ETSI GR NFV-SEC 003 V1.3.1 (2024-12)

GROUP REPORT
Network Functions Virtualisation (NFV);
NFV Security;
Security and Trust Guidance
Disclaimer
The present document has been produced and approved by the Network Functions Virtualisation (NFV) ETSI Industry
Specification Group (ISG) and represents the views of those members who participated in this ISG.
It does not necessarily represent the views of the entire ETSI membership.

2 ETSI GR NFV-SEC 003 V1.3.1 (2024-12)

Reference
RGR/NFV-SEC003ed131
Keywords
ICT, NFV, security
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - APE 7112B
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° w061004871

Important notice
The present document can be downloaded from the
ETSI Search & Browse Standards application.
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI
deliverable is the one made publicly available in PDF format on ETSI deliver repository.
Users should be aware that the present document may be revised or have its status changed,
this information is available in the Milestones listing.
If you find errors in the present document, please send your comments to
the relevant service listed under Committee Support Staff.
If you find a security vulnerability in the present document, please report it through our
Coordinated Vulnerability Disclosure (CVD) program.
Notice of disclaimer & limitation of liability
The information provided in the present deliverable is directed solely to professionals who have the appropriate degree of
experience to understand and interpret its content in accordance with generally accepted engineering or
other professional standard and applicable regulations.
No recommendation as to products and services or vendors is made or should be implied.
No representation or warranty is made that this deliverable is technically accurate or sufficient or conforms to any law
and/or governmental rule and/or regulation and further, no representation or warranty is made of merchantability or fitness
for any particular purpose or against infringement of intellectual property rights.
In no event shall ETSI be held liable for loss of profits or any other incidental or consequential damages.

Any software contained in this deliverable is provided "AS IS" with no warranties, express or implied, including but not
limited to, the warranties of merchantability, fitness for a particular purpose and non-infringement of intellectual property
rights and ETSI shall not be held liable in any event for any damages whatsoever (including, without limitation, damages
for loss of profits, business interruption, loss of information, or any other pecuniary loss) arising out of or related to the use
of or inability to use the software.
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and
microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2024.
All rights reserved.
ETSI
3 ETSI GR NFV-SEC 003 V1.3.1 (2024-12)
Contents
Intellectual Property Rights . 7
Foreword . 7
Modal verbs terminology . 7
1 Scope . 8
2 References . 8
2.1 Normative references . 8
2.2 Informative references . 8
3 Definition of terms, symbols and abbreviations . 8
3.1 Terms . 8
3.2 Symbols . 8
3.3 Abbreviations . 9
4 Network Function Virtualisation Security. 10
4.1 NFV High-Level Security Goals . 10
4.2 NFV Security Use Case Summaries . 11
4.2.0 General . 11
4.2.1 Intra-VNFSec: Security within Virtual Network Functions . 11
4.2.1.0 General . 11
4.2.1.1 VNFC-Specific Security Use Cases . 11
4.2.1.1.0 General . 11
