etsi gs nfv-sec 014 v0.0.6 - directory listing / · web viewetsi gs nfv-sec 014 v0.0.8...
TRANSCRIPT
Disclaimer
The present document has been produced and approved by the Network Functions Virtualisation (NFV) ETSI Industry Specification Group (ISG) and represents the views of those members who participated in this ISG.
It does not necessarily represent the views of the entire ETSI membership.
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)
Network Functions Virtualisation (NFV);NFV Security;
Security Specification for MANO Components and Reference points
GROUP SPECIFICATION
ReferenceDGS/NFV-SEC014
Keywordsinterface; MANO; NFV; security
ETSI
650 Route des LuciolesF-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 CAssociation à but non lucratif enregistrée à laSous-Préfecture de Grasse (06) N° 7803/88
Important notice
The present document can be downloaded from:http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at
https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx
If you find errors in the present document, please send your comment to one of the following services:https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.The copyright and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute 2016.All rights reserved.
DECTTM, PLUGTESTSTM, UMTSTM and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.3GPPTM and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)3
Contents
Intellectual Property Rights.................................................................................................................................4
Foreword.............................................................................................................................................................4
Modal verbs terminology....................................................................................................................................4
1 Scope.........................................................................................................................................................5
2 References.................................................................................................................................................52.1 Normative references...........................................................................................................................................52.2 Informative references.........................................................................................................................................5
3 Definitions and abbreviations...................................................................................................................63.1 Definitions...........................................................................................................................................................63.2 Abbreviations.......................................................................................................................................................6
4 NFV-MANO Functional Blocks and Reference points............................................................................6
5 General Security Threats and Requirements............................................................................................7
6 Threat Analysis of NFV-MANO Functional Blocks................................................................................86.1 NFV Orchestrator................................................................................................................................................86.1.1 Overview........................................................................................................................................................86.1.2 Threat analysis for NFV Orchestrator............................................................................................................96.2 VNF Manager(s)................................................................................................................................................246.2.1 Overview......................................................................................................................................................246.2.2 Threat analysis for VNF Manager(s)...........................................................................................................256.3 Virtualised Infrastructure Manager(s)...............................................................................................................406.3.1 Overview......................................................................................................................................................406.3.2 Threat analysis for Virtualised Infrastructure Manager(s)...........................................................................40
7 Threat Analysis of MANO Reference points.........................................................................................527.1 NFV Or-Vi reference point................................................................................................................................527.1.1 Overview......................................................................................................................................................527.1.2 Threat analysis for Or-Vi reference point....................................................................................................537.2 NFV Vi-Vnfm reference point..........................................................................................................................587.2.1 Overview......................................................................................................................................................587.2.2 Threat analysis for Vi-Vnfm reference point...............................................................................................597.3 NFV Or-Vnfm reference point..........................................................................................................................637.3.1 Overview......................................................................................................................................................637.3.2 Threat analysis for Or-Vnfm reference point...............................................................................................65
8 Summary of Security Requirements.......................................................................................................72
Annex B (informative): Authors & contributors.........................................................................................73
Annex C (informative): Change History.......................................................................................................74
History...............................................................................................................................................................75
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)4
Intellectual Property RightsIPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https://ipr.etsi.org/).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.
ForewordThis Group Specification (GS) has been produced by ETSI Industry Specification Group (ISG) Network Functions Virtualisation (NFV).
Modal verbs terminologyIn the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)5
1 ScopeThe scope of this document is to present threat analysis for NFV-MANO functional blocks (NFVO, VNFM, VIM) and reference points Or-Vnfm, Vi-Vnfm, Or-Vi. The output of this analysis results in the identification of threats and specification of requirements to counter the threats.
This document also provides initial risk analysis and assessments without solutions. Thus the scope of the document is limited but it provides an initial guidance regarding threats associated to NFV-MANO functional blocks and its reference points. Threat analysis is a continual process and should be reviewed regularly.
2 References
2.1 Normative referencesReferences are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at http://docbox.etsi.org/Reference.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.
The following referenced documents are necessary for the application of the present document.
[1] ETSI GS NFV-IFA 005: "Network Functions Virtualisation (NFV); Management and Orchestration; Or-Vi reference point - Interface and Information Model Specification".
[2] ETSI GS NFV-IFA 006: "Network Functions Virtualisation (NFV); Management and Orchestration; Vi-Vnfm reference point - Interface and Information Model Specification".
[3] ETSI GS NFV-IFA 007: "Network Functions Virtualisation (NFV); Management and Orchestration; Or-Vnfm reference point - Interface and Information Model Specification".
[4] ETSI GS NFV-IFA 010: "Network Functions Virtualisation (NFV); Management and Orchestration; Functional requirements specification".
2.2 Informative referencesReferences are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area.
[i.1] ETSI GS NFV 003: "Network Functions Virtualisation (NFV); Terminology for Main Concepts in NFV".
[i.2] ETSI GS NFV 002: "Network Functions Virtualisation (NFV); Architecture Framework".
[i.3] ETSI GS NFV-MAN 001: "Network Functions Virtualisation (NFV); Management and Orchestration".
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)6
[i.4] ETSI GS NFV-SEC 006: "Network Functions Virtualisation (NFV); Security Guide; Report on Security Aspects and Regulatory Concerns".
3 Definitions and abbreviations
3.1 DefinitionsFor the purposes of the present document, the terms and definitions given in ETSI GS NFV 003 [i.1] apply.
3.2 AbbreviationsFor the purposes of the present document, the abbreviations given in ETSI GS NFV 003 [i.1] apply.
4 NFV-MANO Functional Blocks and Reference pointsThis clause provides an overview of NFV-MANO functional blocks and its associated reference points [i.3]. There are three main functional blocks associated with NFV-MANO:
i) NFV Orchestrator (NFVO);
ii) VNF Manager (VNFM); and
iii) Virtualised Infrastructure Manager (VIM).
There are six reference points associated with MANO:
i) Or-Vnfm reference point;
ii) Or-Vi reference point;
iii) Vi-Vnfm reference point;
iv) Os-Ma-nfvo reference point;
v) Ve-Vnfm-em reference point; and
vi) Ve-Vnfm-Vnf reference point.
The Or-Vnfm, Or-Vi and Vi-Vnfm reference points are grouped as NFV-MANO internal reference points whereas the Os-Ma-nfvo, Ve-Vnfm-em and Ve-Vnfm-Vnf vnf reference point are grouped as NFV-MANO external reference points.
The Or-Vnfm, Or-Vi and Vi-Vnfm reference points are grouped as NFV-MANO internal reference points whereas the Os-Ma-nfvo, Ve-Vnfm-em and Ve-Vnfm-vnf reference points are grouped as NFV-MANO external reference points.
i) The Or-Vnfm reference point is between NFVO and VNFM.
ii) The Or-Vi reference point is between NFVO and VNFM.
iii) The Vi-Vnfm reference point is between the VIM and VNFM.
iv) The Os-Ma-nfvo reference point is between OSS/BSS and NFVO.
v) The Ve-Vnfm-em reference point is between EM and VNFM.
vi) The Ve-Vnfm-vnf reference point is between VNF and VNFM.
The present document provides a threat analysis for NFV-MANO functional blocks and internal NFV-MANO reference points, i.e. the Or-Vnfm, Vi-Vnfm, Or-Vi reference points. Threats analysis for the external NFV-MANO reference points, i.e. the Os-Ma-nfvo, Ve-Vnfm-em and Ve-Vnfm-Vnf reference points are for further study.
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)7
5 General Security Threats and RequirementsGeneral security threats and requirements are presented in this clause with respect to NFV-MANO functional blocks(NFVO, VNFM and VIM), NFV-MANO reference points(Or-Vi, Vi-Vnfm, and Or-Vnfm) and their corresponding interfaces are considered [1-4] and analysed from a security point of view. Security threats (T) and their associated security requirements (R) are identified. For all threat scenarios, the assumption is that the attackers are attached to the network and have the access to the NFV- MANO functional blocks and reference points.
Threat (T1): Eavesdropping - If attackers have access to NFV-MANO reference points, these attackers may request NFV-MANO functional blocks to gather information that may be used to perform attacks.
Requirement (R1)-It shall be possible to verify the authenticity of the information request and response messages exchanged between NFV-MANO functional blocks.
T2: Manipulation of messages - Attackers may modify the request and response messages exchanged between NFV-MANO functional blocks.R2: It shall be possible to verify the integrity of the information request and response messages exchanged between NFV-MANO functional blocks.
T3: Eavesdropping – The passive attackers may monitor/eavesdrop the communicating interface for sensitive data. If sensitive data are transmitted over the interface in plain text, then it will result in security issues.R3: It shall be possible to protect the confidentiality of the information request and response messages exchanged between NFV-MANO functional blocks.
T4: Compromising resource management user interface - Attackers may take control of the management web user interface by exploiting vulnerabilities in the management interface, server, and configuration and deployment flaws.R4: It shall be possible to prevent unauthorized access for the user resource management interface.
T5: Unauthorized Access (Password Guessing) - Attackers may perform brute force attacks to find out the management interface login username and password.R5 (a): It shall be possible to limit the continuous login attempts. R5 (b): It shall be possible to implement password management policy.
T6: Interception - Attackers may redirect or mirror the network traffic by compromising virtual routers, and firewalls.R6: It shall be possible to enforce and implement the network access control policy management.
T7: Traffic Analysis - Attackers may obtain sensitive information through traffic analysis and data access pattern analysis.R7: It shall be possible to protect sensitive information during data communication over the network.
T8: Denial of Service - Attackers may perform the DoS/DDoS attacks by targeting the backend/backup systems, resource and management nodes. Attackers may also intentionally accelerate the scaling and migration process.R8 (a): It shall be possible to protect against the unauthorized access and modification of data.R8 (b): It shall be possible to prevent and mitigate the DoS attacks.R8(c): It shall be possible to prevent and mitigate the DDoS attacks.
T9: Misuse of privileges - Attackers may escalate the privileges to gain unauthorized access.R9: It shall be possible to protect against unauthorized access.
T10: Manipulation of application data - Attackers may maliciously change the patching codes and resource location.R10 (a): It shall be possible to ensure that patching codes are downloaded from a trusted source. R10 (b): It shall be possible to verify the authenticity of the information.R10(c): It shall be possible to verify the integrity of the information.
T11: Unauthorized access of stored data - Attackers may perform side channel attacks to get crypto keys and other sensitive information.R11: It shall be possible to protect crypto keys against side channel attacks.
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)8
T12: Resource exhaustion - If attacker’s virtualisation containers consume large amount of resources, then this may degrades the performance of other VMs/VNFs and delays the provisioning of network services and life cycle management (LCM) operations. This may lead to a DoS attack if the performance decrease is severe enough or the network latency is high.R12: Usage of resources beyond the threshold limit by a given VM/VNF shall be notified to the NFVO and permission shall be obtained for usage of additional resources.
T13: Disruption of network service - Attackers may continuously send modified request/response messages that may lead to crashing of the given entity resulting in disruption of the network.R13: It shall be possible to identify and discard the crafted packets.
T14: Masquerading as a legitimate participant - Attackers may resend the previously captured messages to access the network services in the name of genuine entity.R14: It shall be possible to protect against replay attack.
T15: Manipulation of data traffic - Attackers may modify software image file being transferred.R15 (a): It shall be possible to verify the authenticity of the received software image file.R15 (b): It shall be possible to verify the integrity of the received software image file.
T16: Manipulation of data stored in repository - A VNF software image may be tampered and modified while in rest by the attackers.R16: It shall be possible to protect the confidentiality and integrity of the stored software image in the repository and the related keys shall be stored in hardware assisted and tamper resistant trusted environment.
T17: Masquerading as a legitimate entity - The presence of rogue NFV management entities may impact the availability of network services.R17: It shall be possible to enforce mutual authenticity between NFV-MANO functional blocks for any information exchange.
T18: Leakage - Malware may obtain the sensitive information which may corrupt the VNF package.R18: Obfuscation-It shall be possible to obfuscate the sensitive information of the VNF package management into unreadable format.
T19: Manipulation of data - Change of configurations by attackers on the VNF life cycle management operational functions may affect the network services.R19 (a): It shall be possible to protect the VNF configuration file against the un-authorized modifications.
R19 (b) It shall be possible to verify the integrity protection before using the VNF configuration file.
T20: Interception - During migration, high volume VNFs consume maximum available bandwidth and it may be noticeable by attackers. Also it may downgrade the performance and increase the down time, which may lead to migration failure.R20: It shall be possible to migrate VNFs securely without significant performance degradation.
6 Threat Analysis of NFV-MANO Functional Blocks
6.1 NFV Orchestrator
6.1.1 OverviewThe NFV Orchestrator (NFVO) is responsible for life cycle management of network services and VNF packages, validation and authorization of requests, policy management, and managing resources of NFV-PoPs via multiple VIMs and VNFMs. It also tracks the network services and its use of resources by using different data repositories. NFV Orchestrator (NFVO) has two main functional responsibilities, i.e. network service orchestration functions and resource orchestration functions.
a) The network service orchestration functions provide some non-exhaustive set of capabilities such as:
i) Management of network service deployment templates and VNF packages
ii) Network service instantiation and Network service instance lifecycle management
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)9
iii) Management of the instantiations of VNF managers and VNFs, in coordination with VNF managers
iv) Validation and authorization of NFVI resource request from VNF Managers
v) Management of integrity, visibility and topology of the network service instances
vi) Policy management and enforcement for the Network service instances and VNF instances
b) The resource orchestration functions provides some non-exhaustive set of capabilities such as:
i) Validation and authorization of NFVI resource requests from VNF Manager(s)
ii) NFVI resource management across operator's Infrastructure Domains
iii) Management of the relationship between the VNF instances and the NFVI resources
iv) Policy management and enforcement for the Network service instances and VNF instances
v) Collect usage information of NFVI resources
For a detailed description of the NFV orchestrator and its functionalities, refer to clause 5.4.1 in ETSI GS NFV-MAN 001 [i.3].
6.1.2 Threat analysis for NFV OrchestratorThis clause describes the threat analysis and security requirements for NFV orchestrator.
T1: Manipulation of application data - Attackers may modify a NFV packages during on-boarding.R1 (a): Authenticity of a NFV packages shall be verified during on-boarding.R1 (b): Integrity of a NFV package shall be verified during on-boarding.
T1.a.1.1 Internal attackers are attached to the network
T1.a.1.2 Internal attackers have access to Orchestrator
T1.a.1.3 NFVO supports NFV package operations
T1.a.2 Orchestrator
T1.a.3 Authorized administrators with legitimate access to the Orchestrator
T1.a.4.1 Attackers may modify the NFV packages
T1.a.5 Only authorised entity shall access the NFV package operations
T1.b.1.1 NFV packages operations shall be configured using security policy management
T1.b.1.2 Once an NS and VNF package is maliciously altered, the event is logged, and a security alarm is raised to the Security Management system
T1.b.2.1The Security management systems flag the threat agent (internal attackers) for further analysis.
T1.c.1.1 In runtime cases: e.g., Security policy management shall be enforced
T1.c.2.1 Authenticity of the NFV packages shall be validated during on-boarding
T1.c.2.2 Integrity of a NFV packages shall be validated during on-boarding
T2: Disruption of network service - Attackers may forge a NFV descriptor (e.g. NSD, PNFD) during on-boarding, thus resulting in network service interruptions.R2 (a): Authenticity of a NFV descriptor shall be verified during on-boarding.R2 (b): Integrity of a NFV descriptor shall be verified during on-boarding.R2 (c): A NFV descriptor shall be validated against the defined policy management during on-boarding.
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)10
T2.a.1.1 Internal attackers are attached to the network
T2.a.1.2 Internal attackers have access to Orchestrator
T2.a.1.3 NFVO supports Network service deployment template operations
T2.a.2 Orchestrator
T2.a.3 Authorized administrators with legitimate access to the Orchestrator
T2.a.4.1 Attackers may forge a NFV descriptor
T2.a.5 Only authorised entity shall access the Network service life cycle management operations
T2.b.1.1 Network service life cycle management operations shall be configured using security policy management
T2.b.1.2 If request operations of Network services life cycle management are disturbed, the event is logged, and a security alarm is raised to the Security management system
T2.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T2.c.2.1 Authenticity of a NFV descriptor shall be validated during on-boarding
T2.c.2.2 Integrity of a NFV descriptor shall be validated during on-boarding
T2.c.2.3 A NFV descriptor shall be validated against the defined policy management during on-boarding.
T3: Misuse of privileges- Attackers may indulge in security breaches and gain unauthorized access by overruling the policy management of Network service instances and VNF instances.R3: Security policy management shall be provided for Network service instances and VNF instances.
T3.a.1.1 Internal attackers are attached to the network
T3.a.1.2 Internal attackers have access to Orchestrator
T3.a.1.3 NFVO supports Network service instances and VNF instances operations
T3.a.2 Orchestrator
T3.a.3 Authorized administrators with legitimate access to the Orchestrator
T3.a.4.1 Attackers may indulge in security breaches and gain unauthorized access by overruling the policy management of Network service instances and VNF instances
T3.a.5 Only authorised entity shall access the Network service instances and VNF instances
T3.b.1.1 Network service instances and VNF instances shall be configured using security policy management
T3.b.1.2 If any security breaches in Network service instances and VNF instances is identified, the event is logged, and a security alarm is raised to the Security management system
T3.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T3.c.2.1 Unauthorized access to Network service instances and VNF instances shall be protected
T4: Manipulation of message request - Attackers may manipulate the NFVI resource allocation (granting) request from VNF Manager(s) regarding resources allocation within one NFVI-PoP or across multiple NFVI-PoPs.R4 (a): Authenticity of NFVI resource allocation requests from VNF Managers shall be verified.R4 (b): Unauthorized access to NFVI resource allocation requests from VNF Managers shall be protected.
T4.a.1.1 Internal attackers are attached to the network
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)11
T4.a.1.2 Internal attackers have access to Orchestrator
T4.a.1.3 NFVO supports resources allocation management operations
T4.a.2 Orchestrator
T4.a.3 Authorized administrators with legitimate access to the Orchestrator
T4.a.4.1 Attackers may manipulate the NFVI resource allocation (granting) request from VNF Manager(s) regarding resources allocation within one NFVI-PoP or across multiple NFVI-PoPs.
T4.a.5 Only authorised entity shall access the resources allocation management
T4.b.1.1 Resources allocation management operations shall be configured using security policy management
T4.b.1.2 If any of the NFVI resource allocation (granting) request is forged, the event is logged, and a security alarm is raised to the Security management system
T4.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T4.c.2.1 Authenticity of the NFVI resource allocation requests from VNF Managers shall be validated
T4.c.2.2 Unauthorized access to NFVI resource allocation requests from VNF Managers shall be protected
T5: Traffic Analysis - Attackers may forge the network service topology which may result in performance degradation or service interruptions.R5: Network service topology shall be validated against the defined policy management.
T5.a.1.1 Internal attackers are attached to the network
T5.a.1.2 Internal attackers have access to Orchestrator
T5.a.1.3 NFVO supports network service topology management operations
T5.a.2 Orchestrator
T5.a.3 Authorized administrators with legitimate access to the Orchestrator
T5.a.4.1 Attackers may forge the network service topology
T5.a.5 Only authorised entity shall access the network service topology management
T5.b.1.1 Network service topology management shall be configured using security policy management
T5.b.1.2 If any network service topology is forged, the event is logged, and a security alarm is raised to the Security management system
T5.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T5.c.2.1 Network service topology shall be validated against the defined policy management
T6: Manipulation of notifications - Attackers may escalate false information or perform service interruptions using the collected usage information of NFVI resources by NFVI instances or group of VNF instances. R6: Usage information of NFVI resources by NFVI instances shall be protected from unauthorized access.
