
Table 7.2: Summary of the NFV technology classification. (Only fragments of the table body survived extraction: rows for standard, telco and industry-proprietary technologies, covering Plain IP, MPLS SR/PCE, NSH, TOSCA, SID and proprietary Colt and NSX solutions, with Yes/No/Not yet entries for the evaluated properties.)

7.7 Conclusion

Traditionally, end-to-end security is ensured by end-to-end network channels with integrity and encryption. In NFV, more than two parties are involved in the communication, and the use of traditional end-to-end security methods results in complex setups of network flows. We have created a model that shows there are network security dependencies between the NFV components, both horizontally and vertically. The model includes a new top-level integration point at domain level, which opens up for automation and simplification when deploying NFV interconnections between two ISPs.

The model is also used to classify the research and the NFV interconnection technologies. The technologies have been evaluated with respect to isolation, encryption and the ability to communicate up, down and sideways in the model. It is shown that the current research silos do not have a common end-to-end security framework and that most technologies lack integrity and encryption. This leaves a security gap in the ETSI NFV model.

For autonomous systems, such as ISPs, NSH is the most promising transport technology that can support the model, but it still lacks support for encryption, integrity and control-layer protocols.

We have introduced a chain of Security Associations (SA) between the NFV components as a possible solution to ensure end-to-end security. Due to the lack of dynamics in standard security frameworks, we suggest that future work focus on developing a framework for automatic key distribution of SAs, such as blockchains or key tokens [35].
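As an added illustration (not code from the thesis or any cited project) of the proposed chain of per-hop Security Associations, the following Python models a service function chain in which every VNF terminates its inbound SA, inspects the plaintext it needs, and re-protects the flow under its outbound SA, so a component holding no SA key for that flow can neither read nor modify it. The VNF names, the flow secret, and the HMAC-SHA256 encrypt-then-MAC construction standing in for a real IPsec-style SA are all illustrative assumptions.

```python
import hmac
import hashlib

TAG_LEN = 32  # HMAC-SHA256 tag length


def sa_key(flow_secret: bytes, src: str, dst: str) -> bytes:
    """Per-flow, per-hop SA key: HMAC used as a PRF over the hop identity (assumed scheme)."""
    return hmac.new(flow_secret, f"sa:{src}->{dst}".encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256; the "ks" prefix separates it from the tag domain.
    blocks = (hmac.new(key, b"ks" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Encrypt-then-MAC one frame under the SA key: seq(8) || ciphertext || tag(32)."""
    nonce = seq.to_bytes(8, "big")
    ct = bytes(p ^ k for p, k in zip(payload, _keystream(key, nonce, len(payload))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unprotect(key: bytes, frame: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; a foreign SA key or tampering fails."""
    nonce, ct, tag = frame[:8], frame[8:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("SA integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def traverse(chain, flow_secret: bytes, payload: bytes, seq: int = 1):
    """Push one packet through the SFC hop by hop.

    Each VNF needs the plaintext to do its job, so it terminates the inbound SA and
    opens the outbound one; returns what every VNF saw plus the payload at egress."""
    hops = ["ingress", *chain, "egress"]
    seen = {}
    frame = protect(sa_key(flow_secret, hops[0], hops[1]), seq, payload)
    for i, vnf in enumerate(chain, start=1):
        clear = unprotect(sa_key(flow_secret, hops[i - 1], hops[i]), frame)
        seen[vnf] = clear
        frame = protect(sa_key(flow_secret, hops[i], hops[i + 1]), seq, clear)
    return seen, unprotect(sa_key(flow_secret, hops[-2], hops[-1]), frame)


if __name__ == "__main__":
    # Constructed sample: a firewall and a NAT VNF between two domain edges.
    secret = b"constructed-per-flow-secret"
    seen, out = traverse(["fw", "nat"], secret, b"constructed flow payload")
    print(sorted(seen), out)
```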

References

[1] ETSI. Network Function Virtualization (NFV) Use Cases 001 v1.1.1. Available online: http://www.etsi.org/deliver/etsi-gs/nfv/001_099/001/01.01.01-60/gs-nfv001v010101p.pdf (accessed on 04 June 2019). 2013.

[2] ETSI. Network Functions Virtualisation (NFV) NFV-SEC 001 Problem Statement. Available online: http://www.etsi.org/deliver/etsi_gs/NFV-SEC/001_099/001/01.01.01_60/gs_NFV-SEC001v010101p.pdf (accessed on 04 June 2019). 2014.

[3] Rashid Mijumbi et al. ‘Network Function Virtualization: State-of-the-art and research challenges’. In: IEEE Communications Surveys & Tutorials 18.1 (2015), pp. 236–262.

[4] 5GPPP Architecture WG. View on 5G Architecture. Available online: https://5g-ppp.eu/wp-content/uploads/2014/02/5G-PPP-View-on-5G-Architecture-For-public-consultation.pdf (accessed on 04 Aug 2016). 2016.

[5] K Tirumaleswar Reddy et al. Authenticated and encrypted NSH service chains. Internet-Draft. Work in Progress. Apr. 2015.

[6] Norival Figueira et al. Policy Architecture and Framework for NFV Infrastructures. Internet-Draft draft-irtf-nfvrg-nfv-policy-arch-04. Work in Progress. Internet Engineering Task Force, Sept. 2016.

[7] Open Networking Foundation (ONF). Functional Requirements for Transport API (TR-527). Available online: https://www.opennetworking.org/wp-content/uploads/2014/10/TR-527_TAPI_Functional_Requirements.pdf (accessed on 04 June 2019). 2016.

[8] Max Alaluna, Fernando MV Ramos and Nuno Neves. ‘Literally above the clouds: Virtualizing the network over multiple clouds’. In: IEEE NetSoft Conference and Workshops (NetSoft). IEEE. 2016, pp. 112–115.

[9] Roberto Bifulco, Anton Matsiuk and Alessio Silvestro. ‘Ready-to-deploy service function chaining for mobile networks’. In: IEEE NetSoft Conference and Workshops (NetSoft). IEEE. 2016, pp. 175–183.

[10] Marc G Villinger and Reinhard Jung. ‘Establishing a continuous corporate business model innovation process: Process antecedents’. In: (2015).

[11] Bram Naudts et al. ‘Deploying SDN and NFV at the speed of innovation: Toward a new bond between standards development organizations, industry fora, and open-source software projects’. In: IEEE Communications Magazine 54.3 (2016), pp. 46–53.

[12] Ahmed Abujoda and Panagiotis Papadimitriou. ‘DistNSE: Distributed network service embedding across multiple providers’. In: 8th International Conference on Communication Systems and Networks (COMSNETS). IEEE. 2016, pp. 1–8.

[13] OpenStack community. The OpenStack API webpage. Available online: http://docs.openstack.org/developer/networking-sfc/api.html (accessed on 01 August 2016). 2016.

[14] Hongtao Yin et al. SDNi: A Message Exchange Protocol for Software Defined Networks (SDNS) across Multiple Domains. Internet-Draft draft-yin-sdn-sdni-00. Work in Progress. Internet Engineering Task Force, June 2012.

[15] OPNFV and OpenvSwitch community. The Open Virtual Network. Available online: https://wiki.opnfv.org/display/PROJ/Ovn4nfv (accessed on 01 August 2016). 2016.

[16] ETSI. Network Functions Virtualisation (NFV) NFV-SEC 003 Security and Trust Guidance. Available online: http://www.etsi.org/deliver/etsi_gs/NFV-SEC/001_099/003/01.01.01_60/gs_NFV-SEC003v010101p.pdf (accessed on 04 June 2019). 2014.

[17] ETSI. Network Functions Virtualisation (NFV) 002 Architectural Framework v1.1.1. Available online: http://www.etsi.org/deliver/etsi_gs/NFV/001_099/002/01.01.01_60/gs_nfv002v010101p.pdf (accessed on 04 June 2019). 2014.

[18] ETSI. Network Functions Virtualisation (NFV) NFV-REL 003 Models for End-to-End Reliability. Available online: http://www.etsi.org/deliver/etsi_gs/NFV-REL/001_099/003/01.01.02_60/gs_nfv-rel003v010102p.pdf (accessed on 04 June 2019). 2016.

[19] ETSI. Network Functions Virtualisation (NFV) NFV-EVE 005 SDN Usage in NFV Architectural Framework. Available online: http://www.etsi.org/deliver/etsi_gs/NFV-EVE/001_099/005/01.01.01_60/gs_nfv-eve005v010101p.pdf (accessed on 04 June 2019). 2015.

[20] ETSI. Network Functions Virtualisation (NFV) NFV-MAN 001 Management and Orchestration. Available online: http://www.etsi.org/deliver/etsi_gs/NFV-MAN/001_099/001/01.01.01_60/gs_nfv-man001v010101p.pdf (accessed on 04 June 2019). 2014.

[21] Scott O. Bradner. Key words for use in RFCs to Indicate Requirement Levels. RFC 2119. Mar. 1997.

[22] A Jøsang. ‘Prospectives for modelling trust in information security’. In: Australasian Conference on Information Security and Privacy. Springer. 1997, pp. 2–13.

[23] Randall Atkinson and Stephen Kent. Security Architecture for the Internet Protocol. RFC 2401. Nov. 1998.

[24] Network Working Group et al. ‘Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile’. In: RFC 5280 (2008).

[25] Abhishek Gupta et al. ‘Joint virtual network function placement and routing of traffic in operator networks’. In: University of California Davis, USA, Tech. Rep. (2015).

[26] Paul Quinn and Uri Elzur. Network Service Header. Internet-Draft draft-ietf-sfc-nsh-05. Work in Progress. Internet Engineering Task Force, 2016.

[27] Clarence Filsfils et al. ‘The Segment Routing Architecture’. In: 2015 IEEE Global Communications Conference (Globecom). IEEE. 2015, pp. 1–6.

[28] JP Vasseur, Adrian Farrel and Gerald Ash. A Path Computation Element (PCE)-Based Architecture. RFC 4655. Aug. 2006.

[29] Siamak Azodolmolky, Philipp Wieder and Ramin Yahyapour. ‘SDN-based cloud computing networking’. In: 15th International Conference on Transparent Optical Networks (ICTON). IEEE. 2013, pp. 1–4.

[30] Sandra Scott-Hayward, Sriram Natarajan and Sakir Sezer. ‘A survey of security in software defined networks’. In: IEEE Communications Surveys & Tutorials 18.1 (2015), pp. 623–654.

[31] Teemu Koponen et al. ‘Network virtualization in multi-tenant datacenters’. In: 11th USENIX Symposium on Networked Systems Design and Implementation (NSDI 14). 2014, pp. 203–216.

[32] Hassan Hawilo et al. ‘NFV: state of the art, challenges, and implementation in next generation mobile networks (vEPC)’. In: IEEE Network 28.6 (2014), pp. 18–26.

[33] J Garay et al. ‘Service description in the NFV revolution: Trends, challenges and a way forward’. In: IEEE Communications Magazine 54.3 (2016), pp. 68–74.

[34] Colt. Case Study Rolling out hybrid cloud services across Europe from Juniper. Available online: http://www.colt.net/blog/2014/05/23/sdn-nfv-the-beginning-of-a-new-era (accessed on 01 August 2016). 2015.

[35] D.W. Bachmann et al. Token caching in trust chain processing. US Patent 9,325,695. Apr. 2016.

Chapter 8

Security Requirements for Service Function Chaining Isolation and Encryption

Published in IEEE 17th International Conference on Communication Technology (ICCT), Chengdu, China, 2017

Håkon Gunleifsen, Thomas Kemmerich

Faculty of Information Technology and Electrical Engineering, Norwegian University of Science and Technology, Gjøvik, Norway. Email: hakon.gunleifsen2@ntnu.no, thomas.kemmerich@ntnu.no

Abstract

This paper presents a study of Service Function Chaining (SFC) isolation and encryption in interconnected Network Function Virtualisation (NFV) domains. The adoption of NFV deployments is currently designed to be implemented within trusted domains, where overlay networks with statically trusted links are considered to enable network security. We challenge this statement and introduce a security problem related to Virtual Network Function (VNF) confidentiality and isolation. A data-flow that traverses a chain of Virtual Network Functions (VNF) cannot be end-to-end encrypted when each VNF must have access to the data-flow. This restricts both end-users and Service Providers from enabling end-to-end security and VNF isolation for their NFV flow. Therefore, there is a need to encrypt the data-flows on a per-flow basis. In this paper we present the discovered security problem, set the requirements for the problem solution and study the constraints for securing and isolating VNFs in a Service Function Chain.

Keywords: Network Function Virtualisation, Service Function Chaining, Network Service Headers, Network Encryption, NFV