Re: [opnfv-tech-discuss] CVC Jonit Meeting (Feb 4th) Agenda

[LOVETT, TREVOR J]

What was the solution in OPNFV? Can someone lay out the proposed experience and 
flow as well?  Based on prior conversations, I thought the proposal for a 
short-term solution was a human-being from the VNF Provider/Lab to upload the 
result files to the web site.  If there's an alternate proposed flow (i.e. 
Dovetail directly uploading the results to the portal), then I think it would 
be helpful to start getting that written down somewhere and it has bearing on 
how the results are secured/certified.  It's not clear that all players are on 
the same page here at this juncture.

In Option 2, I don't fully understand your comment about a clever user 
overwriting what is in the logs.  I did state that the report itself could 
still be fabricated so I'm not arguing that it couldn't be. My point was that 
if they provide a checksum with their report, then the result could at least be 
challenged and verified.  If a consumer of the VNF can't reproduce the test 
results on the files with the same checksum then the fraud can be detected.

Thanks,
Trevor

From: Lincoln Lavoie [mailto:lylav...@iol.unh.edu]
Sent: Thursday, February 07, 2019 10:22 AM
To: LOVETT, TREVOR J <tl2...@att.com>
Cc: onap-disc...@lists.onap.org; victor....@huawei.com; 
complia...@lists.lfnetworking.org; opnfv-tech-discuss@lists.opnfv.org; 
Kanagaraj Manickam <kanagaraj.manic...@huawei.com>; STARK, STEVEN 
<ss8...@att.com>; WRIGHT, STEVEN A <sw3...@att.com>; Katsaounis Molyvas 
Stamatios <mok...@intracom-telecom.com>; HALLAHAN, RYAN <rh1...@att.com>; 
vincent.sch...@telekom.de
Subject: Re: CVC Jonit Meeting (Feb 4th) Agenda

Hi Trevor,

I think one concern I have with Option 1 is, it will only work for the VVP 
compliance testing, as soon as we move towards more advanced testing (i.e. live 
cycle testing, etc), it would cause a split path for VNF testing, where you 
have to do 1/2 of your testing through a web portal and then 1/2 on some type 
NFVI / MANO platform that is in your lab or another lab. I think this will just 
make for a complicated future.

For option 2, this provides some protection, but a clever user could always 
just overwrite what is in the logs before submitting this.

Many of these questions / points were already talked about a lot within the 
OPNFV program, when that was developed and there was a desire to protect the 
results as well.

Cheers,
Lincoln

On Thu, Feb 7, 2019 at 10:42 AM LOVETT, TREVOR J 
<tl2...@att.com<mailto:tl2...@att.com>> wrote:
During the call, one item that came up was how to lessen the likelihood of a 
fraudulent report being submitted as part of the certification/badging process.

One suggestion was to include additional runtime, vnf-specific trace 
information in the report itself making it more difficult to fabricate.  The 
VVP team discussed this, but we feel this would be non-trivial to implement and 
not truly prevent the core issue.  We would not be in favor of pursuing this 
option.

If we feel that we need to protect against fraudulent reports, then we are 
suggesting two alternatives that can be discussed in a future session.


1)      Certification Portal Executes the validations directly using Dovetail:

a.       Since we are only scanning a set of static files, and the validation 
tools will be available in a container for execution, we could simply have the 
portal run the scan upon uploading of the artifacts.  This eliminates a 
fraudulent report submission entirely, and avoids other issues such as ensuring 
the proper versions of the tools are executed externally.

b.      I do understand there may be sensitivity to uploading the proprietary 
artifacts, but there is no need for them to be stored or shared indefinitely.  
They would only need to be retained for the duration of the scan.  After that 
we simply need to retain the checksum of the artifact that was submitted.

c.       If we simply don't think VNF Providers would agree to that, then our 
back-up option is below

2)      Display Artifact Checksum Along with Badge

a.       The VVP tool already computes an MD5 hash of all the file contents and 
stores that in the report

b.      If we retain this information and publish it on the certification site, 
then the ultimate consumer of the artifact can at least verify the artifact 
they receive from the vendor corresponds to the artifact submitted for 
certification.  We should likely do this even in option #1 for the same reason.

c.       This doesn't mean prevent the provider from submitting a fabricated 
report, but it does ensure that it can be challenged and verified 
after-the-fact if needed.

d.      I believe the CSAR similarly has an checksum that can be used for this 
purpose as well.

