Kata and arm, a secure alternative in the 5 g space

1 © 2021 Arm Limited
Kata and Arm
A secure alternative
in the 5G space
Kiel Friedt
Principal Solutions Engineer, Arm
September 2021

Agenda
•5G Technology and Initiatives
– 5G Acronyms, O-RAN
– Arm in 5G
– RICs and performance requirements
– Addressing security concerns
•Experience Using Cloud Native Technology
– Deploying RICs with Kata containers
– Orchestration and lifecycle
•Conclusion and Remarks
•Q&A
Kiel Friedt
Principal Solutions Engineer, Arm
Focused on 5G and Networking using Arm
technology

5G Technology
and Initiatives

Acronyms
• RAN: Radio Access Network
• RIC: RAN Intelligent Controller
• Near RT (RealTime) RIC: a logical function that enables near-real-time
control and optimization of O-RAN elements and resources via fine-grained
data collection and actions over E2 interface.
• non-RT RIC: a logical function that enables non-real-time control and
optimization of RAN elements and resources, AI/ML workflow including
model training and updates, and policy-based guidance of
applications/features in near-RT RIC.
• O-CU: O-RAN Central Unit: a logical node hosting RRC, SDAP and PDCP
protocols
• O-DU: O-RAN Distributed Unit: a logical node hosting RLC/MAC/High-PHY
layers based on a lower layer functional split.
• O-RU: O-RAN Radio Unit: a logical node hosting Low-PHY layer and RF
processing based on a lower layer functional split. This is similar to 3GPP’s
“TRP” or “RRH” but more specific in including the Low-PHY layer (FFT/iFFT,
PRACH extraction).
• O-CU-CP: O-RAN Central Unit – Control Plane: a logical node hosting the RRC
and the control plane part of the PDCP protocol
• O-CU-UP: O-RAN Central Unit – User Plane: a logical node hosting the user
plane part of the PDCP protocol and the SDAP protocol
• multi-RAT: Device that connects to multiple cell networks ie. 4G & 5G
• O1: Interface between management entities in Service Management and
Orchestration Framework and O-RAN managed elements, for operation and
management, by which FCAPS management, Software management, File
management shall be achieved.
• O1*: Interface between Service Management and Orchestration Framework
and Infrastructure Management Framework supporting O-RAN virtual network
functions.
• xAPP: Independent software plug-in to the Near-RT RIC platform to provide
functional extensibility to the RAN by third parties.
• gNB: the logical 5G radio node, “g” stands for next generation “NB”for NodeB
• eNB/ng-eNB : the logical 4G radio node connected to a 5G network
• A1: Interface is to enable Non-RT RIC function to provide policy-based
guidance, AI/ML model management, and enrichment information to the
near-RT RIC for RAN optimization.
• E1: Interface facilitates the inter-connection of a gNB-CU-CP and a gNB-CU-UP
supplied by different manufacturers
• E2: interface is to allow the RIC to communicate with a RAN to provide
guidance, optimization and value added services.
• X2: interface supports the exchange of signalling information between two
eNBs
• NMS: A Network Management System
• MNO: Mobile network operators

A little history
• In 2G and 3G, the mobile architectures used a controller that was responsible for RAN
orchestration and management.
• 4G, the X2 interface caused vendor lock-in as every RAN vendor had either own version
of X2.
• Mobile network operators now focused on one RAN vendor instead of deploying many
different vendors in one location.
• The O-RAN Alliance saw this and went back to the controller concept to enable Open
RAN. (https://www.o-ran.org/membership)
Operator Members

Arm in 5G

Where does arm fit into 5G?
https://gsacom.com/paper/lte-to-5g-june-2021-global-update
Launched 5G networks
Deployed 5G networks
Investment in 5G
Soft-launched 5G
• Core Network
• 5G core
• LTE core
• RAN
• DU
• CU
22,000 5G cell
sites from over
160 operators
worldwide
1+ billion active
5G smartphone
customers
by 2022
• RIC
• High L1
• Small Cell
• L1/2/3

Arm: Enabling More Open 5G Platforms
Deployable
Technology
Innovations
Enabling
Software
Accelerator
Abstraction
L1
Kernels
Cloud
Native
RU
DU
CU
REC
RIC
EPC
Software Libraries ISV Stacks on Arm
Neoverse Platform &
Silicon Partner
Innovation
ML TRS
MEC
ASIC
AI/ML
CPU system
L2/
L3+
L1
FPGA
ASSP
Diversity of choice by enabling a rich ecosystem of hardware and software vendors
Platform Diversity & Choice

