1、 ETSI GS NFV-SEC 003 V1.1.1 (2014-12) Network Functions Virtualisation (NFV); NFV Security; Security and Trust Guidance Disclaimer This document has been produced and approved by the Network Functions Virtualisation (NFV) ETSI Industry Specification Group (ISG) and represents the views of those memb
2、ers who participated in this ISG. It does not necessarily represent the views of the entire ETSI membership. GROUP SPECIFICATION ETSI ETSI GS NFV-SEC 003 V1.1.1 (2014-12)2Reference DGS/NFV-SEC003 Keywords NFV, security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 9
3、2 94 42 00 Fax: +33 4 93 65 47 16 Siret N 348 623 562 00017 - NAF 742 C Association but non lucratif enregistre la Sous-Prfecture de Grasse (06) N 7803/88 Important notice The present document can be downloaded from: http:/www.etsi.org The present document may be made available in electronic version
4、s and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
5、 print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is availab
6、le at http:/portal.etsi.org/tb/status/status.asp If you find errors in the present document, please send your comment to one of the following services: http:/portal.etsi.org/chaircor/ETSI_support.asp Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic
7、 or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media. European Telecommu
8、nications Standards Institute 2014. All rights reserved. DECTTM, PLUGTESTSTM, UMTSTMand the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPPTM and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and t
9、he GSM logo are Trade Marks registered and owned by the GSM Association. ETSI ETSI GS NFV-SEC 003 V1.1.1 (2014-12)3Contents Intellectual Property Rights 6g3Foreword . 6g3Modal verbs terminology 6g31 Scope 7g32 References 7g32.1 Normative references . 7g32.2 Informative references 7g33 Abbreviations
10、. 7g34 Network Function Virtualisation Security 9g34.1 NFV High-Level Security Goals 9g34.2 NFV Security Use Case Summaries . 9g34.2.1 Intra-VNFSec: Security within Virtual Network Functions . 9g34.2.1.1 VNFC-Specific Security Use Cases 10g34.2.1.1.1 VNFC Creation 10g34.2.1.1.2 VNFC Deletion 10g34.2
11、.1.1.3 VNFC Configuration and Package Management 10g34.2.1.1.4 VNFCI Migration 11g34.2.1.1.5 VNFC Operational State Changes . 11g34.2.1.1.6 VNFC Topology Changes . 11g34.2.1.1.7 VNFC Scale-Up and Scale-Down . 11g34.2.1.1.8 VNFC Scale-In and Scale-Out 11g34.2.2 Infra-VNFSec: Security between Virtual
12、Network Functions 12g34.2.3 Extra-VNFSec: Security external to Virtual Network Functions 12g34.3 NFV External Operational Environment 13g34.3.1 External Physical Security Guidance 13g34.3.2 External Hardware Guidance 13g34.3.3 External Service Guidance 13g34.3.3.1 DNS. 13g34.3.3.2 IP Addressing, DHC
13、P and Routing . 13g34.3.3.3 Time Services and NTP 13g34.3.3.4 Geolocation . 13g34.3.3.5 Security Visibility and Testing 13g34.3.3.6 Certificate Authority . 14g34.3.3.7 Identity and Access Management . 14g34.3.4 External Policies, Processes and Practices Guidance . 14g34.3.4.1 Regulatory Compliance C
14、onsiderations for NFV . 14g34.3.4.2 Forensic Considerations for NFV . 14g34.3.4.3 Legal/Lawful Intercept Considerations for NFV 14g34.3.4.4 Considerations for NFV Analytics and Service Level Agreements (SLAs) . 14g34.4 NFV Security Management Lifecycle 15g34.4.1 NFV Threat Landscape . 15g34.4.1.1 Th
15、reat Vectors, Monitoring and Detection 16g34.4.2 NFV Platform Guidance . 16g34.4.2.1 Platform visibility and validation 16g34.4.2.1.1 Workload Visibility into Physical and Virtualised Resources . 16g34.4.2.1.2 Introspection 18g34.4.2.2 Access Visibility for Data and Control Packets in Virtualised En
16、vironment 18g34.4.2.3 Validation of Root of Trust and Chain of Trust 19g34.4.2.4 Services validation 19g34.4.3 Certificate, Credential and Key Management within NFV . 19g34.4.3.1 Certificate management 19g34.4.3.2 Credential Management 19g34.4.3.2.1 Dynamic Credential Management . 19g3ETSI ETSI GS N
17、FV-SEC 003 V1.1.1 (2014-12)44.4.3.2.2 Role of Identity, keys and certificates . 19g34.4.3.2.3 Credential Injection by hypervisor 20g34.4.3.3 Key Management 20g34.4.3.3.1 Key Management and security within cloned images . 20g34.4.3.3.2 Key Management and security within migrated images 21g34.4.3.3.3
