1、 ETSI GS NFV-SEC 001 V1.1.1 (2014-10) Network Functions Virtualisation (NFV); NFV Security; Problem Statement Disclaimer This document has been produced and approved by the Network Functions Virtualisation (NFV) ETSI Industry Specification Group (ISG) and represents the views of those members who pa
2、rticipated in this ISG. It does not necessarily represent the views of the entire ETSI membership. GROUP SPECIFICATION ETSI ETSI GS NFV-SEC 001 V1.1.1 (2014-10)2Reference DGS/NFV-SEC001 Keywords NFV, security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00
3、 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org The present document may be made available in electronic versions and/or i
4、n print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of
5、the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http
6、:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http:/portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechan
7、ical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommunications
8、Standards Institute 2014. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM log
9、o are Trade Marks registered and owned by the GSM Association. ETSI ETSI GS NFV-SEC 001 V1.1.1 (2014-10)3Contents Intellectual Property Rights 5g3Foreword . 5g3Modal verbs terminology 5g31 Scope 6g32 References 6g32.1 Normative references . 6g32.2 Informative references 6g33 Definitions and abbrevia
10、tions . 8g33.1 Definitions 8g33.2 Abbreviations . 9g34 Industry Context . 10g35 Security Reference Framework 11g35.1 Deployment Scenarios 11g35.2 Threat Surface 12g35.3 Attacker Profiles . 13g36 Potential Areas of Concern . 15g36.1 Topology Validation Essential, or potentially Essential, IPRs notifi
11、ed to ETSI in respect of ETSI standards“, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/ipr.etsi.org). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to t
12、he existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Group Specification (GS) has been produced by ETSI Industry Specification Group (ISG) Network Functions Virtualis
13、ation (NFV). Modal verbs terminology In the present document “shall“, “shall not“, “should“, “should not“, “may“, “may not“, “need“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of prov
14、isions). “must“ and “must not“ are NOT allowed in ETSI deliverables except when used in direct citation. ETSI ETSI GS NFV-SEC 001 V1.1.1 (2014-10)61 Scope The present document aims to: To identify potential security vulnerabilities of NFV and to determine whether they are new problems, or just exist
15、ing problems in different guises. To provide a reference framework within which these vulnerabilities can be defined. Out of scope: To list vulnerabilities that NFV suffers from that are no different from pre-existing vulnerabilities of networking and virtualisation technologies and are not altered
16、by the virtualisation of network functions. Intended audience: Security experts wanting to deploy NFV but needing to identify and solve potential security issues and then to attain security accreditation for systems. Ultimate goal of the NFV Security Expert Group: Identify and propose solutions to a
17、ny new vulnerabilities that result from the introduction of NFV. To enable checks for these vulnerabilities to be incorporated into processes for security accreditation of products based on NFV. 2 References References are either specific (identified by date of publication and/or edition number or v
18、ersion number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies. Referenced documents which are not found to be publicly available in the expected location might be
19、found at http:/docbox.etsi.org/Reference. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. 2.1 Normative references The following referenced documents are necessary for the application of the present document. N
20、ot applicable. 2.2 Informative references The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area. i.1 Homomorphic Encryption. NOTE: http:/en.wikipedia.org/wiki/Homomorphic_encryption. i.2 Trus
21、ted Computing Group. NOTE: http:/www.trustedcomputinggroup.org/. i.3 Unified Extensible Firmware Interface (UEFI) forum. NOTE: http:/www.uefi.org/home/. i.4 ISO/IEC 11889-1 (March 2009(en): “Trusted Platform Module - Part 1: Overview“. i.5 CERT Vulnerability Note VU#362332 (August 2010). i.6 NIST SP