4.2.1.1.1 VNFC Creation . 11
4.2.1.1.2 VNFC Deletion . 12
4.2.1.1.3 VNFC Configuration and Package Management . 12
4.2.1.1.4 VNFCI Migration . 12
4.2.1.1.5 VNFC Operational State Changes . 12
4.2.1.1.6 VNFC Topology Changes . 13
4.2.1.1.7 VNFC Scale-Up and Scale-Down . 13
4.2.1.1.8 VNFC Scale-In and Scale-Out . 13
4.2.2 Infra-VNFSec: Security between Virtual Network Functions . 13
4.2.3 Extra-VNFSec: Security external to Virtual Network Functions . 13
4.3 NFV External Operational Environment . 14
4.3.0 General . 14
4.3.1 External Physical Security Guidance . 14
4.3.2 External Hardware Guidance . 14
4.3.3 External Service Guidance . 15
4.3.3.1 DNS. 15
4.3.3.2 IP Addressing, DHCP and Routing . 15
4.3.3.3 Time Services and NTP . 15
4.3.3.4 Geolocation . 15
4.3.3.5 Security Visibility and Testing . 15
4.3.3.6 Certificate Authority . 15
4.3.3.7 Identity and Access Management . 16
4.3.4 External Policies, Processes and Practices Guidance . 16
4.3.4.0 General . 16
4.3.4.1 Regulatory Compliance Considerations for NFV . 16
4.3.4.2 Forensic Considerations for NFV . 16
4.3.4.3 Legal/Lawful Intercept Considerations for NFV . 16
4.3.4.4 Considerations for NFV Analytics and Service Level Agreements (SLAs) . 16
4.4 NFV Security Management Lifecycle . 16
4.4.0 General . 16
4.4.1 NFV Threat Landscape . 17
4.4.1.0 General . 17
4.4.1.1 Threat Vectors, Monitoring and Detection . 18
4.4.2 NFV Platform Guidance . 18
4.4.2.0 General . 18
ETSI
4 ETSI GR NFV-SEC 003 V1.3.1 (2024-12)
4.4.2.1 Platform visibility and validation . 18
4.4.2.1.0 General . 18
4.4.2.1.1 Workload Visibility into Physical and Virtualised Resources . 19
4.4.2.1.2 Introspection . 20
4.4.2.2 Access Visibility for Data and Control Packets in Virtualised Environment . 20
4.4.2.3 Validation of Root of Trust and Chain of Trust . 21
4.4.2.4 Services validation . 21
4.4.3 Certificate, Credential and Key Management within NFV . 21
4.4.3.1 Certificate management . 21
4.4.3.2 Credential Management . 21
4.4.3.2.0 General . 21
4.4.3.2.1 Void . 22
4.4.3.2.2 Role of Identity, keys and certificates . 22
4.4.3.2.3 Credential Injection by hypervisor . 22
4.4.3.3 Key Management . 23
4.4.3.3.0 General . 23
4.4.3.3.1 Key Management and security within cloned images . 23
4.4.3.3.2 Key Management and security within migrated images . 23
4.4.3.3.3 Self-generation of key pairs . 23
4.4.4 Multiparty Administrative domains . 23
4.4.4.1 Rational . 23
4.4.4.2 Administrative domains . 23
4.4.4.3 Infrastructure Domain . 24
4.4.4.4 Tenant Domain . 24
4.4.4.5 Implications . 24
4.4.4.6 Inter-Domain functional blocks and reference points . 25
4.4.4.6.1 Network Service Orchestration . 25
4.4.4.6.2 Infrastructure Orchestration . 25
4.4.4.6.3 VNF-Specific Lifecycle Management . 25
4.4.4.6.4 Generic VNF Lifecycle Management . 25
4.4.4.6.5 Inter-Orchestration (Os-Ma) . 25
4.4.4.6.6 Inter-VNFM (Ve-Vnfm) . 25
4.4.4.7 VNF Package and Image Management . 25
4.4.4.7.0 General . 25
4.4.4.7.1 Integrity checks . 26
4.4.4.7.2 Trust checks . 26
4.4.4.8 VNFC Security Overview . 26
4.4.4.8.0 General . 26
4.4.4.8.1 VNFC security scope . 26
4.4.4.9 VNFC Lifecycle Security - Statement of the problem . 27
4.4.4.10 Security Approach . 28
4.4.5 VNF Instantiation . 29
4.4.5.0 General . 29
4.4.5.1 Trustworthy Boot . 29
4.4.5.2 Virtual Trusted Platform Module (VTPM) . 30
4.4.5.3 Attestation . 30
4.4.5.4 Attribution . 30
4.4.5.5 Authenticity . 30
4.4.5.6 Authentication . 30
4.4.5.6.1 User/Tenant Authentication, Authorization and Accounting . 30