18、Self-generation of key pairs . 21g34.4.4 Multiparty Administrative domains 21g34.4.4.1 Rational . 21g34.4.4.2 Administrative domains 21g34.4.4.3 Infrastructure Domain . 22g34.4.4.4 Tenant Domain 22g34.4.4.5 Implications. 22g34.4.4.6 Inter-Domain functional blocks and reference points . 23g34.4.4.6.1
19、 Network Service Orchestration . 23g34.4.4.6.2 Infrastructure Orchestration . 23g34.4.4.6.3 VNF-Specific Lifecycle Management . 23g34.4.4.6.4 Generic VNF Lifecycle Management 23g34.4.4.6.5 Inter-Orchestration (Os-Ma) 23g34.4.4.6.6 Inter-VNFM (Ve-Vnfm) 23g34.4.4.7 VNF Package and Image Management . 2
20、3g34.4.4.7.1 Integrity checks . 24g34.4.4.7.2 Trust checks. 24g34.4.4.8 VNFC Security Overview . 24g34.4.4.8.1 VNFC security scope. 24g34.4.4.9 VNFC Lifecycle Security - Statement of the problem 25g34.4.4.10 Security Approach . 26g34.4.5 VNF Instantiation . 27g34.4.5.1 Secured Boot . 27g34.4.5.2 VTP
21、M (Virtual Trusted Platform Module) . 28g34.4.5.3 Attestation . 28g34.4.5.4 Attribution . 28g34.4.5.5 Authenticity . 28g34.4.5.6 Authentication . 28g34.4.5.6.1 User/Tenant Authentication, Authorization and Accounting 28g34.4.5.7 Authorization 30g34.4.5.8 Interface Instantiation 30g34.4.5.9 Levels of
22、 assurance . 30g34.4.5.10 Logging, Reporting, Analytics and Metrics 30g34.4.6 VNF Operation . 31g34.4.6.1 Planned operational lifecycle events . 31g34.4.6.2 VNFC Lifecycle control and authorization . 31g34.4.6.3 Dynamic State Management . 32g34.4.6.3.1 Provision by trusted party - network . 32g34.4.
23、6.3.2 Provision by trusted party - storage . 32g34.4.6.4 Dynamic Integrity Management 32g34.4.6.4.1 Secured crash and recovery . 32g34.4.6.5 Application Programming Interfaces (APIs) . 32g34.4.7 VNF Retirement 32g34.4.7.1 License retirement . 33g34.4.7.2 Secured wipe . 33g34.5 NVF Security Technolog
24、ies . 33g34.5.1 Technologies and Processes 34g35 Trusted Network Function Virtualisation . 34g35.1 NFV High-Level Trust Goals . 34g35.1.1 Assigning trust 35g35.1.1.1 Why assign trust? 35g35.1.1.2 How to assign trust 35g35.1.2 Evaluating and validating trust . 36g35.1.2.1 Parameters for trust evaluat
25、ion 36g35.1.2.2 Methods for trust evaluation . 37g35.1.3 Re-evaluating trust 37g3ETSI ETSI GS NFV-SEC 003 V1.1.1 (2014-12)55.1.4 Invalidating trust . 38g35.1.5 Re-establishing trust . 39g35.1.5.1 Delegation up the chain of trust 39g35.1.5.2 Peer-mediated distrust . 39g35.1.6 Delegating trust . 40g35
26、.1.6.1 Directly delegated trust . 41g35.1.6.2 Collaborative trust . 41g35.1.6.3 Transitive trust 42g35.1.6.4 Reputational trust 43g35.1.7 Scope of trust 43g35.1.7.1 Trust manager . 43g35.2 NFV Trust Use Case Summaries 44g35.2.1 Intra-VNF Trust: Trust within Virtual Network Functions . 44g35.2.2 Inte
27、r-VNF Trust: Trust between Virtual Network Functions 44g35.2.2.1 Managing trust between a VNF instance and its VNFM. 45g35.2.2.1.1 VNF instances trusting of the VNFM . 45g35.2.2.1.2 VNFMs trusting of the VNF instance . 45g35.2.2.2 Managing trust between VNF instances 46g35.2.3 Extra-VNF Trust: Trust
28、 external to Virtual Network Functions . 47g35.2.3.1 Establishing trust in a VNF Package for deployment . 47g35.2.3.1.1 NFVI domain . 47g35.2.3.1.2 Management and Operations domain 48g35.2.3.1.3 VNF provider 49g35.3 Trust between Management and Orchestration entities 49g35.3.1 Management and Orchest
29、ration infrastructure 50g35.3.2 Implications of long-lived entities 50g35.4 NFV Trusted Lifecycle Management . 51g35.4.1 Objectives and Policy . 51g35.4.2 Defining a Chain of Trust . 52g35.4.3 Establishing Roots of Trust for VNFs 52g35.4.3.1 Initial VNFC root of trust establishment . 52g35.4.3.1.1 M
30、ulticast 53g35.4.3.1.2 Injection by hypervisor 53g35.4.3.1.3 Initial image . 53g35.4.3.1.4 Hypervisor . 53g35.4.3.1.5 VNFC OS and application . 53g35.4.3.1.6 Deployment state . 54g3Annex A (informative): Authors Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards“
31、, which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http:/ipr.etsi.org). Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not reference
32、d in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document. Foreword This Group Specification (GS) has been produced by ETSI Industry Specification Group (ISG) Network Functions Virtualisation (NFV). Modal verbs terminology In
33、the present document “shall“, “shall not“, “should“, “should not“, “may“, “may not“, “need“, “need not“, “will“, “will not“, “can“ and “cannot“ are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). “must“ and “must not“ are NOT a
34、llowed in ETSI deliverables except when used in direct citation. ETSI ETSI GS NFV-SEC 003 V1.1.1 (2014-12)71 Scope The present document has been developed to describe the security and trust guidance that is unique to NFV development, architecture and operation. Guidance consists of items to consider
35、 that may be unique to the environment or deployment. Supplied guidance does not consist of prescriptive requirements or specific implementation details, which should be built from the considerations supplied. Guidance is based on defined use cases, included in the present document, that are derived
36、 from the Security Problem Statement and are unique to NFV. Relevant external guidance will be referenced, where available. 2 References 2.1 Normative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific r
37、eferences, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies. Referenced documents which are not found to be publicly available in the expected location might be found at http:/docbox.etsi.org/Reference. NOTE
38、: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. The following referenced documents are necessary for the application of the present document. 1 ETSI GS NFV 001: “Network Functions Virtualisation (NFV); Use Cases“.
39、2.2 Informative references References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any am
40、endments) applies. NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity. The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a part
41、icular subject area. i.1 Popek and Goldberg 1974 paper: “Formal Requirements for Virtualizable Third Generation Architectures“. i.2 CSA CloudTrust. i.3 GS NFV-SWA 001: “Network Functions Virtualisation (NFV); Virtual Network Function Architecture“. 3 Abbreviations For the purposes of the present doc
42、ument, the following abbreviations apply: ABAC Attribute-Based Access Control API Application Programming Interface BIOS Basic Input Output System CA Certificate Authority ETSI ETSI GS NFV-SEC 003 V1.1.1 (2014-12)8CDN Content Distribution Network CLI Command Line Interface CPU Central Processing Uni
43、t CPUID CPU Identifier CSA Cloud Security Alliance DDoS Distributed Denial of Service DHCP Dynamic Host Configuration Protocol DMA Direct Memory Access DNA DeoxyriboNucleic AcidDNS Domain Naming Service DoS Denial of ServiceDPI Deep Packet Inspection DRM Digital Rights Management EM Element ManagerE
44、MS Element Management System FIPS Federal Information Processing Standards GPS Global Positioning System GTP-C GPRS Tunnelling Protocol-Control GTP-U GPRS Tunnelling Protocol-User Data Tunneling GUI Graphical User Interface HSM Hardware Security Module HSS Home Subscriber Server HVM Hardware Virtual
45、 Machine IAM Identity and Access Management IMS IP Multimedia Subsystem IMSI International Mobile Subscriber Identity IO Input/Output IP Intellectual Property IT Information Technology LI Lawful InterceptLUN Logical Unit Number MAC Media Access Control MANO Management and Orchestration MME Mobile Ma
46、nagement Entity NE Network Element NF Network FunctionNFV Network Function Virtualization NFVI Network Function Virtualization Infrastructure NFVO Network Function Virtualization Orchestrator NIC Network Interface Card NTP Network Time Protocol OA make unauthorized changes to NE configuration, etc.
47、Theft of Service: Attackers exploit a flaw to use services without being charged. For example, attacker exploits a flaw in HSS/PCRF/PCEF to use services without being charged. 4.4.2 NFV Platform Guidance This clause describes guidance for the hardware, software and service platform that directly sup
48、ports NFV resources. 4.4.2.1 Platform visibility and validation Platform visibility and validation describes the mechanisms to view and verify resources and services within the NFV environment. These capabilities are typically utilized to validate running processes, for workloads to have visibility
49、into their operating environment and resources, as well as for introspection into the virtual environment. 4.4.2.1.1 Workload Visibility into Physical and Virtualised Resources Workloads, including virtual machines, virtual appliances and VNFs need to have carefully prescribed interfaces into physical and virtualised resources to ensure appropriate visibility. In some instances, it is not permissible or desirable for a workload to have any visibility or knowledge as to the operating environment and whether the workload is running virtualised. In other instances, w