22、 800-147 (April 2011): “Basic Input/Output System (BIOS) Protection Guidelines“. ETSI ETSI GS NFV-SEC 001 V1.1.1 (2014-10)7i.7 NIST SP 800-155 (December 2011): “DRAFT BIOS Integrity Measurement Guidelines“. i.8 TPM Main Specification (March 2011). NOTE: http:/www.trustedcomputinggroup.org/resources/
23、tpm_main_specification. i.9 Virtualized Trusted Platform Architecture Specification (September 2011). NOTE: http:/www.trustedcomputinggroup.org/resources/tpm_main_specification. i.10 NIST SP 800-147b (July 2012): “DRAFT BIOS Protection Guidelines for Servers“. i.11 NFV White paper (October 2012): “N
24、etwork Functions Virtualisation, An Introduction, Benefits, Enablers, Challenges Architectural Framework“. i.13 ETSI GS NFV 001: “Network Functions Virtualisation (NFV); Use Cases“. i.14 ETSI GS NFV INF 001-1 (V0.3.8 April 2014): “Network Functions Virtualisation; Infrastructure Architecture; Sub-pa
25、rt 1: Overview“, (work in progress). i.15 ETSI GS NFV 003: “Network Functions Virtualisation (NFV); Terminology for Main Concepts in NFV“. i.16 David Kleidermacher and Mike Kleidermacher: “Embedded Systems Security“, Newnes, April 2012. i.17 Rowan Klti, Vasileios Kotronis and Paul Smith: “OpenFlow:
26、A Security Analysis“. In Proc. Wkshp on Secure Network Protocols (NPSec). IEEE, October 2013. i.18 Diego Kreutz, Fernando M.V. Ramos and Paulo Verissimo: “Towards secure and dependable software-defined networks“. In Proc. 2nd ACM SIGCOMM workshop on Hot topics in software defined networks, HotSDN 13
27、, pages 55-60, New York, NY, USA, 2013. ACM. i.19 ONF Security Discussion Group. NOTE: https:/www.opennetworking.org/working-groups/discussion-groups. i.20 OpenFlow Switch Specification. NOTE: Available via http:/archive.openflow.org/wp/documents/. i.21 Recommendation ITU-T Y.3500 (July 2014) | Inte
28、rnational Standard ISO/IEC 17788 “Information technology - Cloud computing - Overview and Vocabulary“. i.22 Thomas Ristenpart, Eran Tromer, Hovav Shacham and Stefan Savage: “Hey, You, Get Off of My Cloud! Exploring Information Leakage in Third-Party Compute Clouds“. In Proc. Conference on Computer a
29、nd Communications Security (CCS09), pages 199-212. ACM, November 2009. i.23 Dawn Song, David Wagner and Adrian Perrig: “Search on Encrypted Data“. In Proc. IEEE Symposium on Security and Privacy, May 2000. i.24 IETF draft-mrw-sdnsec-openflow-analysis-02 (April 2013): “Security Analysis of the Open N
30、etworking Foundation (ONF) OpenFlow Switch Specification“, Margaret Wasserman and Sam Hartman, (work in progress). i.25 IEEE 802.1ah: “Provider Backbone Bridges“. i.26 IEEE 802.1ad: “Provider Bridges“. i.27 IETF draft-mahalingam-dutt-dcops-vxlan-09 (April 2014): “VXLAN: A Framework for Overlaying Vi
31、rtualized Layer 2 Networks over Layer 3 Networks“, M. Mahalingam and others, (work in progress). ETSI ETSI GS NFV-SEC 001 V1.1.1 (2014-10)8i.28 IETF draft-davie-stt-06 (April 2014): “A Stateless Transport Tunneling Protocol for Network Virtualization (STT)“, Bruce Davie and Jesse Gross, (work in pro
32、gress). i.29 IETF draft-sridharan-virtualization-nvgre-04 (February 2014): “NVGRE: Network Virtualization using Generic Routing Encapsulation“, Murari Sridharan and others, (work in progress). i.30 IETF RFC 3031 (January 2001): “Multiprotocol Label Switching Architecture“, Eric Rosen, Arun Viswanath
33、an and Ross Callon. i.31 ETSI/TC LI#35 LI(14)P35037r2 “NFV LI Considerations“. i.32 NFV White paper (October 2013): “Network Functions Virtualisation, Network Operator Perspectives on Industry Progress“. NOTE: http:/portal.etsi.org/NFV/NFV_White_Paper2.pdf. 3 Definitions and abbreviations 3.1 Defini
34、tions For the purposes of the present document, the terms and definitions given in ETSI GS NFV 003 i.15 and the following apply: Forwarding Function: provides forwarding connectivity between multiple (two or more) network interfaces NOTE 1: This distinguishes a Forwarding Function from just any netw
35、orked application. A Forwarding Function receives data at any of the interfaces, processes it, then outputs some transformation of the original to other network interface(s). EXAMPLE: Message routing or the filtering provided by a firewall. Some examples of other network functions are shown in Figur
