Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 25th of June 2024.


Jira No | Summary | Description | Status | Solution

CyberSEC in Krakow

ENISA Threat Landscape (ETL) report edition 11

https://www.enisa.europa.eu/publications/enisa-threat-landscape-2023 (page 47)

GSMA has FS.30 (threats) and FS.31 (Security Controls to manage threats/risks). There is currently a Change Request to add a mapping table to FS.31 that maps the ENISA-reported threats against the controls in the FS.31 recommendations. GSMA members are welcome to join the FASG/FSAG working calls to provide their input.

https://www.gsma.com/get-involved/working-groups/fraud-security-group (Fraud and Security Group)

https://www.gsma.com/solutions-and-impact/technologies/mobile-identity/wp-content/uploads/2020/10/James-Moran-GSMA.pdf (overview of the Working Group)

to-be-deprecated repo list

  • Amy Zwarico created the following draft of repos to be removed from Jenkins (Jessica completed the work):
    • Draft of repos to be removed from Jenkins:

      CLI
      • cli

      DMaaP Message Router
      • dmaap-messagerouter-dmaapclient
      • dmaap-messagerouter-messageservice

      ExtAPI
      • externalapi-nbi

      Holmes
      • holmes-common
      • holmes-engine-management
      • holmes-rule-management

      Modeling
      • modeling-etsicatalog
      • modeling-yang-kit

      MSB
      • msb-apigateway
      • msb-discovery
      • msb-java-sdk
      • msb-swagger-sdk

      NBI (=ExtAPI)

      OOF
      • optf-has
      • optf-osdf

      VFC
      • vfc-gvnfm-vnflcm
      • vfc-gvnfm-vnfmgr
      • vfc-gvnfm-vnfres
      • vfc-nfvo-driver-svnfm-huawei
      • vfc-nfvo-driver-vnfm-gvnfm
      • vfc-nfvo-lcm

      VNFSDK
      • vnfsdk-dovetail-integration
      • vnfsdk-functest
      • vnfsdk-refrepo
      • vnfsdk-validation

      vvp - already removed

SBOM-a-rama registration

Registration information for SBOM-a-Rama attendees and SBOM-Solutions Showcase potential exhibitors:

Register to attend SBOM-a-Rama on September 11, 2024 or the SBOM-Solutions Showcase on September 12, 2024

SBOM community meetings are held regularly. If interested in supporting a Working Group on challenges or solutions, send an email to sbom@cisa.dhs.gov; join the meetings just to listen in or to provide input for improvement.

Package upgrades for New Delhi

A new scan iteration for package upgrades is available on the restricted Wiki, but due to the instability of Nexus-IQ all the CLM jobs were failing. Amy has opened ticket IT-26799 (CLM Jenkins Jobs Failing).

Progress - not all jobs are failing. Pawel's access to CLM reports was lost; a Jira was opened for that: https://jira.linuxfoundation.org/plugins/servlet/desk/portal/2/IT-26825 and IT-26810.

Following the discussion at the last TSC, Andreas confirmed that his tests are not failing.

Update received from Kevin on reasons CLM jobs are failing:

  • ccsdk / apps / 326 - there are test failures [TO BE FIXED BY COMMUNITY]
  • msb / discovery / 311
  • sdnc / apps / 310
  • oom-platform-cert-service / 210/console
  • 305/console (last time it worked as expected was Jul 2023)
  • plugins missing required configuration at POM files, so they fail when executed; additionally, the jobs failing with this error seem abandoned as they have not run properly for a long time, so they should be removed [TO BE FIXED BY COMMUNITY]:
    • nexus IQ application IDs missing: we FIXED this one by creating the missing application IDs through the NexusIQ dashboard
    • old clm-maven-plugin version causing incompatibility errors: we FIXED this one by removing a hardcoded version pin we had in a GlobalJJB script

    fixed

    Logging modifications proposal

    Mateusz Pilat from Tata presented changes in the log format for its unification. A Change Request will be prepared by Mateusz. The discussion will continue at the OOM meeting on Wednesday.

    RBAC changes could be provided: improvement for the New Delhi release.

    The need for root access in containers was explained.

    • Maggie, Justin and Andrew Lamb's input: 

      • ONAP application services will run in a namespace whose privilege and security context are restricted via Pod Security Standards Restricted policy to meet the CIS 1.6 benchmark. No workloads in this namespace will ever be permitted to run with privileges or as root within the container.

      • ONAP logging services will run in a separate namespace which allows Pod Security Standards Privileged profiles. Any workload in this namespace will be permitted to run with privileges. To mitigate the risk of such a namespace, the Kubernetes Admission Controller, via Kyverno policies, will enforce strict admission requirements on workloads in this namespace.

      • To be deployed into the privileged namespace, workloads must be running a specific container image with restrictive container startup commands and arguments, as specified in Kyverno policies written by ONAP developers. This will ensure that only ONAP SECCOM approved workloads are ever permitted to run with privileges in this namespace.

    • As a more general SECCOM note, Byung - I discovered in my research that the Kyverno admission validation hook can also (1) enforce minimum versions of container images (which I wish I would have known when trying to keep log4j off my clusters last year) and (2) prevent exec operations into running containers - this would be useful in preventing an insider from accessing the privileged workload once it has already been admitted to the privileged namespace. I did not include these because they seem to be larger design requirements for cluster administrators beyond just the management of ONAP. If you think it would be within ONAP's purview to enforce these mechanisms I'm happy to include them in the next PoC iteration. - Justin

    • Hope in Oslo, we can discuss/explore this further.

    Further update will be discussed during Oslo.
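As an added illustration of the admission design described above (not code from the page, from the ONAP project or from the PoC), the two Kyverno ClusterPolicies below show the shape of the gate: the first admits a Pod into the privileged logging namespace only if every container runs the approved image with the approved startup command and arguments, the second blocks exec into that namespace, the extra control Justin mentions. The namespace name `onap-logging`, the image `registry.example.org/onap/log-collector:1.4.2` and the fluent-bit command are assumed placeholders.

```yaml
# Added example; namespace, image and command are placeholders, not ONAP values.
# Policy 1: only the SECCOM-approved log collector image, started with the
# approved command and arguments, may be admitted into the privileged namespace.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: onap-logging-approved-workloads
spec:
  validationFailureAction: Enforce   # reject non-compliant Pods, do not just audit
  background: true                   # also report already-running Pods that violate
  rules:
    - name: approved-image-and-entrypoint
      match:
        any:
          - resources:
              kinds:
                - Pod
              namespaces:
                - onap-logging
      validate:
        message: >-
          Only the SECCOM-approved log collector image, started with the approved
          command and arguments, may run in the privileged logging namespace.
        foreach:
          - list: "request.object.spec.containers"
            deny:
              conditions:
                any:
                  # every container must use the pinned, approved image (placeholder)
                  - key: "{{ element.image }}"
                    operator: NotEquals
                    value: "registry.example.org/onap/log-collector:1.4.2"
                  # ...and must declare the restrictive entrypoint verbatim; a missing
                  # command/args list joins to "" and is therefore denied as well
                  - key: "{{ element.command || `[]` | join(' ', @) }}"
                    operator: NotEquals
                    value: "/usr/bin/fluent-bit"
                  - key: "{{ element.args || `[]` | join(' ', @) }}"
                    operator: NotEquals
                    value: "--config /etc/fluent-bit/fluent-bit.conf"
---
# Policy 2: block `kubectl exec` into Pods of the privileged namespace, so an
# insider cannot use an already-admitted privileged workload interactively.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: onap-logging-deny-exec
spec:
  validationFailureAction: Enforce
  background: false                  # exec requests are not persisted resources
  rules:
    - name: deny-exec-in-logging-namespace
      match:
        any:
          - resources:
              kinds:
                - PodExecOptions
      preconditions:
        all:
          - key: "{{ request.operation }}"
            operator: Equals
            value: CONNECT
      validate:
        message: "exec into Pods of the privileged logging namespace is forbidden."
        deny:
          conditions:
            all:
              - key: "{{ request.namespace }}"
                operator: Equals
                value: onap-logging
```

A second `foreach` over `request.object.spec.initContainers` would be needed to cover init containers, and the Restricted Pod Security Standard on the application namespace is applied separately through the namespace's pod-security labels.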

    GitHub Actions integration pipeline

    LF IT is migrating the CI pipeline to GitHub Actions - this may take until the end of fall or later. Once ONAP is fully moved to GitHub Actions, we will do a security review. The last update from Matt is that LF IT is continuously shipping one project at a time.

    4/2: in progress

    At the TSC Jess mentioned Q4'24?

    open - WIP

    LFN AI/ML use cases

    Muddasar Ahmed presented the draft deck about LFN AI/ML use cases.

    Maggie shared link:

    https://www.nist.gov/itl/ai-risk-management-framework 

    We need to have Ops feedback (NOC manager) on AI: what pain points could be solved by AI.

    Deck shared with Marian from Orange, feedback expected in the first week of December. Under WG11 in the ORAN Alliance (doing standards for ORAN), a threat analysis will be done in the domain of AI security - OWASP Top 10 - planned by March'24.

    Runtime influence under interest.

    Maggie shared the link: https://www.cisa.gov/news-events/alerts/2023/11/26/cisa-and-uk-ncsc-unveil-joint-guidelines-secure-ai-system-development

    Feedback from Marian received, to be discussed at the next SECCOM.

    China Mobile and Infosys would like to work on use cases. First call done yesterday; agreed on a model to move forward. The Intent Based Mode would use Generative AI, with a 3-layer approach: business layer, services layer, domain layer. Each Intent Manager would have its own AI. A generic model would be used: business language into ONAP-consumable form, for services more data oriented, and finally domain oriented. The focus is not on a 5G-only architecture but on any architecture, so it could be used by any organization.

    Topic is in a forming group. China Mobile and Infosys are interested in the Intent context. China Telecom is also interested, with a focus on user input and Intent.

    Muddasar Ahmed, Byung-Woo Jun, Maggie update:

    China Telecom: New Delhi - data service. CCVPN use cases - LLM does not give enough intelligence. Develop domain specific model to generate more intelligent decisions.

    China Mobile & Infosys: Intent based networking - Level 3 autonomy. Infosys is consulting with MNOs and has experience developing small AI-based autonomous loops.  New Delhi release: CM/Infosys will deliver LLM for Intent based networking. Intelligent decision making.

    Post New Delhi will evaluate if the two tracks can leverage each other.

    UUI is the impacted system for both tracks. No impact to other components.

    NSA/Georgia Tech: AI/ML for security. Collecting and tagging security data to correlate the data.

    Amy Zwarico provided a reference to NIST AI 100-2e2023 Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations

    Call this week booked. The AI/ML use cases focus group still works on platform and use case priorities.

    CCVPN use case and intent based networking. China Mobile and Infosys are starting work on that further downstream.

    ORAN WG11 is working on security aspects. WG2 (non-real-time RIC) and WG3 (near-real-time RIC) are working on xApps and rApps (AI/ML capabilities).

    Need to write an LF informative position white paper for AI/ML - a team to write it has been constituted. A meeting is planned at a convenient time for all contributors. Goal is to produce it by DTF.

    Structured bulleted paper available on Confluence - https://wiki.lfnetworking.org/pages/viewpage.action?pageId=120652848

    China Mobile focus: generative AI. (New Delhi UUI)

    China Telecom focus: intent transformation & LLM tuning parameters to create domain specific solutions. (New Delhi UUI)

    Both projects are in progress.

    Oslo lightweight model 

    China Telecom and China Mobile presented at the last TSC their plans for AI/ML use cases with ONAP.

    open - skeleton structure of the document

    LFN AI-ML Use case formulation.pptx

    Nephio security working group

    Byung-Woo Jun informed SECCOM that the Nephio security WG is holding a joint meeting with the LF security SIG today at 11AM ET. Nephio plans to adopt 80% of OSSF passing badge.

    Topic further discussed:

    It was noted that the passing badge should be straight-forward to achieve.

    The web page tlhansen.us/badging was discussed. Click on “Single Project…” then fill in a search string or badging ID (e.g. "nephio" or "7665").

    For Nephio, Tony recommends sorting by “Type+Section”.

    Nephio SIG Security meeting:

    By: Lucy Hyde; when: Tuesday, October 31st, 2023, 8:00am to 9:00am (UTC-07:00) Pacific Time - Los Angeles; repeats: weekly on Tuesday; location: https://zoom.us/j/96025994457

    We could support Nephio by sharing our best practices and processes in place. Lucy OOO for the next few weeks?

    Byung introduced Tony's tool, which was positively received by the Nephio team. Nephio has a GUI; UI AuthN and AuthZ to be shared by Byung.

    Nephio SIG meeting last week: https://nephio.slack.com/files/U0503L9UA8N/F065V0AAZRQ/sig-security_action_items.pdf?origin_team=T03LMAUL4HH&origin_channel=D065DKWJJ9X

    No update - info collection ongoing. Byung will join the SIG group.

    Secrets and Service Mesh

    • Byung-Woo Jun: many of the above items are done. The LF Security and SIG Security joint meeting did not happen.

    Nephio SIG Security discussion topics are:

    • Secrets management leveraging Vault (open-source version)

    • Service Mesh

    • Ericsson plans to propose Identity and Access Management at the SIG Security meeting today (Jan 23)

    Byung-Woo Jun: discussing the R3 release.

    • Using open source Vault for secrets storage
    • Service mesh: ONAP uses a single management cluster. Nephio has a built-in service mesh component that can be added by the operator. E/// will propose IAM to the SIG today.
    • Considering OpenSSF tool.
    • Muddasar Ahmed will provide a template for analysis.

    Byung-Woo Jun: The following proposals are under review at Nephio SIG Security

    Nephio Secrets management user story proposal, https://docs.google.com/document/d/1Ce_cR7afovjWsdECkV8kNbPreG5GirfJXP5IrSiABjg/edit?usp=sharing

    Service Mesh Requirements, https://docs.google.com/document/d/1UtW20GLTbICTUQyeC1Kx6aDnHlf4EqdhmeD29vsHSEM/edit?usp=sharing

    Identity and Access Management Requirements proposal, https://docs.google.com/document/d/1qxGZI-HwTA0DfUO_hXKlkEpFzTNcmbDd6IO-CO7mLYo/edit?usp=sharing 

    Package validation user story proposal, https://docs.google.com/document/d/1YeyUZUPFCS4bBgh8ShWVPrGs9HMLtrhwFSIDC6Xl3xc/edit?usp=sharing

    Package validation under preparation.

    Rahul Jadhav shared his Nephio workload identity. The team plans to review it. Also, Ericsson plans to share Identity and Access Management requirements (2nd review) next week, requirements from a Workload Identity perspective.

    Additional meeting planned today, E/// will provide user access control. Interest in workload-to-workload access control.

    Byung presented E/// user access control and workload access control under interest. SPIFFE in ORAN as study item. Workload identity still to be addressed.

    Last Tuesday, Shiv Bhagavatula (Nephio SIG Architecture) shared additional Workload Identity design, leveraging SPIFFE infrastructure (SPIRE server, SPIRE agent, SPIFFE Id and SVID…), https://docs.google.com/presentation/d/1L79WrZ64Uar3IrH-jL_IeQTlPoLtXGZKHIIfVCXLoco/edit#slide=id.p

    Byung-Woo Jun, the latest user Identity and Access Management requirements, https://docs.google.com/document/d/1K0gooS9ge181zNXLvA_SNAtGJyK1l77zOsRy6qpv7ME/edit?usp=sharing

    For Shiv and team’s workload identity design, https://docs.google.com/presentation/d/1L79WrZ64Uar3IrH-jL_IeQTlPoLtXGZKHIIfVCXLoco/edit#slide=id.g2bfc4581413_1_5

    4/2: Target R4 (3Q24/4Q24)

    Nephio Security team POC - (1) OIDC AuthN/AuthZ using Service Mesh and Key Cloak, (2) Workload identity and access management using SPIFFE.

    Workload identity and access management in progress. Internal discussions in E/// for next steps for user identity and access management.

    Workload Identity User Story

  • Shiv plans to provide a better definition of "token".
  • Nephio R3, there is an action point, secret management: "sharing secrets across clusters as Skupper generates a secret in one cluster/namespace and that secret has to be shared with another cluster/namespace. To create the tunnel for communication. Now the question is how to share the secrets". It is a narrower scope of sharing secrets between particular services, which is different from what Nephio SIG Security proposed.

    Byung-Woo Jun, the Nephio SIG Security team (Shiv from Accuknox) plans to provide a demo of workload identity with SPIFFE this or next week. I will share the details after their demo.

    LF IT support is needed for SBOM SPDX format generation. Jess has experience with Java-based projects, and Nephio is Go-based.

    Byung-Woo Jun, the Nephio O-RAN Workload Identity proposal by Nephio SIG Security will be presented to Nephio WG 2 ORAN on May 29th (postponed to June 5th), https://docs.google.com/document/d/1nkh7tTItwii1bY877PfzjFCBtmRos4IDh5EOJxWXRdg/edit#heading=h.srlm9p7wuua8, https://docs.google.com/presentation/d/1kofOHWswM2_OJPfefTcSzVvsBAg0QE3Z7GQITlaPO2w/edit#slide=id.p

    Nephio Workload Identity execution plan:

    • Start with PoC / demo to the relevant groups
    • Requirements / user stories to SIG-1
    • Detailed demo / run-through to SIG-Automation

    Nephio update 2024-5-28:

    • Signed image handling thru Nephio CI
    • Nephio SIG Security team is working on the above execution plan
    • Nephio O-RAN workload identity proposal to Nephio WG 2 ORAN this week
    • ORAN integration discussion (Q&A) further this week

    Update expected on 18th of June - Nephio signed image is a work in progress

    Branch selected for Workload Identity - WIP.

    ongoing

    ONAP Security Implementation Status

    Byung-Woo Jun: TATA Communications supports RBAC, observability, logging, backup, etc. by leveraging the current ONAP security mechanisms (Ingress, Service Mesh) for their own platform. They may contribute the enhancements they made to the ONAP New Delhi release (TBD).

    Sharing of the code most probably in the Oslo release. Andreas is working on enhancements for the OOM team.

    Tata Communications shared which components in Montreal use STDOUT and which do not: ONAP Logging alignment for Montreal release.xlsx

    Postponed to Oslo.

    Gold Badge for Policy team

    Preparation for Gold Badging. Presentation to the TSC on oparent removal.

    New ISTIO 1.22

    Ambient mesh under consideration if stable.

    TSC meeting (June 13th)

    ONAP Streamlining Phase 2 - Requirements, documentation, roadmap for Oslo - work in progress

    • Leveraging individual core ONAP network automation functions, create lightweight ONAP solutions
    • create documentation (user guide, APIs, architecture, trouble-shooting), focusing how to use individual ONAP network automations
    • Use case of O-RAN / Nephio connections

    TSC approved New Delhi release sign off.

    Wiki page instability was raised.

    TSC agreed to remove all past recordings older than 1 year.

    Byung-Woo Jun, Ericsson Policy team will share their O-parent removal experience with the TSC this week

    ONAP Focus for the future

    Initial discussion with Dong, Keguang and Byung. Lightweight ONAP under consideration: SO, SDC, Policy, CPS, UUI, DCAE, SDNC.

    Byung-Woo Jun, refined the ONAP initiative slide deck further (simplified based on Maggie's comments, thanks!); plan to present it to the TSC this week; I will share the slide deck with SECCOM after that - done

    Byung-Woo Jun , at the ONAP TSC on May 23rd, China Mobile and China Telecom presented their plans for:

    PTL meeting (June 17th)

    Issues mentioned above (Marek and Tony initiated) discussed intensively with Matt and Kevin.

    NG Portal status CLM jobs - no solution for now

    presentation/d/1kofOHWswM2_OJPfefTcSzVvsBAg0QE3Z7GQITlaPO2w/edit#slide=id.p

    Nephio Workload Identity execution plan:

    • Start with PoC / demo to the relevant groups

    • Requirements / user stories to SIG-1

    • Detailed demo / run-through to SIG-Automation

    Nephio update 2024-5-28:

    • Signed image handling thru Nephio CI

    • Nephio SGI security team is working on the above execution plan

    • Nephio O-RAN workload identity proposal to Nephio WG 2 ORAN this week

    • ORAN integration discussion (Q&A) further this week

    Update expected on 18th of June - Nephio signed image is a work in progress

    Branch selected for Workload Identity - WIP.

    ongoing

    ONAP Security Implementation Status

    Byung-Woo Jun: TATA Communications supports RBAC, observability, logging, backup, etc. by leveraging the current ONAP security mechanisms (Ingress, Service Mesh) for their own platform. They may contribute the enhancements they made to the ONAP New Delhi release (TBD).

    Share of code most probably in Oslo release. Andreas is working on enhancements for OOM Team.

    Tata Communications shared which Montreal components log to STDOUT and which do not: ONAP Logging alignment for Montreal release.xlsx

    Postponed to Oslo.

    Gold Badge for Policy team

    Preparation for Gold Badging. Presentation for TSC for Oparent removal.

    New ISTIO 1.22

    Ambient mesh under consideration if stable.

    TSC meeting (June 20th)

    ONAP Streamlining Phase 2 - Requirements, documentation, roadmap for Oslo - work in progress

    • Leveraging individual core ONAP network automation functions, create lightweight ONAP solutions

    • create documentation (user guide, APIs, architecture, trouble-shooting), focusing how to use individual ONAP network automations

    • Use case of O-RAN / Nephio connections

    TSC approved New Delhi release sign off.

    Wiki page instability was raised.

    TSC agreed to remove all past recordings older than 1 year.

    Byung-Woo Jun , Ericsson Policy team will share O-parent removal experience with TSC this week

    Mature project discussion.

    ONAP Focus for the future

    Initial discussion with Dong, Keguang and Byung. Lightweight ONAP under consideration: SO, SDC, Policy, CPS, UUI, DCAE, SDNC.

    Byung-Woo Jun refined the ONAP initiative slide deck further (simplified based on Maggie's comments, thanks!); plan to present it to TSC this week; I will share the slide deck with SECCOM afterwards - done

    Byung-Woo Jun , at the ONAP TSC on May 23rd, China Mobile and China Telecom presented their plans for:

    PTL meeting (June 24th)

    Issues mentioned above (Marek and Tony initiated) discussed intensively with Matt and Kevin.

    NG Portal status CLM jobs - no solution for now

    ONAP component mature state, Mature State Projects

    Now we are handling ONAP components individually under ONAP Streamlining, exposing the components to users. CPS is the first case where the TSC approved the mature state after ONAP Streamlining. Should we keep the projects on the list as "mature", or should we certify them again? Several components are deprecated.

    According to the TSC 2.0 doc, the Mature state means "Project is fully functioning and stable, has achieved successful releases." Several projects on the list are deprecated/archived. To reach a broad audience, should we consider the "Core" state for some selected projects?

    Is gold badging a separate process from project maturity in LFN?

    • CPS got the gold badging

    • What other components do we want to get the gold badging? Policy is working on it.

    LFN-TAC (DTF F2F)

    FY24 priority, security was covered - consensus on ONAP best practices.

    http://tlhansen.us/badging

    Platform Maturity Requirements (aka Carrier Grade)

    New project induction and project graduation criteria documentation accepted. Security discussion should be a separate WG meeting - a security scrum of scrums. LFN Security Forum.

    Updated meeting agenda for tomorrow's TAC meeting (https://wiki.lfnetworking.org/display/LN/2023-12-06+TAC+Minutes) and presentation planned by Amy and Muddasar:

    • security scrum of scrums proposal

    • Tony's dashboard for all LFN projects

    • SAST and SCA tools and onboarding provided by LFN

    • LFN having responsibility in releasing certifications (incubation, mature etc.)

    TAC agreed with the proposal provided by Amy. Within the 6-month trial period we should have recommendations for secure software development. Project SECCOM representatives are to join those meetings. Sense of ownership to be improved.

    LFN wide security focus group approved by TAC.

    Align AI/ML initiatives

    Creating LFN-wide Security FG

    L3AF project - Microsoft pulled out

    XGVela - no active contributors

    FIDO

    Muddasar Ahmed requested TAC to make a formal quality statement about LFN produced code.

    CNCF certification and testing topic recently discussed.

    Tailor from CNCF and Sana presented the need for certification. CNTI (CloudNative Network Function for Telco) conformance discussion - proposal expected by April to Governing Board.

    Security whitepaper update under consideration - quality goal statement to be drafted. ORAN Alliance is doing yearly publication on security blog post.

    CNTI - discussion finished last week. CNTI assets (test and documentation for certifying) moved to LFN.

    Discussion on Superblueprint and documentation.

    Migration process in progress.

    Documentation update - modifying Lifecycle.

    Confidential computing.

    Leave automation, CI/CD security, and sample statements under preparation by Muddasar.

    Having Superblueprint formed as a TSC. Aiming at a demonstration of project interoperability.

    Joint LF Edge and LFN meeting in San Jose. Muddasar to follow up with LJ Luis.

    CNTI: still some discussion on the migration plan for other conformance and certification efforts. The project is being approved, and some migration issues on the certification path were communicated.

    Quality goal could be more explored.

    Meeting on Wednesday June 12th - CNTI induction discussion followed by induction of the Paraglider candidate project - LF helps a technology group coming to LFN. 5G Superblueprint considered in the future (a matter of a few months).

    CNTI approved as a project. Paraglider might prepare a presentation.

    Muddasar Ahmed to check for document availability on software quality goals.

    Technical debt budgeting discussion needed with TSC/TAC - 10% of effort could be invested in application security.

    What are the best practices to transfer a project to the Archived or Unmaintained state?

    This could be part of the quality goal. Still waiting for Jill Levato's action on that. An e-mail was sent by Pawel too, but no response was received from Jill.

    Jill responded and included Rany who suggested TAC level discussion and decision taking.

    Let's work through the project maturity assessment process.

    Waiting for Tony's return from holidays.

    Muddasar Ahmed to follow up with Jill.

    Lack of CLM scans for NG Portal

    Andreas was informed about the lack of Jenkins jobs for Nexus-IQ scans. Fiete will work on this as project PTL.

    Update from Fiete Ostkamp:

    • maven based jobs that trigger the gradle build could provide similar functionality

    Jira opened by Fiete, ongoing support by LF-IT. Fiete is back from holidays.

    Update from Fiete:

    onap-portal-ng-preferences:

    https://nexus-iq.wl.linuxfoundation.org/assets/index.html#/applicationReport/onap-portal-ng-preferences/b50d4e842a0847bc91437d354075e383/policy

    onap-portal-ng-history:

    https://nexus-iq.wl.linuxfoundation.org/assets/index.html#/applicationReport/onap-portal-ng-history/03f1fde4f7ea4f029031bbaf9689cfa8/policy

    onap-portal-ng-bff:

    https://nexus-iq.wl.linuxfoundation.org/assets/index.html#/applicationReport/onap-portal-ng-bff/4d9a28df94eb4bad85d858fe72321dac/policy

    NEXT SECCOM MEETING CALL WILL BE HELD ON

    JUNE 25th 2024

    JULY 2nd 2024

    Upcoming security events: https://events.linuxfoundation.org/open-source-summit-europe/

    Recordings: 

    GMT20240625-115228_Recording.transcript.vtt

    https://zoom.us/rec/share/ASkVT9DKn4uSbnCiGE3Ubnpum5m_bGyh-_6Fu2ROAX2NYnkIsVH-delgeQ7g40gG.zeBdDzU16btnOK05