4.4.5.7 Authorization . 32
4.4.5.8 Interface Instantiation . 32
4.4.5.9 Levels of assurance . 32
4.4.5.10 Logging, Reporting, Analytics and Metrics . 32
4.4.6 VNF Operation . 33
4.4.6.1 Planned operational lifecycle events . 33
4.4.6.2 VNFC Lifecycle control and authorization . 33
4.4.6.3 Dynamic State Management . 34
4.4.6.3.0 General . 34
4.4.6.3.1 Provision by trusted party - network . 34
4.4.6.3.2 Provision by trusted party - storage . 34
4.4.6.4 Dynamic Integrity Management . 34
ETSI
5 ETSI GR NFV-SEC 003 V1.3.1 (2024-12)
4.4.6.4.1 Secured crash and recovery . 34
4.4.6.5 Application Programming Interfaces (APIs) . 35
4.4.7 VNF Retirement . 35
4.4.7.0 General . 35
4.4.7.1 License retirement . 35
4.4.7.2 Secured wipe . 35
4.5 NVF Security Technologies . 36
4.5.0 General . 36
4.5.1 Technologies and Processes . 36
5 Trusted Network Function Virtualisation . 37
5.1 NFV High-Level Trust Goals . 37
5.1.0 General . 37
5.1.1 Assigning trust . 38
5.1.1.1 Why assign trust? . 38
5.1.1.2 How to assign trust . 38
5.1.2 Evaluating and validating trust . 39
5.1.2.0 General . 39
5.1.2.1 Parameters for trust evaluation . 39
5.1.2.2 Methods for trust evaluation . 40
5.1.3 Re-evaluating trust . 40
5.1.4 Invalidating trust . 41
5.1.5 Re-establishing trust . 41
5.1.5.0 General . 41
5.1.5.1 Delegation up the chain of trust . 42
5.1.5.2 Peer-mediated distrust . 42
5.1.6 Delegating trust . 42
5.1.6.0 General . 42
5.1.6.1 Directly delegated trust . 43
5.1.6.2 Collaborative trust . 44
5.1.6.3 Transitive trust . 45
5.1.6.4 Reputational trust . 45
5.1.7 Scope of trust . 45
5.1.7.0 General . 45
5.1.7.1 Trust manager . 46
5.2 NFV Trust Use Case Summaries . 46
5.2.0 General . 46
5.2.1 Intra-VNF Trust: Trust within Virtual Network Functions . 46
5.2.2 Inter-VNF Trust: Trust between Virtual Network Functions . 47
5.2.2.0 General . 47
5.2.2.1 Managing trust between a VNF instance and its VNFM. 47
5.2.2.1.0 General . 47
5.2.2.1.1 VNF instance's trusting of the VNFM . 48
5.2.2.1.2 VNFM's trusting of the VNF instance . 48
5.2.2.2 Managing trust between VNF instances . 48
5.2.3 Extra-VNF Trust: Trust external to Virtual Network Functions . 49
5.2.3.0 General . 49
5.2.3.1 Establishing trust in a VNF Package for deployment . 49
5.2.3.1.0 General . 49
5.2.3.1.1 NFVI domain . 50
5.2.3.1.2 Management and Operations domain . 50
5.2.3.1.3 VNF provider . 51
5.3 Trust between Management and Orchestration entities . 52
5.3.0 General . 52
5.3.1 Management and Orchestration infrastructure . 52
5.3.2 Implications of long-lived entities . 53
5.4 NFV Trusted Lifecycle Management . 53
5.4.0 General . 53
5.4.1 Objectives and Policy . 53
5.4.2 Defining a Chain of Trust . 54
5.4.3 Establishing Roots of Trust for VNFs . 54
5.4.3.0 General . 54
ETSI
6 ETSI GR NFV-SEC 003 V1.3.1 (2024-12)
5.4.3.1 Initial VNFC root of trust establishment . 54
5.4.3.1.0 General . 54
5.4.3.1.1 Multicast . 55
5.4.3.1.2 Injection by hypervisor . 55
5.4.3.1.3 Initial image . 55
5.4.3.1.4 Hypervisor . 55
5.4.3.1.5 VNFC OS and application . 56
5.4.3.1.6 Deployment state . 57
Annex A: Void . 58
Annex B: Bibliography . 59
Annex C: Change history . 60
History . 61

ETSI
7 ETSI GR NFV-SEC 003 V1.3.1 (2024-12)
Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The declarations
pertaining to these essential IPRs, if any, are publicly available for ETSI members and non-members, and can be
found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to
ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the
ETSI IPR online database.
