14:04:58 <LukeHinds> #startmeeting Security Group 03/06/15 14:04:58 <collabot> Meeting started Wed Jun 10 14:04:58 2015 UTC. The chair is LukeHinds. Information about MeetBot at http://wiki.debian.org/MeetBot. 14:04:58 <collabot> Useful Commands: #action #agreed #help #info #idea #link #topic. 14:04:58 <collabot> The meeting name has been set to 'security_group_03_06_15' 14:05:24 <LukeHinds> #topic last weeks minutes 14:06:10 <LukeHinds> The minutes are on the wiki as usual, I need to format them better. 14:06:13 <LukeHinds> #link https://wiki.opnfv.org/meetings/security/03062015 14:06:23 <LukeHinds> #topic agenda bashing 14:06:40 <LukeHinds> #link https://etherpad.opnfv.org/p/opnfv-sec-meetings 14:07:10 <LukeHinds> The plan was to talk with ODL, but they might not be able to make it 14:07:21 <LukeHinds> Inspector work items if juan/ari are there yet. 14:07:27 <LukeHinds> ETSI work mapping 14:07:42 <LukeHinds> and also a new hypervisor project is starting which I think might be of interest to us. 14:08:07 <LukeHinds> #info if anyone wants to add to the agenda, please do go ahead.... 14:08:19 <jaosorior> Nothing to add from this side 14:08:53 <LukeHinds> #topic Inspector / ODL Discussion 14:09:19 <LukeHinds> So I guess this could be mainly work items. 14:10:14 <jaosorior> anybody from ODL around? 14:10:17 <LukeHinds> juan...over to you. 14:10:26 <LukeHinds> no one :( 14:10:39 <jaosorior> lets pospone this topic until we get some ODL people 14:11:51 <LukeHinds> how about work items ? 14:12:06 <rex_lee> what about onos,someone will introduce it into opnfv 14:13:23 <jaosorior> LukeHinds: Well, we first want to make sure we have clarity regarding the plans for auditability in ODL 14:13:34 <jaosorior> so some preliminary dicussion is needed before having work items 14:13:50 <jaosorior> I wouldn't like to get into the situation where we have some vision of how things should work, and in the end they had another vision 14:14:18 <jaosorior> so first getting some common ground and offering a forum for discussion and brain-storming is necessary, IMO 14:15:08 <jaosorior> LukeHinds: Does that make sense? 14:15:28 <LukeHinds> sure, that makes sense 14:16:09 <rex_lee> agree, but what is next 14:16:33 <jaosorior> rex_lee: you mean, regarding ODL? 14:17:13 <jaosorior> rex_lee: If you're talking about inspector. We can pass on to that topic now 14:17:23 <jaosorior> #topic Inspector work items 14:17:39 <LukeHinds> thanks 14:18:04 <jaosorior> uhm... LukeHinds, I think you gotta do the topic change. Didn't really work when I did it 14:18:16 <rex_lee> iam not good at ODL, iam on inspector 14:18:17 <LukeHinds> #topic Inspector work items 14:18:26 <jaosorior> excellent 14:18:30 <jaosorior> Now, regarding inspector 14:19:02 <jaosorior> I asked...since the project was approved by the TSC, for a repo and a bug-tracker. But this wasn't delivered to us yet. Sending a bunch of mails I finally got a reply and we should be getting those today at some point 14:19:31 <jaosorior> (The Linux Foundation guys are on an american timezone so I guess in some hours we will get it) 14:20:02 <jaosorior> Now, after getting a repo, an action point for myself is to set the structure for the repo, for us to start writing the documentation there 14:20:26 <rex_lee> good start 14:20:41 <aripie> #link https://etherpad.opnfv.org/p/inspector_preliminary 14:20:44 <jaosorior> Once we have that, we can finally start collaborating solidly. 14:21:10 <aripie> feel free to add prel tasks onto the list 14:21:34 <jaosorior> rex_lee: You asked about ONOS. What's the status of it at the moment in OPNFV? Has it been approved? 14:21:57 <rex_lee> onosfw project is on 14:22:00 <LukeHinds> #action all encouraged to add to prel tasks list #link Inspector / ODL Discussion 14:22:06 <LukeHinds> #undo 14:22:06 <collabot> Removing item from minutes: <MeetBot.ircmeeting.items.Action object at 0x1d60110> 14:22:16 <LukeHinds> #action all encouraged to add to prel tasks list #link https://etherpad.opnfv.org/p/inspector_preliminary 14:23:17 <LukeHinds> we are using ONOS in opnfv? 