T6.a.1.1 Internal attackers are attached to the network
T6.a.1.2 Internal attackers have access to Orchestrator
T6.a.1.3 NFVO supports NFVI resource information management operations
T6.a.2 Orchestrator
T6.a.3 Authorized administrators with legitimate access to the Orchestrator
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)12
T6.a.4.1 Attackers may escalate false information or perform service interruptions using the collected usage information of NFVI resources by NFVI instances or group of VNF instances
T6.a.5 Only authorised entity shall access the NFVI resource information management
T6.b.1.1 NFVI resource information management shall be configured using security policy management
T6.b.1.2 If any false information regarding collected usage information of NFVI resources is escalated, the event is logged, and a security alarm is raised to the Security management system
T6.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T6.c.2.1 Usage information of NFVI resources by NFVI instances shall be protected from unauthorized access
T7: Manipulation of notifications- Attackers may trigger false automation management notifications of Network service instances and VNF instances leading to failure of NS and VNF on-boarding.R7 (a): Authenticity of the automation management notifications shall be verified.R7 (b): Integrity of the automation management notifications shall be verified.
T7.a.1.1 Internal attackers are attached to the network
T7.a.1.2 Internal attackers have access to Orchestrator
T7.a.1.3 NFVO supports automation management operations
T7.a.2 Orchestrator
T7.a.3 Authorized administrators with legitimate access to the Orchestrator
T7.a.4.1 Attackers may trigger false automation management notifications of Network service instances and VNF instances
T7.a.5 Only authorised entity shall access the automation management
T7.b.1.1 Automation management shall be configured using security policy management
T7.b.1.2 If any automation management notification is forged, the event is logged, and a security alarm is raised to the Security management system
T7.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T7.c.2.1 Authenticity of the automation management notifications shall be validated
T7.c.2.2 Integrity of the automation management notifications shall be validated
T8: Manipulation of application data-Attackers may maliciously change the NFVI resource repository and VIM location information, which are used for distribution, reservation and allocation of NFVI resources to Network service instances and VNF instances R8 (a): Authenticity of the NFVI resource repository and VIM location information shall be verified.R8 (b): Integrity of the NFVI resource repository and VIM location information shall be verified.
T8.a.1.1 Internal attackers are attached to the network
T8.a.1.2 Internal attackers have access to Orchestrator
T8.a.1.3 NFVO supports NFVI resource information management operations
T8.a.2 Orchestrator
T8.a.3 Authorized administrators with legitimate access to the Orchestrator
T8.a.4.1Attackers may maliciously change the NFVI resource repository and VIM location information
T8.a.5 Only authorised entity shall access the NFVI resource information management
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)13
T8.b.1.1 NFVI resource information management shall be configured using security policy management
T8.b.1.2 If any NFVI resource information is altered, the event is logged, and a security alarm is raised to the Security Management system
T8.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T8.c.2.1 Authenticity of the NFVI resource repository and VIM location information shall be validated
T8.c.2.2 Integrity of the NFVI resource repository and VIM location information shall be validated
T9: Manipulation of stored data-Resources usage information and other collected information (records) related to network services may help attackers to launch predefined attacks R9: Usage data and other deployment information stored in repositories shall be only accessible to authenticated entities.
T9.a.1.1 Internal attackers are attached to the network
T9.a.1.2 Internal attackers have access to Orchestrator
T9.a.1.3 NFVO supports resource information management operations
T9.a.2 Orchestrator
T9.a.3 Authorized administrators with legitimate access to the Orchestrator
T9.a.4.1Attackers may perform predefined attacks using Resources usage information and other collected information (records) related to network services
T9.a.5 Only authorised entity shall access the Resource information management
T9.b.1.1 Resource information management operations shall be configured using security policy management
T9.b.1.2 If any predefined attacks is identified, the event is logged, and a security alarm is raised to the Security Management system
T9.b.2.1 Security Management systems flag the threat agent (internal attackers) for further analysis
T9.c.2.1 Usage data and other deployment information stored in repositories shall be only accessible to authenticated entities
T10: Manipulation of network services- Attackers may change the topology of the network services.R10: Security policy based routing shall be configured by administrator.
T10.a.1.1 Internal attackers are attached to the network
T10.a.1.2 Internal attackers have access to Orchestrator
T10.a.1.3 NFVO supports Network service operations
T10.a.2 Orchestrator
T10.a.3 Authorized administrators with legitimate access to the Orchestrator
T10.a.4.1 Attackers may alter the topology of the network services
T10.a.5 Only authorised entity shall access the Network service operations
T10.b.1.1 Network service operations shall be configured using security policy management
T10.b.1.2 If any alteration is identified in topology of the network services, the event is logged, and a security alarm is raised to the Security management system
T10.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)14
T10.c.2.1 Security policy based routing shall be configured by authorised administrator
T11: Disruption of network service- Attackers may disturb the request operations (e.g. disable or delete a NSD) that may impact the Network services life cycle management, potentially interrupting the running network services.R11(a): Authenticity of request operations of Network services life cycle management shall be validated. R11 (b): Integrity of request operations of Network services life cycle management shall be validated.
T11.a.1.1 Internal attackers are attached to the network
T11.a.1.2 Internal attackers have access to Orchestrator
T11.a.1.3 NFVO supports Network service life cycle management operations
T11.a.2 Orchestrator
T11.a.3 Authorized administrators with legitimate access to the Orchestrator
T11.a.4.1 Attackers may disturb the request operations for life cycle management of network services
T11.a.5 Only authorised entity shall access the Network service life cycle management operations
T11.b.1.1 Network service life cycle management operations shall be configured using security policy management
T11.b.1.2 If request operations of Network services life cycle management are disturbed, the event is logged, and a security alarm is raised to the Security management system
T11.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T11.c.2.1 Authenticity of request operations of Network services life cycle management shall be validated
T11.c.2.2 Integrity of request operations of Network services life cycle management shall be validated
T12: Misuse of Privileges- Attackers may use external interfaces (e.g., Os-Ma-nfvo) to infiltrate into the NFV-MANO to gain access.R12: Unauthorized access to NFV-MANO from external interface shall be protected.
T12.a.1.1 Internal attackers are attached to the network
T`12.a.1.2 Internal attackers have access to Orchestrator
T12.a.1.3 NFVO supports access management operations
T12.a.2 Orchestrator
T12.a.3 Authorized administrators with legitimate access to the Orchestrator
T12.a.4.1 Attackers may use external interfaces (e.g., Os-Ma-nfvo) to infiltrate into the NFV-MANO to gain some access
T12.a.5 Only authorised entity shall access the external interfaces (e.g., Os-Ma-nfvo)
T12.b.1.1 External interfaces (e.g., Os-Ma-nfvo) shall be configured using security policy management
T12.b.1.2 If any misuse of privilege is identified, the event is logged, and a security alarm is raised to the Security management system
T12.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T12.c.2.1 Unauthorized access to NFV-MANO from external interface shall be protected
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)15
T13: Unauthorized access- In multi-tenancy environment, Network service deployment template or VNF package assigned to particular tenants may expose to other tenants.R13: Tenants deployment templates or VNF packages shall be protected from unauthorized access.
T13.a.1.1 Internal attackers are attached to the network
T13.a.1.2 Internal attackers have access to Orchestrator
T13.a.1.3 NFVO supports Network service deployment template or VNF package operations
T13.a.2 Orchestrator
T13.a.3 Authorized administrators with legitimate access to the Orchestrator
T13.a.4.1 Attackers may expose the access permission of Network service deployment template or VNF package operations assigned to particular tenants
T13.a.5 Only authorised entity shall access the Network service deployment template or VNF package operations
T13.b.1.1 Network service deployment template or VNF package operations shall be configured using security policy management
T13.b.1.2 If Network service deployment template or VNF package operation fails, the event is logged, and a security alarm is raised to the Security management system
T13.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T13.c.2.1 Tenants deployment templates or VNF packages shall be protected from unauthorized access
T14: Manipulation of application data-NFVO supports to share resources including software images among VIMs (NFV-PoPs). Attackers may share compromised or manipulated software images among VIMs.R14 (a): Authenticity of the shared resources shall be validated.R14 (b): Integrity of the shared resources shall be validated.
T14. Manipulation of Application Data
T14.a.1.1 Internal attackers are attached to the network
T14.a.1.2 Internal attackers have access to Orchestrator
T14.a.1.3 NFVO supports to share resources including software images among VIMs (NFV-PoPs)
T14.a.2 Orchestrator
T14.a.3 Authorized administrators with legitimate access to the Orchestrator
T14.a.4.1Attackers may share compromised or manipulated software images among VIMs
T14.a.5 Remote attestation shall be performed before any image is instantiated
T14.b.1.1 Only signed and remotely attested Orchestrators shall be instantiated.
T14.b.1.2 Once an Orchestrator image fails attestation, the event is logged, and a security alarm is raised to the Security Management system
T14.b.2.1 Security Management systems flag the threat agent (internal attackers) for further analysis.
T14.c.1.1 N/A
T14.c.1.2 N/A
T14.c.2.1 Authenticity of the shared resources shall be validated through Remote Attestation.
T14.c.2.1 Integrity of the shared resources shall be validated through Remote Attestation.
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)16
T15: Manipulation of data- Attackers may fake the received acceleration capability information from VIM towards NFVO, which may interrupt the NFV acceleration management operations.R15 (a): NFVO shall verify the authenticity of the received acceleration capability information from VIM.R15 (b): NFVO shall verify the integrity of the received acceleration capability information from VIM.
T15.a.1.1 Internal attackers are attached to the network
T15.a.1.2 Internal attackers have access to Orchestrator
T15.a.1.3 NFVO supports NFV acceleration management operations
T15.a.2 Orchestrator
T15.a.3 Authorized administrators with legitimate access to the Orchestrator
T15.a.4.1Attackers may fake the received acceleration capability information from VIM towards NFVO
T15.a.5 Only authorised entity shall access the NFV acceleration management operations
T15.b.1.1 NFV acceleration management operations shall be configured using security policy management
T15.b.1.2 If any NFV acceleration management operations fail, the event is logged, and a security alarm is raised to the Security Management system
T15.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T15.c.2.1 Authenticity of the received acceleration capability information from VIM shall be validated
T15.c.2.2 Integrity of the received acceleration capability information from VIM shall be validated
T16: Manipulation of request message- Attackers may forge the NFVO request messages that were sent to the VIM for allocation and release of acceleration resources that may interrupt the NFV acceleration management operations.R16 (a): NFVO shall verify the authenticity of the request messages that were sent to the VIM for allocation and release of acceleration resources.R16 (b): NFVO shall verify the integrity of the request messages that were sent to the VIM for allocation and release of acceleration resources.
T16.a.1.1 Internal attackers are attached to the network
T16.a.1.2 Internal attackers have access to Orchestrator
T16.a.1.3 NFVO supports NFV acceleration management operations
T16.a.2 Orchestrator
T16.a.3 Authorized administrators with legitimate access to the Orchestrator
T16.a.4.1Attackers may forge the NFVO request messages that were sent to the VIM for allocation and release of acceleration resources
T16.a.5 Only authorised entity shall access the NFV acceleration management operations
T16.b.1.1 NFV acceleration management operations shall be configured using security policy management
T16.b.1.2 If any of the NFVO request messages that were sent to the VIM is forged, the event is logged, and a security alarm is raised to the Security management system
T16.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T16.c.2.1 Authenticity of the request messages that were sent to the VIM for allocation and release of acceleration resources shall be validated
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)17
T16.c.2.2 Integrity of the request messages that were sent to the VIM for allocation and release of acceleration resources shall be validated
T17: Manipulation of request- Attackers may maliciously modify the query request regarding information about software images to VIM that may interrupt the software image management operations.R17 (a): NFVO shall verify the authenticity of the query request regarding information about software image to VIM.R17 (b): NFVO shall verify the integrity of the query request regarding information about software image to VIM.
T17.a.1.1 Internal attackers are attached to the network
T17.a.1.2 Internal attackers have access to Orchestrator
T17.a.1.3 NFVO supports software images management operations
T17.a.2 Orchestrator
T17.a.3 Authorized administrators with legitimate access to the Orchestrator
T17.a.4.1 Attackers may maliciously modify the query request regarding information about software images to VIM
T17.a.5 Remote attestation shall be performed before any image is instantiated
T17.b.1.1 Software image management shall be configured using security policy management
T17.b.1.2 If any query request regarding information about software images is forged, the event is logged, and a security alarm is raised to the Security management system
T17.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T17.c.2.1 Authenticity of the query request regarding information about software image to VIM shall be validated
T17.c.2.2 Integrity of the query request regarding information about software image to VIM shall be validated
T18: Manipulation of request- Attackers may fake the request regarding invoked software image deletion to VIM that may interrupt the software image management operations.R18 (a): NFVO shall verify the authenticity of the invoked software image deletion request to VIM.R18 (b): NFVO shall verify the integrity of the invoked software image deletion request to VIM.
T18.a.1.1 Internal attackers are attached to the network
T18.a.1.2 Internal attackers have access to Orchestrator
T18.a.1.3 NFVO supports to share resources including software images operations
T18.a.2 Orchestrator
T18.a.3 Authorized administrators with legitimate access to the Orchestrator
T18.a.4.1 Attackers may fake the request regarding invoked software image deletion to VIM
T18.a.5 Remote attestation shall be performed before any image is invoked
T18.b.1.1 Only signed and remotely attested Orchestrators shall be invoked
T18.b.1.2Once an Orchestrator image fails attestation, the event is logged, and a security alarm is raised to the Security Management system
T18.b.2.1The Security management systems flag the threat agent (internal attackers) for further analysis.
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)18
T18.c.1.1 In case of runtime threats: e.g., the Orchestrator shall not be invoked without an associated Security Agent running first.
T18.c.1.2 In runtime cases: e.g., Security Policy Management shall enforce data rate policies
T18.c.2.1 Authenticity of the invoked software image deletion request to VIM validated through Remote Attestation
T18.c.2.2 Integrity of the invoked software image deletion request to VIM validated through Remote Attestation
T19: Manipulation of application data- Attackers may modify and forge the user-defined metadata for the selected software images that may interrupt the software image management operations.R19: NFVO shall protect the user-defined metadata for the selected software images from unauthorized access.
T19.a.1.1 Internal attackers are attached to the network
T19.a.1.2 Internal attackers have access to Orchestrator
T19.a.1.3 NFVO supports to share resources including software images operations
T19.a.2 Orchestrator
T19.a.3 Authorized administrators with legitimate access to the Orchestrator
T19.a.4.1 Attackers may modify and forge the user-defined metadata for the selected software images
T19.a.5 Remote attestation shall be performed before any image is instantiated.
T19.b.1.1 Only signed and remotely attested Orchestrators shall be instantiated.
T19.b.1.2 Once an Orchestrator image fails attestation, the event is logged, and a security alarm is raised to the Security Management system
T19.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis.
T19.c.1.1 In case of runtime threats: e.g., the Orchestrator shall not be instantiated without an associated Security Agent running first.
T19.c.1.2 In runtime cases: e.g., Security Policy Management shall enforce data rate policies
T19.c.2.1 Authenticity of the user-defined metadata for the selected software images shall be validated through Remote Attestation
T19.c.2.2 Integrity of the user-defined metadata for the selected software images shall be validated through Remote Attestation
T20: Manipulation of notifications- Attackers may fake the fault information notifications issued by VNFM related to the Network service managed by NFVO that may interrupt the network service operationsR20(a): NFVO shall verify the authenticity of the fault information notifications related to the Network service.R20(b): NFVO shall verify the integrity of the fault information notifications related to the Network service.
T20.a.1.1 Internal attackers are attached to the network
T20.a.1.2 Internal attackers have access to Orchestrator
T20.a.1.3 NFVO supports fault information management operations
T20.a.2 Orchestrator
T20.a.3 Authorized administrators with legitimate access to the Orchestrator
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)19
T20.a.4.1 Attackers may fake the fault information notifications issued by VNFM related to the Network service managed by NFVO
T20.a.5 Only authorised entity shall access the fault information management
T20.b.1.1 Fault information management shall be configured using security policy management
T20.b.1.2 If any fault information notification is faked, the event is logged, and a security alarm is raised to the Security management system
T20.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T20.c.2.1 Authenticity of the fault information notifications related to the Network service shall be validated
T20.c.2.2 Integrity of the fault information notifications related to the Network service shall be validated
T21: Manipulation of messages- Attackers may tamper the messages exchanged between NFVO and consumer.R21 (a): Messages exchanged between NFVO and consumer shall be protected from unauthorized access.R21 (b): Integrity of the messages exchanged between NFVO and consumer shall be verified.R21 (c): Authenticity of the messages exchanged between NFVO and consumer shall be verified.
T21.a.1.1 Internal attackers are attached to the network
T21.a.1.2 Internal attackers have access to Orchestrator
T21.a.1.3 NFVO supports messages exchanged between NFVO and consumer
T21.a.2 Orchestrator
T21.a.3 Authorized administrators with legitimate access to the Orchestrator
T21.a.4.1Attackers may tamper the messages exchanged between NFVO and consumer
T21.a.5 Only authorised entity shall access the messages exchanged between NFVO and consumer
T21.b.1.1 Messages exchanged between NFVO and consumer shall be configured using endpoint authentication
T21.b.1.2 If any of the message between NFVO and consumer is tampered, the event is logged, and a security alarm is raised to the Security management system
T21.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T21.c.2.1 Messages exchanged between NFVO and consumer shall be protected from unauthorized access
T21.c.2.2 Integrity of the messages exchanged between NFVO and consumer shall be validated
T21.c.2.3 Authenticity of the messages exchanged between NFVO and consumer shall be validated
T22: Privacy preservation - Attackers may forge the personally-identifiable information about NFVI-PoPs that may interrupt the infrastructure resource management operations.R22 (a): NFVO shall ensure that personally-identifiable information about NFVI-PoPs shall be protected from unauthorized accessR22 (b): NFVO shall verify the integrity of the personally-identifiable information about NFVI-PoPs.R22(c): NFVO shall verify the authenticity of the personally-identifiable information about NFVI-PoPs.R22 (d): NFVO shall provide privacy for the personally-identifiable information about NFVI-PoPs such as geographical location.
T22.a.1.1 Internal attackers are attached to the network
T22.a.1.2 Internal attackers have access to Orchestrator
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)20
T22.a.1.3 NFVO supports infrastructure resource management operations
T22.a.2 Orchestrator
T22.a.3 Authorized administrators with legitimate access to the Orchestrator
T22.a.4.1Attackers may forge the personally-identifiable information about NFVI-PoPs
T22.a.5 Only authorised entity shall access the infrastructure resource management operations
T22.b.1.1 NFVI-PoPs operations shall be configured using security policy management
T22.b.1.2 If any infrastructure resource management operations fail, the event is logged, and a security alarm is raised to the Security management system
T22.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T22.c.2.1 Personally-identifiable information about NFVI-PoPs shall be protected from unauthorized access
T22.c.2.2 Integrity of the personally-identifiable information about NFVI-PoPs shall be validated
T22.c.2.3 Authenticity of the personally-identifiable information about NFVI-PoPs shall be validated
T22.c.2.4 Privacy for the personally-identifiable information about NFVI-PoPs such as geographical location shall be protected
T23: Manipulation of notifications- Attackers may fake the error notifications during Network service lifecycle procedure that may interrupt the network service operations.R23 (a): NFVO shall verify the authenticity of the error notifications during Network service lifecycle procedure. R23 (b): NFVO shall verify the integrity of the error notifications during Network service lifecycle procedure.
