ETSI GR NFV-SEC 011-2018 Network Functions Virtualisation (NFV) Security Report on NFV LI Architecture (V1 1 1).pdf

1、 ETSI GR NFV-SEC 011 V1.1.1 (2018-04) Network Functions Virtualisation (NFV); Security; Report on NFV LI Architecture Disclaimer The present document has been produced and approved by the Network Functions Virtualisation (NFV) ETSI Industry Specification Group (ISG) and represents the views of those

2、 members who participated in this ISG. It does not necessarily represent the views of the entire ETSI membership. GROUP REPORT ETSI ETSI GR NFV-SEC 011 V1.1.1 (2018-04)2 Reference DGR/NFV-SEC011 Keywords lawful interception, NFV, security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex -

3、FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be

4、 made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print

5、, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of thi

6、s and other ETSI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reprodu

7、ced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction

8、extend to reproduction in all media. ETSI 2018. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are trademarks of ETSI registered for the benefit of its Members. 3GPPTM and LTETMare trademarks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners

9、. oneM2M logo is protected for the benefit of its Members. GSMand the GSM logo are trademarks registered and owned by the GSM Association. ETSI ETSI GR NFV-SEC 011 V1.1.1 (2018-04)3 Contents Intellectual Property Rights 5g3Foreword . 5g3Modal verbs terminology 5g3Introduction 5g31 Scope 6g32 Referen

10、ces 6g32.1 Normative references . 6g32.2 Informative references 6g33 Definitions and abbreviations . 7g33.1 Definitions 7g33.2 Abbreviations . 7g34 Problem Statement Lawful Interception in NFV 8g34.1 General . 8g34.2 Security 8g34.2.1 General 8g34.2.2 Basic Trust and Default Security Stance . 8g34.2

11、.2.1 General 8g34.2.2.2 The One Deity Complex . 8g34.2.2.3 Basic LI Security Stance . 9g34.2.2.4 System Trust and Isolation 9g34.2.3 LI Function Visibility and Hiding . 9g34.2.4 Data Egress and Communication 10g34.3 Mobility and Location 10g34.3.1 Virtualised Function Location 10g34.3.1.1 General Lo

12、cation and Simple VNFs . 10g34.3.1.2 Multi VNFCI VNFs 10g34.3.2 Inferred Location of the Target . 11g34.3.3 VNF Migration . 11g34.3.4 User Mobility 12g34.4 Network Architecture . 13g34.5 Administration and Instantiation 13g34.6 Mediation and Egress . 13g34.7 Correlation and Timing 14g34.8 VNF Scalin

13、g . 14g35 LI Architecture . 16g35.1 General . 16g35.2 High Level Architecture . 16g35.3 Reference Point Architecture . 17g36 LI Deployment Scenarios . 18g36.1 General . 18g36.2 POI VNF Embedded - Trusted VNF 19g36.2.1 Reference Diagram . 19g36.2.2 Components and Interfaces description 20g36.3 POI VN

14、F Embedded - Low-Trust VNF . 21g36.3.1 Reference Diagram . 21g36.3.2 Components and Interfaces description 22g36.4 Non VNF Embedded POI . 23g36.4.1 General 23g36.4.2 Non-Embedded POI 24g36.4.3 NFV Layer POI . 24g36.4.4 NFV External Hardware POI 25g36.5 LI Routing Proxy Gateway . 25g3ETSI ETSI GR NFV

15、-SEC 011 V1.1.1 (2018-04)4 6.5.1 General 25g36.5.2 LRPG Functionality 25g36.6 LI Controller . 26g36.6.1 Overview 26g36.6.2 LI Controller Functions 26g36.6.2.1 The LI Service Controller . 26g36.6.2.2 The LI Security Controller 26g36.7 LEMF . 26g36.7.1 General 26g36.7.2 Virtualisation (vLEMF) 27g36.7.

