  1. VNF Requirements
  2. VNFRQTS-497

Adding xNF Package security based on ETSI SOL004


    • Story
    • Resolution: Done
    • High
    • Dublin Release
    • Dublin Release
    • VNF Requirements
    • None

      There are security requirements on the VNF/PNF package in SOL004 which are missing in the VNF requirements.

       

      Proposed Change:

      ---------------------------------------------

      Remove old requirement R-444945

      ---------------------------------------------

      5.1.6.4. VNF and PNF Package Authenticity and Integrity

      VNF/PNF package shall support a method for authenticity and integrity assurance.

      According to ETSI SOL004 the onboarding package shall be secured. ETSI SOL004 provides two options:

      Option 1 - One Digest hash for each component of the VNF package. The table of hashes is included in the manifest file, which is signed with the VNF provider private key. A signing certificate including the provider’s public key shall be included in the package. If the signature format allows it, the signature may be embedded in the manifest file.

      Option 2 - The complete CSAR file shall be digitally signed with the provider private key. The provider delivers one zip file consisting of the CSAR file, a signature file and a certificate file that includes the VNF provider public key.

      Dublin release note:

      - pre-onboarding:
        - Option 1 specified in ETSI SOL004 is supported
        - Option 2 specified in ETSI SOL004 is supported
      - onboarding:
        - Option 2 specified in ETSI SOL004 is supported
        - Option 1 will be supported

       

      Requirement: R-787965

      target: VNF/PNF TOSCA CSAR Authenticity

      keyword: MUST

      introduced: Dublin

      If option 2 is supported, the complete VNF/PNF TOSCA CSAR file MUST be digitally signed with the VNF/PNF provider private key. The VNF/PNF provider delivers one zip file consisting of the CSAR file, a signature file and a certificate file that includes the VNF/PNF provider public key. The certificate may also be included in the signature container, if the signature format allows that. The VNF/PNF provider creates a zip file consisting of the CSAR file with .csar extension, signature and certificate files. The signature and certificate files must be siblings of the CSAR file with extensions .cms and .cert respectively.

      Requirement: R-130206

      target: VNF/PNF TOSCA CSAR Authenticity

      keyword: MUST

      introduced: Dublin

      If option 1 is supported, the VNF/PNF package MUST contain a Digest (a.k.a. hash) for each of the components of the VNF/PNF package. The table of hashes is included in the package manifest file, which is signed with the VNF/PNF provider private key. In addition, the VNF/PNF provider MUST include a signing certificate that includes the VNF/PNF provider public key, following a pre-defined naming convention and located either at the root of the archive or in a predefined location specified by the TOSCA.meta file with the corresponding entry named "ETSI-Entry-Certificate".

      ---------------------------------------------
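A pre-check an onboarding step could run on an Option 2 delivery (R-787965) before any signature verification, written here as an added example that is not part of the issue or of ONAP code. The function names and sample archives are hypothetical, "exactly one CSAR per zip" is an assumed reading of the requirement, and the check covers layout only: the .cms signature still has to be verified cryptographically against a trusted certificate chain.

```python
import io
import posixpath
import zipfile


def check_option2_layout(zip_bytes):
    """Return (files, problems) for an Option 2 delivery zip.

    files maps 'csar', 'cms' and 'cert' to the member names found.
    problems lists every deviation from the sibling layout in R-787965.
    """
    files, problems = {}, []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [n for n in zf.namelist() if not n.endswith("/")]
    csars = [n for n in names if n.endswith(".csar")]
    if len(csars) != 1:  # assumption: one CSAR per delivery zip
        problems.append(f"expected exactly one .csar file, found {len(csars)}")
        return files, problems
    files["csar"] = csars[0]
    folder = posixpath.dirname(csars[0])
    for key, ext in (("cms", ".cms"), ("cert", ".cert")):
        matches = [n for n in names if n.endswith(ext)]
        siblings = [n for n in matches if posixpath.dirname(n) == folder]
        if len(siblings) == 1:
            files[key] = siblings[0]
        elif siblings:
            problems.append(f"ambiguous: {len(siblings)} {ext} files next to the CSAR")
        elif matches:
            problems.append(f"{ext} file {matches[0]} is not a sibling of the CSAR")
        else:
            problems.append(f"missing {ext} file")
    return files, problems


def build_zip(members):
    """Build a constructed in-memory zip from {member name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample deliveries (file contents are dummies, not real signatures).
GOOD = build_zip({"vnf.csar": b"dummy", "vnf.cms": b"dummy", "vnf.cert": b"dummy"})
BAD = build_zip({"vnf.csar": b"dummy", "sigs/vnf.cms": b"dummy"})

if __name__ == "__main__":
    for label, blob in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_option2_layout(blob))
```

A delivery that passes this check hands the three member names to the CMS verification step; one that fails can be rejected before any cryptographic work is done.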

            fzhang fzhang
            zuqiang zuqiang