T23.a.1.1 Internal attackers are attached to the network
T23.a.1.2 Internal attackers have access to Orchestrator
T23.a.1.3 NFVO supports Network service lifecycle operations
T23.a.2 Orchestrator
T23.a.3 Authorized administrators with legitimate access to the Orchestrator
T23.a.4.1Attackers may fake the error notifications during Network service lifecycle procedure
T23.a.5 Only authorised entity shall access the Network service lifecycle procedure
T23.b.1.1 Network service lifecycle management shall be configured using security policy management
T23.b.1.2 If any error notification related to Network service lifecycle operations fails, the event is logged; and a security alarm is raised to the Security management system
T23.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T23.c.2.1 Authenticity of the error notifications during Network service lifecycle procedure shall be validated
T23.c.2.2 Integrity of the error notifications during Network service lifecycle procedure shall be validated
T24: Manipulation of request- Attackers may fake the change request of fault information related to the Network services that may interrupt the network service operations.R24 (a): Authenticity of the change request regarding fault information shall be verified by the NFVO.R24 (b): Integrity of the change request regarding fault information shall be verified by the NFVO.
T24.a.1.1 Internal attackers are attached to the network
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)21
T24.a.1.2 Internal attackers have access to Orchestrator
T24.a.1.3 NFVO supports VNF fault management operations
T24.a.2 Orchestrator
T24.a.3 Authorized administrators with legitimate access to the Orchestrator
T24.a.4.1Attackers may fake the change request of fault information related to the Network services
T24.a.5 Only authorised entity shall access the VNF fault management operations
T24.b.1.1 VNF fault management shall be configured using security policy management
T24.b.1.2 If any change request of fault information fails, the event is logged, and a security alarm is raised to the Security management system
T24.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T24.c.2.1 Authenticity of the change request regarding fault information shall be validated
T24.c.2.2 Integrity of the change request regarding fault information shall be validated
T25: Manipulation of request- Attackers may forge the VNF healing request to VNFM that may interrupt the VNF fault management operations.R25 (a): NFVO shall verify the authenticity of the VNF healing request to VNFM.R25 (b): NFVO shall verify the integrity of the VNF healing request to VNFM.
T25.a.1.1 Internal attackers are attached to the network
T25.a.1.2 Internal attackers have access to Orchestrator
T25.a.1.3 NFVO supports VNF fault management operations
T25.a.2 Orchestrator
T25.a.3 Authorized administrators with legitimate access to the Orchestrator
T25.a.4.1Attackers may forge the VNF healing request to VNFM
T25.a.5 Only authorised entity shall access the VNF fault management operations
T25.b.1.1 VNF fault management shall be configured using security policy management
T25.b.1.2 If any VNF healing request fails, the event is logged, and a security alarm is raised to the Security management system
T25.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T25.c.1.1 In runtime cases: e.g., Security policy management shall be enforced
T25.c.2.1 Authenticity of the VNF healing request to VNFM shall be validated
T25.c.2.2 Integrity of the VNF healing request to VNFM shall be validated
T26: Manipulation of notifications- Attackers may forge the state change alarm notifications during VNF instances that may interrupt the VNF fault management operations.R26 (a): NFVO shall verify the authenticity of alarms notifications during VNF instances.R26 (b): NFVO shall verify the integrity of alarms notifications during VNF instances.
T26.a.1.1 Internal attackers are attached to the network
T26.a.1.2 Internal attackers have access to Orchestrator
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)22
T26.a.1.3 NFVO supports VNF instance operations
T26.a.2 Orchestrator
T26.a.3 Authorized administrators with legitimate access to the Orchestrator
T26.a.4.1Attackers may forge the notifications about availability of performance information on the Network services
T26.a.5 Only authorised entity shall access the VNF performance management information
T26.b.1.1 VNF performance management shall be configured using security policy management
T26.b.1.2 If any notifications about availability of performance information on the Network services fail, the event is logged, and a security alarm is raised to the Security management system
T26.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T26.c.1.1 In runtime cases: e.g., Security policy management shall be enforced
T26.c.2.1 Authenticity of the information regarding active PM jobs shall be validated
T26.c.2.2 Integrity of the information regarding active PM jobs shall be validated
T27: Manipulation of notifications- Attackers may forge the notifications about availability of performance information on the Network services that may interrupt network services.R27 (a): NFVO shall verify the authenticity of notifications about availability of performance information on the Network services.R27 (b): NFVO shall verify the integrity of notifications about availability of performance information on the Network services.
T27.a.1.1 Internal attackers are attached to the network
T27.a.1.2 Internal attackers have access to Orchestrator
T27.a.1.3 NFVO supports VNF performance management operations
T27.a.2 Orchestrator
T27.a.3 Authorized administrators with legitimate access to the Orchestrator
T27.a.4.1Attackers may forge the notifications about availability of performance information on the Network services
T27.a.5 Only authorised entity shall access the VNF performance management information
T27.b.1.1 VNF performance management shall be configured using security policy management
T27.b.1.2 If any notifications about availability of performance information on the Network services fail, the event is logged, and a security alarm is raised to the Security management system
T27.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T27.c.1.1 In runtime cases: e.g., Security policy management shall be enforced
T27.c.2.1 Authenticity of the information regarding active PM jobs shall be validated
T27.c.2.2 Integrity of the information regarding active PM jobs shall be validated
T28: Manipulation of data- Attackers may maliciously modify the information regarding active PM jobs that may interrupt the network services.R28 (a): NFVO shall verify the authenticity of the information regarding active PM jobs.R28 (b): NFVO shall verify the integrity of the information regarding active PM jobs.
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)23
T28.a.1.1 Internal attackers are attached to the network
T28.a.1.2 Internal attackers have access to Orchestrator
T28.a.1.3 NFVO supports VNF performance management operations
T29.a.2 Orchestrator
T28.a.3 Authorized administrators with legitimate access to the Orchestrator
T28.a.4.1Attackers may maliciously modify the information regarding active PM jobs
T28.a.5 Only authorised entity shall access the VNF performance management information
T28.b.1.1 VNF performance management shall be configured using security policy management
T28.b.1.2 If any active PM jobs fails, the event is logged, and a security alarm is raised to the Security management system
T28.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T28.c.1.1 In runtime cases: e.g., Security policy management shall be enforced
T28.c.2.1 Authenticity of the information regarding active PM jobs shall be validated
T28.c.2.2 Integrity of the information regarding active PM jobs shall be validated
T29: Manipulation of data- Attackers may forge the VNF instance information (related to modification request) that may interrupt the VNF information management operations.R29 (a): NFVO shall verify the authenticity of the modification request message related to VNF instance.R29 (b): NFVO shall verify the integrity of the modification request message related to VNF instance.
T29.a.1.1 Internal attackers are attached to the network
T29.a.1.2 Internal attackers have access to Orchestrator
T29.a.1.3 NFVO supports VNF information management operations
T29.a.2 Orchestrator
T29.a.3 Authorized administrators with legitimate access to the Orchestrator
T29.a.4.1Attackers may forge the VNF instance information
T29.a.5 Only authorised entity shall access the VNF instance information
T29.b.1.1 VNF information management shall be configured using security policy management
T29.b.1.2 If any VNF information management operation fails, the event is logged, and a security alarm is raised to the Security Management system
T29.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T29.c.1.1 Security policy management shall be enforced
T29.c.2.1 Authenticity of the VNF instance information shall be validated
T29.c.2.2 Integrity of the VNF instance information shall be validated
T30: Manipulation of data- Attackers may maliciously modify the mandatory information in the VNF package that may interrupt the VNF information management operations.R30: Mandatory information in the VNF package shall be protected from the unauthorized access.
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)24
T30.a.1.1 Internal attackers are attached to the network
T30.a.1.2 Internal attackers have access to Orchestrator
T30.a.1.3 NFVO supports VNF package management operations
T30.a.2 Orchestrator
T30.a.3 Authorized administrators with legitimate access to the Orchestrator
T30.a.4.1 Attackers may forge the mandatory information in VNF package
T30.a.5 Only authorised entity shall access the VNF package’s mandatory information
T30.b.1.1 VNF package shall be configured using security policy management
T30.b.1.2 Once VNF package access permission fails, the event is logged, and a security alarm is raised to the Security Management system
T30.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T30.c.1.1 In runtime cases: e.g., Security policy management shall be enforced
T30.c.2.1 VNF package’s mandatory information shall be protected from unauthorised access
T31: Manipulation of data- Attackers may forge the information of VNFD in the VNF package that may interrupt the VNF information management operations.R31: VNFD information in the VNF package shall be protected from unauthorized access by NFVO.
T31.a.1.1 Internal attackers are attached to the network
T31.a.1.2 Internal attackers have access to Orchestrator
T31.a.1.3 NFVO supports VNF package management operations
T31.a.2 Orchestrator
T31.a.3 Authorized administrators with legitimate access to the Orchestrator
T31.a.4.1 Attackers may forge the information of VNFD in the VNF package
T31.a.5 Only authorised entity shall access the VNFD information
T31.b.1.1 VNFD shall be configured using security policy management
T31.b.1.2 Once VNFD fails access permission, the event is logged, and a security alarm is raised to the Security Management system
T31.b.2.1 Security Management systems flag the threat agent (internal attackers) for further analysis
T31.c.1.1Security Policy Management shall be enforced
T31.c.2.1 VNFD information shall be protected from unauthorised access
6.2 VNF Manager(s)
6.2.1 OverviewVNF Manager (VNFM) is responsible for the lifecycle management of VNF instances. Each VNF instance is implicit to have associated VNF manager. VNF manager functions are generic in nature and applicable to any type of VNF. VNFM manages virtualised resources associated to the VNF it manages via the interfaces exposed by the VIM or NFVO. VNFM exposes VNF lifecycle management interfaces/APIs to the VNF, EM and NFVO. VNFM sends VNF
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)25
lifecycle management notifications to the VNF, EM and NFVO.VNFM manages VNF initial configuration via the interfaces exposed by the VNF. The VNF Manager functional block performs some non-exhaustive set of functions such as:
a) VNF instantiation and VNF configuration;
b) VNF instance software update/upgrade;
c) VNF instance modification;
d) VNF instance scaling out/in and up/down;
e) VNF instance-related collection of NFVI performance measurement results and faults/events information, and correlation to VNF instance-related events/faults;
f) VNF instance assisted or automated healing;
g) VNF instance termination;
h) VNF lifecycle management change notifications;
i) Management of the integrity of the VNF instance through its lifecycle;
j) Overall coordination and adaptation role for configuration and event reporting between the VIM and the EM.
The detail description of VNF managers and its functionalities can be referred from clause 5.4.2 in ETSI GS NFV-MAN 001 [i.3].
6.2.2 Threat analysis for VNF Manager(s)In this clause, threat analysis of VNF Manager(s) is discussed.
T1: Manipulation of data- Attackers may change the VNF configurations during VNF life cycle management process that may affect the network services.R1 (a): VNF configurations shall be protected from unauthorized access during VNF life cycle management process.R1 (b): Integrity of the VNF configurations during VNF life cycle management process shall be verified.
T1.a.1.1 Internal attackers are attached to the network
T1.a.1.2 Internal attackers have access to VNF Manager(s)
T1.a.1.3 VNF Manager(s) supports VNF life cycle management operations
T1.a.2 VNF Manager(s)
T1.a.3 Authorized administrators with legitimate access to the VNF Manager(s)
T1.a.4.1 Attackers may change the VNF configurations during VNF life cycle management process
T1.a.5 Only authorised entity shall access the VNF life cycle management operations
T1.b.1.1 VNF life cycle management shall be configured using security policy management
T1.b.1.2 If any VNF life cycle management operation fails, the event is logged, and a security alarm is raised to the Security management system
T1.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T1.c.2.1 Authenticity of the VNF configurations during VNF life cycle management process shall be validated
T1.c.2.2 Integrity of the VNF configurations during VNF life cycle management process shall be validated
T2: Manipulation of request message- Attackers may send fake VNF configurations change request between VIM and EM that may disrupt the network service.
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)26
R2 (a): Authenticity of the VNF configurations change request between VIM and EM shall be verified.R2 (b): Integrity of the VNF configurations change request between VIM and EM shall be verified.
T2.a.1.1 Internal attackers are attached to the network
T2.a.1.2 Internal attackers have access to VNF Manager(s)
T2.a.1.3 VNF Manager(s) supports VNF configuration management operations
T2.a.2 VNF Manager(s)
T2.a.3 Authorized administrators with legitimate access to the VNF Manager(s)
T2.a.4.1Attackers may send fake VNF configurations change request between VIM and EM
T2.a.5 Only authorised entity shall access the VNF configuration management
T2.b.1.1 VNF configuration management shall be configured using security policy management
T2.b.1.2 If any fake VNF configurations change request is identified, the event is logged, and a security alarm is raised to the Security management system
T2.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T2.c.2.1 Authenticity of the VNF configurations change request between VIM and EM shall be validated
T2.c.2.2 Integrity of the VNF configurations change request between VIM and EM shall be validated
T3: Manipulation of notifications- Attackers may send masquerade notifications during VNF instantiation operations.R3 (a): Authenticity of the VNF instantiation operations shall be verified.R3 (b): Integrity of the VNF instantiation operations shall be verified.
T3.a.1.1 Internal attackers are attached to the network
T3.a.1.2 Internal attackers have access to VNF Manager(s)
T3.a.1.3 VNF Manager(s) supports VNF instantiation operations
T3.a.2 VNF Manager(s)
T3.a.3 Authorized administrators with legitimate access to the VNF Manager(s)
T3.a.4.1Attackers may send masquerade notifications during VNF instantiation operations
T3.a.5 Only authorised entity shall access the VNF instantiation operations
T3.b.1.1 VNF instantiation operations shall be configured using security policy management
T3.b.1.2 If any VNF instantiation operations fail, the event is logged, and a security alarm is raised to the Security management system
T3.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T3.c.2.1 Authenticity of the VNF instantiation operations shall be validated
T3.c.2.2 Integrity of the VNF instantiation operations shall be validated
T4: Manipulation of application data-Attackers may maliciously change the VNF software update/upgrade during VNF instantiation.R4 (a): Authenticity of the VNF software update/upgrade shall be verified.R4 (b): Integrity of the VNF software update/upgrade shall be verified.
T4.a.1.1 Internal attackers are attached to the network
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)27
T4.a.1.2 Internal attackers have access to VNF Manager(s)
T4.a.1.3 VNF Manager(s) supports VNF software management operations
T4.a.2 VNF Manager(s)
T4.a.3 Authorized administrators with legitimate access to the VNF Manager(s)
T4.a.4.1 Attackers may maliciously change the VNF software update/upgrade during VNF instantiation
T4.a.5 Only authorised entity shall access the VNF software management operations
T4.b.1.1 VNF software management shall be configured using security policy management
T4.b.1.2 If any VNF instantiation operation fails, the event is logged, and a security alarm is raised to the Security management system
T4.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T4.c.2.1 Authenticity of the VNF software update/upgrade shall be validated
T4.c.2.2 Integrity of the VNF software update/upgrade shall be validated
T5: Manipulation of request message- Attackers may forge the VNF instance scaling out/in and up/down requests.R5 (a): Authenticity of the VNF instance scaling out/in and up/down requests shall be verified.R5 (b): Integrity of the VNF instance scaling out/in and up/down requests shall be verified.
T5.a.1.1 Internal attackers are attached to the network
T5.a.1.2 Internal attackers have access to VNF Manager(s)
T5.a.1.3 VNF Manager(s) supports VNF instance operations
T5.a.2 VNF Manager(s)
T5.a.3 Authorized administrators with legitimate access to the VNF Manager(s)
T5.a.4.1Attackers may forge the VNF instance scaling out/in and up/down requests
T5.a.5 Only authorised entity shall access the VNF instance operations
T5.b.1.1 VNF instance operations shall be configured using security policy management
T5.b.1.2 If any VNF instance operations fail, the event is logged, and a security alarm is raised to the Security management system
T5.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T5.c.2.1 Authenticity of the VNF instance scaling out/in and up/down requests shall be validated
T5.c.2.2 Integrity of the VNF instance scaling out/in and up/down requests shall be validated
T6: Manipulation of notifications- Fake performance, fault information and correlation measurement notifications of VNF instance may interrupt the functionality of VNF operations.R6 (a): Authenticity of the performance, fault information and correlation measurement notifications shall be verified.R6 (b): Integrity of the performance, fault information and correlation measurement notifications shall be verified.
T6.a.1.1 Internal attackers are attached to the network
T6.a.1.2 Internal attackers have access to VNF Manager(s)
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)28
T6.a.1.3 VNF Manager(s) supports performance, fault information and correlation measurement operations of VNF
T6.a.2 VNF Manager(s)
T6.a.3 Authorized administrators with legitimate access to the VNF Manager(s)
T6.a.4.1Attackers may fake the performance, fault information and correlation measurement notifications of VNF instance
T6.a.5 Only authorised entity shall access the VNF operations
T6.b.1.1 VNF operations shall be configured using security policy management
T6.b.1.2 If any VNF operation (performance, fault information and correlation measurement operations) fails, the event is logged, and a security alarm is raised to the Security management system
T6.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T6.c.2.1 Authenticity of the performance, fault information and correlation measurement notifications shall be validated
T6.c.2.2 Integrity of the performance, fault information and correlation measurement notifications shall be validated
T7: Manipulation of notifications- Fake VNF lifecycle management change notifications may interrupt the functionality of VNF operations.R7 (a): Authenticity of the VNF lifecycle management change notifications shall be verified.R7 (b): Integrity of the VNF lifecycle management change notifications shall be verified.
T7.a.1.1 Internal attackers are attached to the network
T7.a.1.2 Internal attackers have access to VNF Manager(s)
T7.a.1.3 VNF Manager(s) supports VNF life cycle management operations
T7.a.2 VNF Manager(s)
T7.a.3 Authorized administrators with legitimate access to the VNF Manager(s)
T7.a.4.1Attackers may fake the VNF lifecycle management change notifications
T7.a.5 Only authorised entity shall access the VNF life cycle management operations
T7.b.1.1 VNF life cycle management shall be configured using security policy management
T7.b.1.2 If any VNF life cycle management operation fails, the event is logged, and a security alarm is raised to the Security management system
T7.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T7.c.2.1 Authenticity of the VNF lifecycle management change notifications shall be validated
T7.c.2.2 Integrity of the VNF lifecycle management change notifications shall be validated
T8: Manipulation of notifications- Attackers may fake the VNF instance modification notifications.R8 (a): Authenticity of the VNF instance modification notifications shall be verified.R8 (b): Integrity of the VNF instance modification notifications shall be verified.
T8.a.1.1 Internal attackers are attached to the network
T8.a.1.2 Internal attackers have access to VNF Manager(s)
T8.a.1.3 VNF Manager(s) supports VNF instance operations
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)29
T8.a.2 VNF Manager(s)
T8.a.3 Authorized administrators with legitimate access to the VNF Manager(s)
T8.a.4.1Attackers may fake the VNF instance modification notifications
T8.a.5 Only authorised entity shall access the VNF instance operations
T8.b.1.1 VNF instance operations shall be configured using security policy management
T8.b.1.2 If any VNF instance operation fails, the event is logged, and a security alarm is raised to the Security management system
T8.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T8.c.2.1 Authenticity of the VNF instance modification notifications shall be validated
T8.c.2.2 Integrity of the VNF instance modification notifications shall be validated
T9: Manipulation of notifications- Attackers may forge the VNFD information such as deployment information, operational behaviour, policies, software image information, connectivity, etc.R9 (a): Authenticity of the VNFD information shall be verified.R9 (b): Integrity of the VNFD information shall be verified.R9 (c): Confidentiality of the VNFD information shall be protected.R9 (d): VNFD information shall be protected from unauthorized access.
