Please find below the minutes and recording for the SECCOM meeting held on 6 February 2024.

Jira No | Summary | Description | Status | Solution

ONF joins LF



LFN Annual Report



GitHub vulnerability

Amy shared info: https://www.bleepingcomputer.com/news/security/github-rotates-keys-to-mitigate-impact-of-credential-exposing-flaw/

We agreed that a ticket will be opened with LF IT to assess whether ONAP is affected, since GitHub is used for code storage: https://jira.linuxfoundation.org/plugins/servlet/desk/portal/4/SUPPORT-24007




Issue to be further tracked with LF IT at the TSC meeting.

Jessica Gonzales Response to SUPPORT-24007:

I brought this topic to my team. There is no specific action done internally. The owner permissions are never given to any community members. We have account user/pass credentials that can access those permissions, but they are under 1pass password protection.

We rotate these passwords whenever we hear about a password leak or when an admin leaves; we stay mindful of these passwords.

Also, we have a separate CI internal account that has owner permissions to repos but not to the org and they are the only accounts responsible for triggering jobs. Additionally, we have the replication account which also has permissions at the repo level to replicate the code from Gerrit into GH. In general the org owner permissions are kept limited and never extended to the communities.

We're extremely careful with how the credentials related to that get distributed. They're only in hiera encrypted or on the Gerrit system configuration, which is inaccessible to remote parties.


ONESummit

The session agenda for ONE Summit 2024 has just been published - you can view it here. (Note, the keynotes will be announced later.)

APRIL 29 – MAY 1, 2024 | IN-PERSON

List of potential topics:

  • Adding AI/ML security within the SDLC.
  • NIST document with threat models.
  • Testing whether a model works as intended.
  • Maintaining the open source lifecycle.




IT-26130 Add Image signing in ONAP CI/CD Pipeline

Image signing for ONAP Docker images was turned on.

A permanent solution is still pending the changes expected from the re-evaluation of the CI/CD workflow.

LF IT will hold an all-hands workshop where they will discuss and propose a GitHub Actions architecture.

Muddasar Ahmed: LF IT Dev Eng is meeting the week of 1/22; they will report back proposed plan changes after this week's meeting.

A hackathon-type meeting was held for brainstorming ideas. We expect a new process flow for releasing software that does not lose SBOM and signing capabilities while the pipeline is re-engineered.





Muddasar Ahmed checked with Jess and Matt when and where the workshop would take place.

1/22/24 (this week), San Diego, Monday to Thursday.

Hackathon to decide on the CI/CD pipeline.

Expected update and decision from Jess and Matt 2nd week of February.


LFN AI/ML use cases

Muddasar Ahmed presented the draft deck about LFN AI/ML use cases.

Maggie shared link:

https://www.nist.gov/itl/ai-risk-management-framework 

We need to have Ops feedback (NOC manager) on AI: what pain points could be solved by AI.

Deck shared with Marian from Orange; feedback expected in the first week of December. Under WG11 of the O-RAN Alliance (which produces O-RAN standards), a threat analysis in the AI security domain (OWASP Top 10) is planned for March 2024.

Runtime influence is of interest.

Maggie shared the link: https://www.cisa.gov/news-events/alerts/2023/11/26/cisa-and-uk-ncsc-unveil-joint-guidelines-secure-ai-system-development 

Feedback from Marian received to be discussed at the next SECCOM.

China Mobile and Infosys would like to work on use cases. First call done yesterday; agreed on a model to move forward. The intent-based model would use generative AI, with a three-layer approach: business layer, services layer, domain layer. Each Intent Manager would have its own AI. A generic model would be used: business language translated into something ONAP can consume, more data-oriented for services, and finally domain-oriented. The focus is not on a 5G-only architecture but on any architecture, so it could be used by any organization.

The topic is in a forming group. China Mobile and Infosys are interested in the Intent context. China Telecom is also interested, with a focus on user input and Intent.

Update from Muddasar Ahmed, Byung-Woo Jun and Maggie:

China Telecom: New Delhi, data service. CCVPN use cases: the LLM does not give enough intelligence; develop a domain-specific model to generate more intelligent decisions.

China Mobile & Infosys: Intent based networking - Level 3 autonomy. Infosys is consulting with MNOs and has experience developing small AI-based autonomous loops.  New Delhi release: CM/Infosys will deliver LLM for Intent based networking. Intelligent decision making.

Post New Delhi will evaluate if the two tracks can leverage each other.

UUI is the impacted component for both tracks; no impact on other components.

NSA/Georgia Tech: AI/ML for security. Collecting and tagging security data to correlate the data.

Amy Zwarico provided reference to NIST AI 100-2e2023 Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations

A call is booked this week. The AI/ML use cases focus group is still working on platform and use case priorities.



Nephio security working group

Byung-Woo Jun informed SECCOM that the Nephio security WG is holding a joint meeting with the LF security SIG today at 11AM ET. Nephio plans to adopt 80% of the OpenSSF passing badge criteria.

Topic further discussed:

It was noted that the passing badge should be straight-forward to achieve.

The web page tlhansen.us/badging was discussed. Click on “Single Project…” then fill in a search string or badging ID (e.g. "nephio" or "7665").

For Nephio, Tony recommends to sort by “Type+Section”

Nephio SIG Security meeting:

By: Lucy Hyde When: Tuesday, October 31st, 2023 8:00am to 9:00am (UTC-07:00) Pacific Time - Los Angeles Repeats: Weekly on Tuesday Location: https://zoom.us/j/96025994457

We could support Nephio by sharing our best practices and processes in place. Lucy OOO for the next few weeks?

Byung introduced Tony's tool, which was positively received by the Nephio team. Nephio has a GUI; AuthN and AuthZ for the UI to be shared by Byung.

Nephio Sig meeting last week: https://nephio.slack.com/files/U0503L9UA8N/F065V0AAZRQ/sig-security_action_items.pdf?origin_team=T03LMAUL4HH&origin_channel=D065DKWJJ9X 

No update; info collection ongoing. Byung will join the SIG group. Topics: Secrets and Service Mesh.

  • Byung-Woo Jun: many of the above items are done. Not sure about the LF Security and SIG Security joint meeting.

Nephio SIG Security discussion topics are:

  • Secrets management leveraging Vault (open-source version)
  • Service Mesh
  • Ericsson plans to propose Identity and Access Management at the SIG Security meeting today (Jan 23)

Byung-Woo Jun: discussing the R3 release.

  • Using open source Vault for secrets storage.
  • Service mesh: ONAP uses a single management cluster. Nephio has a built-in service mesh component that can be added by the operator. E/// will propose IAM to the SIG today.
  • Considering the OpenSSF tool.
  • Muddasar Ahmed will provide a template for analysis.

Byung-Woo Jun: the following proposals are under review at Nephio SIG Security:

Nephio Secrets management user story proposal, https://docs.google.com/document/d/1Ce_cR7afovjWsdECkV8kNbPreG5GirfJXP5IrSiABjg/edit?usp=sharing

Service Mesh Requirements, https://docs.google.com/document/d/1UtW20GLTbICTUQyeC1Kx6aDnHlf4EqdhmeD29vsHSEM/edit?usp=sharing

Identity and Access Management Requirements proposal, https://docs.google.com/document/d/1qxGZI-HwTA0DfUO_hXKlkEpFzTNcmbDd6IO-CO7mLYo/edit?usp=sharing 

Package validation user story proposal, https://docs.google.com/document/d/1YeyUZUPFCS4bBgh8ShWVPrGs9HMLtrhwFSIDC6Xl3xc/edit?usp=sharing

AAF Certificate Expiration

Jira: AAF-1217

Review work around proposed by Andreas Geißler - deferred until Andreas Geißler returns from holiday

Workaround

Some project containers still experiencing problems: clients using the cert-initializer (e.g. SO, SDC, CDS) still fail.

Need to document certificate management in user docs.

Louis Gamers' AAF cert wiki page: (1) Create AAF CA certificates - Developer Wiki - Confluence (onap.org)

  • Components such as dcaegen2 have their own cert init container with the aaf certificate embedded in the container image. This might be the reason why SO, SDC, and CDS broke if they have their own cert init containers.
  • Unclear why onap-aaf-sms-preload and onap-dmaap-bc-dmaap-provisioning jobs broke in Louis's environment.

Discussion with China Telecom done; they could potentially check next week, and they worked independently on this issue. Aarna Networks committed to check Andreas's patch.

Waiting for an update from Andreas. No progress.

  • Byung-Woo Jun: no solution. The recommendation is to upgrade ONAP to London or later. The O-RAN SMO team plans to upgrade ONAP to the latest release and not use AAF.

Byung-Woo Jun to bring up with the TSC that all releases prior to London are broken because AAF is broken. Users should select London or later. The TSC should publish this on the ONAP wiki, release notes, etc.

Byung-Woo Jun brought this up to the TSC, and the TSC agreed that ONAP writes notes saying that ONAP releases prior to London are broken due to the AAF certificate issue and that the ONAP London or later release should be used.

Paweł Pawlak to send an e-mail notification to China Telecom about the script prepared by Andreas and the associated wiki page documenting it.

Byung-Woo Jun: China Telecom reported the same issue as Andreas experienced. No solution; decided to move on.
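The failure mode above (containers that mount an AAF truststore and fail once the embedded CA certificate has expired) is easy to detect before it takes a deployment down. The following is an added example, not part of these minutes or of the ONAP/AAF code base: it scans a PEM bundle such as the one a cert-initializer container mounts, reports the expiry of every certificate in it, and fails the check if any certificate has expired or expires within 30 days. The two certificates it scans are constructed self-signed ones generated inline; the bundle path, subject names and the 30-day threshold are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// CertReport is one certificate from a PEM bundle with its expiry status.
type CertReport struct {
	Subject  string
	NotAfter time.Time
	Expired  bool
	DaysLeft int
}

// ScanBundle parses every CERTIFICATE block in a PEM bundle (for example the
// truststore a cert-initializer mounts into a pod) and reports expiry
// relative to now. Non-certificate blocks (private keys) are skipped.
func ScanBundle(bundle []byte, now time.Time) ([]CertReport, error) {
	var reports []CertReport
	rest := bundle
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("parse certificate: %w", err)
		}
		reports = append(reports, CertReport{
			Subject:  cert.Subject.CommonName,
			NotAfter: cert.NotAfter,
			Expired:  !now.Before(cert.NotAfter),
			DaysLeft: int(cert.NotAfter.Sub(now).Hours() / 24),
		})
	}
	if len(reports) == 0 {
		return nil, fmt.Errorf("no CERTIFICATE blocks found in bundle")
	}
	return reports, nil
}

// SelfSignedPEM builds a throwaway self-signed CA certificate with the given
// validity window. It exists only to construct sample input for this example.
func SelfSignedPEM(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	now := time.Now()
	// Constructed bundle: one CA that expired a month ago, one still valid.
	expired, _ := SelfSignedPEM("expired-ca.example", now.Add(-2*365*24*time.Hour), now.Add(-30*24*time.Hour))
	valid, _ := SelfSignedPEM("valid-ca.example", now.Add(-24*time.Hour), now.Add(400*24*time.Hour))
	bundle := append(expired, valid...)

	reports, err := ScanBundle(bundle, now)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	failed := false
	for _, r := range reports {
		fmt.Printf("%-22s notAfter=%s expired=%v daysLeft=%d\n",
			r.Subject, r.NotAfter.UTC().Format(time.RFC3339), r.Expired, r.DaysLeft)
		if r.Expired || r.DaysLeft < 30 {
			failed = true
		}
	}
	if failed {
		os.Exit(1) // fail the pipeline or the readiness check
	}
}
```

Run as a CI step or a cron job against the real bundle instead of the constructed one; the non-zero exit is what turns a silent runtime TLS failure into a visible, early warning.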




ONAP Security Implementation Status

Byung-Woo Jun: TATA Communications supports RBAC, observability, logging, backup, etc. on their own platform by leveraging ONAP's current security mechanisms (Ingress, Service Mesh). They may contribute their enhancements to the ONAP New Delhi release (TBD).




Container Signing

Review next steps:

-select signing software (SECCOM + LFIT)

-perform POC with friendly projects (ONAP)

-integrate into build process (LFIT)

Looking for a volunteer project to work with us; raised at the 18 September PTL call, but no volunteer so far.

LF IT would have to prioritize the topic. Prioritization is possible via LFN; Muddasar to update the ticket. Item discussed with Matt at the last PTL call. Still in the evaluation stage; Sigstore under evaluation.

At the last PTL meeting: LF IT is going to switch from Sig-Util to Sigstore. Timeline not clear; image/container signing should be relatively fast, code signing to be elaborated.

We would like to have activities around manual signing. We want the Sigstore implementation ready by the New Delhi release.

Muddasar Ahmed: waiting for the LF IT CI/CD decision.


Muddasar Ahmed to analyze which ONAP project has the most frequent changes in its containers.

Muddasar reached out to LF IT; Jess and her team are analyzing what enhancements have to be made to the CI jobs to allow container signing. Further updates will be provided once scope and effort have been assessed.

https://jira.linuxfoundation.org/plugins/servlet/desk/portal/2/IT-26130
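What the signing step and the later verification step have to agree on is the image's content digest, not its tag. The following is an added example, not code from these minutes, from LF IT or from Sigstore: it models the two halves of the pipeline (sign at build time, verify at deploy time) with an ECDSA P-256 key, the key type cosign generates by default, and shows that a tag re-pushed with different content fails verification. It signs the digest string directly, which is a simplification of the signed payload cosign actually uses; the manifest bytes are constructed, and the key would in practice come from the CI secret store or from a keyless Fulcio certificate rather than be generated in-process.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// ImageDigest returns the registry-style content digest of an image manifest.
// A signature over this digest is meaningful because a digest cannot be
// re-pointed; a tag can.
func ImageDigest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// NewSigningKey generates the CI signing key (ECDSA P-256). Assumption for
// this example only: a real pipeline loads the key from its secret store.
func NewSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignDigest is the build-time step: sign the digest with the CI key.
func SignDigest(priv *ecdsa.PrivateKey, digest string) ([]byte, error) {
	h := sha256.Sum256([]byte(digest))
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// VerifyImage is the deploy-time step: recompute the digest of the manifest
// that was actually pulled and check the signature against it. Any change to
// the content (a swapped layer, a re-pushed tag) changes the digest and the
// check fails closed.
func VerifyImage(pub *ecdsa.PublicKey, pulledManifest []byte, sig []byte) bool {
	h := sha256.Sum256([]byte(ImageDigest(pulledManifest)))
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	key, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample manifest; a real one is fetched from the registry.
	built := []byte(`{"schemaVersion":2,"layers":[{"digest":"sha256:aaaa"}]}`)
	sig, err := SignDigest(key, ImageDigest(built))
	if err != nil {
		panic(err)
	}
	fmt.Println("built image verifies:     ", VerifyImage(&key.PublicKey, built, sig))

	// Same tag, different content pushed after the build: must be rejected.
	swapped := []byte(`{"schemaVersion":2,"layers":[{"digest":"sha256:bbbb"}]}`)
	fmt.Println("re-pushed tag verifies:   ", VerifyImage(&key.PublicKey, swapped, sig))
}
```

The practical consequence for the pipeline re-engineering discussed above is that the signing job must run after the final image push and record the digest it signed, and that deploy-time verification must resolve the tag to a digest before checking the signature, otherwise the signature proves nothing about what is actually running.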



Topic to be proposed by Pawel for elaboration at the upcoming TSC meeting.


No PTL for AAI, DCAE, OOF

-Andreas Geissler and Thomas Kulik made committers

-They will do the work necessary for the projects to participate in the release

-TSC approved streamlining process (7 September)

-SECCOM will create package upgrade recommendations

-TSC will recruit resources to perform upgrades for AAI, DCAE, OOF

  • need options to move forward

Kenny's reply is that we could benefit from the mentorship program. We have to define the job description and the skills needed.

Byung-Woo Jun: New Delhi: the VFC and SDC PTLs stepped down.

Byung-Woo Jun is temporarily handling the Release Manager role.


-Byung will discuss with Andreas and Thomas to coordinate release tasks such as backlog prioritization

-Muddasar: someone needs to take backlog management role

-Muddasar: no mandated best practice to manage technical debt; call for a statement about code quality – all code will be secure

-Muddasar & Amy: bring mandate for code quality to LFN TAC 2023/8/16

  • Pawel to raise a request to the TSC for resources to perform the upgrades for AAI, DCAE, OOF: done.

TSC meeting 

TSC Chair election completed; vice chair nominations started.

The TSC agreed to the licensing exception with the understanding that the ODL RESTCONF code would be removed by the end of 2023.

Congratulations to the 3 vice chairs: Keguang He, Byung-Woo Jun, and Dong Wang.

Byung-Woo Jun update (January 11th & 18th)

Fiete Ostkamp was elected as new PTL for the portalNG project.

3 new features for New Delhi

  • Huawei: Incident API requirements in R14; impacted projects: SDNC, Policy, DCAE.
  • China Telecom: Data Service Enhancements of Intent Driven Network for CCVPN use cases based on LLM.
  • China Mobile: Generative AI solution based on LLM.

ARCHCOM approves and recommends architecture changes to the TSC; the TSC gives final approval or denial. Reviews and changes are tracked in Jira. Muddasar Ahmed recommends including technical debt as part of feature/architectural enhancements.




PTL meeting (January 29th)

To be finally decided at the next TSC whether to maintain a separate PTL meeting or fold it into the TSC meeting. We would need a Release Manager volunteer.

  • Leave the PTL meeting in place and cut it by half an hour.
  • Rotate/alternate PTL to lead the meetings
  • Toine Siebelink runs the meeting for the week of January 15th

Andreas Geißler proposed simplified/flexible Helm chart versioning for New Delhi

For the up-to-date PTL list, see Project Status in New Delhi Release




LFN-TAC (DTF F2F)

FY24 priorities: security was covered; consensus on ONAP best practices.

http://tlhansen.us/badging

Platform Maturity Requirements (aka Carrier Grade)

New project induction and project graduation criteria documentation accepted. Security discussion should be a separate WG meeting (security scrum of scrums, LFN Security Forum).

Updated meeting agenda for tomorrow's TAC meeting (https://wiki.lfnetworking.org/display/LN/2023-12-06+TAC+Minutes) and presentation planned by Amy and Muddasar:

  • security scrum of scrums proposal
  • Tony's dashboard for all LFN projects
  • SAST and SCA tools and onboarding provided by LFN
  • LFN having responsibility for releasing certifications (incubation, mature, etc.)

The TAC agreed with Amy's proposal. Within a six-month trial period we should have recommendations for secure software development. Projects' SECCOM representatives to join those meetings. The sense of ownership is to be improved.

LFN wide security focus group approved by TAC.

Align AI/ML initiatives

Creating LFN-wide Security FG

L3AF project - Microsoft pulled out

XGVela - no active contributors

FIDO

Muddasar Ahmed requested TAC to make a formal quality statement about LFN produced code.

CNCF certification and testing topic recently discussed.





Technical debt budgeting discussion needed with the TSC/TAC; 10% of effort could be invested in application security.

What are the best practices to move a project to the Archived or Unmaintained state?

This could be part of quality goal.




Badging update

Tony presented additional functionalities:

www.Bestpractices.dev/en/projects/1718?criteria_level=2 

Gap on ONAP badging: no master editor for the badges. Bring up with the TSC to find an LF IT resource to fill the role.

TSC topic to be added for the upcoming agenda.




SABRES

USC - Dr Eric Klein
https://wiki.lfnetworking.org/display/LN/5G+SBP+Use+Case+-+SABRES%3A+Slice+Selection%2C+Path+Validation%2C+Multiparty+Management
https://github.com/openfheorg/openfhe-development

These will be migrated and opened when published:
https://pulwar.isi.edu/sabres/cbs/cbs
https://gitlab.com/ops5g-sabres/nizk/nizkpathvalidatio




Package update recommendations

Amy Zwarico: my team will create recommendations.

Work in Progress.




NEXT SECCOM MEETING CALL WILL BE HELD ON February 13th 2024





...