14:23:56 <jaosorior> If it's been approved, then we should invite them to the next OPNFV security group meeting so we start aligning on the view for auditing. And whether we should introduce audit capabilities to ONOS ourselves, or provide guidelines on what's expected for that 14:24:09 <rex_lee> no, maybe in B-release 14:24:47 <jaosorior> But, before starting to assign tasks. I would like to know more about the people that will be able to contribute to inspector 14:24:50 <LukeHinds> #link https://wiki.opnfv.org/onosfw 14:24:54 <jaosorior> rex_lee: What's your area of expertice? 14:26:53 <rex_lee> i used to be a 3G Ran dev.i am familiar with 3G protocol 14:27:26 <rex_lee> for i use phone.a little slow 14:28:39 <jaosorior> Are you planning to do hands-on work on some of the modules in OPNFV or mostly requirements specification work? 14:28:47 <rex_lee> and i did dev a BAM system for monitoring and configure RAN system 14:29:44 <rex_lee> requirement 14:30:05 <jaosorior> Alright, cool 14:30:22 <rex_lee> what is the meaninf of modules 14:31:08 <rex_lee> do you think the community will produce code? 14:31:15 <jaosorior> uhm... I might need to rephrase. I actually meant components in OPNFV... the definition gets quite blurry. But the components would be OpenStack, ODL, ONOS (Once it's taken into use), Moon (once it's taken into use) 14:32:14 <jaosorior> rex_lee: yes. So besides the requirements work, if there's a need to do some hands-on work, then we will actually code the functionality that's needed 14:32:47 <rex_lee> in the upstream? 14:32:52 <jaosorior> rex_lee: yeah 14:33:15 <jaosorior> rex_lee: Inspector shouldn't have any code. All should go upstream 14:33:40 <rex_lee> ok, if needed' i can pick up one moduel 14:33:43 <jaosorior> rex_lee: So in inspector we should find gaps, we should get requirements, and that should go upstream 14:33:50 <jaosorior> rex_lee: That would be great! 14:35:19 <jaosorior> But anyway, at the moment the immediate action points go for myself into getting a repo together, which will hopefully be provided by the Linux Foundation today 14:35:53 <LukeHinds> #info rex_lee (luigi) interested in taking on one module 14:36:02 <aripie> LukeHinds: as regards ETSI NFV req's, we need to understand what tjheir view is to the (minimum) data required for showing audit compliance 14:36:44 <LukeHinds> understand, was hoping kapil / ashutosh would join as they have insight into etsi nfv. 14:37:08 <LukeHinds> I can link to the materials for all in the minutes 14:37:31 <jaosorior> Uhm... I'm noticing it's a bit hard to get them to come to the meetings, maybe it would be better if we just ping them by mail or something of the sort with more concrete questions 14:37:34 <LukeHinds> most of its around topology, but they are starting to look at monitoring now. 14:37:55 <LukeHinds> agree juan, we should push more over email/ 14:38:23 <LukeHinds> I will drop them an email 14:38:33 <aripie> I can take an action to formulate what we want to know from ETSI 14:39:15 <rex_lee> who is aripie 14:39:16 <LukeHinds> we have a wiki page already up, or your free to create your own if you like. 14:39:27 <LukeHinds> also use another tool if you prefer. 14:39:37 <jaosorior> rex_lee: aripie is Ari Pietikainen, he's also a contributor to Inspector 14:39:55 <LukeHinds> #action aripie to start formulating etsi items related to inspector. 14:39:58 <rex_lee> thx 14:39:58 <jaosorior> ...prooobably an introduction would have been appropriate 14:40:27 <LukeHinds> #action Luke to email Kapil / Ashutosh and instruct them on actions. 