T9.a.1.1 Internal attackers are attached to the network
T9.a.1.2 Internal attackers have access to VNF Manager(s)
T9.a.1.3 VNF Manager(s) supports VNFD information management operations
T9.a.2 VNF Manager(s)
T9.a.3 Authorized administrators with legitimate access to the VNF Manager(s)
T9.a.4.1Attackers may forge the VNFD information such as deployment information, operational behaviour, policies, software image information, connectivity, etc
T9.a.5 Only authorised entity shall access the VNFD information management
T9.b.1.1 VNFD information management shall be configured using security policy management
T9.b.1.2 If any VNFD information management operation fails, the event is logged, and a security alarm is raised to the Security management system
T9.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T9.c.2.1 Authenticity of the VNFD information shall be validated
T9.c.2.2 Integrity of the VNFD information shall be validated
T9.c.2.3 Confidentiality of the VNFD information shall be protected
T9.c.2.4 VNFD information shall be protected from unauthorized access
T10: Manipulation of request message- Attackers may maliciously fake the VNFM resource allocation request to NFVO during VNF's instantiation, scaling and termination that may interrupt the VNF resource management operations.R10 (a): VNFM shall verify the authenticity of the VNFM request to NFVO during VNFs instantiation, scaling and termination.R10 (b): VNFM shall verify the integrity of the VNFM request to NFVO during VNFs instantiation, scaling and termination.
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)30
T10.a.1.1 Internal attackers are attached to the network
T10.a.1.2 Internal attackers have access to VNF Manager(s)
T10.a.1.3 VNF Manager(s) supports VNF resource management operations
T10.a.2 VNF Manager(s)
T10.a.3 Authorized administrators with legitimate access to the VNF Manager(s)
T10.a.4.1Attackers may maliciously fake the VNFM resource allocation request to NFVO during VNF's instantiation
T10.a.5 Only authorised entity shall access the VNF resource management
T10.b.1.1 VNF resource management shall be configured using security policy management
T10.b.1.2 If any VNF resource management operation fails, the event is logged, and a security alarm is raised to the Security management system
T10.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T10.c.2.1 Authenticity of the VNFM request to NFVO during VNFs instantiation, scaling and termination shall be validated
T10.c.2.2 Integrity of the VNFM request to NFVO during VNFs instantiation, scaling and termination shall be validated
T11: Unauthorized Access- Attackers may access the VIM without authorized permission to enable VNFM.R11: Information which is used to enable the VNFM to access VIM shall be protected from unauthorized access.
T11.a.1.1 Internal attackers are attached to the network
T11.a.1.2 Internal attackers have access to VNF Manager(s)
T11.a.1.3 VNF Manager(s) supports access management operations
T11.a.2 VNF Manager(s)
T11.a.3 Authorized administrators with legitimate access to the VNF Manager(s)
T11.a.4.1Attackers may access the VIM without authorized permission to enable VNFM
T11.a.5 Only authorised entity shall access the VIM and VNFM
T11.b.1.1 VIM shall be configured using security policy management
T11.b.1.2 If any misuse of VIM access privilege is identified, the event is logged, and a security alarm is raised to the Security management system
T11.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T11.c.2.1 Information which is used to enable the VNFM to access VIM shall be protected from unauthorized access
T12: Manipulation of notifications- Attackers may forge the change notifications of VNF indicator value.R12 (a): VNFM shall verify the authenticity of the change notifications of VNF indicator value.R12 (b): VNFM shall verify the integrity of the change notifications of VNF indicator value.
T12.a.1.1 Internal attackers are attached to the network
T12.a.1.2 Internal attackers have access to VNF Manager(s)
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)31
T12.a.1.3 VNF Manager(s) supports VNF operations
T12.a.2 VNF Manager(s)
T12.a.3 Authorized administrators with legitimate access to the VNF Manager(s)
T12.a.4.1Attackers may forge the change notifications of VNF indicator value
T12.a.5 Only authorised entity shall access the VNF operations
T12.b.1.1 VNF operations shall be configured using security policy management
T12.b.1.2 If any VNF operation fails related to VNF indicator value, the event is logged, and a security alarm is raised to the Security management system
T12.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T12.c.2.1 Authenticity of the change notifications of VNF indicator value shall be validated
T12.c.2.2 Integrity of the change notifications of VNF indicator value shall be validated
T13: Misuse of privileges - Attackers may gain the access to restricted operation of the virtualised resource groups (related to tenant service request) without privileges.R13: VNFM shall validate the granted privileges of the resource groups.
T13.a.1.1 Internal attackers are attached to the network
T13.a.1.2 Internal attackers have access to VNF Manager(s)
T13.a.1.3 VNF Manager(s) supports access management
T13.a.2 VNF Manager(s)
T13.a.3 Authorized administrators with legitimate access to the VNF Manager(s)
T13.a.4.1Attackers may gain the access to restricted operation of the resource groups (related to tenant service request) without privileges
T13.a.5 Only authorised entity shall access the resource group(e.g., tenant service)
T13.b.1.1 Virtualised resource groups (e.g., tenant service) shall be configured using security policy management
T13.b.1.2 If any misuse of privilege related to tenant service is identified, the event is logged, and a security alarm is raised to the Security management system
T13.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T13.c.2.1 Granted privileges of the resource groups shall be protected from unauthorised entity
T14: Manipulation of messages- Attackers may tamper the messages exchanged between VNFM and consumer.R14 (a): Confidentiality shall be provided to the messages exchanged between VNFM and consumer.R14 (b): Messages exchanged between VNFM and consumer shall be protected from unauthorized access.R14 (c): Integrity shall be verified to the messages exchanged between VNFM and consumer.R14 (d): Authenticity shall be verified to the messages exchanged between VNFM and consumer.
T14.a.1.1 Internal attackers are attached to the network
T14.a.1.2 Internal attackers have access to VNF Manager(s)
T14.a.1.3 VNF Manager(s) supports messages exchanged between VNFM and consumer
T14.a.2 VNF Manager(s)
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)32
T14.a.3 Authorized administrators with legitimate access to the VNF Manager(s)
T14.a.4.1Attackers may tamper the messages exchanged between VNFM and consumer
T14.a.5 Only authorised entity shall access the messages exchanged between VNFM and consumer
T14.b.1.1 Messages exchanged between VNFM and consumer shall be configured using endpoint authentication
T14.b.1.2 If any of the message between VNFM and consumer is tampered, the event is logged, and a security alarm is raised to the Security management system
T14.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T14.c.2.1 Confidentiality shall be provided to the messages exchanged between VNFM and consumer
T14.c.2.2 Messages exchanged between VNFM and consumer shall be protected from unauthorized access
T14.c.2.3 Integrity of the messages exchanged between VNFM and consumer shall be validated
T14.c.2.4Authenticity of the messages exchanged between VNFM and consumer shall be validated
T15: Manipulation of request message- Attackers may fake the query request to VIM for the software image information.R15 (a): VNFM shall verify the authenticity of the query request to VIM for the software image information.R15 (b): VNFM shall verify the integrity of the query request to VIM for the software image information.
T15.a.1.1 Internal attackers are attached to the network
T15.a.1.2 Internal attackers have access to VNF Manager(s)
T15.a.1.3 VNF Manager(s) supports VNF software image management operations
T15.a.2 VNF Manager(s)
T15.a.3 Authorized administrators with legitimate access to the VNF Manager(s)
T15.a.4.1Attackers may fake the query request to VIM for the software image information
T15.a.5 Only authorised entity shall access the VNF software image management
T15.b.1.1 VNF software image management shall be configured using security policy management
T15.b.1.2 If any query request fails related to software image information, the event is logged, and a security alarm is raised to the Security management system
T15.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T15.c.2.1 Authenticity of the query request to VIM for the software image information shall be validated
T15.c.2.2 Integrity of the query request to VIM for the software image information shall be validated
T16: Manipulation of notification- Fake notifications of virtualised resource-related fault information on the VNFs may interrupt the functionality of VNFM.R16 (a): VNFM shall verify the authenticity of the virtualised resource-related fault notifications.R16 (b): VNFM shall verify the integrity of the virtualised resource-related fault notifications.
T16.a.1.1 Internal attackers are attached to the network
T16.a.1.2 Internal attackers have access to VNF Manager(s)
T16.a.1.3 VNF Manager(s) supports virtualised resource fault management operations
T16.a.2 VNF Manager(s)
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)33
T16.a.3 Authorized administrators with legitimate access to the VNF Manager(s)
T16.a.4.1Attackers may fake the notifications of virtualised resource-related fault information on the VNFs
T16.a.5 Only authorised entity shall access the virtualised resource fault management
T16.b.1.1 Virtualised resource fault management shall be configured using security policy management
T16.b.1.2 If any virtualised resource fault management operation fails, the event is logged, and a security alarm is raised to the Security management system
T16.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T16.c.2.1 Authenticity of the virtualised resource-related fault notifications shall be validated
T16.c.2.2 Integrity of the virtualised resource-related fault notifications shall be validated
T17: Manipulation of notification- Attackers may fake the change request of virtualised resource-related fault information and alarm notifications that may interrupt the functionality of VNFs.R17(a): VNFM shall verify the authenticity of the virtualised resource-related fault information and alarm notifications that may interrupt the functionality of VNFs.R17(b): VNFM shall verify the integrity of the virtualised resource-related fault information and alarm notifications that may interrupt the functionality of VNFs.
T17.a.1.1 Internal attackers are attached to the network
T17.a.1.2 Internal attackers have access to VNF Manager(s)
T17.a.1.3 VNF Manager(s) supports virtualised resource fault management operations
T17.a.2 VNF Manager(s)
T17.a.3 Authorized administrators with legitimate access to the VNF Manager(s)
T17.a.4.1Attackers may fake the change request of virtualised resource-related fault information and alarm notifications
T17.a.5 Only authorised entity shall access the virtualised resource reservation management
T17.b.1.1 Virtualised resource fault management shall be configured using security policy management
T17.b.1.2 If any virtualised resource fault management operation fails, the event is logged, and a security alarm is raised to the Security management system
T17.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T17.c.2.1 Authenticity of the virtualised resource-related fault information and alarm notifications shall be validated
T17.c.2.2 Integrity of the virtualised resource-related fault information and alarm notifications shall be validated
T18: Manipulation of request- Attackers may forge the corrective operations request on virtualised resources to VIM in order to perform VNF healing that may interrupt the functionality of VNF fault management system.R18 (a): VNFM shall verify the authenticity of the corrective operations request on virtualised resources to VIM in order to perform VNF healing.R18 (b): VNFM shall verify the integrity of the corrective operations request on virtualised resources to VIM in order to perform VNF healing.
T18.a.1.1 Internal attackers are attached to the network
T18.a.1.2 Internal attackers have access to VNF Manager(s)
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)34
T18.a.1.3 VNF Manager(s) supports VNF fault management operations
T18.a.2 VNF Manager(s)
T18.a.3 Authorized administrators with legitimate access to the VNF Manager(s)
T18.a.4.1Attackers may forge the corrective operations request on virtualised resources to VIM in order to perform VNF healing
T18.a.5 Only authorised entity shall access the VNF fault management
T18.b.1.1 VNF fault management shall be configured using security policy management
T18.b.1.2 If any VNF fault management operation fails, the event is logged, and a security alarm is raised to the Security management system
T18.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T18.c.2.1 Authenticity of the corrective operations request on virtualised resources to VIM in order to perform VNF healing shall be validated
T18.c.2.2 Integrity of the corrective operations request on virtualised resources to VIM in order to perform VNF healing shall be validated
T19: Manipulation of data - Attackers may modify the receive run-time data (such as VNF instance address, record of significant VNF lifecycle events related) to VNF instances that may interrupt the VNF operations.R19 (a): VNFM shall verify the authenticity of the receive run-time data to VNF instances.R19 (b): VNFM shall verify the integrity of the receive run-time data to VNF instances.
T19.a.1.1 Internal attackers are attached to the network
T19.a.1.2 Internal attackers have access to VNF Manager(s)
T19.a.1.3 VNF Manager(s) supports VNF instance operations
T19.a.2 VNF Manager(s)
T19.a.3 Authorized administrators with legitimate access to the VNF Manager(s)
T19.a.4.1 Attackers may modify the receive run-time data (such as VNF instance address, record of significant VNF lifecycle event related) to VNF instances
T19.a.5 Only authorised entity shall access the VNF instance operations
T19.b.1.1 VNF instance operations shall be configured using security policy management
T19.b.1.2 If any VNF instance operation fails, the event is logged, and a security alarm is raised to the Security management system
T19.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T14.c.1.1 VNF Manager(s) shall not be instantiated without an associated Security Agent running first
T14.c.1.2 Security Policy Management shall enforce data rate policies
T19.c.2.1 Authenticity of the receive run-time data to VNF instances shall be validated
T19.c.2.2 Integrity of the receive run-time data to VNF instances shall be validated
T20: Manipulation of data - The attackers may forge the mapping information between the VNF instance(s) and associated virtualised resource that may result in service interruptions during VNF instances.R20 (a): VNFM shall verify the authenticity of the mapping information between the VNF instance(s) and associated virtualised resource.
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)35
R20 (b): VNFM shall verify the integrity of the mapping information between the VNF instance(s) and associated virtualised resource.
T20.a.1.1 Internal attackers are attached to the network
T20.a.1.2 Internal attackers have access to VNF Manager(s)
T20.a.1.3 VNF Manager(s) supports VNF instance operations
T20.a.2 VNF Manager(s)
T20.a.3 Authorized administrators with legitimate access to the VNF Manager(s)
T20.a.4.1 Attackers may forge the mapping information between the VNF instance(s) and associated virtualised resource
T20.a.5 Only authorised entity shall access the VNF instance operations
T20.b.1.1 VNF instance operations shall be configured using security policy management
T20.b.1.2 If any VNF instance operation fails, the event is logged, and a security alarm is raised to the Security management system
T20.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T20.c.2.1 Authenticity of the mapping information between the VNF instance(s) and associated virtualised resource shall be validated
T20.c.2.2 Integrity of the mapping information between the VNF instance(s) and associated virtualised resource shall be validated
T21: Manipulation of data - The attackers may forge the VNF instance information refers to a different VNF package that may interrupt VNF instances operations.R21 (a): VNFM shall verify the authenticity of the VNF instance information refers to a different VNF Package.R21 (b): VNFM shall verify the integrity of the VNF instance information refers to a different VNF Package.
T21.a.1.1 Internal attackers are attached to the network
T21.a.1.2 Internal attackers have access to VNF Manager(s)
T21.a.1.3 VNF Manager(s) supports VNF instant information management operations
T21.a.2 VNF Manager(s)
T21.a.3 Authorized administrators with legitimate access to the VNF Manager(s)
T21.a.4.1 Attackers may forge the VNF instance information refers to a different VNF package
T21.a.5 Only authorised entity shall access the VNF instant information management
T21.b.1.1 VNF instant information management shall be configured using security policy management
T21.b.1.2 If any VNF instances operation fails, the event is logged, and a security alarm is raised to the Security management system
T21.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T21.c.2.1 Authenticity of the VNF instance information refers to a different VNF package shall be validated
T21.c.2.2 Integrity of the VNF instance information refers to a different VNF package shall be validated
T22: Manipulation of notification- Attackers may fake the notifications regarding state change of VNF packages that may interrupt the VNF package management operations.
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)36
R22 (a): VNFM shall verify the authenticity of the received notifications regarding state change message of VNF package.R22 (b): VNFM shall verify the integrity of the received notifications regarding state change message of VNF package.
T22.a.1.1 Internal attackers are attached to the network
T22.a.1.2 Internal attackers have access to VNF Manager(s)
T22.a.1.3 VNF Manager(s) supports VNF package management operations
T22.a.2 VNF Manager(s)
T22.a.3 Authorized administrators with legitimate access to the VNF Manager(s)
T22.a.4.1Attackers may fake the notifications regarding state change of VNF packages
T22.a.5 Only authorised entity shall access the VNF package management operations
T22.b.1.1 VNF package management shall be configured using security policy management
T22.b.1.2 If any notifications regarding state change of VNF package operation fails, the event is logged, and a security alarm is raised to the Security management system
T22.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T22.c.2.1 Authenticity of the received notifications regarding state change message of VNF package shall be validated
T22.c.2.2 Integrity of the received notifications regarding state change message of VNF package shall be validated
T23: Manipulation of notification- Attackers may forge the notifications about virtual networks and connection points that are added/deleted as part of the VNF lifecycle operation that may interrupt the services in VNF lifecycle management.R23 (a): VNFM shall verify the authenticity of notifications about virtual networks and connection points that are added/deleted as part of the VNF lifecycle operations.R23 (b): VNFM shall verify the integrity of notifications about virtual networks and connection points that are added/deleted as part of the VNF lifecycle operations.
T23.a.1.1 Internal attackers are attached to the network
T23.a.1.2 Internal attackers have access to VNF Manager(s)
T23.a.1.3 VNF Manager(s) supports VNF lifecycle management operations
T23.a.2 VNF Manager(s)
T23.a.3 Authorized administrators with legitimate access to the VNF Manager(s)
T23.a.4.1Attackers may forge the notifications about virtual networks and connection points that are added/deleted as part of the VNF lifecycle operation
T23.a.5 Only authorised entity shall access the VNF lifecycle management
T23.b.1.1 VNF lifecycle management shall be configured using security policy management
T23.b.1.2 If any notifications about virtual networks and connection points that are added/deleted as part of the VNF lifecycle operation fails, the event is logged, and a security alarm is raised to the Security management system
T23.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T23.c.2.1 Authenticity of notifications about virtual networks and connection points that are added/deleted as part of the VNF lifecycle operations
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)37
T23.c.2.2 Integrity of notifications about virtual networks and connection points that are added/deleted as part of the VNF lifecycle operations
T24: Manipulation of request- Attackers may fake the VNF lifecycle operation requests using information specified in the VNF package that may interrupt the VNF lifecycle management operations.R24 (a): VNFM shall verify the authenticity of VNF lifecycle operation requests using information specified in the VNF package.R24 (b): VNFM shall verify the integrity of VNF lifecycle operation requests using information specified in the VNF package.
T24.a.1.1 Internal attackers are attached to the network
T24.a.1.2 Internal attackers have access to VNF Manager(s)
T24.a.1.3 VNF Manager(s) supports VNF lifecycle management operations
T24.a.2 VNF Manager(s)
T24.a.3 Authorized administrators with legitimate access to the VNF Manager(s)
T24.a.4.1Attackers may fake the VNF lifecycle operation requests using information specified in the VNF package
T24.a.5 Only authorised entity shall access the VNF lifecycle management
T24.b.1.1 VNF lifecycle management shall be configured using security policy management
T24.b.1.2 If any VNF lifecycle operation requests using information specified in the VNF package is faked, the event is logged, and a security alarm is raised to the Security management system
T24.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T24.c.2.1 Authenticity of the VNF lifecycle operation requests using information specified in the VNF package shall be validated
T24.c.2.2 Integrity of the VNF lifecycle operation requests using information specified in the VNF package shall be validated
T25: Manipulation of data- Attackers may fake the information received by the VNFM from NFVO regarding the quota(s) availability, which may interrupt the quota management operations.R25 (a): VNFM shall verify the authenticity of the received information from NFVO regarding the quota(s) availability.R25 (b): VNFM shall verify the integrity of the received information from NFVO regarding the quota(s) availability.
T25.a.1.1 Internal attackers are attached to the network
T25.a.1.2 Internal attackers have access to VNF Manager(s)
T25.a.1.3 VNF Manager(s) supports virtualised quota management operations
T25.a.2 VNF Manager(s)
T25.a.3 Authorized administrators with legitimate access to the VNF Manager(s)
T25.a.4.1 Attackers may fake the information received by the VNFM from NFVO regarding the quota(s) availability
T25.a.5 Only authorised entity shall access the Virtualised quota management operations
T25.b.1.1 Virtualised quota management shall be configured using security policy management
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)38
T25.b.1.2 If the information received by the VNFM from NFVO regarding the quota(s) availability is faked, the event is logged, and a security alarm is raised to the Security management system
T25.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T25.c.2.1 Authenticity of the received information from NFVO regarding the quota(s) availability shall be validated
T25.c.2.2 Integrity of the received information from NFVO regarding the quota(s) availability shall be validated
T26: Manipulation of notifications- Attackers may fake the notifications received by the VNFM regarding the changes of information on consumable virtualised resources, which may interrupt the virtualised resource information management operations.R26 (a): VNFM shall verify the authenticity of the received notifications regarding the changes of information on consumable virtualised resources.R26 (b): VNFM shall verify the integrity of the received notifications regarding the changes of information on consumable virtualised resources.
