Abstract
The SDN and NFV architectures rely heavily on specific software modules executed at distributed nodes. These modules may deviate from their expected behaviour because of errors or attacks. Remote attestation is a procedure that reliably reports the software state of a node to a third party. It can be used to evaluate the software integrity of an SDN/NFV node and hence its trustworthiness to execute the desired applications. The use of remote attestation in network environments is quite new, and it is raising interest not only in the research community but also in industry, as demonstrated by its consideration in the ETSI NFV standardisation effort. In this chapter, we present a solution to evaluate trust in SDN/NFV environments by exploiting remote attestation and propose some enhancements with respect to the basic architecture. From the implementation point of view, two approaches to the attestation of virtualised instances are compared and their respective performance is evaluated. Additionally, we discuss how the remote attestation architecture fits into the management and orchestration of SDN/NFV environments.
Notes
1. This paper directly considers TPM 1.2, which has been massively deployed in business-class laptops, desktops, and servers, but the same concepts apply to the newer TPM 2.0 as well.
2. Sealing is a technique by which a cryptographic key is bound to a specific software state so that it cannot be used in a different state (e.g. when the platform has somehow been compromised).
3. Stub domains are the same as other guest domains, but are dedicated to special purposes, such as disaggregated device drivers.
4. Locality is an assertion to the TPM that a command is associated with a particular component. The purpose of setting different localities for dom0 and the vTPM manager is to let them use different PCRs and avoid conflicts.
5.
6. Internet Research Task Force, focused on longer-term research issues, as opposed to the shorter-term engineering issues addressed by the IETF.
Acknowledgements
The research described in this paper has been supported by the European Commission under the FP7 programme (project SECURED, grant agreement no. 611458).
Copyright information
© 2017 Springer International Publishing AG
About this chapter
Cite this chapter
Lioy, A., Su, T., Shaw, A.L., Attak, H., Lopez, D.R., Pastor, A. (2017). Trust in SDN/NFV Environments. In: Zhu, S., Scott-Hayward, S., Jacquin, L., Hill, R. (eds) Guide to Security in SDN and NFV. Computer Communications and Networks. Springer, Cham. https://doi.org/10.1007/978-3-319-64653-4_4
DOI: https://doi.org/10.1007/978-3-319-64653-4_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-64652-7
Online ISBN: 978-3-319-64653-4