14:40:43 <rex_lee> ok we have a private talk 14:41:46 <jaosorior> Now, we also need to take into account testing for auditability 14:41:59 <jaosorior> We should start preparing for a proposition regarding this 14:42:36 <jaosorior> Should we push test suites for the individual projects or should we start getting engaged in either Pharos or Yardstick and introduce the auditability tests there 14:43:37 <jaosorior> So basically we need physical proof (in the form of tests) that the infra is outputting the necessary information in terms of auditability 14:44:35 <LukeHinds> do we need a test enviroment, or do we plan to use local dev env? 14:44:53 <rex_lee> can you make sure Yardstick support the test 14:45:05 <jaosorior> Well, we do have the OPNFV environment to our availability 14:45:32 <rex_lee> if so .i prefer use the existed 14:45:39 <jaosorior> This is gonna get pretty interesting. Lets take OpenStack as an example: there is audit record generation and taxonomies for several components already... But this is not tested, and there is no means currently to test this 14:46:32 <rex_lee> for we dont worry the test env availability 14:46:44 <jaosorior> So we need to figure out if we introduce test that assert this capabilities in Tempest, or should we resort to another framework where we should write the tests (such as YardStick or something else). And of course, as rex_lee mentiones, we need to make sure that the framework is appropriate 14:49:10 <jaosorior> rex_lee: Would be nice, but it seems in some cases there are no existing tests, nor test suites for us to verify the audit capabilities in components 14:50:03 <rex_lee> i mean use yardstick if it support 14:50:53 <jaosorior> rex_lee: that's a possibility. I think we should start looking into YardStick and it's scope, and see if it's appropriate for us to introduce an audit test suit there or not 14:51:43 <LukeHinds> yet to be approved as well (yardstick), not that it should stop us investigating. 14:51:49 <rex_lee> good . that is introduced by your company 14:52:32 <LukeHinds> sorry, I was wrong there 'Incubation' 14:53:13 <rex_lee> what is wrong.haha 14:53:30 <LukeHinds> "yet to be approved as well (yardstick), not that it should stop us investigating." 14:53:34 <jaosorior> So, am I right then that aripie and LukeHinds will work on checking the audit-related scope in ETSI? 14:54:11 <LukeHinds> aripie will drive and I will support (and try and get kapil / ashutosh involved as well) 14:54:21 <aripie> yes that is fine 14:54:25 <jaosorior> excellent 14:54:44 <LukeHinds> #action aripie will drive and I (luke) will support (and try and get kapil / ashutosh involved as well) 14:54:52 <LukeHinds> ok, we have five mins left. 14:55:00 <jaosorior> rex_lee: Do you have any involvement in ETSI? 14:55:11 <LukeHinds> we can keep going of course, but I wanted to get something else on the radar quickly 14:55:19 <jaosorior> sure 14:55:23 <rex_lee> no 14:55:27 <LukeHinds> #topic Hypervisor Project 14:55:31 <LukeHinds> #link https://wiki.opnfv.org/nfv_hypervisors-kvm?s[]=hypervisor 14:55:43 <LukeHinds> I recommend all have a ready 14:55:47 <LukeHinds> *read 14:56:07 <rex_lee> i have read 14:56:28 <rex_lee> what suggestion 14:56:33 <LukeHinds> if this goes ahead, there is a lot of security around isolation, kvm / qemu hardening. 14:57:10 <LukeHinds> We have all seen what happens when QEMU is compiled with all drivers included (venom vulnerability). 14:57:23 <LukeHinds> I will try and attend the meeting to see what plans they have security wise. 14:57:26 <jaosorior> rex_lee: Can you look into ONOS and OpenMANO to see if they have any specific requirements or even audit capabilities already there? 14:57:44 <jaosorior> LukeHinds: When is the Hypervisor meeting? 14:58:12 <LukeHinds> not on the wiki, I will drop intel guy an email 14:58:28 <rex_lee> i will try 14:58:37 <LukeHinds> also of interest is inspector audit events? (or is that too low level?) 14:59:04 <LukeHinds> i.e. anything kvm wise we should get from nova, not the kernel 14:59:05 <jaosorior> LukeHinds: Well, that would be more up to Nova 14:59:13 <LukeHinds> ^ :-] 14:59:32 <LukeHinds> as i thought 15:00:06 <rex_lee> so why openmano? 15:00:08 <LukeHinds> ok, we are on the hour..I will close meetbot, but guys, this channel is open 24/7 so we can talk topics here whenever we like 15:00:18 <LukeHinds> please do continue... 15:00:21 <jaosorior> rex_lee: I thought it was going to be included in OPNFV 15:00:37 <jaosorior> if it isn't going to be included, then nevermind 15:00:40 <LukeHinds> #endmeeting