1、 ETSI GR NFV-SEC 003 V1.2.1 (2016-08) Network Functions Virtualisation (NFV); NFV Security; Security and Trust Guidance Disclaimer The present document has been produced and approved by the Network Functions Virtualisation (NFV) ETSI Industry Specification Group (ISG) and represents the views of tho
2、se members who participated in this ISG. It does not necessarily represent the views of the entire ETSI membership. GROUP REPORT ETSI ETSI GR NFV-SEC 003 V1.2.1 (2016-08)2 Reference RGR/NFV-SEC003ed121 Keywords NFV, security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +
3、33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org/standards-search The present document may be made availabl
4、e in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only pre
5、vailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ET
6、SI documents is available at https:/portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https:/portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilize
7、d in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to repr
8、oduction in all media. European Telecommunications Standards Institute 2016. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of th
9、e 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI GR NFV-SEC 003 V1.2.1 (2016-08)3 Contents Intellectual Property Rights 6g3Foreword . 6g3Modal verbs terminology 6g31 Scope 7g32 References 7g32.1 Normative references . 7g32.2
10、Informative references 7g33 Abbreviations . 7g34 Network Function Virtualisation Security 9g34.1 NFV High-Level Security Goals 9g34.2 NFV Security Use Case Summaries . 9g34.2.1 Intra-VNFSec: Security within Virtual Network Functions . 9g34.2.1.1 VNFC-Specific Security Use Cases 10g34.2.1.1.1 VNFC Cr
11、eation 10g34.2.1.1.2 VNFC Deletion 10g34.2.1.1.3 VNFC Configuration and Package Management 10g34.2.1.1.4 VNFCI Migration 11g34.2.1.1.5 VNFC Operational State Changes . 11g34.2.1.1.6 VNFC Topology Changes . 11g34.2.1.1.7 VNFC Scale-Up and Scale-Down . 11g34.2.1.1.8 VNFC Scale-In and Scale-Out 11g34.2
12、.2 Infra-VNFSec: Security between Virtual Network Functions 12g34.2.3 Extra-VNFSec: Security external to Virtual Network Functions 12g34.3 NFV External Operational Environment 13g34.3.1 External Physical Security Guidance 13g34.3.2 External Hardware Guidance 13g34.3.3 External Service Guidance 13g34
13、.3.3.1 DNS. 13g34.3.3.2 IP Addressing, DHCP and Routing . 13g34.3.3.3 Time Services and NTP 13g34.3.3.4 Geolocation . 13g34.3.3.5 Security Visibility and Testing 13g34.3.3.6 Certificate Authority . 14g34.3.3.7 Identity and Access Management . 14g34.3.4 External Policies, Processes and Practices Guid
14、ance . 14g34.3.4.1 Regulatory Compliance Considerations for NFV . 14g34.3.4.2 Forensic Considerations for NFV . 14g34.3.4.3 Legal/Lawful Intercept Considerations for NFV 14g34.3.4.4 Considerations for NFV Analytics and Service Level Agreements (SLAs) . 14g34.4 NFV Security Management Lifecycle 15g34
15、.4.1 NFV Threat Landscape . 15g34.4.1.1 Threat Vectors, Monitoring and Detection 16g34.4.2 NFV Platform Guidance . 16g34.4.2.1 Platform visibility and validation 16g34.4.2.1.1 Workload Visibility into Physical and Virtualised Resources . 16g34.4.2.1.2 Introspection 18g34.4.2.2 Access Visibility for
16、Data and Control Packets in Virtualised Environment 18g34.4.2.3 Validation of Root of Trust and Chain of Trust 19g34.4.2.4 Services validation 19g34.4.3 Certificate, Credential and Key Management within NFV . 19g34.4.3.1 Certificate management 19g34.4.3.2 Credential Management 19g34.4.3.2.1 Void . 1