16、3 Scaling and Dynamic Configuration . 27g36.7.4 Single logical vLEMF . 27g37 Part VNF Part Legacy Implementations. 27g37.1 Overview 27g37.2 General Implications 28g37.2.1 ADMF . 28g37.2.1.1 Backward compatibility 28g37.2.1.2 Standalone vs NFV Virtualised . 28g37.2.2 MF/DF 29g37.2.2.1 Backward compat

17、ibility 29g37.2.2.2 Standalone vs NFV Virtualised . 29g37.2.2.3 Handover Aspects . 29g37.2.3 Mixed Legacy and Virtualised Functions . 30g37.2.4 VNF Mobility . 30g37.2.5 Target Mobility. 30g37.2.6 LI Security Risks in Hybrid Deployment Scenarios . 31g37.2.6.1 Overview. 31g37.2.6.2 Virtualised Node Co

18、mpromise 31g37.2.6.3 Legacy Node Compromise 31g37.2.6.4 Mitigations 31g38 LI Solutions 32g38.1 LI Deployment and Lifecycle Management . 32g38.1.1 Overview 32g38.1.2 LI Deployment and Lifecycle Management Overview . 32g38.1.3 LI VNF instantiation . 34g38.1.4 Embedded Virtualised POI Security Provisio

19、ning and Configuration 36g38.1.4.1 General 36g38.1.4.2 Virtualised POI On-Boarding 37g38.1.4.3 POI Instantiation . 38g38.1.5 Initial Communication Establishment and Certificate Provision 39g38.1.5.1 General 39g38.1.5.2 Trusted MANO . 39g38.1.5.3 Low Trust MANO . 39g38.1.6 ADMF VNFI and Connectivity

20、Tracking . 40g38.1.6.1 General 40g38.1.6.2 ADMF VNFI Tracking . 40g38.1.6.3 ADMF VNFI Connectivity Tracking 40g38.1.6.4 VNFI scaling/migration 41g38.2 LI Solutions Evolution Stages 41g38.2.1 Overview 41g38.2.2 Stage 1 Evolution 44g38.2.3 Stage 2 Evolution 45g38.2.4 Stage 3 Evolution 46g38.2.5 Stage

21、4 Evolution 47g3Annex A (informative): Authors Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no inves

22、tigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Trademarks The present documen

23、t may include trademarks and/or tradenames which are asserted and/or registered by their owners. ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no right to use or reproduce any trademark and/or tradename. Mention of those trademarks in

24、 the present document does not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks. Foreword This Group Report (GR) has been produced by ETSI Industry Specification Group (ISG) Network Functions Virtualisation (NFV). Modal verbs terminology In th

25、e present document “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when use

26、d in direct citation. Introduction Virtualised CSP networks are required to be able to support lawful interception and other mandatory regulatory requirements. Lawful Interception (LI) as detailed in ETSI GS NFV-SEC 004 i.1, needs to be performed in a way that is transparent to both the targeted use

27、r and non-authorized CSP personnel. In addition, LI needs to be implemented in security domain isolation from other general CSP network functions. In a virtualised network, many of the legacy “Security by Obscurity“ and physical hardware based approaches for hiding Lawful Interception are no longer

28、viable, either due to mobility of virtualised network functions or as a result of the common hypervisor/compute architecture on which virtualised networks are based. Therefore, the virtualised network functions need to provide equivalent transparency and security solutions compared to existing legac

29、y hardware networks. In order to support this, it is necessary for both the NFV platform on which the virtualised function/application is running and the underlying hardware platform to provide a set of standard secure building blocks on which the virtualised network function/application can be impl

30、emented. ETSI ETSI GR NFV-SEC 011 V1.1.1 (2018-04)6 1 Scope The present document provides a study of the virtual functions which are required to support LI in ETSI NFV based virtualised networks. The present document identifies the set of capabilities, interfaces, functions and components which can

31、be utilized by the virtualised applications (VNFs) to provide Lawful Interception. The present document identifies top to bottom (Virtualised Application through NFV layer through hardware platform) LI architectures and identifies within the scope of ETSI NFV, capabilities, interfaces, functions and

32、 components required to support these architectures. The present document has 3 primary objectives: 1) Identify and define 1 or more NFV reference LI architectures, including administration functions, virtual points of interception, mediation functions and other LI functions. This is intended to pro

33、vide a common reference architecture which can be used to identify functional split across the Virtualised Network Functions application layer (e.g. 3GPP Network), NFV software platform layer (ETSI NFV) and Hardware Platform layer. 2) Identify potential NFV solutions which provide the capabilities,

34、interfaces, functions and components to meet the identified LI architectures. This is intended to identify all of the elements and interconnection relationships needed to perform LI in a virtualised network. These will form the basis for future normative standardization in both ETSI NFV and other bo

