ETSI GS NFV-SEC 003 V1.1.1 (2014-12)

ETSI GS NFV-SEC 003 V1.1.1 (2014-12)






GROUP SPECIFICATION
Network Functions Virtualisation (NFV);
NFV Security;
Security and Trust Guidance
Disclaimer
This document has been produced and approved by the Network Functions Virtualisation (NFV) ETSI Industry Specification
Group (ISG) and represents the views of those members who participated in this ISG.
It does not necessarily represent the views of the entire ETSI membership.

---------------------- Page: 1 ----------------------
2 ETSI GS NFV-SEC 003 V1.1.1 (2014-12)



Reference
DGS/NFV-SEC003
Keywords
NFV, security
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
The present document can be downloaded from:
http://www.etsi.org
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2014.
All rights reserved.

TM TM TM
DECT , PLUGTESTS , UMTS and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
TM
3GPP and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
ETSI

---------------------- Page: 2 ----------------------
3 ETSI GS NFV-SEC 003 V1.1.1 (2014-12)
Contents
Intellectual Property Rights . 6
Foreword . 6
Modal verbs terminology . 6
1 Scope . 7
2 References . 7
2.1 Normative references . 7
2.2 Informative references . 7
3 Abbreviations . 7
4 Network Function Virtualisation Security. 9
4.1 NFV High-Level Security Goals . 9
4.2 NFV Security Use Case Summaries . 9
4.2.1 Intra-VNFSec: Security within Virtual Network Functions . 9
4.2.1.1 VNFC-Specific Security Use Cases . 10
4.2.1.1.1 VNFC Creation . 10
4.2.1.1.2 VNFC Deletion . 10
4.2.1.1.3 VNFC Configuration and Package Management . 10
4.2.1.1.4 VNFCI Migration . 11
4.2.1.1.5 VNFC Operational State Changes . 11
4.2.1.1.6 VNFC Topology Changes . 11
4.2.1.1.7 VNFC Scale-Up and Scale-Down . 11
4.2.1.1.8 VNFC Scale-In and Scale-Out . 11
4.2.2 Infra-VNFSec: Security between Virtual Network Functions . 12
4.2.3 Extra-VNFSec: Security external to Virtual Network Functions . 12
4.3 NFV External Operational Environment . 13
4.3.1 External Physical Security Guidance . 13
4.3.2 External Hardware Guidance . 13
4.3.3 External Service Guidance . 13
4.3.3.1 DNS. 13
4.3.3.2 IP Addressing, DHCP and Routing . 13
4.3.3.3 Time Services and NTP . 13
4.3.3.4 Geolocation . 13
4.3.3.5 Security Visibility and Testing . 13
4.3.3.6 Certificate Authority . 14
4.3.3.7 Identity and Access Management . 14
4.3.4 External Policies, Processes and Practices Guidance . 14
4.3.4.1 Regulatory Compliance Considerations for NFV . 14
4.3.4.2 Forensic Considerations for NFV . 14
4.3.4.3 Legal/Lawful Intercept Considerations for NFV . 14
4.3.4.4 Considerations for NFV Analytics and Service Level Agreements (SLAs) . 14
4.4 NFV Security Management Lifecycle . 15
4.4.1 NFV Threat Landscape . 15
4.4.1.1 Threat Vectors, Monitoring and Detection . 16
4.4.2 NFV Platform Guidance . 16
4.4.2.1 Platform visibility and validation . 16
4.4.2.1.1 Workload Visibility into Physical and Virtualised Resources . 16
4.4.2.1.2 Introspection . 18
4.4.2.2 Access Visibility for Data and Control Packets in Virtualised Environment . 18
4.4.2.3 Validation of Root of Trust and Chain of Trust . 19
4.4.2.4 Services validation . 19
4.4.3 Certificate, Credential and Key Management within NFV . 19
4.4.3.1 Certificate management . 19
4.4.3.2 Credential Management . 19
4.4.3.2.1 Dynamic Credential Management . 19
ETSI