17、9g34.4.3.2.2 Role of Identity, keys and certificates . 19g3ETSI ETSI GR NFV-SEC 003 V1.2.1 (2016-08)4 4.4.3.2.3 Credential Injection by hypervisor 20g34.4.3.3 Key Management 20g34.4.3.3.1 Key Management and security within cloned images . 20g34.4.3.3.2 Key Management and security within migrated ima
18、ges 21g34.4.3.3.3 Self-generation of key pairs . 21g34.4.4 Multiparty Administrative domains 21g34.4.4.1 Rational . 21g34.4.4.2 Administrative domains 21g34.4.4.3 Infrastructure Domain . 22g34.4.4.4 Tenant Domain 22g34.4.4.5 Implications . 22g34.4.4.6 Inter-Domain functional blocks and reference poi
19、nts . 23g34.4.4.6.1 Network Service Orchestration . 23g34.4.4.6.2 Infrastructure Orchestration . 23g34.4.4.6.3 VNF-Specific Lifecycle Management . 23g34.4.4.6.4 Generic VNF Lifecycle Management 23g34.4.4.6.5 Inter-Orchestration (Os-Ma) 23g34.4.4.6.6 Inter-VNFM (Ve-Vnfm) 23g34.4.4.7 VNF Package and I
20、mage Management . 23g34.4.4.7.1 Integrity checks . 24g34.4.4.7.2 Trust checks . 24g34.4.4.8 VNFC Security Overview . 24g34.4.4.8.1 VNFC security scope . 24g34.4.4.9 VNFC Lifecycle Security - Statement of the problem 25g34.4.4.10 Security Approach . 26g34.4.5 VNF Instantiation . 27g34.4.5.1 Trustwort
21、hy Boot 27g34.4.5.2 VTPM (Virtual Trusted Platform Module) . 28g34.4.5.3 Attestation . 28g34.4.5.4 Attribution . 28g34.4.5.5 Authenticity . 28g34.4.5.6 Authentication . 28g34.4.5.6.1 User/Tenant Authentication, Authorization and Accounting 28g34.4.5.7 Authorization 30g34.4.5.8 Interface Instantiatio
22、n 30g34.4.5.9 Levels of assurance . 30g34.4.5.10 Logging, Reporting, Analytics and Metrics 30g34.4.6 VNF Operation . 31g34.4.6.1 Planned operational lifecycle events . 31g34.4.6.2 VNFC Lifecycle control and authorization . 31g34.4.6.3 Dynamic State Management . 32g34.4.6.3.1 Provision by trusted par
23、ty - network . 32g34.4.6.3.2 Provision by trusted party - storage . 32g34.4.6.4 Dynamic Integrity Management 32g34.4.6.4.1 Secured crash and recovery . 32g34.4.6.5 Application Programming Interfaces (APIs) . 32g34.4.7 VNF Retirement 32g34.4.7.1 License retirement . 33g34.4.7.2 Secured wipe . 33g34.5
24、 NVF Security Technologies . 33g34.5.1 Technologies and Processes 34g35 Trusted Network Function Virtualisation . 34g35.1 NFV High-Level Trust Goals . 34g35.1.1 Assigning trust 35g35.1.1.1 Why assign trust? 35g35.1.1.2 How to assign trust 35g35.1.2 Evaluating and validating trust . 36g35.1.2.1 Param
25、eters for trust evaluation 36g35.1.2.2 Methods for trust evaluation . 37g35.1.3 Re-evaluating trust 37g35.1.4 Invalidating trust . 38g3ETSI ETSI GR NFV-SEC 003 V1.2.1 (2016-08)5 5.1.5 Re-establishing trust . 39g35.1.5.1 Delegation up the chain of trust 39g35.1.5.2 Peer-mediated distrust . 39g35.1.6
26、Delegating trust . 40g35.1.6.1 Directly delegated trust . 41g35.1.6.2 Collaborative trust . 41g35.1.6.3 Transitive trust 42g35.1.6.4 Reputational trust 43g35.1.7 Scope of trust 43g35.1.7.1 Trust manager . 43g35.2 NFV Trust Use Case Summaries 44g35.2.1 Intra-VNF Trust: Trust within Virtual Network Fu
27、nctions . 44g35.2.2 Inter-VNF Trust: Trust between Virtual Network Functions 44g35.2.2.1 Managing trust between a VNF instance and its VNFM. 45g35.2.2.1.1 VNF instances trusting of the VNFM . 45g35.2.2.1.2 VNFMs trusting of the VNF instance . 45g35.2.2.2 Managing trust between VNF instances 46g35.2.
28、3 Extra-VNF Trust: Trust external to Virtual Network Functions . 47g35.2.3.1 Establishing trust in a VNF Package for deployment . 47g35.2.3.1.1 NFVI domain . 47g35.2.3.1.2 Management and Operations domain 48g35.2.3.1.3 VNF provider 49g35.3 Trust between Management and Orchestration entities 49g35.3.