35、dies such as 3GPP utilizing ETSI NFV to virtualise their network functions. 3) Document deployment scenarios examples for each of the identified reference LI architectures. This is intended to show specific examples for different types of interception (e.g. on switch/function vs probe based) in spec

36、ific technology deployment scenarios (e.g. 3GPP). 2 References 2.1 Normative references Normative references are not applicable in the present document. 2.2 Informative references References are either specific (identified by date of publication and/or edition number or version number) or non-specif

37、ic. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term

38、validity. The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area. i.1 ETSI GS NFV-SEC 004: “Network Functions Virtualisation (NFV); NFV Security; Privacy and Regulation; Report on Lawful Inter

39、ception Implications“. i.2 ETSI TS 102 232-1: “Lawful Interception (LI); Handover Interface and Service-Specific Details (SSD) for IP delivery; Part 1: Handover specification for IP delivery“. i.3 ETSI GS NFV-SEC 009: “Network Functions Virtualisation (NFV); NFV Security; Report on use cases and tec

40、hnical approaches for multi-layer host administration“. i.4 ETSI GS NFV-MAN 001: “Network Functions Virtualisation (NFV); Management and Orchestration“. i.5 ETSI GS NFV 002: “Network Functions Virtualisation (NFV); Architectural Framework“. ETSI ETSI GR NFV-SEC 011 V1.1.1 (2018-04)7 i.6 ETSI TS 133

41、108: “Universal Mobile Telecommunications System (UMTS); LTE; 3G security; Handover interface for Lawful Interception (LI) (3GPP TS 33.108)“. i.7 ETSI GS NFV-SEC 012: “Network Functions Virtualisation (NFV) Release 3; Security; System architecture specification for execution of sensitive NFV compone

42、nts“. i.8 ETSI GS NFV-SEC 013: “Network Functions Virtualisation (NFV) Release 3; Security; Security Management and Monitoring specification“. i.9 ETSI TS 133 107: “Universal Mobile Telecommunications System (UMTS); LTE; 3G security; Lawful interception architecture and functions (3GPP TS 33.107)“.

43、i.10 ETSI GR NFV-SEC 016: “Network Functions Virtualisation (NFV); Security; Report on location, timestamping of VNFs“. i.11 ETSI GR NFV-SEC 007: “Network Functions Virtualisation (NFV); Trust; Report on Attestation Technologies and Practices for Secure Deployments“. 3 Definitions and abbreviations

44、3.1 Definitions For the purposes of the present document, the terms and definitions given in ETSI TS 102 232-1 i.2, ETSI TS 133 107 i.9 and the following apply: LI Virtual Machine (LI VM): dedicated virtual host containing a virtual Point of Interception virtual point of interception: dedicated LI f

45、unction which may be either a dedicated VNFCI within a VNFI or a separate VNFI in its own right targeting traffic from other VNFIs 3.2 Abbreviations For the purposes of the present document, the abbreviations given in ETSI TS 102 232-1 i.2, ETSI TS 133 107 i.9 and the following apply: ADMF Administr

46、ation Function CA Certificate AuthorityDF Delivery Function HI Handover Interface HI1 Handover Interface 1 HI2 Handover Interface 2 HI3 Handover Interface 3 LEA Law Enforcement Agency LEMF Law Enforcement Monitoring Function LI Lawful Interception LI VM Lawful Interception Virtual Machine LoA Level

47、of Assurance LRPG Lawful Interception Routing Proxy Gateway MF Mediation Function POI Point Of Interception RD Retained Data SDN Software Defined Network SO Security Orchestrator TCF Triggering Control Function TTP Trusted Third PartyvDF virtualised Delivery Function vMF virtualised Mediation Functi

48、on vPOI virtualised Point Of Interception ETSI ETSI GR NFV-SEC 011 V1.1.1 (2018-04)8 4 Problem Statement Lawful Interception in NFV 4.1 General This clause outlines the overall challenges which should be addressed when considering how and where to deploy Lawful Interception functionality in an NFV e

49、nvironment. These challenges form the basis of the problem set which any LI architecture should be able to overcome, as detailed in subsequent clauses of the present document. Details for the underlying LI requirements and internal LI VM functionality are given in ETSI GS NFV-SEC 004 i.1 and ETSI TS 102 232-1 i.2. 4.2 Security 4.2.1 General NFV does not necessarily introduce any new security challenges for lawful interception which did not otherwise exist in legacy networks. In fact, a properly implemented NFV network may actually provide bet