We can discuss the topic further in one of our upcoming joint calls.

Thanks,
Trevor

From: onap-disc...@lists.onap.org<mailto:onap-disc...@lists.onap.org> 
[mailto:onap-disc...@lists.onap.org<mailto:onap-disc...@lists.onap.org>] On 
Behalf Of Gaoweitao(Victor)
Sent: Sunday, February 03, 2019 2:26 AM
To: 
complia...@lists.lfnetworking.org<mailto:complia...@lists.lfnetworking.org>; 
onap-disc...@lists.onap.org<mailto:onap-disc...@lists.onap.org>; 
opnfv-tech-discuss@lists.opnfv.org<mailto:opnfv-tech-discuss@lists.opnfv.org>
Cc: Kanagaraj Manickam 
<kanagaraj.manic...@huawei.com<mailto:kanagaraj.manic...@huawei.com>>; Lincoln 
Lavoie <lylav...@iol.unh.edu<mailto:lylav...@iol.unh.edu>>
Subject: [onap-discuss] CVC Jonit Meeting (Feb 4th) Agenda

Hi VNFSDK/VVP/Dovetail Developers,

                Here is the initial agenda for Feb 4th Joint 
meeting<https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki.onap.org_display_DW_CVC-2BJoint-2BMeeting-2B02-2D04-2D2019&d=DwMFAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=dIU_U39dl9FoORwHk72kyMcMyxm1s8RqOhr8grdzE2s&m=ZKQoo454X4U_lELjzO_WCevaKAV5R5GeOb-B0URqdcI&s=-YhkEGJSSKD46SqQByjR_bJvnYWC7lsI62elfSWGTQA&e=>,
 feel free to add your topics:


1.       CVC one click deployment

2.       Show marketplace capability and is it possible used for dovetail test 
script execution trigger?

I will be absence due to Chinese new year and Kanagraj from VNFSDK Team is my 
proxy and host the meeting.

The zoom bridge is still available during my absence: 
https://zoom.us/j/346625009<https://urldefense.proofpoint.com/v2/url?u=https-3A__zoom.us_j_346625009&d=DwMFAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=dIU_U39dl9FoORwHk72kyMcMyxm1s8RqOhr8grdzE2s&m=ZKQoo454X4U_lELjzO_WCevaKAV5R5GeOb-B0URqdcI&s=-wmrOsLWyh45frQOsVJCAqGlh2DmMNJu15PMacF17Z0&e=>

The previous meeting minutes is here: 
https://wiki.onap.org/display/DW/Joint+CVC+Meeting<https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki.onap.org_display_DW_Joint-2BCVC-2BMeeting&d=DwMFAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=dIU_U39dl9FoORwHk72kyMcMyxm1s8RqOhr8grdzE2s&m=ZKQoo454X4U_lELjzO_WCevaKAV5R5GeOb-B0URqdcI&s=mkSu7O2_kzmJipm2xlbfaaZGwXViIQJvQt12MmFifJo&e=>


BR
Victor
_._,_._,_
________________________________
Links:

You receive all messages sent to this group.

View/Reply Online 
(#15324)<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.onap.org_g_onap-2Ddiscuss_message_15324&d=DwMFAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=dIU_U39dl9FoORwHk72kyMcMyxm1s8RqOhr8grdzE2s&m=ZKQoo454X4U_lELjzO_WCevaKAV5R5GeOb-B0URqdcI&s=2DIdFBAfxs43n6h4Lw6yH2FGyRmBqimlbz41vQNgGtw&e=>
 | Reply To 
Group<mailto:onap-disc...@lists.onap.org?subject=Re:%20%5Bonap-discuss%5D%20CVC%20Jonit%20Meeting%20%28Feb%204th%29%20Agenda>
 | Reply To 
Sender<mailto:victor....@huawei.com?subject=Private:%20Re:%20%5Bonap-discuss%5D%20CVC%20Jonit%20Meeting%20%28Feb%204th%29%20Agenda>
 | Mute This 
Topic<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.onap.org_mt_29638769_1198157&d=DwMFAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=dIU_U39dl9FoORwHk72kyMcMyxm1s8RqOhr8grdzE2s&m=ZKQoo454X4U_lELjzO_WCevaKAV5R5GeOb-B0URqdcI&s=LeTLkAhNSX8sD_rxDuVs1mIlWHYZESMZPmuIf18ic_A&e=>
 | New 
Topic<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.onap.org_g_onap-2Ddiscuss_post&d=DwMFAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=dIU_U39dl9FoORwHk72kyMcMyxm1s8RqOhr8grdzE2s&m=ZKQoo454X4U_lELjzO_WCevaKAV5R5GeOb-B0URqdcI&s=rxFGHYc7sNu0tzbdyYovrN7Kpnj-T_bZ9Gu0niWSMT8&e=>

Your 
Subscription<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.onap.org_g_onap-2Ddiscuss_editsub_1198157&d=DwMFAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=dIU_U39dl9FoORwHk72kyMcMyxm1s8RqOhr8grdzE2s&m=ZKQoo454X4U_lELjzO_WCevaKAV5R5GeOb-B0URqdcI&s=6n1a-52slPnkgXiGGJySGaZzkxq_t5TrSTw_o9GtvqI&e=>
 | Contact Group Owner<mailto:onap-discuss+ow...@lists.onap.org> | 
Unsubscribe<https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.onap.org_g_onap-2Ddiscuss_unsub&d=DwMFAg&c=LFYZ-o9_HUMeMTSQicvjIg&r=dIU_U39dl9FoORwHk72kyMcMyxm1s8RqOhr8grdzE2s&m=ZKQoo454X4U_lELjzO_WCevaKAV5R5GeOb-B0URqdcI&s=x3ICz0g1PsytMM03urA8OHzkY-WW_yA77jqC4tU5b7Q&e=>
 [trevor.lov...@att.com<mailto:trevor.lov...@att.com>]
_._,_._,_


--
Lincoln Lavoie
Senior Engineer, Broadband Technologies
21 Madbury Rd., Ste. 100, Durham, NH 03824
lylav...@iol.unh.edu<mailto:lylav...@iol.unh.edu>
https://www.iol.unh.edu<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.iol.unh.edu&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=g9LhwjMTPM4AuoWvYyDmqA&m=UdvYRI0iWQVoM8OjcQ2mvJst7GbGwawBimVeis3IEm4&s=v7yOqkd93k2wkmp4FMkKZDTKNEblZrYoEpkpmHCrM5c&e=>
+1-603-674-2755 (m)
[http://homeautomation.lavoieholdings.com/_/rsrc/1390068882701/unh-iol-logo.png]<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.iol.unh.edu_&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=g9LhwjMTPM4AuoWvYyDmqA&m=UdvYRI0iWQVoM8OjcQ2mvJst7GbGwawBimVeis3IEm4&s=M3cJfFEQvxci-Zj1_7zb_oIPoAuzKoUV4mXBTLeOcRc&e=>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#22776): 
https://lists.opnfv.org/g/opnfv-tech-discuss/message/22776
Mute This Topic: https://lists.opnfv.org/mt/29667350/21656
Group Owner: opnfv-tech-discuss+ow...@lists.opnfv.org
Unsubscribe: https://lists.opnfv.org/g/opnfv-tech-discuss/unsub  
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-