29、1 Management and Orchestration infrastructure 50g35.3.2 Implications of long-lived entities 50g35.4 NFV Trusted Lifecycle Management . 51g35.4.1 Objectives and Policy . 51g35.4.2 Defining a Chain of Trust . 52g35.4.3 Establishing Roots of Trust for VNFs 52g35.4.3.1 Initial VNFC root of trust establi
30、shment . 52g35.4.3.1.1 Multicast 53g35.4.3.1.2 Injection by hypervisor 53g35.4.3.1.3 Initial image . 53g35.4.3.1.4 Hypervisor . 53g35.4.3.1.5 VNFC OS and application . 53g35.4.3.1.6 Deployment state . 54g3Annex A (informative): Authors Essential, or potentially Essential, IPRs notified to ETSI in re
31、spect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https:/ipr.etsi.org/). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence o
32、f other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Group Report (GR) has been produced by ETSI Industry Specification Group (ISG) Network Functions Virtualisation (NFV). Modal ve
33、rbs terminology In the present document “should“, “should not“, “may“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT allowed in ETSI deliver
34、ables except when used in direct citation. ETSI ETSI GR NFV-SEC 003 V1.2.1 (2016-08)7 1 Scope The present document has been developed to describe the security and trust guidance that is unique to NFV development, architecture and operation. Guidance consists of items to consider that may be unique t
35、o the environment or deployment. Supplied guidance does not consist of prescriptive requirements or specific implementation details, which should be built from the considerations supplied. Guidance is based on defined use cases, included in the present document, that are derived from the Security Pr
36、oblem Statement and are unique to NFV. Relevant external guidance will be referenced, where available. 2 References 2.1 Normative references Normative references are not applicable in the present document. 2.2 Informative references References are either specific (identified by date of publication a
37、nd/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies. NOTE: While any hyperlinks included in this clause were valid at the time o
38、f publication, ETSI cannot guarantee their long term validity. The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area. i.1 ETSI GS NFV 001: “Network Functions Virtualisation (NFV); Use Cases“.
39、 i.2 CSA CloudTrust. i.3 ETSI GS NFV-SWA 001: “Network Functions Virtualisation (NFV); Virtual Network Functions Architecture“. i.4 UEFI specification: Unfied Extensible Firmware Interface Forum, Unified Extensible Firmware Interface (UEFI) Specification, 2016. NOTE: Available at http:/www.uefi.org/
40、specifications. 3 Abbreviations For the purposes of the present document, the following abbreviations apply: ABAC Attribute-Based Access Control API Application Programming Interface BIOS Basic Input Output System CA Certificate Authority CDN Content Distribution Network CLI Command Line Interface C
41、PU Central Processing Unit CPUID CPU Identifier CSA Cloud Security Alliance DDoS Distributed Denial of Service DHCP Dynamic Host Configuration Protocol DMA Direct Memory Access DNA DeoxyriboNucleic Acid ETSI ETSI GR NFV-SEC 003 V1.2.1 (2016-08)8 DNS Domain Naming Service DoS Denial of Service DPI De
42、ep Packet Inspection DRM Digital Rights Management EM Element Manager EMS Element Management System FIPS Federal Information Processing Standards GPS Global Positioning System GTP-C GPRS Tunnelling Protocol-Control GTP-U GPRS Tunnelling Protocol-User Data Tunneling GUI Graphical User Interface HSM H
43、ardware Security Module HSS Home Subscriber Server HVM Hardware Virtual Machine IAM Identity and Access Management IMS IP Multimedia Subsystem IMSI International Mobile Subscriber Identity IO Input/Output IP Intellectual Property IT Information Technology LI Lawful Intercept LUN Logical Unit Number
44、MAC Media Access Control MANO Management and Orchestration MME Mobile Management Entity NE Network Element NF Network Function NFV Network Function Virtualisation NFVI Network Function Virtualisation Infrastructure NFVO Network Function Virtualisation Orchestrator NIC Network Interface Card NTP Netw
45、ork Time Protocol OA make unauthorized changes to NE configuration, etc. Theft of Service: Attackers exploit a flaw to use services without being charged. For example, attacker exploits a flaw in HSS/PCRF/PCEF to use services without being charged. 4.4.2 NFV Platform Guidance This clause describes g
46、uidance for the hardware, software and service platform that directly supports NFV resources. 4.4.2.1 Platform visibility and validation Platform visibility and validation describes the mechanisms to view and verify resources and services within the NFV environment. These capabilities are typically
47、utilized to validate running processes, for workloads to have visibility into their operating environment and resources, as well as for introspection into the virtual environment. 4.4.2.1.1 Workload Visibility into Physical and Virtualised Resources Workloads, including virtual machines, virtual app
48、liances and VNFs need to have carefully prescribed interfaces into physical and virtualised resources to ensure appropriate visibility. In some instances, it is not permissible or desirable for a workload to have any visibility or knowledge as to the operating environment and whether the workload is
49、 running virtualised. In other instances, workload visibility and knowledge of select or total environmental aspects - including virtualisation aspects - may be required. ETSI ETSI GR NFV-SEC 003 V1.2.1 (2016-08)17 Virtual abstractions, privacy, security and external management are often cited as reasons to limit workload visibility into the physical and virtualised operating environment. The direct use of physical resources such as a TPM or HSM, as well as practices including lawful intercept may require total or limited workload visibility into the physical and