5G O-RAN Partner PoC Solutions
5G Core
CU
RAN Intelligence
Controller near-RT
DU
RU
RIC
5G Core
CU
Distributed Unit
L2
High-L1
RU
High-L1
5G Core
Centralized Unit
Distributed Unit
RU
RAN on Neoverse
L2
High-L1
5G Core
Smallcell L2/3
Smallcell L1
Small-cell
RFE
CU
DU
RU
Core Network
5G Core
LTE Core

5G Solutions and Ecosystem
Compute/MEC EPC, RIC CU/DU uCPE
Small-cell
Use-cases, PoCs
Partner HW
Partner Stacks
Community SW
AWS Graviton2,
Outpost
Hawkeye,
Accton
T&W
(NXP+QC)
CIG, Arcadyan
(NXP)
MRVL Octeon 10
Telco Sys
ENEA
Fortinet,
Clavister
RadiSys
Altran
Arraycomm
Astri
Accelleran
Phluido
Magma
OAI
Comm
Agility
Radisys
Ampere Altra
Video
ML inference
Web, Data
Platform
Standards
Middleware,
Libraries
System-Ready ORAN-TIP Accel-API
DPDK, ODP, VPP, OpenSSL
ARM-RAL
Cloud-native: Kubernetes,
KVM, Docker, Rancher
PARSEC
Video, ML, Data
libraries
Cassini

Four components of the RIC architecture
• Four functional software elements:
• Orchestration/NMS layer with Non-Real Time RIC
• Near-real time RIC itself
• multi-RAT CU protocol stack
• DU software function
They all are deployed as VNFs or containers to distribute capacity across multiple network elements
with security isolation and scalable resource allocation. Interactions with RU hardware is done to
increase efficiency and to be optimized in real-time. Thus, providing better network experiences to the
end user.

RICs and
Performance
Requirements

O-RAN architecture Non Real-Time RIC >=1 Sec
Functionality includes configuration
management, device management, fault
management, performance management,
and lifecycle management for all network
elements in the network.
Source: O-RAN ALLIANCE Logical Architecture
Near Real-Time RIC >10 ms < 1second
A near-real-time, micro-service-based software
platform for hosting applications called xApps.
These run on the near-RT RIC platform. The
near-RT RIC software platform provides xApps
with data, which is then used to optimize run
behavior. Control of RAN infrastructure (eNB,
gNB, CU, DU) is done through the E2 protocol.

Performance needs
• Looking at the latency
numbers in the figure, the
Near Real-time RIC acts
within 10 to 1000
milliseconds to make
decisions based on metrics
from RAN nodes.
• These decisions are driven
by sophisticated algorithms
built in to the “xApps.” But,
why is there the need for
these algorithms or XApps?
Source: O-RAN ALLIANCE

What can the near real-time RIC do for you!
• Near real-time RIC leverages embedded intelligence
and is responsible for:
• per-UE controlled load-balancing
• RB management
• Interference detection and mitigation
• Provides QoS management, connectivity
management and seamless handover control.
• xApps
• Admission Control
– Executing logic to determine if a dual connection should be accepted or rejected (4G &5G)
• Measurement Campaign:
– The metrics are reported periodically as VES events and include metrics such as number of dual
connected UEs, duration of dual connections, and signal strength metrics.
• ML Based:
– Support ML models in non-real time and near-real time RIC use cases.
• Traffic steering
– Control which cell a UE should use based on performance.
Capabilities options for an xApp

Security
Concerns

Security concerns
• xApps have the ability to control RAN infrastructure (eNB, gNB, CU, DU)
• 3rd
party xApps are not vetted or may contains exploits or be exploitable.
• 3rd
party xApps not compatible with others when ran along side each other.
• Multiple RT RICs having similar/same xApps.
• Process starvation due to resource allocation.
• Only Security is policy based currently
Kata is a natural fit when securing the RIC.

