The document discusses assuring the integrity of virtual network function (VNF) images and sealing VNFs to specific host platforms in telco clouds. It proposes using a trusted platform module (TPM) to measure and store hashes of system components during boot to verify the boot integrity. A verification process is described that uses cryptographic signatures to check VNF image integrity and seals VNFs to host platforms matching a policy based on their TPM measurements. Experiments show the overhead of these methods is minimal while protecting against unauthorized image tampering or running VNFs on unintended platforms.

1. © 2017 Nokia1
Assuring Virtual Network Function Image Integrity and
Host Sealing in Telco Cloud
Shankar Lal, Sowmya Ravidas, Ian Oliver, Tarik Taleb
24-05-2017

2. © 2017 Nokia2
Outline
• Rise of NFV & Security challenges
• Trusted Cloud Setup
• Testbed Experiment:
VNF Verification and Sealing process
• Performance Evaluation
• Use Cases & Conclusion

3. © 2017 Nokia3
Rise of NFV & Security Challenges

4. © 2017 Nokia4
Rise of NFV
• Dependency free software applications that can run on common of the shelf (COTS) computing platform
• Flexible and cost effective service without compromising the end user quality of service
• Operators can save their equipment costs, power consumption, specialized maintenance costs and enable network services quicker
which are mainly controlled by programmable software
• But NFV adds additional security challenges posed by cloud computing, Core virtualization and software defined network aspects of
the network.
<Document ID: change ID in footer or remove> <Change information classification in footer>

5. © 2017 Nokia5
Telco Cloud Security Requirement
<Document ID: change ID in footer or remove> <Change information classification in footer>
●TelcoCloud runs mission critical infrastructure for its communications systems
• Cannot trust just anyone for: security reasons,
• privacy reasons, legal reasons (telco law, surveillance etc)
• TelcoCloud is NOT a general purpose environment
●Detection of unauthorized modification
●Reduce blind trust in platform

6. © 2017 Nokia6
6
Our Focused Security Problems
Geographical locality of VNFsVNF image modification

7. © 2017 Nokia7
Trusted Cloud Setup

8. © 2017 Nokia8
Components of Trusted Cloud
• Trusted Platform Module (TPM)
Hardware module used to store passwords, cryptographic keys, certificates and other sensitive information in its
PCR registers.
• Trusted Boot
Measures all the binaries of the system components (i.e., firmware code,
BIOS, OS kernel and hypervisor code) at boot time and writes the hash measurements in TPM’s secure storage.
• Remote Attestation Service
Software mechanism integrated with TPM, for attestating the boot time integrity of the remote hosts.
<Document ID: change ID in footer or remove> <Change information classification in footer>

9. © 2017 Nokia9
9
Trusted Cloud Setup
TPM as a core root of trust
Attestation of NFVI hosts

10. © 2017 Nokia10
Testbed Experiment:
VNF Verification and Sealing process

11. © 2017 Nokia11
Testbed Setup
• OpenStack based cloud infrastructure (Kilo version)
• Four phyiscal server machines: Two Intel Xeon Servers E5-2600 v3 @2.20 GHz with 72 GB RAM and TPM version 1.2,
two HP ProLiant servers DL360 G5 having Intel Xeon CPU 5160 @3.00GHz and 24GB RAM.
• Security Orchestrator (SecO) server based on NodeJS platform
• Attestation Server (OpenCIT)
• Experiments on both KVM and Docker container

12. © 2017 Nokia12
Modified NFV Reference Architecture

13. © 2017 Nokia13
13
Verification and Sealing process
(1/5)
1. VNF image integrity verification using cryptographic signature verification
-SHA256 hash digest of VNF image is signed and signature stored in TSECO.
-For verification, fresh hash digest is recalculated and verified against the signature to detect tampering at VNF launch
time.
2. VNF host sealing using TPM PCR registers
-Sealing policy (based on PCR values) is defined in image metadata
-Current PCR values of platforms are fetched using Attestation server

14. © 2017 Nokia14
14
VNF Startup Integrity: Signing Mechanism
Verification Process
Signing Process
Verification and Sealing process (2/5)

15. © 2017 Nokia15
15
Sealing VNFs to Specific Platforms having TPM module
Verification and Sealing process (3/5)

16. © 2017 Nokia16
16
VNF-Host Sealing Process
Verification and Sealing process (4/5)

17. © 2017 Nokia17
Verification and Sealing process (5/5)

18. © 2017 Nokia18
Performance Evaluation

19. © 2017 Nokia19
Performance Evaluation (1/4)
Performance Metrics:
• Average overhead time after incorporating these solutions
• Selection of best hashing algorithm
• Mean response time of SECO to response to signature verification requests

20. © 2017 Nokia20
20
Performance Evaluation (2/4)
Comparison of VNF normal launch time and with signature verification and host sealing

21. © 2017 Nokia21
21
Performance Evaluation (3/4)
Comparison of time calculation of hash digest of VNF images

22. © 2017 Nokia22
Performance Evaluation (4/4)
SecO performance test on KVM and Docker

23. © 2017 Nokia23
Use Cases & Conclusion

24. © 2017 Nokia24
24
Use Cases
• Detection of unauthorized VNF image tampering
• VNF vendors can sign their VNF images to facilitate the mobile operators to verify the proof of ownership.
• VNF-Host sealing method can be useful in applications which require digital right management (DRM). A MNO can
define custom policies that would enforce VNFs to start only on particular platforms and refuse to launch them if the
platform is different.

25. © 2017 Nokia25
25
Conclusion
●A TPM alone does not and can not secure a system
●Many additional challenges arise in Trusted NFV:
− Resource management and fault tolerance
− Extensive resource selection policies and fault tolerant mechanism needs be defined on trusted resources
●Run time trust:
● What happens when system compromises during run time
● Definition is very vague and ill-defined
●Trust chain management is unsolved
● Identity management of NFV nodes
● Placement of MANO components
● Multiple attestation

26. © 2017 Nokia26
Thank you for your attention.
Questions?

29. © 2017 Nokia29
Copyright and confidentiality
The contents of this document are proprietary and confidential property of
Nokia. This document is provided subject to confidentiality obligations of the
applicable agreement(s).
This document is intended for use of Nokia’s customers and collaborators only
for the purpose for which this document is submitted by Nokia. No part of this
document may be reproduced or made available to the public or to any third
party in any form or means without the prior written permission of Nokia. This
document is to be used by properly trained professional personnel. Any use of
the contents in this document is limitedstrictly to the use(s) specifically created
in the applicable agreement(s) under which the document is submitted. The
user of this document may voluntarily provide suggestions, comments or other
feedback to Nokia in respect of the contents of this document ("Feedback").
Such Feedback may be used in Nokia products and related specifications or
other documentation. Accordingly, if the user of this document gives Nokia
Feedback on the contents of this document, Nokia may freely use, disclose,
reproduce, license, distribute and otherwise commercialize the feedback in any
Nokia product, technology, service, specificationor other documentation.
Nokia operates a policy of ongoing development. Nokia reserves the right to
make changes and improvements to any of the products and/or services
described in this document or withdraw this document at any time without prior
notice.
The contents of this document are provided "as is". Except as required by
applicable law, no warranties of any kind, either express or implied,including,
but not limitedto, the implied warranties of merchantability and fitness for a
particular purpose, are made in relation to the accuracy, reliability or contents of
this document. NOKIA SHALL NOT BE RESPONSIBLE IN ANY EVENT FOR
ERRORS IN THIS DOCUMENT or for any loss of data or income or any special,
incidental, consequential, indirect or direct damages howsoever caused, that
might arise from the use of this document or any contents of this document.
This document and the product(s) it describes
are protected by copyright according to the
applicable laws.
Nokia is a registered trademark of Nokia Corporation. Other product and
company names mentioned herein may be trademarks or trade names of their
respective owners.
<Document ID: change ID in footer or remove> <Change information classification in footer>

30. © 2017 Nokia30
Please delete this slide if document is uncontrolled
Revision history and metadata
<Document ID: change ID in footer or remove> <Change information classification in footer>
Document ID: DXXXXXXXXX
Document Location:
Organization:
Version Description of charges Date Author Owner Status
Reviewed by Reviewed date
Approver
Approval date
DD-MM-YYYY DD-MM-YYYY DD-MM-YYYY