2024-12-10 Security Subcommittee Meeting Notes
Please find below the minutes of meeting and the recording for the SECCOM meeting held on 10 December 2024.
| Jira No | Summary | Description | Status | Solution |
|---|---|---|---|---|
| | New TSC Chair | Congrats Byung! | | |
| | Next level for SCA and Nexus-IQ reports for Go Lang | Following the discussion at the PTLs meeting: OPA PDP is a subproject under the Policy project. For GoLang we need support from LF IT. Ticket IT-27561: Request Guidance on adding golang based project to Nexus IQ. The Go version used in the project is 1.23, which is the latest version. Link to restricted wiki: Security Vulnerabilities - Confluence. Deena will request, in a dedicated ticket, access to Nexus-IQ and access to the restricted wiki. | | |
| | Next SECCOM session in January '25 | We propose 14th of January for a dedicated session at the SECCOM. | | |
| | Oslo Release Status | @Byung-Woo Jun to provide status on the Oslo release. 11/19: SDC is not ready to be published. Implications to be discussed at the 11/21 TSC meeting. Policy, CPS, PortalNG, OOM are ready. Need to confirm SDNC. New RC date this Thursday, Dec 12th. In SDNC the Bierman interface was removed, with impact on SO. | | |
| | Package Upgrades for Oslo | Oslo Package Updates - Security Vulnerabilities - Confluence. Vulnerability report is not accurate: | | |
| | TAC/Software Quality and Security | 2025 Quality & Security Goals - LF Networking - Confluence. TAC: | | |
| | Kubecon report | @Byung-Woo Jun: WASM is very popular (WASM Cloud, etc.): small size, secure by design (each project has its own memory), supports multiple languages, can support IoT. Istio announced Ambient mesh support: still using Envoy at layer 7, no proxy needed at layer 4, plan to add gateway function (migrate ingress to gateway), multicluster support, AI. Security secure supply chain (e.g., in-toto and others) to be presented at the next SECCOM. | | |
| | Policy road to gold badge | Support for Ramesh and the Policy team to get the gold badge. Info from Tony: Policy Framework performed a security review one year ago; they do not need to do another one for four years. https://lf-onap.atlassian.net/wiki/spaces/DW/pages/16519988/PF+-+ONAP+Security+Review+Questionnaire We can proceed with reviewing their remaining questions as part of next week's meeting. 5 Nov: Policy Gold badge approved except for site_hardening, which is outside the control of the Policy team. Ticket opened with OpenSSF to resolve the issue with site_hardening. CONGRATULATIONS to the Policy team for this achievement. | complete (5 Nov) | |
| | UUI for Gold Badging | Under consideration with Keguang. | | |
| | Technical debt | @Fiete Ostkamp: Chef dependency in SDC related to a Ruby conflict (2.0 is pretty old). SDC-4691: catalog-be docker build is failing due to ruby dependency conflict (Open); the pipeline is broken due to this. SECCOM recommends: in the short term, fix the Chef (v13 from 2013?) dependency so that Ruby can be upgraded to 3.0; in the long term, convert all of the Chef recipes into chart form. Need to discuss at the TSC the need for end-to-end testing. 5 Nov update: DT will fix and upload into ONAP for the Oslo release. @Andreas Geißler will provide a date at the 7 Nov TSC. 18 Nov PTL meeting: @Fiete Ostkamp still waiting for the upgrade. Delay in the Oslo RC to be discussed at the 21 Nov TSC meeting. | in progress | |
| | Issue with merging gerrit code | Ticket opened by Tony: IT-26848. Tony is checking on it; still has issues? Issue still exists. Kevin to update the ticket with additional info. Tony reported it still has an issue, see https://gerrit.onap.org/r/c/dcaegen2/collectors/ves/+/138052 11/19: Kevin working on a new ticket for the same issue. | status to be updated | |
| | Support for Oslo release | | ongoing | |
| | Logging modifications proposal | Mateusz Pilat from Tata presented changes in the log format for its unification. A Change Request will be prepared by Mateusz. Discussion will follow at the OOM meeting on Wednesday. RBAC changes could be provided: improvement for the New Delhi release. The need for root access for containers was explained. Further updates will be discussed during Oslo. Tata Communications still plans to do some improvement for Oslo, but has no detailed plan yet. Risk of not getting the contribution in the Oslo release. 11/19: May be a candidate feature for the Paris release. | on hold | |
| | GitHub Actions integration pipeline | LF IT is migrating the CI pipeline to GitHub Actions; this may take until the end of fall or later. Once ONAP is completed for GitHub Actions, we will do a security review. Last update from Matt is that LF IT is continuously shipping one project at a time. 4/2: in progress. At the TSC Jess mentioned Q4'24, or rather the beginning of 2025. | open - WIP | |
| | LFN AI/ML use cases | Need to write an LF informative position white paper for AI/ML; the team to write it has been constituted. A meeting is planned at a convenient time for all contributors. Goal is to produce it by DTF. A structured bulleted paper is available on Confluence: https://wiki.lfnetworking.org/pages/viewpage.action?pageId=120652848 China Mobile focus: generative AI (New Delhi UUI). China Telecom focus: intent transformation & LLM tuning parameters to create domain-specific solutions (New Delhi UUI). Both projects are in progress. Oslo lightweight model: China Telecom and China Mobile presented at the last TSC their plans for AI/ML use cases with ONAP. In September both companies presented their plans for Oslo in this domain at the TSC meetings. 11/19 update: TAC will open an AI/ML seat. | open - select structure of the document | Copy of 2024-10-01 Security Subcommittee Meeting Notes (under prep) |