Pursuant to the ETSI Directives including the ETSI IPR Policy, no investigation regarding the essentiality of IPRs,
including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not
referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become,
essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are trademarks of ETSI registered for the benefit of its
Members. 3GPP™, LTE™ and 5G™ logo are trademarks of ETSI registered for the benefit of its Members and of the
3GPP Organizational Partners. oneM2M™ logo is a trademark of ETSI registered for the benefit of its Members and of ®
the oneM2M Partners. GSM and the GSM logo are trademarks registered and owned by the GSM Association.
Foreword
This Group Report (GR) has been produced by ETSI Industry Specification Group (ISG) Network Functions
Virtualisation (NFV).
Modal verbs terminology
In the present document "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be
interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
ETSI
8 ETSI GR NFV-SEC 003 V1.3.1 (2024-12)
1 Scope
The present document has been developed to describe the security and trust guidance that is unique to NFV
development, architecture and operation. Guidance consists of items to consider that may be unique to the environment
or deployment. Supplied guidance does not consist of prescriptive requirements or specific implementation details,
which should be built from the considerations supplied.
Guidance is based on defined use cases, included in the present document, that are derived from the Security Problem
Statement in ETSI GS NFV-SEC 001 [i.5] and are unique to NFV. Relevant external guidance will be referenced,
where available.
2 References
2.1 Normative references
Normative references are not applicable in the present document.
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] ETSI GS NFV 001: "Network Functions Virtualisation (NFV); Use Cases".
[i.2] CSA CloudTrust.
[i.3] ETSI GS NFV-SWA 001: "Network Functions Virtualisation (NFV); Virtual Network Functions
Architecture".
[i.4] UEFI specifications: "Unified Extensible Firmware Interface (UEFI) Specification", Unified
Extensible Firmware Interface Forum, 2016.
[i.5] ETSI GS NFV-SEC 001: " Network Functions Virtualisation (NFV); NFV Security; Problem
Statement.
3 Definition of terms, symbols and abbreviations
3.1 Terms
Void.
3.2 Symbols
Void.
ETSI
9 ETSI GR NFV-SEC 003 V1.3.1 (2024-12)
3.3 Abbreviations
For the purposes of the present document, the following abbreviations apply:
AAA Authentication, Authorization and Accounting
ABAC Attribute-Based Access Control
ACL Access Control List
API Application Programming Interface
BIOS Basic Input Output System
CA Certificate Authority
CDN Content Distribution Network
CLI Command Line Interface
CPU Central Processing Unit
CPUID CPU IDentifier
CSA Cloud Security Alliance
DDoS Distributed Denial of Service
DHCP Dynamic Host Configuration Protocol
DMA Direct Memory Access
DNA DeoxyriboNucleic Acid
DNS Domain Naming Service
DoS Denial of Service
DPI Deep Packet Inspection
DRM Digital Rights Management
DRTM Dynamic Root of Trust for Measurement
EM Element Manager
EMS Element Management System
EPC Evolved Packet Core
FCAPS Fault, Configuration, Accounting, Performance and Security
FIPS Federal Information Processing Standards
GPS Global Positioning System
GTP-C GPRS Tunnelling Protocol-Control
GTP-U GPRS Tunnelling Protocol-User Data Tunnelling
GUI Graphical User Interface
HBRT Hardware Based Root of Trust
HSM Hardware Security Module
HSS Home Subscriber Server
HVM Hardware Virtual Machine
IAM Identity and Access Management
IMS IP Multimedia Subsystem
IMSI International Mobile Subscriber Identity
IO Input/Output
IP Intellectual Property
IT Information Technology
JVM Java™ Virtual Machines
LI Lawful Intercept
LUN Logical Unit Number
LXC Linux™ Containers
MAC Media Access Control
MANO MANagement and Orchestration
MME Mobile Management Entity
NE Network Element
NF Network Function
NFV Network Function Virtualisation
NFVI Network Function Virtualisation Infrastructure
NFVO Network Function Virtualisation Orchestrator
NIC Network Interface Card
NTP Network Time Protocol
OA&M Operations, Administration and Management
OS Operating System
OSS Operation Support System
PKI Public Key Infrastructure
ETSI
10 ETSI GR NFV-SEC 003 V1.3.1 (2024-12)
RADIUS RADIUS protocol
RAM Random Access Memory
RBAC Rights-Based Access Management
RGW Residential GateWay
SDN Software Defined Networking
SIP Session Initialization Protocol
SLA Service Level Agreement