T26.a.1.1 Internal attackers are attached to the network
T26.a.1.2 Internal attackers have access to VNF Manager(s)
T26.a.1.3 VNF Manager(s) supports virtualised resource information management operations
T26.a.2 VNF Manager(s)
T26.a.3 Authorized administrators with legitimate access to the VNF Manager(s)
T26.a.4.1Attackers may fake the notifications received by the VNFM regarding the changes of information on consumable virtualised resources
T26.a.5 Only authorised entity shall access the virtualised resource information management operations
T26.b.1.1 Virtualised resource information management operations shall be configured using security policy management
T26.b.1.2 If any notifications received by the VNFM regarding the changes of information on consumable virtualised resources are faked, the event is logged, and a security alarm is raised to the Security management system
T26.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T26.c.2.1 Authenticity of the received notifications regarding the changes of information on consumable virtualised resources shall be validated
T26.c.2.2 Integrity of the received notifications regarding the changes of information on consumable virtualised resources shall be validated
T27: Manipulation of data- Attackers may fake performance information received by the VNFM related to virtualised resources for the VNF instance(s), which may interrupt the virtualised resource performance management operations.R27 (a): VNFM shall verify the authenticity of the received performance information related to virtualised resources for the VNF instance(s).R27 (b): VNFM shall verify the integrity of the received performance information related to virtualised resources for the VNF instance(s).
T27.a.1.1 Internal attackers are attached to the network
T27.a.1.2 Internal attackers have access to VNF Manager(s)
T27.a.1.3 VNF Manager(s) supports virtualised resource performance management operations
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)39
T27.a.2 VNF Manager(s)
T27.a.3 Authorized administrators with legitimate access to the VNF Manager(s)
T27.a.4.1 Attackers may fake performance information received by the VNFM related to virtualised resources for the VNF instance(s)
T27.a.5 Only authorised entity shall access the virtualised resource performance management operations
T27.b.1.1 Virtualised resource performance management shall be configured using security policy management
T27.b.1.2 If any virtualised resource performance management operation fails, the event is logged, and a security alarm is raised to the Security Management system
T27.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T27.c.2.1 Authenticity of the received performance information related to virtualised resources for the VNF instance(s) shall be validated
T27.c.2.2 Integrity of the received performance information related to virtualised resources for the VNF instance(s) shall be validated
T28: Manipulation of notifications- Attackers may fake the notifications regarding state change of virtualised resource reservation that received by the VNFM, which may interrupt the resource reservation management operations.R28 (a): VNFM shall verify the authenticity of the received change notifications regarding virtualised resource reservation.R28 (b): VNFM shall verify the integrity of the received change notifications regarding virtualised resource reservation.
T28.a.1.1 Internal attackers are attached to the network
T28.a.1.2 Internal attackers have access to VNF Manager(s)
T28.a.1.3 VNF Manager(s) supports VNF resource reservation management operations
T28.a.2 VNF Manager(s)
T28.a.3 Authorized administrators with legitimate access to the VNF Manager(s)
T28.a.4.1Attackers may fake the notifications regarding state change of virtualised resource reservation that received by the VNFM
T28.a.5 Only authorised entity shall access the VNF resource reservation management
T28.b.1.1 VNF resource reservation management shall be configured using security policy management
T28.b.1.2 If any VNF resource reservation management operation fails, the event is logged, and a security alarm is raised to the Security management system
T28.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T28.c.2.1 Authenticity of the received change notifications regarding virtualised resource reservation shall be validated
T28.c.2.2 Integrity of the received change notifications regarding virtualised resource reservation shall be validated
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)40
6.3 Virtualised Infrastructure Manager(s)
6.3.1 OverviewVirtualised Infrastructure Manager (VIM) is responsible for controlling and managing the NFVI resources such as compute, storage and network resource of one or more NFVI-PoPs. VIM exposes virtualised resource management interfaces/APIs to the VNFM and NFVO. VIM sends virtualised resource management notifications to the VNFM and the NFVO. NFVO may control multiple VIMs to orchestrate the resources and network services across the regions. VIM performs some set of functions which may be exposed by means of interfaces consumed by other NFV-MANO functional blocks or by authorized external entities, which are:
i) Orchestrating the allocation/upgrade/release/reclamation of NFVI resources.
ii) Supporting the management of VNF Forwarding Graphs.
iii) Managing in repository inventory related information of NFVI hardware resources and software resources.
iv) Management of the virtualised resource capacity.
v) Management of software images.
vi) Collection of performance and fault information of hardware resources, software resources, and virtualised resources.
vii) Management of catalogues of virtualised resources.
The detail description of VIM and its functionalities can be referred from clause 5.4.3 in ETSI GS NFV-MAN 001 [i.3].
6.3.2 Threat analysis for Virtualised Infrastructure Manager(s)In this clause, threat analysis of VIM(s) is discussed.
T1: Unauthorized access of stored data - Attackers may exploit the catalogue information such as virtualised resource configuration, network connectivity, templates which may affect the network services and system configurations.R1 (a): Authenticity of the catalogues information requests shall be verified.R1 (b): Integrity of the catalogues information requests shall be verified.R1 (c): Catalogue configuration file shall be protected from unauthorized access.
T2: Manipulation of notification - Attackers may forge the performance information related to software and hardware resources within the NFVI that may interrupt the network services or degrade the performance.R2 (a): VIM shall support the capabilities to verify the authenticity of the performance information related to software and hardware resources within the NFVI.R2 (b): VIM shall support the capabilities to verify the integrity of the performance information related to software and hardware resources within the NFVI.
T2.a.1.1 Internal attackers are attached to the network
T2.a.1.2 Internal attackers have access to VIM
T2.a.1.3 VIM supports virtualised performance management operations
T2.a.2 VIM
T2.a.3 Authorized administrators with legitimate access to the VIM
T2.a.4.1Attackers may forge the performance information related to software and hardware resources within the NFVI
T2.a.5 Only authorised entity shall access the virtualised performance management operations
T2.b.1.1 Virtualised performance management shall be configured using security policy management
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)41
T2.b.1.2 If any performance information related to software and hardware resources within the NFVI are forged, the event is logged, and a security alarm is raised to the Security management system
T2.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T2.c.2.1 Authenticity of the performance information related to software and hardware resources within the NFVI shall be validated
T2.c.2.2 Integrity of the performance information related to software and hardware resources within the NFVI shall be validated
T3: Manipulation of application data - Attackers may modify the software image requests from NFVO to VIM.R3 (a): Authenticity of the software image requests from NFVO to VIM shall be verified.R3 (b): Integrity of the software image requests from NFVO to VIM shall be verified.
T3.a.1.1 Internal attackers are attached to the network
T3.a.1.2 Internal attackers have access to VIM
T3.a.1.3 VNF Manager(s) supports software image management operations
T3.a.2 VIM
T3.a.3 Authorized administrators with legitimate access to the VIM
T3.a.4.1 Attackers may modify the software image requests from NFVO to VIM
T3.a.5 Only authorised entity shall access the software image management operations
T3.b.1.1 Software image management operations shall be configured using security policy management
T3.b.1.2 If any of the software image requests from NFVO to VIM is modified, the event is logged, and a security alarm is raised to the Security Management system
T3.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T3.c.2.1 Authenticity of the software image requests from NFVO to VIM shall be validated
T3.c.2.2 Integrity of the software image requests from NFVO to VIM shall be validated
T4: Manipulation of software images - Attackers may modify the software images before which are stored in VIM repositories.R4 (a): Authenticity of the software images shall be verified by the VIM before stored in VIM repositories.R4 (b): Integrity of the software images shall be verified by the VIM before stored in VIM repositories.
T5: Manipulation of application data - During run time such as instantiation or scaling operations, attackers may modify the software images which are being transferred from VIM repositories (or storage node) to compute nodes.R5 (a): Authenticity of the software images being transferred to the compute nodes shall be verified before instantiating or scaling VNFs.R5(b): Integrity of the software images being transferred to the compute nodes shall be verified before instantiating or scaling VNFs.
T6: Manipulation of notification - Fake resource capacity information notifications may interrupt the functionality of virtual resource.
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)42
R6 (a): Authenticity of the resource capacity information notifications from VIM to NFVI shall be verified.R6 (b): Integrity of the resource capacity information notifications from VIM to NFVI shall be verified.
T6.a.1.1 Internal attackers are attached to the network
T6.a.1.2 Internal attackers have access to VIM
T6.a.1.3 VIM supports virtualised resource capacity information management operations
T6.a.2 VIM
T6.a.3 Authorized administrators with legitimate access to the VIM
T6.a.4.1Attackers may fake the resource capacity information notifications
T6.a.5 Only authorised entity shall access the virtualised resource capacity information management operations
T6.b.1.1 Virtualised resource capacity information management shall be configured using security policy management
T6.b.1.2 If any notification resource capacity information is faked, the event is logged, and a security alarm is raised to the Security management system
T6.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T6.c.2.1 Authenticity of the resource capacity information notifications from VIM to NFVI shall be validated
T6.c.2.2 Integrity of the resource capacity information notifications from VIM to NFVI shall be validated
T7: Unauthorized access of stored data - Attackers may maliciously access and corrupt the sensitive data stored in VIM repository.R7 (a): Authenticity of the stored data in the VIM repository shall be verified.R7 (b): Integrity of the stored data in the VIM repository shall be verified.R7(c): Confidentiality of the stored data in the VIM shall be protected.R7 (d): The data stored in VIM repository shall be protected from unauthorized access.
T8: Redirecting logical connectivity - Attackers may compromise and forge the virtual links or virtual networks to modify the logical connections of VNFs using VNF forwarding graphs.R8: It shall be possible to protect the logical connectivity policy configuration files from unauthorized modifications.
T9: Manipulation of user data - Attackers may compromise the infrastructure management by introducing the malicious tenant.R9 (a): Authenticity shall be validated by the infrastructure management during create, read, update and delete of tenant in VIM.R9 (b): Authenticity shall be validated by the infrastructure management during create, read, update and delete of tenant in VIM.R9(c): It shall be possible to protect against the unauthorized access to the infrastructure management during create, read, update and delete of tenant in VIM.
T10: Unauthorized Access - Attackers may gain the infrastructure management privileges and access the infrastructure resource of the other designated tenants.R10: It shall be possible to protect against the unauthorized access to the infrastructure resources which are assigned / reserved to other tenants.
T11: Manipulation of data- The attackers may forge the information provided by the NFV acceleration resources during discovery, allocation, release, reprogram in VIM that may results in performance degradation
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)43
or service interruptions.R11 (a): VIM shall support the capabilities to verify the authenticity of the acceleration resource management information.R11 (b): VIM shall support the capabilities to verify the integrity of the acceleration resource management information.
T12: Manipulation of message - The attackers may fool-proof and play MitM attack when the messages are received from a consumer or sending the messages to the consumer.R12 (a): VIM shall support the capabilities to verify the authenticity of the received messages from an authenticated and authorized consumer.R12 (b): VIM shall support the capabilities to verify the integrity of the received messages from an authenticated and authorized consumer.R12(c): VIM shall support the capabilities to encrypt the sent message or decrypt the received message using negotiated key and algorithm to or from an authenticated and authorized consumer or producer.
T13: Manipulation of information - The attackers may forge the correlated fault information on virtualised resources that may results in performance degradation or service interruptions.R13 (a): VIM shall verify the authenticity of the correlate fault information on virtualised resources.R13 (b): VIM shall verify the integrity of the correlate fault information on virtualised resources.
T14: Manipulation of information: The attackers may forge the correlated fault information related to software and hardware resources within the NFVI that may results in performance degradation or service interruptions.R14 (a): VIM shall verify the authenticity of the correlate fault information related to software and hardware resources within the NFVI.R14 (b): VIM shall verify the integrity of the correlate fault information related to software and hardware resources within the NFVI.
T15: Manipulation of data stored in repository - Attackers may maliciously upload the software images.R15 (a): VIM shall verify the authenticity of the software image before storing in VIM repositories.R15 (b): VIM shall verify the integrity of the software image before storing in VIM repositories.
T16: Manipulation of data stored in repository - Attackers may alter or corrupt the information provided on the software images.R16 (a): VIM shall support the capabilities to verify the authenticity of the information provided on the software images.R16 (b): VIM shall support the capabilities to verify the integrity of the information provided on the software images.
T17: Manipulation of data stored in repository - Attackers may maliciously corrupt the software image management.R17 (a): VIM shall support the capabilities to verify the authenticity of the information regarding software image management.R17 (b): VIM shall support the capabilities to verify the integrity of the information regarding software image management.R17(c): VIM shall support the capabilities to protect the software image management from unauthorized access.
T18: Inference and sensitive data analysis - In multi-tenancy environment, software images belong to a single tenant or particular group of tenants may be placed in common storage area which may allow other tenants to gather sensitive data (by doing reverse engineering, etc.) and other useful details.
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)44
R18 (a): VIM shall verify the authenticity of the private and shared software images which are stored in repository, and the related keys shall be stored in trusted environment.R18 (b): VIM shall verify the integrity of the private and shared software images which are stored in repository, and the related keys shall be stored in trusted environment.R18(c): The private and shared software images which are stored in repository shall be protected from unauthorized access, and the related keys shall be stored in trusted environment.R18 (d): VIM shall provide confidentiality for the private and shared software images which are stored in repository, and the related keys shall be stored in trusted environment.
T19: Manipulation of data stored in repository - Attackers may alter existing software image versions in VIM repository or load images which bypass the VIM loading procedures.R19 (a): During loading, VIM shall only load software image if the authenticity is verified.R19 (b): During loading, VIM shall only load software image if the integrity is verified.R19(c): Verification shall include software image versions.
NOTE: Verify the hash value with VNFD.
T20: Manipulation of policies: Attackers may maliciously alter the affinity and anti-affinity policies of NFVI resource management that may interrupt the NFVI resource management operations.R20 (a): VIM shall verify the authenticity of the enforced affinity and anti-affinity policies for NFVI resource management.R20 (b): Affinity and anti-affinity policies for NFVI resource management shall be protected from unauthorized access.
T21: Manipulation of notifications: Attackers may fake the change notifications request about the allocated and reserved virtualised resources that may violate the allocation and de-allocation operations.R21 (a): VIM shall verify the authenticity of change notifications request about the allocated and reserved virtualised resources.R21 (b): VIM shall verify the integrity of change notifications request about the allocated and reserved virtualised resources.
T21.a.1.1 Internal attackers are attached to the network
T21.a.1.2 Internal attackers have access to VIM
T21.a.1.3 VIM supports virtualised resource reservation management operations
T21.a.2 VIM
T21.a.3 Authorized administrators with legitimate access to the VIM
T21.a.4.1Attackers may fake the change notifications request about the allocated and reserved virtualised resources
T21.a.5 Only authorised entity shall access the virtualised resource reservation management operations
T21.b.1.1 Virtualised resource reservation management shall be configured using security policy management
T21.b.1.2 If any change notifications request about the allocated and reserved virtualised resources is faked, the event is logged, and a security alarm is raised to the Security management system
T21.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T21.c.2.1 Authenticity of change notifications request about the allocated and reserved virtualised resources shall be validated
T21.c.2.2 Integrity of change notifications request about the allocated and reserved virtualised resources shall be validated
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)45
T22: Manipulation of request messages: Attackers may forge the virtualised resource allocation requests that resources are allocated from a resource reservation management.R22 (a): VIM shall verify the authenticity of the virtualised resource allocation or update requests that resources are allocated or updated from a resource reservation management.R22 (b): VIM shall verify the integrity of the virtualised resource allocation or update requests that resources are allocated or updated from a resource reservation management.
T22.a.1.1 Internal attackers are attached to the network
T22.a.1.2 Internal attackers have access to VIM
T22.a.1.3 VIM supports virtualised resource reservation management operations
T22.a.2 VIM
T22.a.3 Authorized administrators with legitimate access to the VIM
T22.a.4.1Attackers may forge the virtualised resource allocation requests that resources are allocated from a resource reservation management.
T22.a.5 Only authorised entity shall access the virtualised resource reservation management operations
T22.b.1.1 Virtualised resource reservation management shall be configured using security policy management
T22.b.1.2 If any virtualised resource allocation requests from resource reservation management are forged, the event is logged, and a security alarm is raised to the Security management system
T22.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T22.c.2.1 Authenticity of the virtualised resource allocation or update requests that resources are allocated or updated from a resource reservation management shall be validated
T22.c.2.2 Integrity of the virtualised resource allocation or update requests that resources are allocated or updated from a resource reservation management shall be validated
T23: Manipulation of request messages: Attackers may fake the infer information of the virtualised resource that may result in compromise of resource reservation management.R23 (a): VIM shall verify the authenticity of the infer information.R23 (b): VIM shall verify the integrity of the infer information.
T24: Manipulation of identity: Attackers may forge the reservation identity to access virtualised resources in the name of legitimate user/admin.R24 (a): VIM shall verify the authenticity of the reservation identification which is used to map to the applicable resource reservation.R24 (b): VIM shall verify the integrity of the reservation identification which is used to map to the applicable resource reservation.
T25: Manipulation of identity: Attackers may forge the consumer/tenant identification and access into the resource reservation management to indulge in forgery.R25 (a): VIM shall verify the authenticity of the consumer/tenant identification which is used to map to the applicable resource reservation when explicit reservation identification is not indicated.R25 (b): VIM shall verify the integrity of consumer/tenant identification which is used to map to the applicable resource reservation when explicit reservation identification is not indicated.
T26: Manipulation of policies: Attackers may modify the affinity and anti-affinity policies for reservation resource management maliciously that may interrupt the reservation resource management operations.R26 (a): VIM shall verify the authenticity of the enforced affinity and anti-affinity policies for reservation
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)46
resource management.R26 (b): Affinity and anti-affinity policies for reservation resource management shall be protected from unauthorized access.
T27: Manipulation of notifications: Attackers may fake the change notifications request about virtualised resource reservation that may interrupt the reservation resource management operations.R27 (a): VIM shall verify the authenticity of change notifications request about the virtualised resource reservation.R27 (b): VIM shall verify the integrity of change notifications request about the virtualised resource reservation.
T27.a.1.1 Internal attackers are attached to the network
T27.a.1.2 Internal attackers have access to VIM
T27.a.1.3 VIM supports virtualised resource reservation management operations
T27.a.2 VIM
T27.a.3 Authorized administrators with legitimate access to the VIM
T27.a.4.1Attackers may fake the change notifications request about virtualised resource reservation
T27.a.5 Only authorised entity shall access the virtualised resource reservation management operations
T27.b.1.1 Virtualised resource reservation management shall be configured using security policy management
T27.b.1.2 If any change notifications request about virtualised resource reservation is faked, the event is logged, and a security alarm is raised to the Security management system
T27.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T27.c.2.1 Authenticity of change notifications request about the virtualised resource reservation shall be validated
T27.c.2.2 Integrity of change notifications request about the virtualised resource reservation shall be validated
T28: Manipulation of information: The attackers may forge the collected and maintained information regarding the capacity of the NFVI which it manages, that may impact the performance degradation or service interruptions of NFVI.R28 (a): VIM shall verify the authenticity of the collected and maintained information regarding the capacity of the NFVI.R28 (b): VIM shall verify the integrity of the collected and maintained information regarding the capacity of the NFVI.
T29: Manipulation of information: The attackers may maliciously fake the correlated information regarding the allocated and reserved virtualised resources with changes on underlying hardware/software resources due to maintenance, operation and management of the NFVI that may interrupt the operations of NFVIs.R29 (a): VIM shall verify the authenticity of the information regarding the correlate allocated and reserved virtualised resources with changes on underlying hardware/software resources.R29 (b): VIM shall verify the integrity of the information regarding the correlate allocated and reserved virtualised resources with changes on underlying hardware/software resources.