| | Nephio security working group | Workload identity and access management in progress. Internal discussions in E/// on next steps for user identity and access management. Nephio R3: there is an action point on secret management, "sharing secrets across clusters as Skupper generates a secret in one cluster/namespace and that secret has to be shared with another cluster/namespace. To create the tunnel for communication. Now the question is how to share the secrets". It is a narrowed scope of sharing secrets between particular services, which is different from what Nephio SIG Security proposed. @Byung-Woo Jun: The Nephio SIG Security team (Shiv from Accuknox) plans to provide a demo of workload identity with SPIFFE this or next week. I will share the details after their demo. LF IT support is needed for SBOM SPDX format generation. Jess has experience with Java-based projects, and Nephio is Go-based. @Byung-Woo Jun: The Nephio O-RAN Workload Identity proposal by Nephio SIG Security will be presented to Nephio WG 2 ORAN on May 29th (postponed to June 5th), https://docs.google.com/presentation/d/1kofOHWswM2_OJPfefTcSzVvsBAg0QE3Z7GQITlaPO2w/edit#slide=id.p Nephio Workload Identity execution plan: Nephio update 2024-5-28: Update expected on 18th of June. Nephio signed image is a work in progress. Branch selected for Workload Identity - WIP. Links shared by Muddasar: https://datatracker.ietf.org/doc/bofreq-richer-wimse/ https://www.ietf.org/archive/id/draft-gilman-wimse-use-cases-00.html Small demo presented with Vault used for secrets. https://istio.io/latest/docs/ops/integrations/spire/ The second demo topic on July 23rd, 2024: Another demo on July 30th, 2024: New hydration concept = customization of CRD. https://docs.google.com/document/d/1aTIkp0h9SS7iypgF42FE1jz252aJQ2WIHjmfAmfjNkY/edit?tab=t.0 11/19: Nephio formed the Nephio AI/ML work group - selecting model, security. | ongoing | |
| | ONAP Security Implementation Status | @Byung-Woo Jun: TATA Communications supports RBAC, observability, logging, backup, etc. by leveraging the current ONAP security mechanisms (Ingress, Service Mesh) for their own platform. It is possible they contribute the enhancements they made to the ONAP New Delhi release (TBD). Sharing of code most probably in the Oslo release. Andreas is working on enhancements for the OOM team. Tata Communications shared which components in Montreal use STDOUT and which do not. Copy of 2024-10-01 Security Subcommittee Meeting Notes (under prep). Postponed to Oslo. 11/19: OOM enhancing the security script for service mesh in Oslo (DT work - @Andreas Geißler). | | |
| | New ISTIO 1.22 | Ambient mesh under consideration if stable and memory safe. Trigger with the ISTIO implementation to be detailed. A plan for eBPF via Cilium, see Andreas' wiki page ONAP "Networking" Options (>=Kohn). For now, it is a consideration only. DT is in general on hold with Ambient mode; for ONAP, Andreas will continue. | | |
| | PTL meeting (December 9th) | Vulnerability report is not accurate: Nexus-IQ demo by @Amy Zwarico delivered. Record a session of 5 min max. | | |
| | LFN-TAC (DTF F2F) | CNTI approved as a project. Paraglider might prepare a presentation. Next meeting on July 10th. KPIs in project promotion and health check discussion with every project. Chair and vice chair election. Security seat and Superblueprint seat. Proposal: use Tony's 5-year assessment as a baseline. Planning meeting done last week. WIP for Superblueprint. New use case under consideration (software packaging?). No quorum for the last 2 meetings. CI/CD process for RAN and core deployment. Aether project. Hexa eBPF UPF-based solution. https://aetherproject.org Hexa: https://coranlabs.com/?_sm_pdc=1&_sm_rid=ZTsnTH13HrWPtNsPZTH1f6FFQqTF1nTH16MZDqg Best practices for security goals in projects under collection. | | @Muddasar Ahmed to check for document availability on software quality goals. |
| | | Quality goals and security goals: no actions taken, so put back into the agenda for this week. Criteria for project incubation and graduation to be worked on. No quorum at the last meeting; planning for the next meeting. Feedback from Olaf received for quality and security goals. Discussion to follow this week. https://lf-networking.atlassian.net/wiki/spaces/LN/pages/15700616/2024-09-04+TAC+Minutes Security Review Page - TAC page to collaborate: https://lf-networking.atlassian.net/wiki/spaces/LN/pages/18415618/Security+Review+Matrix (may require a new login set up, as this site has migrated to web-based Confluence). Willingness to move forward but limited contributions. Paperwork submission this week for 5G Superblueprint and Paraglider (projects in the waiting room to join LF, https://paragliderproject.io). Working calls on Mondays to focus on KPIs and tools related to quality. | | @Muddasar Ahmed to follow up with Jill. |
| | @Muddasar Ahmed | TAC update: 2 issues: security, 5G super blueprint. | | |
| | Lack of CLM scans for NG Portal | Andreas was informed about the lack of Jenkins jobs for Nexus-IQ scans. Fiete will work on this as project PTL. Update from @Fiete Ostkamp: Jira opened by Fiete, ongoing support by LF-IT. Fiete is back from holidays. Update from Fiete: onap-portal-ng-preferences: onap-portal-ng-history: onap-portal-ng-bff: SonarCloud scans for NG Portal are available; waiting for a resolution for Nexus-IQ and NG Portal UI. | | |
| | PostQuantum cryptography | Currently used keys and the impact of post-quantum cryptography. Key management from the UPF example. NIST has already approved some algorithms; asymmetric is a concern due to overhead and additional resources that need to be used. We need to create a cryptography inventory for ONAP. | | |
| | NEXT SECCOM MEETING CALL WILL BE HELD ON January 7th 2025 | Upcoming security events: https://events.linuxfoundation.org/open-source-summit-europe/ | | |
Recordings: