Networking

The present document has been developed to describe the security and trust guidance that is unique to NFV development, architecture and operation. Guidance consists of items to consider that may be unique to the environment or deployment. Supplied guidance does not consist of prescriptive requirements or specific implementation details, which should be built from the considerations supplied.
 
Guidance is based on defined use cases, included in the present document, that are derived from the Security Problem Statement and are unique to NFV. Relevant external guidance will be referenced, where available.

The present document aims to:

• To identify potential security vulnerabilities of NFV and to determine whether they are new problems, or just existing problems in different guises.
• To provide a reference framework within which these vulnerabilities can be defined.

Out of scope: To list vulnerabilities that NFV suffers from that are no different from pre-existing vulnerabilities of networking and virtualisation technologies and are not altered by the virtualisation of network functions.
 
Intended audience: Security experts wanting to deploy NFV but needing to identify and solve potential security issues and then to attain security accreditation for systems.
 
Ultimate goal of the NFV Security Expert Group: Identify and propose solutions to any new vulnerabilities that result from the introduction of NFV. To enable checks for these vulnerabilities to be incorporated into processes for security accreditation of products based on NFV.

The present document outlines the requirements for integrity and authenticity protection by signing VNF Package artifacts and verifying these artifacts during instantiation. The present document also considers the confidentiality of VNF Package artifacts and outlines a process for the service provider to provide confidentiality during onboarding. The present document expands on requirements for security and integrity of a VNF Package that is defined in ETSI GS NFV-IFA 011, clause 6.2.4 and ETSI GS NFV-SOL 004, clause 5.
 
VNF Package security validation check during the onboarding is a crucial factor for the successful deployment of VNFs. During the onboarding, the authenticity and integrity of the VNF Package is verified against the signature provided by the VNF provider. There are more potential ways to exploit the VNF Packages while it is in the NFV- MANO domain (i.e. while the VNF package is stored within different NFV-MANO catalogues). The existing methods do not ensure that the operator has the opportunity and means to authorize VNF Packages for deployment on their network (e.g. avoid a VNF intended for one deployment scenario with a valid VNF provider certificate being loaded by an attacker into another network operator's catalogue). Furthermore, some operators might wish to undertake additional security validation of the VNF Package during the onboarding process and operator's signing could be used to certify the VNF as authorized to onboard into the operator's network.

The present document outlines the requirements for integrity and authenticity protection by signing VNF Package artifacts and verifying these artifacts during instantiation. The present document also considers the confidentiality of VNF Package artifacts and outlines a process for the service provider to provide confidentiality during onboarding. The present document expands on requirements for security and integrity of a VNF Package that is defined in ETSI GS NFV-IFA 011, clause 6.2.4 and ETSI GS NFV-SOL 004, clause 5.
 
VNF Package security validation check during the onboarding is a crucial factor for the successful deployment of VNFs. During the onboarding, the authenticity and integrity of the VNF Package is verified against the signature provided by the VNF provider. There are more potential ways to exploit the VNF Packages while it is in the NFV- MANO domain (i.e. while the VNF package is stored within different NFV-MANO catalogues). The existing methods do not ensure that the operator has the opportunity and means to authorize VNF Packages for deployment on their network (e.g. avoid a VNF intended for one deployment scenario with a valid VNF provider certificate being loaded by an attacker into another network operator's catalogue). Furthermore, some operators might wish to undertake additional security validation of the VNF Package during the onboarding process and operator's signing could be used to certify the VNF as authorized to onboard into the operator's network.

The present document specifies common aspects of RESTful protocols and data models for ETSI NFV management and orchestration (MANO) interfaces.

The present document defines the protocol and data model for the following interfaces used over the Or-Vnfm reference point, in the form of RESTful Application Programming Interface (APIs) specifications:

• VNF Lifecycle Management interface (as produced by the VNFM towards the NFVO).
• VNF Performance Management interface (as produced by the VNFM towards the NFVO).
• VNF Fault Management interface (as produced by the VNFM towards the NFVO).
• VNF Indicator interface (as produced by the VNFM towards the NFVO).
• VNF Lifecycle Operation Granting interface (as produced by the NFVO towards the VNFM).
• VNF Package Management interface (as produced by the NFVO towards the VNFM).
• Virtualised Resources Quota Available Notification interface (as produced by the NFVO towards the VNFM).

The present document specifies the YANG models for representing Network Functions Virtualisation (NFV) descriptors, fulfilling the requirements specified in ETSI GS NFV-IFA 011 and ETSI GS NFV-IFA 014 applicable to a Virtualised Network Function Descriptor (VNFD), a Physical Network Functions Descriptor (PNFD) and a Network Service Descriptor (NSD).

The present document specifies the structure and format of a VNF package file and its constituents, fulfilling the requirements specified in ETSI GS NFV-IFA 011 for a VNF package.
 
The present document also specifies the structure and format of a PNFD archive file and its constituents, fulfilling the requirements specified in ETSI GS NFV-IFA 014 for a PNFD archive.

ISG NFV has developed over 80 different reports and specifications for the virtualisation of network functions. NFV publications describe and specify virtualisation requirements, architecture framework, functional components and their interfaces, as well as the protocols and the APIs for these interfaces. ISG NFV also studies VNF performance, reliability, and resiliency matters, analyses the security challenges linked to virtualisation (trust, attestation, regulation). NFV specifies requirements for Management and Orchestration, for hardware acceleration, etc. And a lot is ongoing!

The present document specifies a set of RESTful protocols and data models fulfilling the requirements specified in ETSI GS NFV-IFA 031 for the interfaces that enable the management of NFV-MANO functional entities.
It defines the protocol and data model for the interfaces used for the management of NFV-MANO functional entities, in the form of RESTful Application Programming Interface (APIs) specifications:

• NFV-MANO configuration and information management interface;
• NFV-MANO performance management interface;
• NFV-MANO fault management interface;
• NFV-MANO state management interface;
• NFV-MANO log management interface. The interfaces are produced by the NFV-MANO functional entity, which acts as API producer, and can be consumed by an authorized external entity, which acts as API consumer. For more information, clause 4.2 of ETSI GS NFV-IFA 031 defines the framework for the management of NFV-MANO.