14:04:58 <LukeHinds> #startmeeting Security Group 03/06/15
14:04:58 <collabot> Meeting started Wed Jun 10 14:04:58 2015 UTC.  The chair is LukeHinds. Information about MeetBot at http://wiki.debian.org/MeetBot.
14:04:58 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:04:58 <collabot> The meeting name has been set to 'security_group_03_06_15'
14:05:24 <LukeHinds> #topic last weeks minutes
14:06:10 <LukeHinds> The minutes are on the wiki as usual, I need to format them better.
14:06:13 <LukeHinds> #link https://wiki.opnfv.org/meetings/security/03062015
14:06:23 <LukeHinds> #topic agenda bashing
14:06:40 <LukeHinds> #link https://etherpad.opnfv.org/p/opnfv-sec-meetings
14:07:10 <LukeHinds> The plan was to talk with ODL, but they might not be able to make it
14:07:21 <LukeHinds> Inspector work items if juan/ari are there yet.
14:07:27 <LukeHinds> ETSI work mapping
14:07:42 <LukeHinds> and also a new hypervisor project is starting which I think might be of interest to us.
14:08:07 <LukeHinds> #info if anyone wants to add to the agenda, please do go ahead....
14:08:19 <jaosorior> Nothing to add from this side
14:08:53 <LukeHinds> #topic Inspector / ODL Discussion
14:09:19 <LukeHinds> So I guess this could be mainly work items.
14:10:14 <jaosorior> anybody from ODL around?
14:10:17 <LukeHinds> juan...over to you.
14:10:26 <LukeHinds> no one :(
14:10:39 <jaosorior> let's postpone this topic until we get some ODL people
14:11:51 <LukeHinds> how about work items ?
14:12:06 <rex_lee> what about onos, someone will introduce it into opnfv
14:13:23 <jaosorior> LukeHinds: Well, we first want to make sure we have clarity regarding the plans for auditability in ODL
14:13:34 <jaosorior> so some preliminary discussion is needed before having work items
14:13:50 <jaosorior> I wouldn't like to get into the situation where we have some vision of how things should work, and in the end they had another vision
14:14:18 <jaosorior> so first getting some common ground and offering a forum for discussion and brain-storming is necessary, IMO
14:15:08 <jaosorior> LukeHinds: Does that make sense?
14:15:28 <LukeHinds> sure, that makes sense
14:16:09 <rex_lee> agree, but what is next
14:16:33 <jaosorior> rex_lee: you mean, regarding ODL?
14:17:13 <jaosorior> rex_lee: If you're talking about inspector. We can pass on to that topic now
14:17:23 <jaosorior> #topic Inspector work items
14:17:39 <LukeHinds> thanks
14:18:04 <jaosorior> uhm... LukeHinds, I think you gotta do the topic change. Didn't really work when I did it
14:18:16 <rex_lee> I am not good at ODL, I am on inspector
14:18:17 <LukeHinds> #topic Inspector work items
14:18:26 <jaosorior> excellent
14:18:30 <jaosorior> Now, regarding inspector
14:19:02 <jaosorior> I asked...since the project was approved by the TSC, for a repo and a bug-tracker. But this wasn't delivered to us yet. Sending a bunch of mails I finally got a reply and we should be getting those today at some point
14:19:31 <jaosorior> (The Linux Foundation guys are on an american timezone so I guess in some hours we will get it)
14:20:02 <jaosorior> Now, after getting a repo, an action point for myself is to set the structure for the repo, for us to start writing the documentation there
14:20:26 <rex_lee> good start
14:20:41 <aripie> #link https://etherpad.opnfv.org/p/inspector_preliminary
14:20:44 <jaosorior> Once we have that, we can finally start collaborating solidly.
14:21:10 <aripie> feel free to add prel tasks onto the list
14:21:34 <jaosorior> rex_lee: You asked about ONOS. What's the status of it at the moment in OPNFV? Has it been approved?
14:21:57 <rex_lee> onosfw project is on
14:22:00 <LukeHinds> #action all encouraged to add to prel tasks list #link Inspector / ODL Discussion
14:22:06 <LukeHinds> #undo
14:22:06 <collabot> Removing item from minutes: <MeetBot.ircmeeting.items.Action object at 0x1d60110>
14:22:16 <LukeHinds> #action all encouraged to add to prel tasks list #link https://etherpad.opnfv.org/p/inspector_preliminary
14:23:17 <LukeHinds> we are using ONOS in opnfv?
14:23:56 <jaosorior> If it's been approved, then we should invite them to the next OPNFV security group meeting so we start aligning on the view for auditing. And whether we should introduce audit capabilities to ONOS ourselves, or provide guidelines on what's expected for that
14:24:09 <rex_lee> no, maybe in B-release
14:24:47 <jaosorior> But, before starting to assign tasks. I would like to know more about the people that will be able to contribute to inspector
14:24:50 <LukeHinds> #link https://wiki.opnfv.org/onosfw
14:24:54 <jaosorior> rex_lee: What's your area of expertise?
14:26:53 <rex_lee> i used to be a 3G RAN dev. i am familiar with 3G protocol
14:27:26 <rex_lee> for i use phone. a little slow
14:28:39 <jaosorior> Are you planning to do hands-on work on some of the modules in OPNFV or mostly requirements specification work?
14:28:47 <rex_lee> and i did dev a BAM system for monitoring and configure RAN system
14:29:44 <rex_lee> requirement
14:30:05 <jaosorior> Alright, cool
14:30:22 <rex_lee> what is the meaning of modules
14:31:08 <rex_lee> do you think the community will produce code?
14:31:15 <jaosorior> uhm... I might need to rephrase. I actually meant components in OPNFV... the definition gets quite blurry. But the components would be OpenStack, ODL, ONOS (Once it's taken into use), Moon (once it's taken into use)
14:32:14 <jaosorior> rex_lee: yes. So besides the requirements work, if there's a need to do some hands-on work, then we will actually code the functionality that's needed
14:32:47 <rex_lee> in the upstream?
14:32:52 <jaosorior> rex_lee: yeah
14:33:15 <jaosorior> rex_lee: Inspector shouldn't have any code. All should go upstream
14:33:40 <rex_lee> ok, if needed, i can pick up one module
14:33:43 <jaosorior> rex_lee: So in inspector we should find gaps, we should get requirements, and that should go upstream
14:33:50 <jaosorior> rex_lee: That would be great!
14:35:19 <jaosorior> But anyway, at the moment the immediate action points go for myself into getting a repo together, which will hopefully be provided by the Linux Foundation today
14:35:53 <LukeHinds> #info rex_lee (luigi) interested in taking on one module
14:36:02 <aripie> LukeHinds: as regards ETSI NFV req's, we need to understand what their view is to the (minimum) data required for showing audit compliance
14:36:44 <LukeHinds> understand, was hoping kapil / ashutosh would join as they have insight into etsi nfv.
14:37:08 <LukeHinds> I can link to the materials for all in the minutes
14:37:31 <jaosorior> Uhm... I'm noticing it's a bit hard to get them to come to the meetings, maybe it would be better if we just ping them by mail or something of the sort with more concrete questions
14:37:34 <LukeHinds> most of it's around topology, but they are starting to look at monitoring now.
14:37:55 <LukeHinds> agree juan, we should push more over email.
14:38:23 <LukeHinds> I will drop them an email
14:38:33 <aripie> I can take an action to formulate what we want to know from ETSI
14:39:15 <rex_lee> who is aripie
14:39:16 <LukeHinds> we have a wiki page already up, or you're free to create your own if you like.
14:39:27 <LukeHinds> also use another tool if you prefer.
14:39:37 <jaosorior> rex_lee: aripie is Ari Pietikainen, he's also a contributor to Inspector
14:39:55 <LukeHinds> #action aripie to start formulating etsi items related to inspector.
14:39:58 <rex_lee> thx
14:39:58 <jaosorior> ...prooobably an introduction would have been appropriate
14:40:27 <LukeHinds> #action Luke to email Kapil / Ashutosh and instruct them on actions.
14:40:43 <rex_lee> ok we have a private talk
14:41:46 <jaosorior> Now, we also need to take into account testing for auditability
14:41:59 <jaosorior> We should start preparing for a proposition regarding this
14:42:36 <jaosorior> Should we push test suites for the individual projects or should we start getting engaged in either Pharos or Yardstick and introduce the auditability tests there
14:43:37 <jaosorior> So basically we need physical proof (in the form of tests) that the infra is outputting the necessary information in terms of auditability
14:44:35 <LukeHinds> do we need a test environment, or do we plan to use local dev env?
14:44:53 <rex_lee> can you make sure Yardstick supports the test
14:45:05 <jaosorior> Well, we do have the OPNFV environment to our availability
14:45:32 <rex_lee> if so, i prefer to use the existing one
14:45:39 <jaosorior> This is gonna get pretty interesting. Let's take OpenStack as an example: there is audit record generation and taxonomies for several components already... But this is not tested, and there is no means currently to test this
14:46:32 <rex_lee> for we don't worry the test env availability
14:46:44 <jaosorior> So we need to figure out if we introduce tests that assert these capabilities in Tempest, or should we resort to another framework where we should write the tests (such as YardStick or something else). And of course, as rex_lee mentions, we need to make sure that the framework is appropriate
14:49:10 <jaosorior> rex_lee: Would be nice, but it seems in some cases there are no existing tests, nor test suites for us to verify the audit capabilities in components
14:50:03 <rex_lee> i mean use yardstick if it supports
14:50:53 <jaosorior> rex_lee: that's a possibility. I think we should start looking into YardStick and its scope, and see if it's appropriate for us to introduce an audit test suite there or not
14:51:43 <LukeHinds> yet to be approved as well (yardstick), not that it should stop us investigating.
14:51:49 <rex_lee> good. that is introduced by your company
14:52:32 <LukeHinds> sorry, I was wrong there 'Incubation'
14:53:13 <rex_lee> what is wrong. haha
14:53:30 <LukeHinds> "yet to be approved as well (yardstick), not that it should stop us investigating."
14:53:34 <jaosorior> So, am I right then that aripie and LukeHinds will work on checking the audit-related scope in ETSI?
14:54:11 <LukeHinds> aripie will drive and I will support (and try and get kapil / ashutosh involved as well)
14:54:21 <aripie> yes that is fine
14:54:25 <jaosorior> excellent
14:54:44 <LukeHinds> #action aripie will drive and I (luke) will support (and try and get kapil / ashutosh involved as well)
14:54:52 <LukeHinds> ok, we have five mins left.
14:55:00 <jaosorior> rex_lee: Do you have any involvement in ETSI?
14:55:11 <LukeHinds> we can keep going of course, but I wanted to get something else on the radar quickly
14:55:19 <jaosorior> sure
14:55:23 <rex_lee> no
14:55:27 <LukeHinds> #topic Hypervisor Project
14:55:31 <LukeHinds> #link https://wiki.opnfv.org/nfv_hypervisors-kvm?s[]=hypervisor
14:55:43 <LukeHinds> I recommend all have a ready
14:55:47 <LukeHinds> *read
14:56:07 <rex_lee> i have read
14:56:28 <rex_lee> what suggestion
14:56:33 <LukeHinds> if this goes ahead, there is a lot of security around isolation, kvm / qemu hardening.
14:57:10 <LukeHinds> We have all seen what happens when QEMU is compiled with all drivers included (venom vulnerability).
14:57:23 <LukeHinds> I will try and attend the meeting to see what plans they have security wise.
14:57:26 <jaosorior> rex_lee: Can you look into ONOS and OpenMANO to see if they have any specific requirements or even audit capabilities already there?
14:57:44 <jaosorior> LukeHinds: When is the Hypervisor meeting?
14:58:12 <LukeHinds> not on the wiki, I will drop intel guy an email
14:58:28 <rex_lee> i will try
14:58:37 <LukeHinds> also of interest is inspector audit events? (or is that too low level?)
14:59:04 <LukeHinds> i.e. anything kvm wise we should get from nova, not the kernel
14:59:05 <jaosorior> LukeHinds: Well, that would be more up to Nova
14:59:13 <LukeHinds> ^ :-]
14:59:32 <LukeHinds> as i thought
15:00:06 <rex_lee> so why openmano?
15:00:08 <LukeHinds> ok, we are on the hour..I will close meetbot, but guys, this channel is open 24/7 so we can talk topics here whenever we like
15:00:18 <LukeHinds> please do continue...
15:00:21 <jaosorior> rex_lee: I thought it was going to be included in OPNFV
15:00:37 <jaosorior> if it isn't going to be included, then never mind
15:00:40 <LukeHinds> #endmeeting