T30: Manipulation of information: Attackers may forge the information related to available, allocated, reserved and all virtualised resource capacity that may interrupt the performance of the virtualised resources.R30 (a): VIM shall verify the authenticity of the information related to available, allocated, reserved and all virtualised resource capacity.
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)47
R30 (b): VIM shall verify the integrity of the information related to available, allocated, reserved and all virtualised resource capacity.
T31: Manipulation of notifications: Attackers may fake the change notifications request related to the capacity of the virtualised resource that may interrupt the virtualised resource capacity management operations.R31 (a): VIM shall verify the authenticity of change notifications request related to the capacity of the virtualised resource.R31 (b): VIM shall verify the integrity of change notifications request related to the capacity of the virtualised resource.
T31.a.1.1 Internal attackers are attached to the network
T31.a.1.2 Internal attackers have access to VIM
T31.a.1.3 VIM supports virtualised resource capacity management operations
T31.a.2 VIM
T31.a.3 Authorized administrators with legitimate access to the VIM
T31.a.4.1Attackers may fake the change notifications request related to the capacity of the virtualised resource
T31.a.5 Only authorised entity shall access the virtualised resource capacity management operations
T31.b.1.1 Virtualised resource capacity management shall be configured using security policy management
T31.b.1.2 If any change notification request related to the capacity of the virtualised resource is faked, the event is logged, and a security alarm is raised to the Security management system
T31.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T31.c.2.1 Authenticity of change notifications request related to the capacity of the virtualised resource shall be validated
T31.c.2.2 Integrity of change notifications request related to the capacity of the virtualised resource shall be validated
T32: Manipulation of information: Attackers may forge the provided information about NFVI-PoP(s) such as network connectivity endpoints and geographical location that may impact the network services.R32 (a): VIM shall verify the authenticity of the provided information about NFVI-PoP(s) such as network connectivity endpoints and geographical location.R32 (b): VIM shall verify the integrity of the provided information about NFVI-PoP(s) such as network connectivity endpoints and geographical location.R32(c): VIM shall provide privacy protection for the information about NFVI-PoP(s) such as network connectivity endpoints and geographical location.
T33: Manipulation of information: Attackers may forge the provided information about Resource Zones in the NFVI that may impact virtualised resource capacity management operations.R33 (a): VIM shall verify the authenticity of the provided information about Resource Zones in the NFVI.R33 (b): VIM shall verify the integrity of the provided information provide information about Resource Zones in the NFVI.
T34: Manipulation of information- Attackers may forge the collected virtualised resource performance information such as CPU utilization, memory usage and bandwidth consumption, that may interrupt or degrade the performance of the virtualised resources.R34 (a): VIM shall verify the authenticity of the collected virtualised resource performance information.R34 (b): VIM shall verify the integrity of the collected virtualised resource performance information.
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)48
T35: Manipulation of request message- Attackers may maliciously fake the resource performance management requests that may interrupt or degrade the performance of the virtualised resources.R35 (a): VIM shall verify the authenticity of the resource performance management requests.R35 (b): VIM shall verify the integrity of the resource performance management requests.
T35.a.1.1 Internal attackers are attached to the network
T35.a.1.2 Internal attackers have access to VIM
T35.a.1.3 VIM supports resource performance management operations
T35.a.2 VIM
T35.a.3 Authorized administrators with legitimate access to the VIM
T35.a.4.1Attackers may maliciously fake the resource performance management requests
T35.a.5 Only authorised entity shall access the resource performance management operations
T35.b.1.1 Resource performance management shall be configured using security policy management
T35.b.1.2 If resource performance management request is maliciously faked, the event is logged, and a security alarm is raised to the Security management system
T35.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T35.c.2.1 Authenticity of the resource performance management requests shall be validated
T35.c.2.2 Integrity of the received virtualised resource management requests from VNFM and/or NFVO shall be validated
T36: Manipulation of information- Attackers may forge the collected virtualised resource fault information related to virtualised resources that may result in failure for optimizing and detecting the malfunction.R36 (a): VIM shall verify the authenticity of the collected virtualised resource fault information.R36 (b): VIM shall verify the integrity of the collected virtualised resource fault information.
T37: Manipulation of information- Attackers may fake the fault change notifications on virtualised resources that may result in failure for optimizing and detecting the malfunction.R37 (a): VIM shall verify the authenticity of the fault change notifications on virtualised resources.R37 (b): VIM shall verify the integrity of the fault change notifications on virtualised resources.
T38: Manipulation of information- Attackers may maliciously deny/stop performing automated or on-demand corrective operations on virtualised resources failure that may interrupt the virtualised resource fault management services.R38 (a): VIM shall verify the authenticity of the automated or on-demand corrective operations on virtualised resources failure.R38 (b): VIM shall verify the integrity of the automated or on-demand corrective operations on virtualised resources failure.
T39: Manipulation of information- Attackers may forge the provided fault information on virtualised resources that are allocated in response to a query that may interrupt the virtualised resource fault management services.R39 (a): VIM shall verify the authenticity of the provided fault information on virtualised resources that are allocated in response to a query.R39 (b): VIM shall verify the integrity of the provided fault information on virtualised resources that are allocated in response to a query.
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)49
T40: Manipulation of notifications- Attackers may forge the information related to change notifications on virtualised resources which is consumed within its area of responsibility that may affect the network services and system configurations.R40 (a): VIM shall verify the authenticity of the information related to change notifications on virtualised resources.R40 (b): VIM shall verify the integrity of the information related to change notifications on virtualised resources.
T40.a.1.1 Internal attackers are attached to the network
T40.a.1.2 Internal attackers have access to VIM
T40.a.1.3 VIM supports virtualised resource management operations
T40.a.2 VIM
T40.a.3 Authorized administrators with legitimate access to the VIM
T40.a.4.1Attackers may forge the information change notifications on virtualised resources
T40.a.5 Only authorised entity shall access the virtualised resource management operations
T40.b.1.1 Virtualised resource management shall be configured using security policy management
T40.b.1.2 If any information related to change notifications on virtualised resource is forged, the event is logged, and a security alarm is raised to the Security management system
T40.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T40.c.2.1 Authenticity of the information related to change notifications on virtualised resources shall be validated
T40.c.2.2 Integrity of the information related to change notifications on virtualised resources shall be validated
T41: Manipulation of configuration: Attackers may alter or modify the configuration management functions of an individual virtualised resource using specific deployment configuration information.R41: Configuration management of an individual virtualised resource using specific deployment configuration information shall be protected from the unauthorized access.
T42: Manipulation of configuration: Attackers may alter or modify the configuration management functions of a set of related virtualised resources using specific deployment configuration information.R42: Configuration management of a set of related virtualised resources using specific deployment configuration information shall be protected from unauthorized access.
T43: Denial of Service - Attackers may perform DoS attacks during Network Forwarding Path operations such as creating, updating, and delete.R43 (a): VIM shall verify the authenticity of the management operations of Network Forwarding Paths.R43 (b): VIM shall verify the integrity of the management operations of Network Forwarding Paths.
T44: Manipulation of notifications- Attackers may forge the fault notifications about the virtualised resources associated with a specific Network Forwarding Path instance that may interrupt the network forwarding path management operations.R44 (a): VIM shall verify the authenticity of the fault notifications about the virtualised resources associated with a specific Network Forwarding Path instance.R44 (b): VIM shall verify the integrity of the fault notifications about the virtualised resources associated with a specific Network Forwarding Path instance.
T44.a.1.1 Internal attackers are attached to the network
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)50
T44.a.1.2 Internal attackers have access to VIM
T44.a.1.3 VIM supports network forwarding path management operations
T44.a.2 VIM
T44.a.3 Authorized administrators with legitimate access to the VIM
T44.a.4.1Attackers may forge the fault notifications about the virtualised resources associated with a specific Network Forwarding Path instance
T44.a.5 Only authorised entity shall access the network forwarding path management operations
T44.b.1.1 Network forwarding path management operations shall be configured using security policy management
T44.b.1.2 If fault notifications about the virtualised resources associated with a specific Network Forwarding Path instance is forged, the event is logged, and a security alarm is raised to the Security management system
T44.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T44.c.2.1 Authenticity of the fault notifications about the virtualised resources associated with a specific Network Forwarding Path instance shall be validated
T44.c.2.2 Integrity of the fault notifications about the virtualised resources associated with a specific Network Forwarding Path instance shall be validated
T45: Manipulation of request messages- Attackers may maliciously forge the rejection request of virtualised resource allocation that may interrupt the quota management operations.R45 (a): VIM shall verify the authenticity of the rejection request of virtualised resource allocation.R45 (b): VIM shall verify the integrity of the rejection request of virtualised resource allocation.
T45.a.1.1 Internal attackers are attached to the network
T45.a.1.2 Internal attackers have access to VIM
T45.a.1.3 VIM supports virtualised quota management operations
T45.a.2 VIM
T45.a.3 Authorized administrators with legitimate access to the VIM
T45.a.4.1Attackers may maliciously forge the rejection request of virtualised resource allocation
T45.a.5 Only authorised entity shall access the virtualised quota management operations
T45.b.1.1 Virtualised quota management operations shall be configured using security policy management
T45.b.1.2 If any rejection request of virtualised resource allocation is forged, the event is logged, and a security alarm is raised to the Security management system
T45.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T45.c.2.1 Authenticity of the rejection request of virtualised resource allocation shall be validated
T45.c.2.2 Integrity of the rejection request of virtualised resource allocation shall be validated
T46: Manipulation of request messages- Attackers may fake the create/update/delete request of resource quota for the consumer of the virtualised resources, which may interrupt the quota management operations.R46 (a): VIM shall verify the authenticity of the create/update/delete request of resource quota for the consumer of the virtualised resources.R46 (b): VIM shall verify the integrity of the create/update/delete request of resource quota for the consumer of the virtualised resources.
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)51
T46.a.1.1 Internal attackers are attached to the network
T46.a.1.2 Internal attackers have access to VIM
T46.a.1.3 VIM supports virtualised quota management operations
T46.a.2 VIM
T46.a.3 Authorized administrators with legitimate access to the VIM
T46.a.4.1Attackers may fake the create/update/delete request of resource quota for the consumer of the virtualised resources
T46.a.5 Only authorised entity shall access the virtualised quota management operations
T46.b.1.1 Virtualised quota management shall be configured using security policy management
T46.b.1.2 If any request of resource quota of the virtualised resources is faked, the event is logged, and a security alarm is raised to the Security management system
T46.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T46.c.2.1 Authenticity of the create/update/delete request of resource quota for the consumer of the virtualised resources shall be validated
T46.c.2.2 Integrity of the create/update/delete request of resource quota for the consumer of the virtualised resources shall be validated
T47: Manipulation of information- Attackers may maliciously forge the provided information on the resource quota for the consumer of the virtualised resources, which may interrupt the quota management operations.R47 (a): VIM shall verify the authenticity of the provided information on the resource quota for the consumer of the virtualised resources.R47 (b): VIM shall verify the integrity of the provided information on the resource quota for the consumer of the virtualised resources.
T48: Manipulation of notifications - Attackers may fake the resource quota change notifications for the consumer of the virtualised resources, which may interrupt the quota management operations.R48 (a): VIM shall verify the authenticity of the resource quota change notifications for the consumer of the virtualised resources.R48 (b): VIM shall verify the integrity of the resource quota change notifications for the consumer of the virtualised resources.
T48.a.1.1 Internal attackers are attached to the network
T48.a.1.2 Internal attackers have access to VIM
T48.a.1.3 VIM supports virtualised quota management operations
T48.a.2 VIM
T48.a.3 Authorized administrators with legitimate access to the VIM
T48.a.4.1Attackers may fake the resource quota change notifications for the consumer of the virtualised resources
T48.a.5 Only authorised entity shall access the virtualised quota management operations
T48.b.1.1 Virtualised quota management shall be configured using security policy management
T48.b.1.2 If any resource quota change notification is forged, the event is logged, and a security alarm is raised to the Security management system
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)52
T48.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T48.c.2.1 Authenticity of the resource quota change notifications for the consumer of the virtualised resources shall be validated
T48.c.2.2 Integrity of the resource quota change notifications for the consumer of the virtualised resources shall be validated
T49: Manipulation of request messages: Attackers may forge the received virtualised resource management requests from VNFM and/or NFVO, which conduct the corresponding resource management operations.R49 (a): VIM shall verify the authenticity of the received virtualised resource management requests from VNFM and/or NFVO.R49 (b): VIM shall verify the integrity of the received virtualised resource management requests from VNFM and/or NFVO.
T49.a.1.1 Internal attackers are attached to the network
T49.a.1.2 Internal attackers have access to VIM
T49.a.1.3 VIM supports virtualised resource management operations
T49.a.2 VIM
T49.a.3 Authorized administrators with legitimate access to the VIM
T49.a.4.1Attackers may forge the received virtualised resource management requests from VNFM and/or NFVO which conduct the corresponding resource management operations
T49.a.5 Only authorised entity shall access the virtualised resource management operations
T49.b.1.1 Virtualised resource management shall be configured using security policy management
T49.b.1.2 If any received virtualised resource management request from VNFM and/or NFVO is forged, the event is logged, and a security alarm is raised to the Security management system
T49.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis
T49.c.2.1 Authenticity of the received virtualised resource management requests from VNFM and/or NFVO shall be validated
T49.c.2.2 Integrity of the received virtualised resource management requests from VNFM and/or NFVO shall be validated
7 Threat Analysis of MANO Reference points
7.1 NFV Or-Vi reference point
7.1.1 OverviewThe reference point Or-Vi is used to exchange information elements between NFV Orchestrator (NFVO) and Virtual Infrastructure Manager (VIM) via various interfaces. Or-Vi reference point also supports the VNF and NS lifecycle management operations. The Or-Vi reference point between NFVO and VIM supports the following interfaces as defined in ETSI GS NFV-IFA 005 [1], all these interfaces are produced by VIM and consumed by NFVO (i.e. all requested by NFVO and responded by VIM):
a) Software Image Management: It supports to add, delete and update software images in the VIM image repository. Also it supports to query information about the software images in VIM image repository.
b) Virtualised Resources Information Management: It supports to query and notify the information related to consumable virtualised compute, network, and storage resources.
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)53
c) Virtualised Resources Capacity Management:
i) It supports to query and notify changes about the amount of available, allocated, reserved and total resources information details.
ii) It also supports to query about the resource zones and NFVI-PoPs information details.
d) Virtualised Resources Management:
i) It supports to manage the compute, network and storage virtualised resources either individually or any combination of them.
ii) It supports to create, update, query and delete the instantiated virtualised resources.
iii) It supports to create, update, query and delete the resource reservations. Also it supports to specify the information about the resource reservation start time and end time, and creation/update of the resource zones where the resources need to be reserved.
iv) It supports the resource reservation at different resource granularities and virtual container granularity level.
v) It also supports to identify consumer details of the reserved resources.
e) Virtualised Resources Change Notification: It supports to provide state change notifications about virtualised compute, network, and storage resources.
f) Virtualised Resources Performance Management:
i) It supports to perform the performance management related operations such as measurement, collection, threshold setting and reporting, and these operations can be controlled by NFVO. Also it supports to query the performance information details such as for which virtualised resources VIM collects information, PM types and other related information.
ii) It supports to create and notify PMjob with various granularity levels, specified resources and performance information type.
g) Virtualised Resources Fault Management: It supports to perform various FM related operations such as collect virtualised resources fault information, notify alarms, creation, clear and change in alarms notifications. It also supports to notify alarms with its reasons without any ambiguity.
h) Network Forwarding Path Management: It supports to create, delete and update Network Forwarding Paths. It also supports to query information about the Network Forwarding Paths.
7.1.2 Threat analysis for Or-Vi reference pointIn this clause, threat analysis for the defined interfaces in the Or-Vi reference point is discussed. For all the threat scenarios, the assumption is that internal attackers are attached to the network and have the access to the Or-Vi reference points.
a) Software Image Management
T1: Data tampering - Malicious images could be added or updated into the image repository.R1 (a): It shall be possible to verify the authenticity of the images which are added or updated in the image repository.R1 (b): It shall be possible to verify the integrity of the images which are added or updated in the image repository.
T1.a.1.1 Internal attackers are attached to the network
T1.a.1.2 Internal attackers have access to Or-Vi reference point
T1.a.1.3 Or-Vi supports software image management
T1.a.2 Or-Vi reference point
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)54
T1.a.3 Authorized administrators with legitimate access to the Or-Vi reference point
T1.a.4.1 Attackers may add or update the malicious image into image repository
T1.a.5 Remote attestation shall be performed for the software images
T1.b.1.1 Only signed and remotely attested interface shall access the image repository
T1.b.1.2 Once software image fails attestation, the event is logged, and a security alarm is raised to the Security Management system
T1.b.2.1 Security monitoring systems flag the threat agent (internal attackers) for further analysis
T1.c.2.1 Authenticity of the software images which are added or updated in the image repository shall be validated through Remote Attestation
T1.c.2.2 Integrity of the software images which are added or updated in the image repository shall be validated through Remote Attestation
b) Virtualised Resources Information Management
T2: Traffic analysis - Attackers may notice the query request and response, and notifications over the Or-Vi interface.R2: It shall be possible to prevent attackers from obtaining the communication information over the interface.
T2.a.1.1 Internal attackers are attached to the network
T2.a.1.2 Internal attackers have access to Or-Vi reference point
T2.a.1.3 Or-Vi supports virtualised resource information management notifications
T2.a.2 Or-Vi reference point
T2.a.3 Authorized administrators with legitimate access to the Or-Vi reference point
T2.a.4.1 Attackers may fake notifications over the interface regarding consumable virtualised resources
T2.a.5 Security monitoring system and Security policy management shall be enabled for virtualised resource information management
T2.b.1.1 Virtualised resource information management shall be configured using security monitoring system
T2.b.1.2 If any fake notifications regarding resource information management is identified, the notification is logged, and a security alarm is raised to the Security monitoring system
T2.b.2.1 Security monitoring systems flag the threat agent (internal attackers) for further analysis
T2.c.2.1 Communication information over the interface shall be prevented from attackers
T3: Traffic analysis - Based on the collected information through passive traffic analysis they may send fake notifications over the interface regarding consumable virtualised resources.R3 (a): It shall be possible to validate the authenticity of the virtualised resources information management notifications.R3 (b): It shall be possible to validate the integrity of the virtualised resources information management notifications.
T3.a.1.1 Internal attackers are attached to the network
T3.a.1.2 Internal attackers have access to Or-Vi reference point
T3.a.1.3 Or-Vi supports virtualised resource information management notifications
T3.a.2 Or-Vi reference point
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)55
T3.a.3 Authorized administrators with legitimate access to the Or-Vi reference point
T3.a.4.1Attackers may fake notifications over the interface regarding consumable virtualised resources
T3.a.5 Security monitoring system and Security policy management shall be enabled for virtualised resource information management
T3.b.1.1 Virtualised resource information management shall be configured using security monitoring system
T3.b.1.2 If any fake notifications regarding resource information management is identified, the notification is logged, and a security alarm is raised to the Security monitoring system
T3.b.2.1 Security monitoring systems flag the threat agent (internal attackers) for further analysis
T3.c.2.1 Authenticity of the virtualised resource management notifications shall be validated
T3.c.2.2 Integrity of the virtualised resource management notifications shall be validated
c) Virtualised Resources Capacity Management
T4: Masquerading subscriber notifications - Attackers may send masquerade notifications to the subscribers regarding the resource availability over the interface.R4 (a): It shall be possible to validate the authenticity of the virtualised resource capacity management related operations notifications.R4 (b): It shall be possible to validate the integrity of the virtualised resource capacity management related operations notifications.
T4.a.1.1 Internal attackers are attached to the network
T4.a.1.2 Internal attackers have access to Or-Vi reference point
T4.a.1.3 Or-Vi supports virtualised resource capacity management notifications
T4.a.2 Or-Vi reference point
T4.a.3 Authorized administrators with legitimate access to the Or-Vi reference point
T4.a.4.1Attackers may send masquerade notifications to the subscribers regarding the resource availability over the interface
T4.a.5 Security monitoring system and Security policy management shall be enabled for virtualised resource capacity management
T4.b.1.1 Virtualised resource capacity management shall be configured using security monitoring system
T4.b.1.2 If any masquerade notifications regarding resource capacity management is identified, the notification is logged, and a security alarm is raised to the Security monitoring system
T4.b.2.1 Security monitoring systems flag the threat agent (internal attackers) for further analysis
T4.c.2.1 Authenticity of the virtualised resource capacity management related operations notifications shall be validated
T4.c.2.2 Integrity of the virtualised resource capacity management related operations notifications shall be validated
d) Virtualised Resources Management
T5: Denial of service attack by masquerading resource management request - Attackers may forge the request message on this interface for scaling up/down, scaling out/in, and migration operations to turn down the network functions and services which may result in denial of service attacks.R5 (a): It shall be possible to validate the authenticity of the scaling and migration operations request.R5 (b): It shall be possible to validate the integrity of the scaling and migration operations request.
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)56
T5.a.1.1 Internal attackers are attached to the network
T5.a.1.2 Internal attackers have access to Or-Vi reference point
T5.a.1.3 Or-Vi supports virtualised resource management request
T5.a.2 Or-Vi reference point
T5.a.3 Authorized administrators with legitimate access to the Or-Vi reference point
T5.a.4.1 Attackers may forge the request message for scaling up/down, scaling out/in, and migration operations
T5.a.5 Security monitoring system and Security policy management shall be enabled for virtualised resource management
T5.b.1.1 Virtualised resource management shall be configured using security monitoring system
T5.b.1.2 If any malicious request regarding of the scaling and migration operations is identified, the request is logged, and a security alarm is raised to the Security monitoring system
T5.b.2.1 Security monitoring systems flag the threat agent (internal attackers) for further analysis
T5.c.2.1 Authenticity of the scaling and migration operations request shall be validated
T5.c.2.2 Integrity of the scaling and migration operations request shall be validated
e) Virtualised Resources Change Notification
T6: Denial of service attack by masquerading resources change notifications - Fake consumable virtualised resources change notifications may disrupt the network services.R6 (a): It shall be possible to validate the authenticity of the virtualised resources change notifications.R6 (b): It shall be possible to validate the integrity of the virtualised resources change notifications.
T6.a.1.1 Internal attackers are attached to the network
T6.a.1.2 Internal attackers have access to Or-Vi reference point
T6.a.1.3 Or-Vi supports virtualised resources change notifications
T6.a.2 Or-Vi reference point
T6.a.3 Authorized administrators with legitimate access to the Or-Vi reference point
T6.a.4.1 Attackers may manipulate the virtualised resources change notifications
T6.a.5 Security monitoring system and Security policy management shall be enabled for virtualised resources change notifications
T6.b.1.1 Virtualised resources management shall be configured using security monitoring system
T6.b.1.2 If any fake notifications regarding virtualised resources change is identified, the notification is logged, and a security alarm is raised to the Security monitoring system
T6.b.2.1 Security monitoring systems flag the threat agent (internal attackers) for further analysis
T6.c.2.1 Authenticity of the virtualised resources change notifications shall be validated
T6.c.2.2 Integrity of the virtualised resources change notifications shall be validated
f) Virtualised Resources Performance Management
T7: Manipulation of notifications - Attackers may disable the reporting of performance measurements or change the threshold conditions maliciously, which results in performance degrade or service interruptions.
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)57
R7 (a): It shall be possible to validate the authenticity of the virtualised resources performance management request.R7 (b): It shall be possible to validate the integrity of the virtualised resources performance management request.
T7.a.1.1 Internal attackers are attached to the network
T7.a.1.2 Internal attackers have access to Or-Vi reference point
T7.a.1.3 Or-Vi supports virtualised resource performance management notifications
T7.a.2 Or-Vi reference point
T7.a.3 Authorized administrators with legitimate access to the Or-Vi reference point
T7.a.4.1 Attackers may disable the reporting of performance measurements or change the threshold conditions maliciously
T7.a.5 Security monitoring system and Security policy management shall be enabled for virtualised resource performance management
T7.b.1.1 Virtualised resource performance management shall be configured using security monitoring system
T7.b.1.2 If any malicious notifications regarding virtualised resource performance management is identified, the notification is logged, and a security alarm is raised to the Security monitoring system
T7.b.2.1 Security monitoring systems flag the threat agent (internal Attackers) for further analysis
T7.c.2.1 Authenticity of the virtualised resource performance management request shall be validated
T7.c.2.2 Integrity of the virtualised resource performance management request shall be validated
g) Virtualised Resources Fault Management
T8: Manipulation of notifications - Attackers may disable the reporting of fault notifications and alarms or change the threshold conditions maliciously, which results in service interruptions and permanent failure of the systems.R8 (a): It shall be possible to validate the authenticity of the virtualised resource fault management notifications. R8 (b): It shall be possible to validate the integrity of the virtualised resource fault management notifications.
T8.a.1.1 Internal attackers are attached to the network
T8.a.1.2 Internal attackers have access to Or-Vi reference point
T8.a.1.3 Or-Vi supports virtualised resource fault management notifications
T8.a.2 Or-Vi reference point
T8.a.3 Authorized administrators with legitimate access to the Or-Vi reference point
T8.a.4.1 Attackers may disable the reporting of fault notifications and alarms or change the threshold conditions maliciously
T8.a.5 Security monitoring system and Security policy management shall be enabled for virtualised resource fault management
T8.b.1.1 Virtualised resource fault management shall be configured using security monitoring system
T8.b.1.2 If any malicious notifications regarding virtualised resource fault management is identified, the notification is logged, and a security alarm is raised to the Security monitoring system
T8.b.2.1 Security monitoring systems flag the threat agent (internal attackers) for further analysis
T8.c.2.1 Authenticity of the virtualised resource fault management notifications shall be validated
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)58
T8.c.2.2 Integrity of the virtualised resource fault management notifications shall be validated
h) Network Forwarding Path Management
T9: Denial of service by masquerading network forwarding path management request - Attackers may execute Network Forwarding Path LCM operations to perform DoS attacks on the interface.R9 (a): It shall be possible to validate the authenticity of the network forwarding path management request.R9 (b): It shall be possible to validate the integrity of the network forwarding path management request.
T9.a.1.1 Internal attackers are attached to the network
T9.a.1.2 Internal attackers have access to Or-Vi reference point
T9.a.1.3 Or-Vi supports Network forward path management notifications
T9.a.2 Or-Vi reference point
T9.a.3 Authorized administrators with legitimate access to the Or-Vi reference point
T9.a.4.1 Attackers may execute Network Forwarding Path LCM operations to perform DoS attacks
T9.a.5 Security monitoring system and Security policy management shall be enabled for Network forward path management
T9.b.1.1 Network forward path management shall be configured using security monitoring system
T9.b.1.2 If any malicious notifications regarding Network forward path management are identified, the notification is logged, and a security alarm is raised to the Security monitoring system
T9.b.2.1 Security monitoring systems flag the threat agent (internal attackers) for further analysis
T9.c.2.1 Authenticity of the Network forward path management shall be validated
T9.c.2.2 Integrity of the Network forward path management shall be validated
7.2 NFV Vi-Vnfm reference point
7.2.1 OverviewThe reference point Vi-Vnfm is used to exchange information elements between Virtualised Infrastructure Manager (VIM) and VNF Manager (VNFM). Vi-Vnfm reference point also supports the VNF lifecycle management operations. The Vi-Vnfm reference point between VIM and VNFM supports the following six interfaces as defined in ETSI GS NFV-IFA 006 [2], all these interfaces are produced by VIM and consumed by VNFM:
a) VNF software image management interface: It supports to query the information regarding software images stored in the image repository.
b) Virtualised resources information management interface:
i) It supports to query the information related to consumable virtualised compute, network, and storage resources.
ii) It supports to perform the operations such as subscribe and notify resources information changes operation, and query resources information operation.
c) Virtualised resources management interface:
i) It supports to perform the operations such as allocate, create, update, query, and terminate operations on virtualised compute, network, and storage resources.
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)59
ii) It also supports to perform the operations such as scale and migrate operations on virtualised compute and storage resources.
d) Virtualised resources change notifications interface: It supports to subscribe and notify virtualised compute, network, and storage resources change and changes on reservation of virtualised compute, network, and storage resources.
e) Virtualised resources performance management interface: It supports to perform the performance management related operations such as measurement and threshold create, delete, query, subscribe, and notify operations.
f) Virtualised resources fault management interface: It supports to perform the fault management related operations such as subscribe and notify alarms resulting from the faults related to virtualised resources, and get the alarms list operation.
7.2.2 Threat analysis for Vi-Vnfm reference pointIn this clause, threat analysis for the defined interfaces in the Vi-Vnfm reference point is discussed. For all the threat scenarios, the assumption is that internal attackers are attached to the network and have the access to the Vi-Vnfm reference points.
a) VNF software image management
T1: Unauthorized access - API based attacks could be used to extract additional information from the image repository or perform DoS attacks.R1: It shall be possible to protect against the unauthorized access to the image repository.
T1.a.1.1 Internal attackers are attached to the network
T1.a.1.2 Internal attackers have access to Vi-Vnfm reference point
T1.a.1.3 Vi-Vnfm supports VNF software image management notifications
T1.a.2 Vi-Vnfm reference point
T1.a.3 Authorized administrators with legitimate access to the Vi-Vnfm reference point
T1.a.4.1 Attackers may perform API based attacks to extract additional information from the image repository
T1.a.5 Remote attestation shall be performed for the VNF image
T1.b.1.1 Only signed and remotely attested interface shall access the image repository
T1.b.1.2 Once VNF image fails attestation, the event is logged, and a security alarm is raised to the Security Management system
T1.b.2.1 Security monitoring systems flag the threat agent (internal attackers) for further analysis
T1.c.2.1 VNF image shall be validated protected from unauthorised access
b) Virtualised resources information management
T2: Compromise of location information - For the consumable virtualised resource request, the attackers might respond with the resource location where the attackers have control.R2(a): It shall be possible to validate the authenticity of the consumable virtualised resource request notifications.R2(b): It shall be possible to validate the integrity of the consumable virtualised resource request notifications.
T2.a.1.1 Internal attackers are attached to the network
T2.a.1.2 Internal attackers have access to Vi-Vnfm reference point
T2.a.1.3 Vi-Vnfm supports virtualised resource information management notifications
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)60
T2.a.2 Vi-Vnfm reference point
T2.a.3 Authorized administrators with legitimate access to the Vi-Vnfm reference point
T2.a.4.1 Attackers may manipulate the virtualised resource information management notifications
T2.a.5 Security monitoring system and Security policy management shall be enabled for virtualised resource information management
T2.b.1.1 Virtualised resource information management shall be configured using security monitoring system
T2.b.1.2 If any false notifications regarding resource information management are identified, the notification is logged, and a security alarm is raised to the Security monitoring system
T2.b.2.1 Security monitoring systems flag the threat agent (internal attackers) for further analysis
T2.c.2.1 Authenticity of the virtualised resource management notifications shall be validated
T2.c.2.2 Integrity of the virtualised resource management notifications shall be validated
T3: Denial of Service by masquerading virtualised resources information management request - If the subscriber information details and the virtualised resource information management notifications request known to the attackers, then false notifications may be sent by the attackers that may disrupt the running network services.R3 (a): It shall be possible to prevent attackers from obtaining the subscriber information details. R3 (b): It shall be possible to validate the authenticity of the virtualised resource information management notifications. R3(c): It shall be possible to validate the integrity of the virtualised resource information management notifications.
T3.a.1.1 Internal attackers are attached to the network
T3.a.1.2 Internal attackers have access to Vi-Vnfm reference point
T3.a.1.3 Vi-Vnfm supports virtualised resource information management notifications
T3.a.2 Vi-Vnfm reference point
T3.a.3 Authorized administrators with legitimate access to the Vi-Vnfm reference point
T3.a.4.1 Attackers may manipulate the virtualised resource information management notifications
T3.a.5 Security monitoring system and Security policy management shall be enabled for virtualised resource information management
T3.b.1.1 Virtualised resource information management shall be configured using security monitoring system
T3.b.1.2 If any false notifications regarding resource information management are identified, the notification is logged, and a security alarm is raised to the Security monitoring system
T3.b.2.1 Security monitoring systems flag the threat agent (internal attackers) for further analysis
T3.c.2.1 Authenticity of the virtualised resource management notifications shall be validated
T3.c.2.2 Integrity of the virtualised resource management notifications shall be validated
T3.c.2.3 Subscriber information details shall be protected from unauthorised users.
c) Virtualised resources management
T4: Denial of service by masquerading virtualised resource management request - Fake virtualised resource management notifications such as query, add or delete may disturb the resource management
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)61
operations.R4 (a): It shall be possible to validate the authenticity of the virtualised resource management notifications.R4 (b): It shall be possible to validate the integrity of the virtualised resource management notifications.
T4.a.1.1 Internal attackers are attached to the network
T4.a.1.2 Internal attackers have access to Vi-Vnfm reference point
T4.a.1.3 Vi-Vnfm supports virtualised resource management notifications
T4.a.2 Vi-Vnfm reference point
T4.a.3 Authorized administrators with legitimate access to the Vi-Vnfm reference point
T4.a.4.1 Attackers may manipulate the virtualised resource management notifications
T4.a.5 Security monitoring system and Security policy management shall be enabled for virtualised resource management
T4.b.1.1 Virtualised resource management shall be configured using security monitoring system
T4.b.1.2 If any fake notifications regarding virtualised resource management is identified, the notification is logged, and a security alarm is raised to the Security monitoring system
T4.b.2.1 Security monitoring systems flag the threat agent (internal attackers) for further analysis
T4.c.2.1 Authenticity of the virtualised resource management notifications shall be validated
T4.c.2.2 Integrity of the virtualised resource management notifications shall be validated
d) Virtualised resources change notifications
T5: Denial of service by masquerading virtualised resource change notifications - Fake consumable virtualised resources change notifications may disrupt the network services.R5 (a): It shall be possible to validate the authenticity of the consumable virtualised resources change notifications. R5 (b): It shall be possible to validate the integrity of the consumable virtualised resources change notifications.R5(c): It shall be possible to protect the consumable virtualised resources change notifications from anti-replay attacks.R5 (d): It shall be possible to provide non-repudiation services for consumable virtualised resources change notifications.
T5.a.1.1 Internal attackers are attached to the network
T5.a.1.2 Internal attackers have access to Vi-Vnfm reference point
T5.a.1.3 Vi-Vnfm supports virtualised resources change notifications
T5.a.2 Vi-Vnfm reference point
T5.a.3 Authorized administrators with legitimate access to the Vi-Vnfm reference point
T6.a.4.1 Attackers may manipulate the virtualised resources change notifications
T5.a.5 Security monitoring system and Security policy management shall be enabled for virtualised resources change notifications
T5.b.1.1 Virtualised resources management shall be configured using security monitoring system
T5.b.1.2 If any fake notifications regarding virtualised resources change is identified, the notification is logged, and a security alarm is raised to the Security monitoring system
T5.b.2.1 Security monitoring systems flag the threat agent (internal attackers) for further analysis
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)62
T6.c.2.1 Authenticity of the virtualised resources change notifications shall be validated
T6.c.2.2 Integrity of the virtualised resources change notifications shall be validated
T6.c.2.Virtualised resources change notifications shall be protected from anti-replay attacks
T6.c.2.4 Non-repudiation services shall be provided for virtualised resources change notifications
e) Virtualised resources performance management
T6: Denial of service by masquerading virtualised resources performance management request - Fake virtualised resource performance management report/notifications may disrupt the network service.R6(a): It shall be possible to validate the authenticity of the virtualised resources performance management related information notifications/alarms. R6 (b): It shall be possible to validate the integrity of the virtualised resources performance management related information notifications/alarms.R6(c): It shall be possible to provide non-repudiation services for virtualised resources performance management related information notifications/alarms.
T6.a.1.1 Internal attackers are attached to the network
T6.a.1.2 Internal attackers have access to Vi-Vnfm reference point
T6.a.1.3 Vi-Vnfm supports virtualised resource performance management notifications
T6.a.2 Vi-Vnfm reference point
T6.a.3 Authorized administrators with legitimate access to the Vi-Vnfm reference point
T6.a.4.1 Attackers may manipulate the virtualised resource performance management notifications
T6.a.5 Security monitoring system and Security policy management shall be enabled for virtualised resource performance management
T6.b.1.1 Virtualised resource performance management shall be configured using security monitoring system
T6.b.1.2 If any fake notifications regarding virtualised resource performance management is identified, the notification is logged, and a security alarm is raised to the Security monitoring system
T6.b.2.1 Security monitoring systems flag the threat agent (internal attackers) for further analysis
T6.c.2.1 Authenticity of the virtualised resource performance management notifications shall be validated
T6.c.2.2 Integrity of the virtualised resource performance management notifications shall be validated
T6.c.2.3 Non-repudiation services shall be provided for virtualised resource performance management notifications
f) Virtualised resources fault management
T7: Denial of service by masquerading virtualised resource fault management request - Fake virtualised resource fault management notifications/alarms may disrupt the network service.R7 (a): It shall be possible to validate the authenticity of the virtualised resource fault management notifications and prevent from disrupting the running network services. R7 (b): It shall be possible to validate the integrity of the virtualised resource fault management notifications and prevent from disrupting the running network services.R7(c): It shall be possible to provide non-repudiation services for virtualised resource fault management notifications.
T7.a.1.1 Internal attackers are attached to the network
T7.a.1.2 Internal attackers have access to Vi-Vnfm reference point
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)63
T7.a.1.3 Vi-Vnfm supports virtualised resource fault management notifications
T7.a.2 Vi-Vnfm reference point
T7.a.3 Authorized administrators with legitimate access to the Vi-Vnfm reference point
T7.a.4.1 Attackers may manipulate the virtualised resource fault management notifications
T7.a.5 Security monitoring system and Security policy management shall be enabled for virtualised resource fault management
T7.b.1.1 Virtualised resource fault management shall be configured using security monitoring system
T7.b.1.2 If any fake notifications regarding virtualised resource fault management is identified, the notification is logged, and a security alarm is raised to the Security monitoring system
T7.b.2.1 Security monitoring systems flag the threat agent (internal attackers) for further analysis
T7.c.2.1 Authenticity of the virtualised resource fault management notifications shall be validated
T7.c.2.2 Integrity of the virtualised resource fault management notifications shall be validated
T7.c.2.3 Non-repudiation services shall be provided for virtualised resource fault management notifications
7.3 NFV Or-Vnfm reference point
7.3.1 OverviewThe reference point Or-Vnfm is used to exchange information elements between NFV Orchestrator (NFVO) and VNF Manager (VNFM) via various interfaces. Vi-Vnfm reference point also supports the VNF lifecycle management operations. The Or-Vnfm reference point between NFV Orchestrator and VNFM supports the following interfaces as defined in ETSI GS NFV-IFA 007 [3].
a) VNF Package Management: The capabilities discussed below are applicable to the VNF package management interface produced by the NFVO on the Or-Vnfm reference point:
i) It supports querying VNF package information.
ii) It supports providing notifications for both results of changes on VNF package information.
iii) It supports providing notifications about the on-boarding of VNF packages.
b) VNF Lifecycle Operation Granting: The capabilities discussed below are applicable to the VNF lifecycle operation granting interface produced by the NFVO on the Or-Vnfm reference point:
i) It supports by granting lifecycle operations.
ii) It supports by indicating the lifecycle event for which a granting is being requested.
iii) It enables the VNFM to indicate the virtualised resources impacted by the VNF lifecycle operation.
iv) It enables the VNFM obtaining information about the identification and configuration to access the VIM.
v) It enables the VNFM obtaining, if a reservation is applicable, resource reservation identification information applicable for consuming virtualised resources as part of the lifecycle operation.
vi) It enables the VNFM to provide information to identify the VNF instance and the intended lifecycle operation.
c) Virtualised Resources Management: The capabilities discussed below are applicable to the virtualised resources information management interface produced by the NFVO on the Or-Vnfm reference point. This interface consists of four sub interfaces such as:
Virtualised Resources Information Management interface capabilities:
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)64
i) It supports providing the indication information to enable the NFVO to invoke the virtualised resources information management operations towards the appropriate VIM.
