ETSI
Contents
Intellectual Property Rights
Foreword
Modal verbs terminology
1 Scope
2 References
2.1 Normative references
2.2 Informative references
3 Definitions and abbreviations
3.1 Definitions
3.2 Abbreviations
4 Industry Context
5 Security Reference Framework
5.1 Deployment Scenarios
5.2 Threat Surface
5.3 Attacker Profiles
6 Potential Areas of Concern
6.1 Topology Validation & Enforcement
6.1.1 Topology Validation Example
6.1.2 Validating the Topology of Virtualised Network Functions
6.1.3 Validating the Topology of the Infrastructure Network
6.1.3.1 SDN-specific issues
6.1.3.1.1 Hierarchies of control
6.1.3.1.2 Additional layers of hierarchy
6.1.3.1.3 Further issues
6.1.3.2 Issues specific to distributed (non-SDN) routing
6.1.3.3 Related issues
6.1.4 Topology Policy Validation & Enforcement
6.2 Availability of Management Support Infrastructure
6.3 Secured Boot
6.3.1 Background
6.3.2 Secure Boot and Trusted Boot Technology
6.3.3 Secured Boot Summary
6.4 Secure crash
6.5 Performance isolation
6.5.1 Network and I/O partitioning
6.5.2 Shared core partitioning
6.5.3 Acceleration hardware partitioning
6.5.4 Shared memory partitioning
6.5.5 Attacks on the resources of the virtualisation infrastructure
6.6 User/Tenant Authentication, Authorization and Accounting
6.7 Authenticated Time Service
6.8 Private Keys within Cloned Images
6.9 Back-Doors via Virtualised Test & Monitoring Functions
6.9.1 Operational Test, Monitoring and Fault Tracing
6.9.2 Developer's debug and test interfaces
6.9.2.1 Industry Experience Example 1
6.9.2.2 Industry Experience Example 2
6.9.2.3 Guidance for the NFV ISG working groups:
6.10 Multi-Administrator Isolation
7 General Concerns
7.1 Safety vs. Complexity