Securing the Onion:
5G Cloud Native Infrastructure
©2023 F5

Agenda
• Architecture Transformation to 5G Service Based Architecture (5G SBA)
• 3GPP Releases Update
• Important component in securing 5G SBA
• Service Proxy for Kubernetes (SPK)
• Secure Communication Proxy (SCP)

Service Proxy for Kubernetes (SPK)
3GPP REL 14 TO REL 15 JOURNEY
• Ingress and Egress Requirement to Secure Cloud Native Infrastructure (Kubernetes)
• Kubernetes Networking Weaknesses in Addressing Carrier Grade needs
• Handling Ingress traffic with SPK Ingress
• Handling Egress traffic with SPK Service Mesh

Secure Communication Proxy (SCP)
3GPP REL 15 TO REL 16 JOURNEY
• Intelligently and Securely Simplify 5G Core Operation
• Bridging 4G/5G in Multiple Domains
• 5G SBA Secure Signaling Flow
• Securing Distributed 5G Network Deployment
• 5G Core Security in Onion Model with SCP and SPK

5G: Functional and Architectural Transformation
5G Service-Based Architecture (SBA)
[Figure: 4G Core (Telco Architecture): MME, SGSN, PCRF, HSS, SGW and PGW serving 2G/3G and 4G access toward the data network, linked by S1-MME, S1-U (GTP), S3 (GTP), S4 (GTP), S5/S8, S6a (Diameter) and Gx (Diameter).]
[Figure: 5G Core (IT Architecture): NSSF, NEF, NRF, PCF, UDM, AF, AUSF, AMF and SMF for control and signaling over an HTTP/2 JSON API; UPF (user data and packet gateway) at the edge (CUPS); 5G-AN and non-3GPP access via N3IWF; reference points N1, N2, N3, N4 and N6 toward the data network; edge, regional and central locations.]
5G SBA Technology Principles (derived from IT industry): HTTP/2, Microservices, API centric, Telco cloud, Web protocol, CUPS

3GPP Releases Updates
[Figure: control plane evolution across releases. Release 14: Control User Plane Separation. Release 15: Service Based Architecture. Release 16: Enhanced Service Based Architecture. Release 17: Enabling Edge Application. Underlying layers shown: compute, network and storage; virtualization layer; virtual machines (VNF 1 ... VNF n); containers (CNF 1 ... CNF n).]

Security Threat within 5G Service Based Architecture
... and some additional security points to pay attention to
[Figure: 5G service based architecture and its external touch points. Network functions: AMF (Mobility), AUSF (Authentication), SMF (Sessions), CHF (Charging), NEF (Exposure), AF (Application), UDM (Sub Repo), PCF (Policy), NRF (Repository), NSSF (Slicing), UPF (Data Plane). Service based interfaces: Nnssf, Npcf, Nchf, Namf, Nnrf, Nsmf, Nudm, Nausf, Naf, Nnef. Reference points: N1, N2, N3, N6, N9. 4G counterparts shown in quotes: “HSS”, “PCRF”, “OCS”, “MME”, “PGW-C”, “PGW-U”. External parties: UE, (R)AN access, DN networks, interworking networks, IPX partners, billing environment, apps and APIs.]

SCP + (BSF) + SPK
• Enhanced ingress security with per-service secure proxy
• Scalability of CNFs
• Dynamic network elasticity
• Multi-protocol support
• SBA Security, mTLS
• Routing, LB, Message Prioritisation, Persistence, Session Binding, etc.
• HTTP/2 Protocol Validation

Securing Cloud Native Infrastructure (K8s) with Service Proxy Kubernetes (SPK)
[Figure: control plane, Release 14 (Control User Plane Separation) to Release 15 (Service Based Architecture).]

Securing Cloud Native (Kubernetes) Telco Cloud
Requirement for Telco Cloud Infrastructure
North/South Traffic (Service Proxy)
• Ingress for 5G SBA HTTP/2 traffic
• Automation through Kubernetes control plane
• Support for non-HTTP traffic*
• SCTP, GTP/PFCP for 5G*
• Diameter, GTP, SIP for hybrid 4G/5G deployment*
• Full proxy (ingress + egress) for network-centric deployment*
• Support for multi-vendor environment*
East/West Traffic (Service Mesh)
• Proxying HTTP/2 traffic
• Policy driven through Kubernetes control plane
• Mutual TLS encryption
• Packet capture and legal intercept*
• Analytics and visibility*
• Certificate management*
• Support for multi-vendor environment*
* Additional functions not supported natively in Kubernetes

Kubernetes Networking Weaknesses Addressed
Additional abilities applied to Kubernetes ingress/egress are powerful for telco deployment
Kubernetes provides flexibility, scalability, and efficiency that will be key for service providers
• 5G packet cores
• Edge computing / Edge sites
• Digital transformation
But it is not designed for service providers
Traditionally developed for web and enterprise use:
• Difficulty with telco protocols
• NGAP/SCTP, 5G HTTP/2, Diameter, GTP, SIP, lawful intercept, others
• Limited egress capabilities
• Lack of routing integration with service provider networks
• Lack of security controls
• Lack of visibility and revenue controls
• Difficulty with public cloud providers

F5 Service Proxy for Kubernetes (SPK) for 5G Core
Kubernetes ingress and egress services for telco protocols
[Figure: Service Proxy for Kubernetes (SPK) on the Kubernetes platform, above the virtualisation / containerisation layer, fronting 4G/5G core functions in the telco cloud (cscf, pcrf, upf, ocs, scp) toward users, the Internet and other DNs. SPK functions: multiprotocol ingress, security, visibility, L7 routing. Protocols: HTTP/2, Diameter, SIP, other (annotation: "Like GTP, but also considering adding PFCP"). Typical telco locations: Far Edge (MEC), Near Edge (MEC), Regional PoP, Central PoP.]

F5 SPK is the Modern Telco grade Ingress Proxy
Ingress Proxy & Egress GW
Signaling control
• Routing
• Load balancing
• Rate limiting
Traffic Management
• Load Balance
• Persistence
• Service continuity
Egress GW
• Routing
• Traffic control policy
• Topology (IP) hiding
Protocols: Diameter, SIP, HTTP/2, TCP, SCTP, UDP, NGAP

E.g. Egress Security Control Use Case
No control on container egress
Without a firewall function to regulate egress, the risk of data leak/loss is real
[Figure: CNFs in the Central DC and at the Edge, without SPK.]
SPK secures Telco everywhere
Enables Telco cloud to control network flow and Core CNF topology hiding
[Figure: CNFs in the Central DC and at the Edge, each behind SPK.]
#1 NSM for Telco in a controlled ACL and topology hiding for workloads to interact with NF from another network or another PLMN
#2 Virtual Stop Gap deployed as policy for public cloud or untrusted environment to restrict traffic leaving CNF and Telco application container.

Simplify, Scale and Securing NF communication with Service Communication Proxy (SCP)
[Figure: control plane, Release 15 (Service Based Architecture) to Release 16 (Enhanced Service Based Architecture).]

What’s New in 3GPP Release 16
5G SA Core Control Plane Communications Model Options
3GPP Release 15: With or without NRF Interaction
• Model A, Direct Communication WITHOUT NRF: NF consumers are configured with the producer and perform selection of producer
• Model B, Direct Communication WITH NRF: Every NF consumer interacts with NRF for service discovery and has to support discovery result caching, and selection
3GPP Release 16: SCP for Routing Selection and Load Balancing
• Model C, SCP WITHOUT delegated discovery: SCP aggregates Hypertext Transfer Protocol (HTTP) links, and provides centralized signaling monitoring
• Model D, SCP WITH delegated discovery: In addition to characteristics in Model C, SCP takes over service discovery and selection for NF consumers. Hence, NF consumers need not perform discovery and selection of producer

Service Communication Proxy (SCP)
Helps to build a reliable, robust and secure 5G Standalone Core
[Figure: 5G NFs connected in a full mesh, and 5G NFs connected through the SERVICE COMMUNICATION PROXY (SCP).]
SIMPLIFY
• Move from a full mesh between all Network Functions (NFs) by acting as a hub/proxy for all NF traffic.
SCALE
• Real-Time traffic management and network scalability
• Internetworking Functions to simplify inter-vendor deployments.
SECURE
• Secure Communications with mTLS protection & OAuth2.0 authentication between NFs.
• Restrict unknown connection or abnormal traffic flow

SCP+ Intelligently and Securely Simplify 5G Core Operation
Leading the movement toward using AI/ML mechanisms, F5 SCP+ increases network resiliency
• Intelligent Load Balancing to maximize 5G service availability and minimize 5G service disruption
• Advanced Overload Protection to improve network resiliency
• 5G aware DDoS Protection with deep insights
• 5G aware metrics provide deep insight to address transient events and feed for SBI encrypted traffic visibility
[Figure: SCP+ with data collection between groups of 5G NFs; callouts 1 to 4.]

SCP+ Bridging 4G/5G in Multiple Domains
Support 4G/5G telco protocols to reduce complexity and integration to 4G/5G services
[Figure: SCP+ between 5G NFs and 4G nodes, bridging in both directions between Nxxx request messages (HTTP/2) and Diameter request messages.]

5G SBA Secure Signaling Flow
Mitigate spoofing messages from unknown or abnormal traffic flow
[Figure: NF Consumer set, NRF, SCP (Simplify, Scale, Secure) and NF Producer set. Labels: Request Token, Validate Token, Auth (OAuth 2.0); HTTP Request over mTLS from NF Consumer to SCP and from SCP to NF Producer 1; an HTTP Request from an Unknown Consumer is marked X.]
• TLS connections terminate in SCP
• Decrypts traffic from NF Consumer and encrypts traffic to NF Producers
• Identify unknown or abnormal traffic flow
• Restrict connection from any unknown peer and drop the message
• Consumer interacts with NRF first for Discovery and then for Auth before sending a service request message with authorization token embedded to an SCP.
• SCP verifies the “Subject” in the token against the information present in the Consumer’s TLS certificate* and presents to the producer a valid access token that was issued to the NF service consumer
• SCP supports TLS 1.2/1.3 to securely transport the tokens in 5G Signaling, which makes it easier to terminate security directly in the network function
• NF Producer then will verify the integrity of the access token before granting the NF service consumer access to its services.
• Service Request is passed on to NF Producer after successful verification
• Verify the “Subject” in the token
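
The subject check on this slide, as an added Python example (not from the slides and not F5's SCP code): the proxy drops unknown peers, verifies the token, and forwards only when the token's `sub` matches the NF instance ID in the peer's mTLS certificate. Assumptions: an HS256 key shared with the NRF stands in for the NRF's signing key, the NF instance ID is carried as a `urn:uuid:` URI in subjectAltName, certificates are given in the dict shape of Python's `ssl` `getpeercert()`, and every key, UUID, host name and function name is constructed.

```python
import base64
import hashlib
import hmac
import json

# Everything below is constructed for illustration: key, UUIDs, host names.
NRF_KEY = b"constructed-demo-key"          # assumption: HS256 key shared with the NRF
NOW = 1_700_000_000                        # fixed clock so the example is repeatable
AMF_ID = "11111111-1111-4111-8111-111111111111"
SMF_ID = "22222222-2222-4222-8222-222222222222"
ROGUE_ID = "99999999-9999-4999-8999-999999999999"
KNOWN_PEERS = {AMF_ID, SMF_ID}             # NF instances the SCP expects to see


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


def issue_token(claims: dict, key: bytes = NRF_KEY) -> str:
    """Stand-in for the NRF: return the claims as a compact HS256 JWT."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url(sign(f'{head}.{body}', key))}"


def verify_token(token: str, now: float, key: bytes = NRF_KEY) -> dict:
    """Return the claims, or raise ValueError naming the failed check."""
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64url_decode(head))
        signature = b64url_decode(sig)
    except ValueError as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: never let the token choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    if not hmac.compare_digest(signature, sign(f"{head}.{body}", key)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body))
    if not isinstance(claims, dict):
        raise ValueError("malformed token")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def cert_nf_instance_id(peer_cert: dict):
    """NF instance ID from a urn:uuid: URI in subjectAltName, else None."""
    for kind, value in peer_cert.get("subjectAltName", ()):
        if kind == "URI" and value.lower().startswith("urn:uuid:"):
            return value[len("urn:uuid:"):].lower()
    return None


def scp_admit(token: str, peer_cert: dict, now: float = NOW):
    """SCP-side decision for one request; returns (allowed, reason)."""
    peer_id = cert_nf_instance_id(peer_cert)
    if peer_id not in KNOWN_PEERS:                 # unknown peer: drop
        return False, "unknown peer"
    try:
        claims = verify_token(token, now)
    except ValueError as exc:
        return False, str(exc)
    if str(claims.get("sub", "")).lower() != peer_id:
        return False, "subject mismatch"           # token was issued to another NF
    return True, "forward to producer"


def cert_for(nf_id: str, host: str) -> dict:
    """Constructed certificate in the dict shape of ssl's getpeercert()."""
    return {"subject": ((("commonName", host),),),
            "subjectAltName": (("DNS", host), ("URI", f"urn:uuid:{nf_id}"))}


AMF_CERT = cert_for(AMF_ID, "amf1.example.invalid")
SMF_CERT = cert_for(SMF_ID, "smf1.example.invalid")
ROGUE_CERT = cert_for(ROGUE_ID, "nf.example.invalid")
AMF_CLAIMS = {"iss": "nrf-constructed", "sub": AMF_ID, "aud": "UDM",
              "scope": "nudm-sdm", "exp": NOW + 300}
AMF_TOKEN = issue_token(AMF_CLAIMS)

if __name__ == "__main__":
    cases = {
        "AMF presents its own token": (AMF_TOKEN, AMF_CERT, NOW),
        "SMF presents the AMF's token": (AMF_TOKEN, SMF_CERT, NOW),
        "unknown peer presents the AMF's token": (AMF_TOKEN, ROGUE_CERT, NOW),
        "AMF presents its token after expiry": (AMF_TOKEN, AMF_CERT, NOW + 301),
    }
    for name, args in cases.items():
        print(f"{name}: {scp_admit(*args)}")
```

The second case is the one the certificate binding exists for: a token that is valid in every other respect is refused because the mTLS peer is not the NF it was issued to.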

Securing Distributed 5G Network Deployment
E.g. handling interaction between different network locations or domains
[Figure: Simplify, Scale, Secure between the 5G Edge and the 5G Core.]

5G Core Security with Onion Model with SCP and SPK
Telco Cloud
• All CNF traffic via ingress/egress proxy
• Proxy deployed as separate pod(s) within CNF namespace
• Proxy deployment model same for external, inter-cluster, and intra-cluster
[Figure: onion model of the 5G core across three Kubernetes clusters, each with its own Kubernetes control plane, one namespace per NF with an SPK, and SBI over mTLS. Non-Exposed Services Cluster: NSSF, NRF, PCF, CHF. Secure Services Cluster: UDM, AUSF. Exposed Services Cluster: AMF, NEF, SEPP, SMF, UPF, IPUPS. SCP+ and Intercluster-FW provide intercluster security. Perimeter: SPK ingress/egress with SCTP proxy and TCP proxy, and N6-FW, SIG-FW, API-FW, SECGW and SCTP-FW; API/Management firewalling. External interfaces: N2 (access network, potentially shared RAN), N6, N9, N32, N33, Diameter, Management. Note: CHF info to OCS via NEF or via direct CAPIF link.]

Securing 5G Cloud Native Infrastructure with Service Proxy for Kubernetes (SPK) and Secure Communication Proxy (SCP

 
Data Centre Interconnect (DCI) with X86’s DCI Solution by Raja Akmal, X86 Net...
Data Centre Interconnect (DCI) with X86’s DCI Solution by Raja Akmal, X86 Net...Data Centre Interconnect (DCI) with X86’s DCI Solution by Raja Akmal, X86 Net...
Data Centre Interconnect (DCI) with X86’s DCI Solution by Raja Akmal, X86 Net...
 
Routed Optical Networking by Shahnaz Mohamad, Cisco
Routed Optical Networking by Shahnaz Mohamad, CiscoRouted Optical Networking by Shahnaz Mohamad, Cisco
Routed Optical Networking by Shahnaz Mohamad, Cisco
 
Edge Computing: NTT Offerings in Japan and Use Cases by Katsuhiro Ohki, NTT L...
Edge Computing: NTT Offerings in Japan and Use Cases by Katsuhiro Ohki, NTT L...Edge Computing: NTT Offerings in Japan and Use Cases by Katsuhiro Ohki, NTT L...
Edge Computing: NTT Offerings in Japan and Use Cases by Katsuhiro Ohki, NTT L...
 
Latency Automation Service Enhancement Remedy (LASER) by Ts. Mohd Faizal Bin ...
Latency Automation Service Enhancement Remedy (LASER) by Ts. Mohd Faizal Bin ...Latency Automation Service Enhancement Remedy (LASER) by Ts. Mohd Faizal Bin ...
Latency Automation Service Enhancement Remedy (LASER) by Ts. Mohd Faizal Bin ...
 

Recently uploaded

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 

Recently uploaded (20)

#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 

Securing 5G Cloud Native Infrastructure with Service Proxy for Kubernetes (SPK) and Secure Communication Proxy (SCP)

  • 1. Securing the Onion: 5G Cloud Native Infrastructure
  • 2. ©2023 F5 2 Agenda • Architecture Transformation to 5G Service Based Architecture (5G SBA) • 3GPP Releases Update • Important component in securing 5G SBA • Service Proxy for Kubernetes (SPK) • Secure Communication Proxy (SCP) Service Proxy for Kubernetes (SPK) 3GPP REL 14 TO REL 15 JOURNEY • Ingress and Egress Requirement to Secure Cloud Native Infrastructure (Kubernetes) • Kubernetes Networking Weaknesses in Addressing Carrier Grade needs • Handling Ingress traffic with SPK Ingress • Handling Egress traffic with SPK Service Mesh Secure Communication Proxy (SCP) 3GPP REL 15 TO REL 16 JOURNEY • Intelligently and Securely Simplify 5G Core Operation • Bridging 4G/5G in Multiple Domains • 5G SBA Secure Signaling Flow • Securing Distributed 5G Network Deployment • 5G Core Security in Onion Model with SCP and SPK
  • 3. ©2023 F5 3 5G: Functional and Architectural Transformation 5G Service-Based Architecture (SBA) MME SGSN PCRF HSS SGW PGW 2G/3G 4G Data network S3 (GTP) S6a (Diameter) Gx (Diameter) S1-MME S1-U (GTP) S5/S8 S4 (GTP) 4G Core: Telco Architecture HTTP/2 Microservices API centric Telco cloud Web protocol CUPS 5G SBA Technology Principles (derived from IT industry) Data network HTTP/2 JSON API 5G-AN Non 3GPP Access N 6 N1 N2 N3 N4 N3IWF Control and Signaling Edge (CUPS) UPF User data and packet gateway Regional Central 5G Core: IT Architecture NSSF NEF NRF PCF UDM AF AUSF AMF SMF
  • 4. ©2023 F5 4 3GPP Releases Updates SERVICE BASED ARCHITECTURE RELEASE 15 RELEASE 14 RELEASE 16 Control Plane Control Plane Control Plane ENHANCED SERVICE BASED ARCHITECTURE CONTROL USER PLANE SEPARATION CONTAINERS VIRTUALIZATION LAYER COMPUTE NETWORK STORAGE VIRTUAL MACHINES CNF 1 CNF 2 CNF n VNF 1 VNF 2 VNF n RELEASE 17 Enabling Edge Application CONTAINERS
  • 5. ©2023 F5 5 Security Threat within 5G Service Based Architecture ... and some additional security points to pay attention to (R)AN Access UE Nnssf Npcf Nchf Namf N1 N2 N3 DN networks Networks Interworking Nnrf Nsmf Nudm Nausf Naf Nnef N9 N6 UPF Data Plane AMF Mobility AUSF Authentication SMF Sessions CHF Charging NEF Exposure AF Application UDM Sub Repo PCF Policy NRF Repository NSSF Slicing “HSS” “PCRF” “OCS” “HSS” “MME” “PGW-C” “PGW-U” IPX partners Billing environment Networks Apps and APIs
  • 6. ©2023 F5 6 Security Threat within 5G Service Based Architecture ... and some additional security points to pay attention to (R)AN Access UE Nnssf Npcf Nchf Namf N1 N2 N3 DN networks Networks Interworking Nnrf Nsmf Nudm Nausf Naf Nnef N9 N6 UPF Data Plane AMF Mobility AUSF Authentication SMF Sessions CHF Charging NEF Exposure AF Application UDM Sub Repo PCF Policy NRF Repository NSSF Slicing “HSS” “PCRF” “OCS” “HSS” “MME” “PGW-C” “PGW-U” IPX partners Billing environment Networks Apps and APIs SCP + (BSF) + SPK
  • 7. ©2023 F5 7 Security Threat within 5G Service Based Architecture ... and some additional security points to pay attention to (R)AN Access UE Nnssf Npcf Nchf Namf N1 N2 N3 DN networks Networks Interworking Nnrf Nsmf Nudm Nausf Naf Nnef N9 N6 UPF Data Plane AMF Mobility AUSF Authentication SMF Sessions CHF Charging NEF Exposure AF Application UDM Sub Repo PCF Policy NRF Repository NSSF Slicing “HSS” “PCRF” “OCS” “HSS” “MME” “PGW-C” “PGW-U” IPX partners Billing environment Networks Apps and APIs SCP + (BSF) + SPK • Enhanced ingress security with per-service secure proxy • scalability CNF’s • dynamic network elasticity • Multi-protocol support • SBA Security, mTLS • Routing, LB, Message Prioritisation, Persistence, Session Binding, etc. • HTTP/2 Protocol Validation
  • 8. ©2023 F5 8 Securing Cloud Native Infrastructure (K8s) with Service Proxy Kubernetes (SPK) SERVICE BASED ARCHITECTURE RELEASE 15 RELEASE 14 Control Plane CONTROL USER PLANE SEPARATION
  • 9. ©2023 F5 9 Securing Cloud Native (Kubernetes)Telco Cloud Requirement for Telco Cloud Infrastructure • Ingress for 5G SBA HTTP/2 traffic • Automation through Kubernetes control plane • Support for non-HTTP traffic* • SCTP, GTP/PFCP for 5G* • Diameter, GTP, SIP for hybrid 4G/5G deployment* • Full proxy (ingress + egress) for network-centric deployment* • Support for multi-vendor environment* • Proxying HTTP/2 traffic • Policy driven through Kubernetes control plane • Mutual TLS encryption • Packet capture and legal intercept* • Analytics and visibility* • Certificate management* • Support for multi-vendor environment* * Additional functions not supported natively in Kubernetes East/West Traffic (Service Mesh) North/South Traffic (Service Proxy)
  • 10. ©2023 F5 10 Kubernetes Networking Weaknesses Addressed Additional abilities applied to Kubernetes ingress/egress is powerful for telco deployment Kubernetes provides flexibility, scalability, and efficiency that will be key for service providers • 5G packet cores • Edge computing / Edge sites • Digital transformation But is not designed for service providers Traditionally developed for web and enterprise use: • Difficulty with telco protocols • NGAP/SCTP, 5G HTTP/2, Diameter, GTP, SIP, lawful intercept, others • Limited egress capabilities • Lack of routing integration with service provider networks • Lack of security controls • Lack of visibility and revenue controls • Difficulty with public cloud providers
  • 11. ©2023 F5 11 F5 Service Proxy for Kubernetes (SPK) for 5G Core Kubernetes ingress and egress services for telco protocols User Internet, other DNs Telco Cloud cscf pcrf upf ocs Virtualisation / Containerisation Layer Service Proxy for Kubernetes (SPK) scp Far Edge (MEC) Near Edge (MEC) Regional PoP Central PoP HTTP/2 Diameter SIP Multiprotocol Ingress Security Visibility L7 Routing 4G/5G Core Functions Other Other Kubernetes Platform Typical Telco Locations Kubernetes Platform Like GTP, but also considering adding PFCP
  • 12. ©2023 F5 12 F5 SPK is the Modern Telco grade Ingress Proxy Ingress Proxy & Egress GW Signaling control • Routing • Load balancing • Rate limiting Traffic Management • Load Balance • Persistence • Service continuity Diameter SIP HTTP/2 TCP SCTP UDP Egress GW • Routing • Traffic control policy • Topology(IP) hiding Egress NGAP
  • 13. ©2023 F5 13 E.g. Egress Security Control Use Case No control on container egress Without firewall function to regulate the risk of data leak/loss is real Central DC Edge CNF CNF CNF CNF SPK secures Telco everywhere Enables Telco cloud to control network flow and Core CNF topology hiding Central DC Edge SPK SPK CNF SPK SPK CNF #1 NSM for Telco in a controlled ACL and topology hiding for workloads to interact with NF from another network or another PLMN #2 Virtual Stop Gap deployed as policy for public cloud or untrusted environment to restrict traffic leaving CNF and Telco application container.
  • 14. ©2023 F5 14 Simplify, Scale and Securing NF communication with Service Communication Proxy (SCP) RELEASE 16 Control Plane ENHANCED SERVICE BASED ARCHITECTURE SERVICE BASED ARCHITECTURE RELEASE 15 Control Plane
  • 15. ©2023 F5 15 What’s New in 3GPP Release 16: 5G SA Core Control Plane Communications Model Options
      3GPP Release 15: With or without NRF Interaction
      • Model A, Direct Communication WITHOUT NRF: NF consumers are configured with the producer and perform selection of producer.
      • Model B, Direct Communication WITH NRF: Every NF consumer interacts with NRF for service discovery and has to support discovery result caching, and selection.
      3GPP Release 16: SCP for Routing Selection and Load Balancing
      • Model C, SCP WITHOUT delegated discovery: SCP aggregates Hypertext Transfer Protocol (HTTP) links, and provides centralized signaling monitoring.
      • Model D, SCP WITH delegated discovery: In addition to characteristics in Model C, SCP takes over service discovery and selection for NF consumers. Hence, NF consumers need not perform discovery and selection of producer.
  • 16. ©2023 F5 16 Service Communication Proxy (SCP) Helps to build a reliable, robust and secure 5G Standalone Core 5G NF 5G NF 5G NF 5G NF 5G NF 5G NF 5G NF 5G NF 5G NF 5G NF SIMPLIFY § Move from a full mesh between all Networks Functions (NFs) by acting as a hub/proxy for all NF traffic. SCALE § Real-Time traffic management and network scalability § Internetworking Functions to simplify inter-vendor deployments. SECURE § Secure Communications with mTLS protection & OAuth2.0 authentication between NFs. § Restrict unknown connection or abnormal traffic flow SERVICE COMMUNICATION PROXY (SCP)
  • 17. ©2023 F5 17 SCP+ Intelligently and Securely Simplify 5G Core Operation Leading the movement toward using AI/ML mechanism F5 SCP+ increase network resiliency 1 2 3 4 5G NF 5G NF 5G NF 5G NF 5G NF 5G NF 5G NF 5G NF 5G NF 5G NF Intelligent Load Balancing maximize 5G service availability and minimize 5G service disruption Advanced Overload Protection to improve network resiliency 5G aware DDoS Protection with deep insights 5G aware metrics provide deep insight to address transient events and feed for SBI encrypted traffic visibility CONFIDENTIAL Data Collection SCP+
  • 18. ©2023 F5 18 SCP+ Bridging 4G/5G in Multiple Domains Support 4G/5G telco protocols to reduce complexity and integration to 4G/5G services HTTP/2 Request Message Diameter-Request-Message 5G NF 5G NF 5G NF 5G NF 5G NF SCP+ 5G NF 5G NF 5G NF 5G NF Nxxx-request-message (HTTP/2) 4G Nodes 4G Nodes 4G Nodes Nxxx-message (HTTP/2) Diameter-Request-Message ß---------> Diameter Message 4G Nodes 4G Nodes
  • 19. ©2023 F5 19 5G SBA Secure Signaling Flow: Mitigate spoofing messages from unknown or abnormal traffic flow
      [Diagram: NF Consumer set, SCP, NF Producer set and NRF. Both SCP legs carry mTLS and OAuth 2.0. Labels: Request Token, Validate Token, Auth, HTTP Request, Verify the “Subject” in the token. An HTTP request from an Unknown Consumer is dropped (X).]
      SCP connection handling:
      • TLS connections terminate in SCP
      • Decrypts traffic from NF Consumer and encrypts traffic to NF Producers
      • Identify unknown or abnormal traffic flow
      • Restrict connection from any unknown peer and drop the message
      Signaling flow:
      • Consumer interacts with NRF first for Discovery and then for Auth before sending a service request message with authorization token embedded to an SCP.
      • SCP verifies the “Subject” in the token against the information present in the Consumer’s TLS certificate* and presents to the producer a valid access token that was issued to the NF service consumer.
      • SCP supports TLS 1.2/1.3 to securely transport the tokens in 5G Signaling, which makes it easier to terminate security directly in the network function.
      • Service Request is passed on to NF Producer after successful verification.
      • NF Producer then will verify the integrity of the access token before granting the NF service consumer access to its services.
  • 20. ©2023 F5 20 Securing Distributed 5G Network Deployment e.g. handling interaction between different network locations or domain SIMPLIFY SCALE SECURE 5G Edge 5G Core
  • 21. ©2023 F5 21 5G Core Security with Onion Model with SCP and SPK Telco Cloud • All CNF traffic via ingress/egress proxy • Proxy deployed as separate pod(s) within CNF namespace • Proxy deployment model same for external, inter- cluster, and intra-cluster SCP+ SCP+ Management Access network N2 Ingress/Egress Non- Exposed Services Cluster SBI mTLS namespace NSSF SPK namespace NRF SPK namespace PCF SPK namespace CHF SPK Kubernetes control plane Secure Services Cluster SBI mTLS namespace UDM SPK namespace AUSF SPK Kubernetes control plane Exposed Services Cluster namespace AMF SPK Kubernetes control plane SBI namespace NEF SPK mTLS namespace SEPP SPK namespace SMF SPK namespace UPF SPK namespace IPUPS SPK N9 N32 N6 Diameter N33 CHF info to OCS via NEF or via direct CAPIF link Potentially shared RAN Intercluster security Intercluster security SCTP proxy TCP proxy SCP+ Intercluster-FW Intercluster-FW SPK API/Management Firewalling N6-FW SIG-FW API-FW SECGW SCTP-FW SPK
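
The check described on slide 19, where the SCP compares the token "Subject" with the consumer's TLS certificate, sketched as an added example (not F5's code and not part of the deck). Assumptions: the certificate carries the NF instance ID as a `urn:uuid:` URI in subjectAltName, the token is a JWT signed with HS256 and a constructed demo key standing in for the NRF's asymmetric signature, and all IDs, hostnames and function names are constructed.

```python
import base64, hashlib, hmac, json

NRF_DEMO_KEY = b"constructed-demo-key"  # constructed; a real NRF signs asymmetrically

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, key: bytes = NRF_DEMO_KEY) -> str:
    """Stand-in for the NRF: build a compact HS256 JWT over the claims."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def cert_nf_instance_ids(peer_cert: dict) -> set:
    """NF instance IDs found as urn:uuid: SAN URIs in an ssl.getpeercert() dict."""
    ids = set()
    for kind, value in peer_cert.get("subjectAltName", ()):
        if kind == "URI" and value.lower().startswith("urn:uuid:"):
            ids.add(value[len("urn:uuid:"):].lower())
    return ids

def scp_admit(token: str, peer_cert: dict, now: int, key: bytes = NRF_DEMO_KEY):
    """Decide one service request at the SCP; returns (forward?, reason)."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64d(head_b64))
        sig = b64d(sig_b64)
    except (ValueError, TypeError):
        return False, "malformed-token"
    # Pin the algorithm before touching the signature, so "alg": "none" is rejected.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "bad-alg"
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad-signature"
    claims = json.loads(b64d(body_b64))
    if claims.get("exp", 0) <= now:
        return False, "expired"
    # The binding step: the token subject must be the peer that completed mTLS.
    sub = str(claims.get("sub", "")).lower()
    if not sub or sub not in cert_nf_instance_ids(peer_cert):
        return False, "subject-mismatch"
    return True, "forward"

# Constructed sample data: one legitimate consumer and one other mTLS peer.
AMF_ID = "11111111-2222-4333-8444-555555555555"
AMF_CERT = {"subjectAltName": (("DNS", "amf1.5gc.example"),
                               ("URI", "urn:uuid:" + AMF_ID))}
OTHER_CERT = {"subjectAltName": (("DNS", "nf9.5gc.example"),
                                 ("URI", "urn:uuid:aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"))}

def demo() -> dict:
    token = issue_token({"iss": "nrf.5gc.example", "sub": AMF_ID,
                         "aud": "UDM", "scope": "nudm-sdm", "exp": 2000})
    return {
        "owner presents token": scp_admit(token, AMF_CERT, now=1000),
        "other peer replays token": scp_admit(token, OTHER_CERT, now=1000),
        "owner after expiry": scp_admit(token, AMF_CERT, now=3000),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The second case is the one the slide is about: a token that is valid in itself is still dropped when it arrives over a TLS session belonging to a different NF.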