Skip to main content
SpringerLink
Log in

Trust in SDN/NFV Environments

  • Chapter
  • First Online:
Guide to Security in SDN and NFV

Part of the book series: Computer Communications and Networks ((CCN))

Abstract

The SDN and NFV architectures heavily rely on specific software modules executed at distributed nodes. These modules may act differently from their expected behaviour due to errors or attacks. Remote attestation is a procedure able to reliably report the software state of a node to a third party. It can be used to evaluate the software integrity of a SDN/NFV node and hence its trustworthiness to execute the desired applications. The use of remote attestation in network environments is quite new, and it is raising interest not only in the research community but also in the industry, as demonstrated by its consideration in the ETSI NFV standardisation effort. In this chapter, we present a solution to evaluate trust in SDN/NFV environments by exploiting remote attestation and propose some enhancements with respect to the basic architecture. From the implementation point of view, two approaches are compared for attestation of virtualised instances, and their respective performance is evaluated. Additionally, we discuss how the remote attestation architecture fits in the management and orchestration of SDN/NFV environments.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 54.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 69.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 69.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    This paper directly considers TPM-1.2 which has been massively deployed in business class laptops, desktops, and servers, but the same concepts apply to the newest TPM 2.0 as well.

  2. 2.

    Sealing is a technique by which a cryptographic key is bound to a specific software state so that it cannot be used in a different state (e.g. the platform has been somehow compromised).

  3. 3.

    Stub domains are the same as other guest domains, but are dedicated for special purposes, such as disaggregated device drivers.

  4. 4.

    Locality is an assertion to the TPM that a command is associated to a particular component. The purpose of setting different localities for dom0 and the vTPM manager is to permit them to use different PCRs and avoid conflicts.

  5. 5.

    http://etsi.org/nfv/

  6. 6.

    Internet Research Task Force, focused on longer-term research issues compared to the shorter-term issues of engineering addressed by the IETF.

References

  1. Sailer R, Zhang X, Jaeger T, van Doorn L (2004) Design and implementation of a TCG-based integrity measurement architecture. In: USENIX’04: 13th USENIX security symposium, San Diego, 27 June–02 July 2004, pp 223–238

    Google Scholar 

  2. Berger S, Cáceres R, Goldman KA, Perez R, Sailer R, van Doorn L (2006) vTPM: virtualizing the trusted platform module. In: USENIX’06: 15th USENIX security symposium, Vancouver, 31 July–4 Aug 2006, pp 305–320

    Google Scholar 

  3. Goldman K, Sailer R, Pendarakis D, Srinivasan D (2010) Scalable integrity monitoring in virtualized environments. In: STC’10: 5th ACM workshop on scalable trusted computing, Chicago, 4–8 Oct 2010, pp 73–78

    Google Scholar 

  4. Garfinkel T, Pfaff B, Chow J, Rosenblum M, Boneh D (2003) Terra: a virtual machine-based platform for trusted computing. In: 19th ACM symposium on operating systems principles, Bolton Landing, 19–22 Oct 2003, pp 193–206

    Google Scholar 

  5. Schiffman J, Vijayakumar H, Jaeger T (2012) Verifying system integrity by proxy. In: 5th International conference on trust and trustworthy computing, Vienna, June 13–15, 2012, pp 179–200

    Google Scholar 

  6. Xen project. https://www.xenproject.org/. Visited 27 Mar 2017

  7. Fioravante M, De Graaf D (2012) Virtual trusted platform module (vTPM) subsystem for Xen, 12 Nov 2012. http://xenbits.xen.org/docs/4.6-testing/misc/vtpm.txt. Visited 27 Mar 2017

  8. OpenAttestation SDK v1.7. https://github.com/OpenAttestation/OpenAttestation/tree/v1.7. Visited 27 Mar 2017

  9. Trusted Computing Group (2006) TCG infrastructure working group integrity report schema specification. http://www.trustedcomputinggroup.org/wp-content/uploads/IWG-IntegrityReport_Schema_Specification_v1.pdf. Visited 27 Mar 2017

  10. Xen project mailing list (2014) vtpmmgr bug: fails to start if locality not 0. https://lists.xen.org/archives/html/xen-devel/2014-11/msg00606.html. Visited 27 Mar 2017

  11. Fioravante M, De Graaf D Virtual TPM interface for Xen. https://www.kernel.org/doc/Documentation/security/tpm/xen-tpmfront.txt. Visited 27 Mar 2017

  12. Docker – home page, https://www.docker.com. Visited 27 March 2017

  13. Brandon J (2015) Deutsche Telekom experimenting with NFV in Docker, 9 Feb 2015. http://www.businesscloudnews.com/2015/02/09/deutsche-telekom-experimenting-with-nfv-in-docker/. Visited 27 Mar 2017

  14. Weijie Liu, Bobba RB, Mohan S, Campbell RH (2015) Inter-flow consistency: a novel SDN update abstraction for supporting inter-flow constraints. In: CNS-2015: IEEE conference on communications and network security, Florence, 28–30 Sept 2015, pp 469–478

    Google Scholar 

  15. Schiff L, Schmid S, Kuznetsov P (2016) In-band synchronization for distributed SDN control planes. ACM SIGCOMM Comput Commun Rev 46(1):37–43. doi:10.1145/2875951.2875957

  16. Jacquin L, Shaw A, Dalton C (2015) Towards trusted software-defined networks using a hardware-based integrity measurement architecture. In: 1st IEEE conference on network softwarization, London, 13–17 Apr 2015, pp 1–6

    Google Scholar 

  17. McKeown N, Anderson T, Balakrishnan H, Parulkar G, Peterson L, Rexford J, Shenker S, Turner J (2008) OpenFlow: enabling innovation in campus networks. ACM SIGCOMM Comput Commun Rev 38(2):69–74. doi:10.1145/1355734.1355746

  18. Pfaff B, Pettit J, Koponen T, Jackson E, Zhou A, Rajahalme J, Gross J, Wang A, Stringer J, Shelar P, Amidon K (2015) The design and implementation of open vSwitch. In: NSDI’15: 12th USENIX conference on networked systems design and implementation, Oakland, 4–6 May 2015, pp 117–130

    Google Scholar 

  19. Cesena E, Ramunno G, Sassu R, Vernizzi D, Lioy A (2011) On scalability of remote attestation. In: STC’11: 6th ACM workshop on scalable trusted computing, Chicago, 17–21 Oct 2011, pp 25–30

    Google Scholar 

  20. Skoudis E, Zeltser L (2004) Malware: fighting malicious code. Prentice Hall Professional, Upper Saddle River, pp 465–481

    Google Scholar 

  21. Trusted Computing Group (2011) Virtualized trusted platform architecture specification, Sept 2011. http://www.trustedcomputinggroup.org/resources/virtualized_trusted_platform_architecture_specification. Visited 27 Mar 2017

  22. ETSI (2014) Network functions virtualisation (NFV); NFV security; problem statement, ETSI GS NFV-SEC 001 v1.1.1, Oct 2014. http://www.etsi.org/deliver/etsi_gs/NFV-SEC/001_099/001/01.01.01_60/gs_NFV-SEC001v010101p.pdf. Visited 27 Mar 2017

  23. ETSI, Network function virtualisation (NFV); trust; report on attestation technologies and practices for secure deployments, ETSI GS NFV-SEC 007 (draft). http://docbox.etsi.org/ISG/NFV/Open/Drafts/SEC007_NFV_Attestation_report/. Visited 27 Mar 2017

  24. IETF Interface to Network Security Functions Working Group. https://datatracker.ietf.org/wg/i2nsf/charter/. Visited 27 Mar 2017

  25. Hares S, Dunbar L, Lopez D, Zarny M, Jacquenet C (2016) I2NSF problem statement and use cases. Internet-Draft draft-ietf-i2nsf-problem-and-use-cases-01, July 2016. https://datatracker.ietf.org/doc/draft-ietf-i2nsf-problem-and-use-cases/. Visited 27 Mar 2017

  26. Lopez E, Lopez D, Dunbar L, Strassner J, Zhuang X, Parrott J, Krishnan RR, Durbha S, Kumar R, Lohiya A (2016) Framework for interface to network security functions. Internet-Draft draft-ietf-i2nsf-framework-03, Aug 2016. https://datatracker.ietf.org/doc/draft-ietf-i2nsf-framework/. Visited 27 Mar 2017

  27. Pastor A, Lopez D, Shaw A (2016) Remote attestation procedures for network security functions (NSFs) through the I2NSF security controller, Internet-draft draft-pastor-i2nsf-vnsf-attestation-03, July 2016. https://datatracker.ietf.org/doc/draft-pastor-i2nsf-vnsf-attestation/. Visited 27 Mar 2017

  28. NSA, Security-enhanced Linux. https://www.nsa.gov/what-we-do/research/selinux/. Visited 27 Mar 2017

Download references

Acknowledgements

The research described in this paper has been supported by the European Commission under the FP7 programme (project SECURED, grant agreement no. 611458).

Author information

Authors and Affiliations

  1. Dipartimento di Automatica e Informatica, Politecnico di Torino, 10129, corso Duca degli Abruzzi, 24, Torino, Italy

    Antonio Lioy & Tao Su

  2. Hewlett Packard Enterprise, Bristol, UK

    Adrian L. Shaw & Hamza Attak

  3. Telefonica I+D, Seville, Spain

    Diego R. Lopez

  4. Telefonica I+D, Distrito Telefonica, West 1 Building, Ronda de la Comunicación S/N, 28050, Madrid, Spain

    Antonio Pastor

Authors
  1. Antonio Lioy
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Tao Su
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Adrian L. Shaw
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Hamza Attak
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Diego R. Lopez
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Antonio Pastor
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Antonio Lioy .

Editor information

Editors and Affiliations

  1. University of Derby, Derby, United Kingdom

    Shao Ying Zhu

  2. Queen’s University Belfast, Belfast, United Kingdom

    Sandra Scott-Hayward

  3. Hewlett Packard Labs, Bristol, United Kingdom

    Ludovic Jacquin

  4. University of Huddersfield, Huddersfield, United Kingdom

    Richard Hill

Rights and permissions

Reprints and permissions

Copyright information

© 2017 Springer International Publishing AG

About this chapter

Check for updates. Verify currency and authenticity via CrossMark

Cite this chapter

Lioy, A., Su, T., Shaw, A.L., Attak, H., Lopez, D.R., Pastor, A. (2017). Trust in SDN/NFV Environments. In: Zhu, S., Scott-Hayward, S., Jacquin, L., Hill, R. (eds) Guide to Security in SDN and NFV. Computer Communications and Networks. Springer, Cham. https://doi.org/10.1007/978-3-319-64653-4_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-64653-4_4

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-64652-7

  • Online ISBN: 978-3-319-64653-4

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation