ETSI GS NFV-SEC 003-2014 Network Functions Virtualisation (NFV); NFV Security; Security and Trust Guidance (V1.1.1) (PDF)

Resource ID: 733377. File size: 667.47 KB. Length: 57 pages. Format: PDF.

ETSI GS NFV-SEC 003 V1.1.1 (2014-12)

Network Functions Virtualisation (NFV); NFV Security; Security and Trust Guidance

Disclaimer

This document has been produced and approved by the Network Functions Virtualisation (NFV) ETSI Industry Specification Group (ISG) and represents the views of those members who participated in this ISG. It does not necessarily represent the views of the entire ETSI membership.

GROUP SPECIFICATION

Reference: DGS/NFV-SEC003
Keywords: NFV, security

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00   Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the Sous-Préfecture de Grasse (06) N° 7803/88

Important notice

The present document can be downloaded from: http://www.etsi.org

The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at http://portal.etsi.org/tb/status/status.asp

If you find errors in the present document, please send your comment to one of the following services: http://portal.etsi.org/chaircor/ETSI_support.asp

Copyright Notification

No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2014. All rights reserved.

DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members. 3GPP™ and LTE are Trade Marks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. GSM and the GSM logo are Trade Marks registered and owned by the GSM Association.

Contents

Intellectual Property Rights  6
Foreword  6
Modal verbs terminology  6
1 Scope  7
2 References  7
2.1 Normative references  7
2.2 Informative references  7
3 Abbreviations  7
4 Network Function Virtualisation Security  9
4.1 NFV High-Level Security Goals  9
4.2 NFV Security Use Case Summaries  9
4.2.1 Intra-VNFSec: Security within Virtual Network Functions  9
4.2.1.1 VNFC-Specific Security Use Cases  10
4.2.1.1.1 VNFC Creation  10
4.2.1.1.2 VNFC Deletion  10
4.2.1.1.3 VNFC Configuration and Package Management  10
4.2.1.1.4 VNFCI Migration  11
4.2.1.1.5 VNFC Operational State Changes  11
4.2.1.1.6 VNFC Topology Changes  11
4.2.1.1.7 VNFC Scale-Up and Scale-Down  11
4.2.1.1.8 VNFC Scale-In and Scale-Out  11
4.2.2 Infra-VNFSec: Security between Virtual Network Functions  12
4.2.3 Extra-VNFSec: Security external to Virtual Network Functions  12
4.3 NFV External Operational Environment  13
4.3.1 External Physical Security Guidance  13
4.3.2 External Hardware Guidance  13
4.3.3 External Service Guidance  13
4.3.3.1 DNS  13
4.3.3.2 IP Addressing, DHCP and Routing  13
4.3.3.3 Time Services and NTP  13
4.3.3.4 Geolocation  13
4.3.3.5 Security Visibility and Testing  13
4.3.3.6 Certificate Authority  14
4.3.3.7 Identity and Access Management  14
4.3.4 External Policies, Processes and Practices Guidance  14
4.3.4.1 Regulatory Compliance Considerations for NFV  14
4.3.4.2 Forensic Considerations for NFV  14
4.3.4.3 Legal/Lawful Intercept Considerations for NFV  14
4.3.4.4 Considerations for NFV Analytics and Service Level Agreements (SLAs)  14
4.4 NFV Security Management Lifecycle  15
4.4.1 NFV Threat Landscape  15
4.4.1.1 Threat Vectors, Monitoring and Detection  16
4.4.2 NFV Platform Guidance  16
4.4.2.1 Platform visibility and validation  16
4.4.2.1.1 Workload Visibility into Physical and Virtualised Resources  16
4.4.2.1.2 Introspection  18
4.4.2.2 Access Visibility for Data and Control Packets in Virtualised Environment  18
4.4.2.3 Validation of Root of Trust and Chain of Trust  19
4.4.2.4 Services validation  19
4.4.3 Certificate, Credential and Key Management within NFV  19
4.4.3.1 Certificate management  19
4.4.3.2 Credential Management  19
4.4.3.2.1 Dynamic Credential Management  19
4.4.3.2.2 Role of Identity, keys and certificates  19
4.4.3.2.3 Credential Injection by hypervisor  20
4.4.3.3 Key Management  20
4.4.3.3.1 Key Management and security within cloned images  20
4.4.3.3.2 Key Management and security within migrated images  21
4.4.3.3.3 Self-generation of key pairs  21
4.4.4 Multiparty Administrative domains  21
4.4.4.1 Rationale  21
4.4.4.2 Administrative domains  21
4.4.4.3 Infrastructure Domain  22
4.4.4.4 Tenant Domain  22
4.4.4.5 Implications  22
4.4.4.6 Inter-Domain functional blocks and reference points  23
4.4.4.6.1 Network Service Orchestration  23
4.4.4.6.2 Infrastructure Orchestration  23
4.4.4.6.3 VNF-Specific Lifecycle Management  23
4.4.4.6.4 Generic VNF Lifecycle Management  23
4.4.4.6.5 Inter-Orchestration (Os-Ma)  23
4.4.4.6.6 Inter-VNFM (Ve-Vnfm)  23
4.4.4.7 VNF Package and Image Management  23
4.4.4.7.1 Integrity checks  24
4.4.4.7.2 Trust checks  24
4.4.4.8 VNFC Security Overview  24
4.4.4.8.1 VNFC security scope  24
4.4.4.9 VNFC Lifecycle Security - Statement of the problem  25
4.4.4.10 Security Approach  26
4.4.5 VNF Instantiation  27
4.4.5.1 Secured Boot  27
4.4.5.2 VTPM (Virtual Trusted Platform Module)  28
4.4.5.3 Attestation  28
4.4.5.4 Attribution  28
4.4.5.5 Authenticity  28
4.4.5.6 Authentication  28
4.4.5.6.1 User/Tenant Authentication, Authorization and Accounting  28
4.4.5.7 Authorization  30
4.4.5.8 Interface Instantiation  30
4.4.5.9 Levels of assurance  30
4.4.5.10 Logging, Reporting, Analytics and Metrics  30
4.4.6 VNF Operation  31
4.4.6.1 Planned operational lifecycle events  31
4.4.6.2 VNFC Lifecycle control and authorization  31
4.4.6.3 Dynamic State Management  32
4.4.6.3.1 Provision by trusted party - network  32
4.4.6.3.2 Provision by trusted party - storage  32
4.4.6.4 Dynamic Integrity Management  32
4.4.6.4.1 Secured crash and recovery  32
4.4.6.5 Application Programming Interfaces (APIs)  32
4.4.7 VNF Retirement  32
4.4.7.1 License retirement  33
4.4.7.2 Secured wipe  33
4.5 NFV Security Technologies  33
4.5.1 Technologies and Processes  34
5 Trusted Network Function Virtualisation  34
5.1 NFV High-Level Trust Goals  34
5.1.1 Assigning trust  35
5.1.1.1 Why assign trust?  35
5.1.1.2 How to assign trust  35
5.1.2 Evaluating and validating trust  36
5.1.2.1 Parameters for trust evaluation  36
5.1.2.2 Methods for trust evaluation  37
5.1.3 Re-evaluating trust  37
5.1.4 Invalidating trust  38
5.1.5 Re-establishing trust  39
5.1.5.1 Delegation up the chain of trust  39
5.1.5.2 Peer-mediated distrust  39
5.1.6 Delegating trust  40
5.1.6.1 Directly delegated trust  41
5.1.6.2 Collaborative trust  41
5.1.6.3 Transitive trust  42
5.1.6.4 Reputational trust  43
5.1.7 Scope of trust  43
5.1.7.1 Trust manager  43
5.2 NFV Trust Use Case Summaries  44
5.2.1 Intra-VNF Trust: Trust within Virtual Network Functions  44
5.2.2 Inter-VNF Trust: Trust between Virtual Network Functions  44
5.2.2.1 Managing trust between a VNF instance and its VNFM  45
5.2.2.1.1 VNF instances trusting of the VNFM  45
5.2.2.1.2 VNFMs trusting of the VNF instance  45
5.2.2.2 Managing trust between VNF instances  46
5.2.3 Extra-VNF Trust: Trust external to Virtual Network Functions  47
5.2.3.1 Establishing trust in a VNF Package for deployment  47
5.2.3.1.1 NFVI domain  47
5.2.3.1.2 Management and Operations domain  48
5.2.3.1.3 VNF provider  49
5.3 Trust between Management and Orchestration entities  49
5.3.1 Management and Orchestration infrastructure  50
5.3.2 Implications of long-lived entities  50
5.4 NFV Trusted Lifecycle Management  51
5.4.1 Objectives and Policy  51
5.4.2 Defining a Chain of Trust  52
5.4.3 Establishing Roots of Trust for VNFs  52
5.4.3.1 Initial VNFC root of trust establishment  52
5.4.3.1.1 Multicast  53
5.4.3.1.2 Injection by hypervisor  53
5.4.3.1.3 Initial image  53
5.4.3.1.4 Hypervisor  53
5.4.3.1.5 VNFC OS and application  53
5.4.3.1.6 Deployment state  54
Annex A (informative): Authors

Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (http://ipr.etsi.org).

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

Foreword

This Group Specification (GS) has been produced by ETSI Industry Specification Group (ISG) Network Functions Virtualisation (NFV).

Modal verbs terminology

In the present document "shall", "shall not", "should", "should not", "may", "may not", "need", "need not", "will", "will not", "can" and "cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions). "must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.

1 Scope

The present document has been developed to describe the security and trust guidance that is unique to NFV development, architecture and operation. Guidance consists of items to consider that may be unique to the environment or deployment. Supplied guidance does not consist of prescriptive requirements or specific implementation details, which should be built from the considerations supplied. Guidance is based on defined use cases, included in the present document, that are derived from the Security Problem Statement and are unique to NFV. Relevant external guidance will be referenced, where available.

2 References

2.1 Normative references

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

Referenced documents which are not found to be publicly available in the expected location might be found at http://docbox.etsi.org/Reference.

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.

The following referenced documents are necessary for the application of the present document.

[1] ETSI GS NFV 001: "Network Functions Virtualisation (NFV); Use Cases".

2.2 Informative references

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.

The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area.

[i.1] Popek and Goldberg 1974 paper: "Formal Requirements for Virtualizable Third Generation Architectures".
[i.2] CSA CloudTrust.
[i.3] GS NFV-SWA 001: "Network Functions Virtualisation (NFV); Virtual Network Function Architecture".

3 Abbreviations

For the purposes of the present document, the following abbreviations apply:

ABAC  Attribute-Based Access Control
API  Application Programming Interface
BIOS  Basic Input Output System
CA  Certificate Authority
CDN  Content Distribution Network
CLI  Command Line Interface
CPU  Central Processing Unit
CPUID  CPU Identifier
CSA  Cloud Security Alliance
DDoS  Distributed Denial of Service
DHCP  Dynamic Host Configuration Protocol
DMA  Direct Memory Access
DNA  DeoxyriboNucleic Acid
DNS  Domain Naming Service
DoS  Denial of Service
DPI  Deep Packet Inspection
DRM  Digital Rights Management
EM  Element Manager
EMS  Element Management System
FIPS  Federal Information Processing Standards
GPS  Global Positioning System
GTP-C  GPRS Tunnelling Protocol-Control
GTP-U  GPRS Tunnelling Protocol-User Data Tunneling
GUI  Graphical User Interface
HSM  Hardware Security Module
HSS  Home Subscriber Server
HVM  Hardware Virtual Machine
IAM  Identity and Access Management
IMS  IP Multimedia Subsystem
IMSI  International Mobile Subscriber Identity
IO  Input/Output
IP  Intellectual Property
IT  Information Technology
LI  Lawful Intercept
LUN  Logical Unit Number
MAC  Media Access Control
MANO  Management and Orchestration
MME  Mobile Management Entity
NE  Network Element
NF  Network Function
NFV  Network Function Virtualization
NFVI  Network Function Virtualization Infrastructure
NFVO  Network Function Virtualization Orchestrator
NIC  Network Interface Card
NTP  Network Time Protocol
OA

make unauthorized changes to NE configuration, etc.

Theft of Service: Attackers exploit a flaw to use services without being charged. For example, an attacker exploits a flaw in the HSS/PCRF/PCEF to use services without being charged.

4.4.2 NFV Platform Guidance

This clause describes guidance for the hardware, software and service platform that directly supports NFV resources.

4.4.2.1 Platform visibility and validation

Platform visibility and validation describes the mechanisms to view and verify resources and services within the NFV environment. These capabilities are typically utilized to validate running processes, for workloads to have visibility into their operating environment and resources, as well as for introspection into the virtual environment.

4.4.2.1.1 Workload Visibility into Physical and Virtualised Resources

Workloads, including virtual machines, virtual appliances and VNFs, need to have carefully prescribed interfaces into physical and virtualised resources to ensure appropriate visibility. In some instances, it is not permissible or desirable for a workload to have any visibility or knowledge as to the operating environment and whether the workload is running virtualised. In other instances, w