Experience Using
Cloud Native
Technology

Deploying RICs
with Kata
containers

kata-containers
Multi
Hypervisor
QEMU,
Cloud Hypervisor,
Firecracker
Works seamlessly
with Kubernetes
and Docker
and is a drop in
replacement for runc
Open Source
Open governance
project under the
Open Infrastructure
Foundation umbrella
Multi
Architecture
x86, ARM, IBM Power,
IBM s/390x
OCI-compatible runtime that enhances the security of container workloads in a
lightweight virtual machines.
https://kata-containers.io

Katas Growing Community
https://kata-containers.io

Docker containers
Traditional containers use Linux control groups (cgroups),
for managing and allocating resources and namespaces
to provide container isolation. Further security isolation is
provided by dropping Linux capabilities, using read-only
mount points, mandatory access controls (MAC) security
measures like those in SELinux or dropping syscalls using
SECCOMP, etc. It is difficult, if not impossible, to
effectively apply these security policies to complex
applications.
To mitigate this, operators started nesting containers in
VMs. Doing so reduced performance and the agile aspect
of a container.

Kata containers
• Kata Containers provides container
isolation by using hardware virtualization.
• In the case of Kubernetes, VM isolation is
provided at the pod level.
• For Kata Containers, each pod is booted as
a lightweight VM with its own unique
kernel instance.
• Since each pod is now running with its
own VM, they no longer gain access to the
host kernel and get the full security
benefits of a VM.

Orchestration
and Lifecycle

Deployment currently
Source: kata-containers.io
• Currently the near RT RIC is
deployed with Helm and
Kubernetes
• E2 manager: controls E2 connection establishment and provides REST
APIs to manage these connections.
• Routing Manager: a basic RIC platform service, responsible for generating
and distributing routing policies to xApps.
• Subscription Manager: Near-realtime RIC Platform Subscription Manager
• A1 Mediator: Terminating the northbound A1 interface. It is translating
information received over A1 it into conrete actions that xApps must take
to adpat their behavior accordingly and it sends back feedback on the
implementation status of such actions.
• App manager: provides a flexible and secure way for deploying and
managing various RIC xApp applications in a Kubernetes environment.
• RMR: RIC message routing - A library originally based on NNG
(nano-messaging nxt generation) for low latency message routing.

Multi-tenant Kubernetes example
KERNEL
CONTAINER
POD
CONTAINER
CONTAINER
CONTAINER
KERNEL
CONTAINER
CONTAINER
CONTAINER
KERNEL
CONTAINER
CONTAINER
CONTAINER
CONTAINER
KERNEL
KUBERNETES
NODE 1
NODE 2 NODE 3 NODE 4
KATA VM
NODE 2
KATA VM KATA VM KATA VM
CONTAINER
CONTAINER
CONTAINER
CONTAINER
CONTAINER
CONTAINER
CONTAINER
CONTAINER
CONTAINER
CONTAINER
CONTAINER
CONTAINER
POD POD POD POD POD POD POD POD POD
Standard Containers Kata Containers
Isolate sensitive workloads by node
KERNEL
KUBERNETES
NODE 1
Isolate sensitive workloads within a node
Source: kata-containers.io

Deployment with kata example

Kata orchestration and lifecycle
• The process to use kata is easy
• Install or compile version 2 of kata
• Configure containerd
• Modify the runtimeclass to kata
• Modify the
plugins.cri.containerd.runtime.kata-runti
me
• Kata-agent is a process running in the guest
as a supervisor for managing containers and
processes running within those containers.
• The kata-agent makes use of libcontainer to
manage the lifecycle of the container. This
way the kata-agent reuses most of the code
used by runc.
• The Kubelet is responsible for managing the
lifecycle of pods within the node/s

Conclusion and
Q&A

Conclusion
• 5G is quickly taking hold and arm is going to be part of it.
• Security concerns seen are easily remedied using Kata
• Complexity can easily be solved with a combination of tools readily available and
supported on arm.

See you at KubeCon and Arm DevSummit 2021!
devsummit.arm.com
events.linuxfoundation.org/kubecon-
cloudnativecon-north-america/

Blogs
Write in your subtitle here
• The open, interoperable path to 5G deployment
• Enabling the dynamic 5G infrastructure with Arm-based solutions
• Project Cassini - Ensuring a cloud native experience across a secure Arm-based edge
ecosystem

The Cloud to Edge Infrastructure Foundation
for a World of 1T Intelligent Devices
Thank You!

© 2021 Arm Limited
The Arm trademarks featured in this presentation are registered
trademarks or trademarks of Arm Limited (or its subsidiaries) in
the US and/or elsewhere. All rights reserved. All other marks
featured may be trademarks of their respective owners.
www.arm.com/company/policies/trademarks

Kata and arm, a secure alternative in the 5 g space

More Related Content

What's hot (20)

Similar to Kata and arm, a secure alternative in the 5 g space (20)

More from LibbySchulze (20)

Recently uploaded (20)

Kata and arm, a secure alternative in the 5 g space