU 2 Basic Knowledge  DHCP Dynamically assigning IPs to clients  NAT Translating addresses.
1 Week #5 Routing and NAT Network Overview Configuring Routing Configuring Network Address Translation Troubleshooting Routing and Remote Access.

1 Week #5 Routing and NAT Network Overview Configuring Routing Configuring Network Address Translation Troubleshooting Routing and Remote Access.
1 Welcome to Designing a Microsoft Windows 2000 Network Infrastructure.

1 Welcome to Designing a Microsoft Windows 2000 Network Infrastructure.
V4 traversal for IPv6 mobility protocols - Scenarios Mip6trans Design Team MIP6 and NEMO WGs, IETF 63.

V4 traversal for IPv6 mobility protocols - Scenarios Mip6trans Design Team MIP6 and NEMO WGs, IETF 63.
Architecting Enterprise Workloads on AWS Mike Pfeiffer.

Architecting Enterprise Workloads on AWS Mike Pfeiffer.

Similar presentations

Ads by Google