---------------------- Page: 3 ----------------------
4 ETSI GS NFV-SEC 003 V1.1.1 (2014-12)
4.4.3.2.2 Role of Identity, keys and certificates . 19
4.4.3.2.3 Credential Injection by hypervisor . 20
4.4.3.3 Key Management . 20
4.4.3.3.1 Key Management and security within cloned images . 20
4.4.3.3.2 Key Management and security within migrated images . 21
4.4.3.3.3 Self-generation of key pairs . 21
4.4.4 Multiparty Administrative domains . 21
4.4.4.1 Rational . 21
4.4.4.2 Administrative domains . 21
4.4.4.3 Infrastructure Domain . 22
4.4.4.4 Tenant Domain . 22
4.4.4.5 Implications . 22
4.4.4.6 Inter-Domain functional blocks and reference points . 23
4.4.4.6.1 Network Service Orchestration . 23
4.4.4.6.2 Infrastructure Orchestration . 23
4.4.4.6.3 VNF-Specific Lifecycle Management . 23
4.4.4.6.4 Generic VNF Lifecycle Management . 23
4.4.4.6.5 Inter-Orchestration (Os-Ma) . 23
4.4.4.6.6 Inter-VNFM (Ve-Vnfm) . 23
4.4.4.7 VNF Package and Image Management . 23
4.4.4.7.1 Integrity checks . 24
4.4.4.7.2 Trust checks . 24
4.4.4.8 VNFC Security Overview . 24
4.4.4.8.1 VNFC security scope . 24
4.4.4.9 VNFC Lifecycle Security - Statement of the problem . 25
4.4.4.10 Security Approach . 26
4.4.5 VNF Instantiation . 27
4.4.5.1 Secured Boot . 27
4.4.5.2 VTPM (Virtual Trusted Platform Module) . 28
4.4.5.3 Attestation . 28
4.4.5.4 Attribution . 28
4.4.5.5 Authenticity . 28
4.4.5.6 Authentication . 28
4.4.5.6.1 User/Tenant Authentication, Authorization and Accounting . 28
4.4.5.7 Authorization . 30
4.4.5.8 Interface Instantiation . 30
4.4.5.9 Levels of assurance . 30
4.4.5.10 Logging, Reporting, Analytics and Metrics . 30
4.4.6 VNF Operation . 31
4.4.6.1 Planned operational lifecycle events . 31
4.4.6.2 VNFC Lifecycle control and authorization . 31
4.4.6.3 Dynamic State Management . 32
4.4.6.3.1 Provision by trusted party - network . 32
4.4.6.3.2 Provision by trusted party - storage . 32
4.4.6.4 Dynamic Integrity Management . 32
4.4.6.4.1 Secured crash and recovery . 32
4.4.6.5 Application Programming Interfaces (APIs) . 32
4.4.7 VNF Retirement . 32
4.4.7.1 License retirement . 33
4.4.7.2 Secured wipe . 33
4.5 NVF Security Technologies . 33
4.5.1 Technologies and Processes . 34
5 Trusted Network Function Virtualisation . 34
5.1 NFV High-Level Trust Goals . 34
5.1.1 Assigning trust . 35
5.1.1.1 Why assign trust? . 35
5.1.1.2 How to assign trust . 35
5.1.2 Evaluating and validating trust . 36
5.1.2.1 Parameters for trust evaluation . 36
5.1.2.2 Methods for trust evaluation . 37
5.1.3 Re-evaluating trust . 37
ETSI

---------------------- Page: 4 ----------------------
5 ETSI GS NFV-SEC 003 V1.1.1 (2014-12)
5.1.4 Invalidating trust . 38
5.1.5 Re-establishing trust . 39
5.1.5.1 Delegation up the chain of trust . 39
5.1.5.2 Peer-mediated distrust . 39
5.1.6 Delegating trust . 40
5.1.6.1 Directly delegated trust . 41
5.1.6.2 Collaborative trust . 41
5.1.6.3 Transitive trust . 42
5.1.6.4 Reputational trust . 43
5.1.7 Scope of trust . 43
5.1.7.1 Trust manager . 43
5.2 NFV Trust Use Case Summaries . 44
5.2.1 Intra-VNF Trust: Trust within Virtual Network Functions . 44
5.2.2 Inter-VNF Trust: Trust between Virtual Network Functions . 44
5.2.2.1 Managing trust between a VNF instance and its VNFM. 45
5.2.2.1.1 VNF instance's trusting of the VNFM . 45
5.2.2.1.2 VNFM's trusting of the VNF instance . 45
5.2.2.2 Managing trust between VNF instances . 46
5.2.3 Extra-VNF Trust: Trust external to Virtual Network Functions . 47
5.2.3.1 Establishing trust in a VNF Package for deployment . 47
5.2.3.1.1 NFVI domain . 47
5.2.3.1.2 Management and Operations domain . 48
5.2.3.1.3 VNF provider . 49
5.3 Trust between Management and Orchestration entities . 49
5.3.1 Management and Orchestration infrastructure . 50
5.3.2 Implications of long-lived entities . 50
5.4 NFV Trusted Lifecycle Management . 51
5.4.1 Objectives and Policy . 51
5.4.2 Defining a Chain of Trust . 52
5.4.3 Establishing Roots of Trust for VNFs . 52
5.4.3.1 Initial VNFC root of trust establishment . 52
5.4.3.1.1 Multicast . 53
5.4.3.1.2 Injection by hypervisor . 53
5.4.3.1.3 Initial image . 53
5.4.3.1.4 Hypervisor . 53
5.4.3.1.5 VNFC OS and application . 53
5.4.3.1.6 Deployment state . 54
Annex A (informative): Authors & contributors . 55
Annex B (informative): Bibliography . 56
History . 57

ETSI

---------------------- Page: 5 ----------------------
6 ETSI GS NFV-SEC 003 V1.1.1 (2014-12)
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (http://ipr.etsi.org).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Group Specification (GS) has been produced by ETSI Industry Specification Group (ISG) Network Functions
Virtualisation (NFV).
Modal verbs terminology
In the present document "shall", "shall not", "should", "should not", "may", "may not", "need", "need not", "will",
"will not", "can" and "cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms
for the expression of provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
ETSI

---------------------- Page: 6 ----------------------
7 ETSI GS NFV-SEC 003 V1.1.1 (2014-12)
1 Scope
The present document has been developed to describe the security and trust guidance that is unique to NFV
development, architecture and operation. Guidance consists of items to consider that may be unique to the environment
or deployment. Supplied guidance does not consist of prescriptive requirements or specific implementation details,
which should be built from the considerations supplied.
Guidance is based on defined use cases, included in the present document, that are derived from the Security Problem
Statement and are unique to NFV. Relevant external guidance will be referenced, where available.
2 References
2.1 Normative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
http://docbox.etsi.org/Reference.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are necessary for the application of the present document.
[1] ETSI GS NFV 001: "Network Functions Virtualisation (NFV); Use Cases".
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are not
...