Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 9 Next »

WHY a flow matrix?


Numerous components are embedded in the ONAP architecture. 

To enable a reliable and efficient security level of the deployed solution, the owner of the solution has to manage his IN/OUT flows of it. Then adapted access control rules can be activated to enable only authorized incoming and outcoming flows.

Without this information, it is impossible to deploy a real access control solution.

For more clarity reasons, 3 types of flows have been defined.


  • External flows 

It is by definition all flows out of ONAP platforms e.g. interconnection to a BSS.

The main objective is then to authorize only pre configured flows on specific ports.


  • Inter-components flows

All flows defined between components defined as project by ONAP.

For example it could concern a flow between the AAI and DCAE.


  • Intra-component flows

The flows remain within the components - ONAP project.

For instance for DCAE component, a flow between the collector (VES) sub_component and DCAE_lifecycle_manager.


WHEN a flow matrix?

A flow matrix should be established for each ONAP project.

It should be reviewd at each major release of the component.


HOW a flow matrix?

This may be too complicated to address all flows for a given project.

As a first step, external flows should be considered, and then the 2 other categories.

This file enables to provide information for each external flow for the DCAE example:


ParameterValue
namename of the ONAP project e.g. DCAE.
sub_components:
        - name:
real name of the sub component e.g. dcae-snmptrap-collector
external_server_side:in external server side list only ingress (external -> ONAP) traffic
type:nodePort
external_communication:N/A
descriptione.g. SNMP trap
ide.g. DCAE_EXT_1.
communication_initiatorwhich component initiates the communication.
e.g.  any component sending SNMP either internally to ONAP platform or externally e.g. xNF.
communication_receiptwhich component is the dest of the communication.
protocolat least level 4 or higher, to be specified if applicable. 
versionto be specified if applicable
exposed_pod_portto be specified if applicable
exposed_portto be specified if applicable
encryptionnone or active e.g. HTTps implemented.











 


exposed_pod_port: 6162 #to be specified if applicable
exposed_port: 30470 #to be specified if applicable
encryption: none
#data_exchanged: specifies the file format, the main exchanged information.
data_exchanged: snmp trap information
#to specify whether the component hosts a TLS sever or a TLS client (yes or no), if applicable.
tls_server: N/A
tls_client: N/A
flow_direction: incoming






  • No labels