Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 16 Next »

Communication patterns

  • Intra-Component communication (e.g. between so-bpmn-infra and so-sdnc-adapter)
  • Inter-Component communication (e.g. between onap-cli and so)
  • External communication (e.g. user → sdc-ui)

Assumptions (to be agreed)

  • AAF will be removed
    • → No Container port encryption
  • Services must not use NodePorts 
    • → external communication only via Ingress
  • Ingress is the default for external communication
    • Istio IngressGateway
    • Nginx Ingress ?
  • Inter-component communication can be 
    • directly (as today)
    • via Ingress (Seshu's proposal) ?
  • Communication encryption can be done:
    • on Ingress level (adding certificate to Gateway)
    • on SM (e.g. Istio sidecars)
    • on Kernel Level (using eBPF via Cilium)

To be supported options in ONAP

  1. No ONAP internal encryption:

    1. Intra-Component: unencrypted
    2. Inter-Component: unencrypted
    3. External: unencrypted/encrypted
  2. Inter-Component encryption:
    1. Intra-Component: unencrypted
    2. Inter-Component: encrypted
    3. External: unencrypted/encrypted
  3. Full encryption:
    1. Intra-Component: encrypted
    2. Inter-Component: encrypted
    3. External: unencrypted/encrypted

Implementation proposals

Option 1 (no ONAP internal Encryption)

  • External communication:
    • Components expose (external) interfaces to Ingress 
    • Encryption on Ingress (optional)
  • Internal communication: 
    • No service Mesh
    • No TLS port encryption on pods
    • Direct unencrypted inter-component communication

Option 2 (inter-component encryption)

  • External communication:
    • Components expose (external) interfaces to Ingress 
    • Encryption on Ingress (optional)
  • Internal communication: 
    • No service Mesh
    • No TLS port encryption on pods
    • Inter-component communication via Ingress (encrypted)

Option 3 (full encryption)

  • External communication:
    • Components expose (external) interfaces to Ingress 
    • Encryption on Ingress (optional)
  • Internal communication: 
    • Service Mesh enabled
    • No TLS port encryption on pods
    • Direct encrypted inter-component communication (via sidecars)

Solution using Istio:

Solution using eBPF via Cilium:

https://cilium.io/blog/2020/11/10/ebpf-future-of-networking/
https://ebpf.io/

  • No labels