The document discusses assuring the integrity of virtual network function (VNF) images and sealing VNFs to specific host platforms in telco clouds. It proposes using a trusted platform module (TPM) to measure and store hashes of system components during boot to verify the boot integrity. A verification process is described that uses cryptographic signatures to check VNF image integrity and seals VNFs to host platforms matching a policy based on their TPM measurements. Experiments show the overhead of these methods is minimal while protecting against unauthorized image tampering or running VNFs on unintended platforms.
Future Work
Encrypt and sign and store in TPM
Place diagram on one slide above??
ETSI architecture
Telco cloud
Specialised cloud towards telecommunication
Increased bandwidth, to do specialised jobs, hardware routing controlled
Standardised telecommunication cloud
Hardware → virtualized components
Cloud hardware, VNF, MANO
VNFs → VNFCs → VMs
External policy mechanism
In case of multiple policies, we can order them in terms of strength. Weaker policies can have mitigations, which will be further investigated.
Measurement = hash
Policy = where the image can be instantiated, expressed as combinations of PCR values
Only run on machines with certain configurations
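The measurement, policy and ordering notes above, as an added stand-alone example (not code from the paper or any TPM stack): a constructed SHA-256 PCR bank is extended in boot order, a policy is a set of required PCR values, candidate policies are tried strongest-first (strength taken here as the number of PCRs constrained, an assumption), and a VNF image is only admitted when its hash matches a trusted reference digest, which stands in for the signed digest a real deployment would verify.

```python
import hashlib
from typing import Dict, List, Optional, Sequence
# Constructed simulation of a SHA-256 PCR bank: every PCR starts at zero and can
# only change via extend, so its value commits to the whole measurement chain.
PCR_INIT = b"\x00" * 32

def measure(component: bytes) -> bytes:
    """Measurement = hash of the component (firmware, bootloader, kernel, ...)."""
    return hashlib.sha256(component).digest()

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR_new = H(PCR_old || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()

def simulate_boot(components: Dict[int, Sequence[bytes]]) -> Dict[int, bytes]:
    """Replay a boot: each PCR index absorbs its components in boot order."""
    pcrs: Dict[int, bytes] = {}
    for idx, comps in components.items():
        value = PCR_INIT
        for comp in comps:
            value = extend(value, measure(comp))
        pcrs[idx] = value
    return pcrs

# A policy is the set of PCR values a host must present; strength = PCRs constrained (assumption).
Policy = Dict[int, bytes]

def policy_matches(policy: Policy, pcrs: Dict[int, bytes]) -> bool:
    return all(pcrs.get(idx) == val for idx, val in policy.items())

def strongest_matching(policies: List[Policy], pcrs: Dict[int, bytes]) -> Optional[Policy]:
    for policy in sorted(policies, key=len, reverse=True):  # strongest first
        if policy_matches(policy, pcrs):
            return policy
    return None

def may_instantiate(image: bytes, ref_digest: bytes,
                    policies: List[Policy], host_pcrs: Dict[int, bytes]) -> bool:
    """Image must hash to the trusted digest and the host must satisfy a policy."""
    if hashlib.sha256(image).digest() != ref_digest:
        return False
    return strongest_matching(policies, host_pcrs) is not None

# Constructed golden boot chain; the policies are derived from its PCR values.
GOLDEN_PCRS = simulate_boot({0: [b"firmware-v1"], 4: [b"bootloader-v2", b"kernel-5.15"]})
STRICT = {0: GOLDEN_PCRS[0], 4: GOLDEN_PCRS[4]}  # firmware and full boot chain
WEAK = {0: GOLDEN_PCRS[0]}                      # firmware only
VNF_IMAGE = b"constructed-vnf-image-bytes"
VNF_REF = hashlib.sha256(VNF_IMAGE).digest()   # stands in for a signed digest
```

A host whose kernel was replaced after the policy was derived still satisfies WEAK but not STRICT, and a reordered boot chain yields a different PCR 4 value even with identical components.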