SOC System and Organization Controls
SPAN Switched Port Analyser
SSAE Statement on Standards for Attestation Engagements
SVA Security Virtual Appliance
SWA SoftWare Architecture
TBOOT Trusted Boot
TOR Top Of Rack
TPM Trusted Platform Module
TXT Trusted eXecution Technology
UEFI Unified Extensible Firmware Interface
UUID Unique Universal IDentifier
VA Virtual Appliance
vFEP virtual Front End Processor
VIM Virtual Infrastructure Manager
VLAN Virtual Local Access Network
VM Virtual Machine
VMM Virtual Machine Monitor
vMME virtual Mobility Management Entity
VNF Virtual Network Function
VNFC Virtual Network Function Component
VNFCI Virtual Network Function Component Instance
VNFD Virtual Network Function Descriptor
VNFM Virtual Network Function Manager
vNIC virtual Network Interface Controller
VoLTE Voice over LTE
VPC Virtual Private Cloud
vSwitch virtual Switch
VTPM Virtual Trusted Platform Module
4 Network Function Virtualisation Security
4.1 NFV High-Level Security Goals
Security is Embedded in NFV DNA
Security is defined as the state of being protected (secured) as well as those measures applied to
achieve/maintain/validate protection.
The dynamic nature of Network Function Virtualisation demands that security technologies, policies, processes and
practices are embedded in the genetic fabric of NFV.
Additional high-level security goals for NFV include:
• Establish a secured baseline of guidance for NFV operation, while highlighting optional measures that enhance
security to be commensurate with risks to confidentiality, integrity and availability.
• Define areas of consideration where security technologies, practices and processes have different requirements
than non-NFV systems and operations.
• Supply guidance for the operational environment that supports and interfaces with NFV systems and
operations, but avoid redefining any security considerations that are not specific to NFV.
ETSI
11 ETSI GR NFV-SEC 003 V1.3.1 (2024-12)
NOTE: NFV security considerations are very similar to hypervisor-based virtualisation security considerations in
their architecture and interfaces. However, security architects and operations managers are instructed to
consider use cases beyond hypervisor-based constructs to include cloud orchestration, virtual appliances
and empower future innovations.
4.2 NFV Security Use Case Summaries
4.2.0 General
The following use cases describe the need for security within the VNF, between VNFs and secured interfaces and
interchanges external to the VNF. The use cases are summarized for brevity, highlighting important security functions
and considerations unique to NFV.
4.2.1 Intra-VNFSec: Security within Virtual Network Functions
4.2.1.0 General
Within the VNF, security measures and processes are required for VNF operations, for contained VNFC operations, and
for secured interface with external assets and services. Specifically, this clause describes the use cases that are unique
within a VNF.
4.2.1.1 VNFC-Specific Security Use Cases
4.2.1.1.0 General
Sensitive authentication data in workloads
NFV workloads routinely possess sensitive authentication data used for authenticating the workload, its processes and
users. This sensitive authentication data can consist of passwords, private keys, cryptographic certificates, tokens and
other secrets. This data should be protected during all phases of the NFV security and trust lifecycle and should be
considered highly dynamic in nature, with updates likely during instantiation, hibernation/suspension, and VNF
retirement. NFV workloads containing sensitive authentication data reside within and may be described as VMs, VAs,
VNFs and VNFCs. Guidance for this use case should describe the processes, procedures and technologies unique to
NFV that would satisfy the use case, pointing to external best practices where available.
Function and capability authorization control for VNFs
There are many functions and capabilities that will be provided by various parts of a VNF and various different entities
within NFV may request that these functions and capabilities are employed. It is not always appropriate to provide
authorization for an entity to access these, even when the same entity has previously done so. Authorization for use of
these functions and capabilities may be controlled by a number of techniques and across a number of variables,
including identity, trust, joint or delegated decision making and API security.
Guidance for this use case should describe the key technologies for use
...