36、e 1. NOTE 2: Some transformation is necessarily vague. It is meant to preclude server applications that might take in requests on one interface and send out responses on another. But it is meant to include, say, deep packet inspection or a packet filter that takes in data packets on one interface an
37、d forwards most to an output interface, but discards or re-orders some packets in the process. It also includes switches or network address translators that largely forward the data unchanged, but make a few focused changes to addresses. It even includes meters that take a packet flow as input and o
38、utput a stream of measurement data that summarises the characteristics of the input flows. NOTE 3: Although a Forwarding Function is defined by its multiple data interfaces, the definition does not preclude other interfaces for control (e.g. routing messages) and management - and these are certainly
39、 within scope of security problem analysis. NOTE 4: All Forwarding Functions are Network Functions, but some Network Functions do not involve forwarding. For instance, most directory, control or management functions are Network Functions but not Forwarding Functions. hypervisor: computer software, f
40、irmware or hardware running on a host computer that creates, runs and monitors guest virtual machines. NOTE: A hypervisor enables multiple instances of a variety of guest operating systems to share the virtualised hardware resources of the host. ETSI ETSI GS NFV-SEC 001 V1.1.1 (2014-10)93.2 Abbrevia
41、tions For the purposes of the present document, the abbreviations given in ETSI GS NFV 003 i.15 and the following apply: AAA Authentication, Authorization and Accounting API Application Programming Interface ASIC Application-Specific Integrated Circuit BGP Border Gateway Protocol (IETF) BIOS Basic I
42、nput/Output System CA Certification AuthoritiesCPU Central Processing Unit DMA Direct Memory AccessECDSA Elliptic Curve Digital Signature Algorithm FB Functional Block FTP File Transfer Protocol (IETF) GRE Generic Routing Encapsulation (IETF) GS Group Specification (ETSI) I/O Input/Output IDS Intrus
43、ion Detection System IETF Internet Engineering Task Force IOMMU I/O Memory Management Unit ISG Industry Specification Group (ETSI) IS-IS Intermediate System to Intermediate System (IETF) ISO International Organisation for Standardization IT Information Technology JTAG Joint Test Action Group LAN Loc
44、al Area Network LI Lawful Interception (ETSI TC) LOM Lights-Out Management MAC Medium/Media Access Control MANO Management 9 million IT servers are bought globally each year, but only 180 thousand edge routers. It is safe to predict that a network equipment facility will become physically the same a
45、s a data centre. Virtualised network functions will also be managed in common with IT management processes - as orchestrated remote software installations deployed independently to hardware upgrades. The transition towards network functions virtualisation will be incremental. As each bespoke applian
46、ce reaches the end of its life it will be replaced by a software equivalent. Independently, more server blades, storage or network interface cards will be plugged in to existing racks to provide the necessary hardware resources. For further information, see i.11 and for an update on industry activit
47、y on NFV see i.32. g47g374g282g286g393g286g374g282g286g374g410g94g381g296g410g449g258g396g286g3g115g286g374g282g381g396g400g17g90g4g94g38g349g396g286g449g258g367g367g24g87g47g18g24g69g100g286g400g410g286g396g876g89g381g28g373g381g374g349g410g381g396g116g4g69g4g272g272g286g367g286g396g258g410g349g381
48、g374g68g286g400g400g258g336g286g90g381g437g410g286g396g90g258g282g349g381g3g69g286g410g449g381g396g364g18g381g374g410g396g381g367g367g286g396g18g258g396g396g349g286g396g39g396g258g282g286g3g69g4g100g94g286g400g400g349g381g374g3g17g381g396g282g286g396g18g381g374g410g396g381g367g367g286g396g18g367g258
49、g400g400g349g272g258g367g3g69g286g410g449g381g396g364g3g4g393g393g367g349g258g374g272g286g4g393g393g396g381g258g272g346g87g28g3g90g381g437g410g286g396g94g39g94g69g876g39g39g94g69g39g286g374g286g396g349g272g3g44g349g336g346g3g115g381g367g437g373g286g28g410g346g286g396g374g286g410g3g94g449g349g410g272g346g286g400g39g286g374g286g396g349g272g3g44g349g336g346g3g115g381g367g437g373g286g3g94g286g396g448g286g396g400g39g286g374g286g396g349g272g3g44g349g336g346g3g115g381g367g437g373g286g3g94g410g38