Virtualised Resources Management interface capabilities:
i) It supports providing the indication information to enable the NFVO to invoke the virtualised resources management operations towards the appropriate VIM.
Virtualised Resources Reservation Management interface capabilities:
i) It supports providing the indication information to enable the NFVO to invoke the virtualised resources reservation management operations towards the appropriate VIM.
Virtualised Resources Change Notifications interface capabilities:
i) It supports providing the indication information to enable the NFVO to invoke the virtualised resources change notifications towards the appropriate VIM.
d) VNF Lifecycle Management: The capabilities discussed below are applicable to the VNF lifecycle management interface produced by the VNFM on the Or-Vnfm reference point:
i) It supports instantiating, terminating, scaling, querying information and requesting to change the state of a VNF instance.
ii) It supports querying the status of an ongoing VNF lifecycle management operation.
iii) It supports requesting VNF healing.
e) VNF Lifecycle Change Notification: The capabilities discussed below are applicable to the VNF lifecycle change notifications interface produced by the VNFM on the Or-Vnfm reference point:
i) It supports by notifying the NFVO about the changes of a VNF instance that are related to VNF lifecycle management operations.
ii) Notifications contain information about the type of the VNF lifecycle change such as add, delete and changes on virtualised resources associated to VNF components.
iii) Notifications also contain information about the virtual networks and connection points that are added/deleted as part of the VNF lifecycle operation.
vi) It support indicating the start, end and results of the lifecycle procedure including any error produced from the lifecycle procedure.
v) It support by notifying the result of VNF instantiation with indicating the VNF instance identifier.
f) VNF Performance Management: The capabilities discussed below are applicable to the VNF performance management interface produced by the VNFM on the Or-Vnfm reference point:
i) It supports the NFVO to control the collection and reporting of VNF performance information, resulting from virtualised resources performance information on the VNF(s) it manages.
ii) It notifies NFVO about the availability of VNF performance information.
iii) It supports the NFVO to create a PMjob specifying the VNF performance information that the NFVO requires from the VNFM.
vi) It supports the NFVO to delete and query one or more PM job(s).
v) It supports the NFVO to subscribe for the notifications related to VNF performance information with the VNFM.
vi) It supports the NFVO to manage the thresholds on specified VNF performance information and VNF(s).
g) VNF Fault Management: The capabilities discussed below are applicable to the VNF fault management interface produced by the VNFM on the Or-Vnfm reference point:
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)65
i) It supports by notifying the NFVO about the alarms on a VNF instance as a consequence of state changes in the virtualised resources used by the VNF.
ii) Notifications contain information necessary to identify the VNF and the VNFC(s), the origin of the virtualised resource change notifications(s), the type of alarm, and information about the cause of the alarm.
h) VNF Configuration Management: The requirement discussed below is applicable to the VNF configuration management interface produced by the VNFM on the Or-Vnfm reference point:
i) It supports by providing the configuration parameters for a VNF instance.
i) Virtualised Resources Quota Available Notification: The requirements discussed below are applicable to the Virtualised Resources Quota Available Notification interface produced by the NFVO on the Or-Vnfm reference point:
i) It supports requesting subscription to information on the availability of the virtualised resources quota(s).
ii) It supports providing notification on the availability of the virtualised resources quota(s).
j) VNF indicator: The requirements discussed below are applicable to the VNF indicator interface produced by the VNFM on the Or-Vnfm reference point:
i) It supports requesting subscription to information on on value changes of VNF related indicators.
ii) It supports providing notification on value changes of VNF related indicators.
7.3.2 Threat analysis for Or-Vnfm reference pointIn this clause, threat analysis for the defined interfaces in the Or-Vnfm reference point is discussed. For all the threat scenarios, the assumption is that internal attackers are attached to the network and have the access to the Or-Vnfm reference points.
1) VNF Package Management
T1: Manipulation by masquerading VNF package management request - VNF package management notifications such as result of changes on VNF package states and on-boarding VNF package could be manipulated by the attackers. It may impact the on-boarding functionality of VNF package management.R1 (a): It shall be possible to validate the authenticity of the VNF package management notifications.R1 (b): It shall be possible to validate the integrity of the VNF package management notifications.
T1.a.1.1 Internal attackers are attached to the network
T1.a.1.2 Internal attackers have access to Or-Vnfm reference point
T1.a.1.3 Or-Vnfm supports VNF package management notifications such as result of changes on VNF package states and on-boarding VNF package
T1.a.2 Or-Vnfm reference point
T1.a.3 Authorized administrators with legitimate access to the Or-Vnfm reference point
T1.a.4.1 Attackers may manipulate the notifications such as result of changes on VNF package states and on-boarding VNF package that may impact the on-boarding functionality of VNF package management
T1.a.5 Security monitoring system and Security policy management shall be enabled for VNF package management
T1.b.1.1 VNF package management shall be configured using security monitoring system
T1.b.1.2 If any manipulated notifications regarding VNF package management is identified, the notification is logged, and a security alarm is raised to the Security monitoring system
T1.b.2.1 Security monitoring systems flag the threat agent (internal attackers) for further analysis
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)66
T1.c.2.1 Authenticity of the VNF package management notifications shall be validated
T1.c.2.2 Integrity of the VNF package management notifications shall be validated
2) VNF Lifecycle Operation Granting
T2: Misuse of privileges - During VNF lifecycle operation, VNFM obtains the information from NFVO regarding the identification and configuration information to access the VIM. Attackers may fool the VNFM/NFVO and gain access to VIM without authorization by sending the manipulated request.R2: It shall be possible to protect against unauthorized modification of the VNF lifecycle operation granting interface notifications.
T2.a.1.1 Internal attackers are attached to the network
T2.a.1.2 Internal attackers have access to Or-Vnfm reference point
T2.a.1.3 Or-VNFM supports VNF lifecycle operation granting interface for reporting the identification and configuration information to access the VIM.
T2.a.2 Or-Vnfm reference point
T2.a.3 Authorized administrators with legitimate access to the Or-Vnfm reference point
T2.a.4.1Attackers may fool the VNFM/NFVO and gain access to VIM without authorization by sending the manipulated request
T2.a.5 Security monitoring system and Security policy management shall be enabled for VNF lifecycle operation granting interface
T2.b.1.1 VNF lifecycle operation granting shall be configured using security monitoring system
T2.b.1.2 If any manipulated request regarding the identification and configuration information to access the VIM is identified, the request is logged, and a security alarm is raised to the Security monitoring system
T2.b.2.1 Security monitoring systems flag the threat agent (internal attackers) for further analysis
T2.c.2.1 VNF lifecycle operation granting interface notifications shall be protected from unauthorised access
T3: Manipulation of the identity - If the identity information of the VNF instance transmitted over the interface is known to the attackers, they may send false notifications to interrupt VNF lifecycle operations.R3 (a): It shall be possible to introduce anonymity over the network communication during VNFM information provisioning to identify the VNF instances which intend for VNF lifecycle operations. So the VNF instant information may remain anonymous from the attackers.R3 (b): It shall be possible to validate the authenticity of VNF lifecycle operation granting notifications.
T3.a.1.1 Internal attackers are attached to the network
T3.a.1.2 Internal attackers have access to Or-Vnfm reference point
T3.a.1.3 Or-Vnfm supports VNF lifecycle operation granting for reporting the identity information of VNF instance notifications
T3.a.2 Or-Vnfm reference point
T3.a.3 Authorized administrators with legitimate access to the Or-Vnfm reference point
T3.a.4.1Attackers may send false notifications regarding identity information of VNF instance
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)67
T3.a.5 Security monitoring system and Security policy management shall be enabled for VNF lifecycle operation granting
T3.b.1.1 VNF lifecycle operation granting shall be configured using security monitoring system
T3.b.1.2If any false notifications regarding identity information of VNF instance is identified, the notification is logged, and a security alarm is raised to the Security monitoring system
T3.b.2.1 Security monitoring systems flag the threat agent (internal attackers) for further analysis
T3.c.2.1 Anonymity shall be introduced over the network communication during VNFM information provisioning to identify the VNF instances which intend for VNF lifecycle operations
T3.c.2.2 Authenticity of VNF lifecycle operation granting notifications shall be validated
3) Virtualised Resources Management
T4: Denial of service attack by masquerading resource management request - Attackers may forge the request message on this interface for scaling up/down, scaling out/in, and migration operations to turn down the network functions and services which may result in denial of service attacks.R4(a): It shall be possible to validate the authenticity of the scaling and migration operations request.R4(b): It shall be possible to validate the integrity of the scaling and migration operations request.
T4.a.1.1 Internal attackers are attached to the network
T4.a.1.2 Internal attackers have access to Or-Vnfm reference point
T4.a.1.3 Or-Vnfm supports Virtualised Resource Management for reporting the scaling and migration operations request
T4.a.2 Or-Vnfm reference point
T4.a.3 Authorized administrators with legitimate access to the Or-Vnfm reference point
T4.a.4.1 Attackers may forge the request message for scaling up/down, scaling out/in, and migration operations to turn down the network functions and services
T4.a.5 Security monitoring system shall be enabled for Virtualised Resource Management
T4.b.1.1 Virtualised Resource Management shall be configured using security monitoring system.
T4.b.1.2 If any scaling and migration operations request fails, the request is logged, and a security alarm is raised to the Security monitoring system
T4.b.2.1 Security monitoring systems flag the threat agent (internal attackers) for further analysis
T4.c.2.1 Authenticity of the scaling and migration operations request shall be validated
T4.c.2.1 Integrity of the scaling and migration operations request shall be validated
4) VNF Lifecycle Management
T5: Denial of service by masquerading VNF lifecycle management request - False state of change of VNF instance notifications may disrupt the network services.R5 (a): It shall be possible to validate the authenticity for state of change of VNF instance notifications. R5 (b): It shall be possible to validate the integrity for state of change of VNF instance notifications.R5 (c): It shall be possible to provide non-repudiation services for state of change of VNF instance notifications.
T5.a.1.1 Internal attackers are attached to the network
T5.a.1.2 Internal attackers have access to Or-Vnfm reference point
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)68
T5.a.1.3 Or-Vnfm supports VNF lifecycle management for reporting the state of change of VNF instance notifications
T5.a.2 Or-Vnfm reference point
T5.a.3 Authorized administrators with legitimate access to the Or-Vnfm reference point
T5.a.4.1 Attackers may fake the state of change of VNF instance notifications
T5.a.5 Security monitoring system and Security policy management shall be enabled for VNF lifecycle management
T5.b.1.1 VNF lifecycle management shall be configured using security monitoring system
T5.b.1.2 If any state of change of VNF instance notifications fails, the notification is logged, and a security alarm is raised to the Security monitoring system
T5.b.2.1 Security monitoring systems flag the threat agent (internal attackers) for further analysis
T5.c.2.1 Authenticity for the state of change of VNF instance notifications shall be validated
T5.c.2.1 Integrity for the state of change of VNF instance notifications shall be validated
T5.c.2.2 Non-repudiation services shall be provided for the state of change of VNF instance notifications
5) VNF Lifecycle Change Notification
T6: Manipulation of privileges - Fake VNF lifecycle change notifications by VNFM and NFVO subscribe using input filter for specifying the type of changes may lead to violation of the security policy due to filtering mechanism.R6: It shall be possible to deploy a dynamic security policy management to overcome security violations of the VNF Lifecycle change notifications interface.T6.a.1.1 Internal attackers are attached to the network
T6.a.1.2 Internal attackers have access to Or-Vnfm reference point
T6.a.1.3 Or-Vnfm supports VNF lifecycle management for reporting the VNF lifecycle change notifications
T6.a.2 Or-Vnfm reference point
T6.a.3 Authorized administrators with legitimate access to the Or-Vnfm reference point
T6.a.4.1Attackers may fake the VNF lifecycle change notifications
T6.a.5 Security monitoring system and Security policy management shall be enabled for VNF lifecycle management
T6.b.1.1 VNF lifecycle management shall be configured using security policy management.
T6.b.1.2 If any VNF lifecycle change notifications fails, the notification is logged, and a security alarm is raised to the Security monitoring system
T6.b.2.1 Security monitoring systems flag the threat agent (internal attackers) for further analysis
T6.c.2.1 Deploy a dynamic security policy management to overcome security violations of the VNF Lifecycle change notifications
T7: Denial of service by masquerading VNF lifecycle change request - Fake VNF lifecycle change notifications such as add, update or delete resource may disrupt the network services.R7 (a): It shall be possible to validate the authenticity of the VNF lifecycle change notifications.R7 (b): It shall be possible to validate the integrity of the VNF lifecycle change notifications.
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)69
T7.a.1.1 Internal attackers are attached to the network
T7.a.1.2 Internal attackers have access to Or-Vnfm reference point
T7.a.1.3 Or-Vnfm supports VNF lifecycle management for reporting the VNF lifecycle change notifications
T7.a.2 Or-Vnfm reference point
T7.a.3 Authorized administrators with legitimate access to the Or-Vnfm reference point
T7.a.4.1Attackers may fake the VNF lifecycle change notifications such as add, update or delete resource may disrupt the network services
T7.a.5 Security monitoring system and Security policy management shall be enabled for VNF lifecycle management
T7.b.1.1 VNF lifecycle management shall be configured using security monitoring system
T7.b.1.2 If any VNF lifecycle change notifications fails, the notification is logged, and a security alarm is raised to the Security monitoring system
T7.b.2.1 Security monitoring systems flag the threat agent (internal attackers) for further analysis
T7.c.2.1 Authenticity of the VNF lifecycle change notifications shall be validated
T7.c.2.2 Integrity of the VNF lifecycle change notifications shall be validated
6) VNF Performance Management
T8: Denial of service attack by masquerading VNF performance management request - Fake VNF performance management notifications may disrupt the network service.R8 (a): It shall be possible to validate the authenticity of the VNF performance management related information notifications and prevent from disrupting the running network services. R8 (b): It shall be possible to validate the integrity of the VNF performance management related information notifications and prevent from disrupting the running network servicesR8(c): It shall be possible to provide non-repudiation services VNF performance management notifications.T8.a.1.1 Internal attackers are attached to the network
T8.a.1.2 Internal attackers have access to Or-Vnfm reference point
T8.a.1.3 Or-Vnfm supports VNF performance management for reporting the VNF performance management notifications
T8.a.2 Or-Vnfm reference point
T8.a.3 Authorized administrators with legitimate access to the Or-Vnfm reference point
T8.a.4.1 Attackers may fake the VNF performance management notifications
T8.a.5 Security monitoring system and Security policy management shall be enabled for VNF performance Management
T8.b.1.1 VNF performance management shall be configured using security monitoring system.
T8.b.1.2 If any VNF performance management notifications fails, the notification is logged, and a security alarm is raised to the Security monitoring system
T8.b.2.1 Security monitoring systems flag the threat agent (internal attackers) for further analysis
T8.c.2.1 Authenticity of the VNF performance management notifications shall be validated
T8.c.2.2 Integrity of the VNF performance management notifications shall be validated
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)70
T8.c.2.3 Non-repudiation services shall be provided for VNF performance management notifications
T9: Manipulation of notifications - The attackers may disable the reporting of VNF performance measurements maliciously, which results in VNF performance degrade or service interruptions.R9 (a): It shall be possible to validate the authenticity of the VNF performance management notifications. R9 (b): It shall be possible to validate the integrity of the VNF performance management notifications.
T9.a.1.1 Internal attackers are attached to the network
T9.a.1.2 Internal attackers have access to Or-Vnfm reference point
T9.a.1.3 Or-Vnfm supports VNF performance management for reporting the VNF performance management request
T9.a.2 Or-Vnfm reference point
T9.a.3 Authorized administrators with legitimate access to the Or-Vnfm reference point
T9.a.4.1 Attackers may fake the VNF performance management request
T9.a.5 Security monitoring system and Security policy management shall be enabled for performance management
T9.b.1.1 VNF performance management shall be configured using security monitoring system.
T9.b.1.2 If any VNF performance management request fails, the request is logged, and a security alarm is raised to the Security monitoring system
T9.b.2.1 Security monitoring systems flag the threat agent (internal attackers) for further analysis
T9.c.2.1 Authenticity of the VNF performance management shall be validated
T9.c.2.2 Integrity of the VNF performance management shall be validated
7) VNF Fault Management
T10: Manipulation of notifications - The attackers may disable the reporting of VNF fault notifications and alarms or change the threshold conditions maliciously, which results in service interruptions and permanent failure of the systems.R10(a): It shall be possible to validate the authenticity of the VNF fault management notificationsR10 (b): It shall be possible to validate the integrity of the VNF fault management notifications
T10.a.1.1 Internal attackers are attached to the network
T10.a.1.2 Internal attackers have access to Or-Vnfm reference point
T10.a.1.3 Or-Vnfm supports VNF fault management for reporting the VNF fault notifications
T10.a.2 Or-Vnfm reference point
T10.a.3 Authorized administrators with legitimate access to the Or-Vnfm reference point
T10.a.4.1Attackers may fake the VNF fault notifications
T10.a.5 Security monitoring system and Security policy management shall be enabled for VNF Fault management
T10.b.1.1 VNF fault management shall be configured using security monitoring system.
T10.b.1.2 If any VNF fault Incorporating Orange comments OTD comments notifications fails, the notification is logged, and a security alarm is raised to the Security monitoring system
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)71
T10.b.2.1 Security monitoring systems flag the threat agent (internal attackers) for further analysis
T10.c.2.1 Authenticity of the VNF fault notifications shall be validated
T10.c.2.2 Integrity of the VNF fault notifications shall be validated
T11: Denial of service by masquerading VNF fault management request - Fake VNF fault management notifications/alarms may disrupt the network service.R11 (a): It shall be possible to validate the authenticity of the VNF fault management notifications and prevent from disrupting the running network services. It shall be possible to provide non-repudiation services.R11 (b): It shall be possible to validate the integrity of the VNF fault management notifications and prevent from disrupting the running network services.R11(c): It shall be possible to provide non-repudiation services.
T11.a.1.1 Internal attackers are attached to the network
T11.a.1.2 Internal attackers have access to Or-Vnfm reference point
T11.a.1.3 Or-Vnfm supports VNF fault management for reporting the VNF fault management alarm
T11.a.2 Or-Vnfm reference point
T11.a.3 Authorized administrators with legitimate access to the Or-Vnfm reference point
T11.a.4.1 Attackers may fake the VNF fault management alarms
T11.a.5 Security monitoring system and Security policy management shall be enabled for VNF Fault management
T11.b.1.1 VNF fault management shall be configured using security monitoring system
T11.b.1.2 If any VNF fault management request fails, the request is logged, and a security alarm is raised to the Security monitoring system
T11.b.2.1 Security monitoring systems flag the threat agent (internal attackers) for further analysis
T11.c.2.1 Authenticity of the VNF fault management shall be validated
T11.c.2.2 Integrity of the VNF fault management shall be validated
8) Virtualised Resources Quota Available Notification
T12: Manipulation of privileges - Fake Virtualised Resources Quota Available notifications by NFVO and VNFM subscribe using input filter for specifying the type of changes can lead to violation of the security policy due to filtering mechanism.R12: It shall be possible to deploy a dynamic security policy management to overcome security violations of the Virtualised Resources Quota Available notification interface.
T13: Denial of service by masquerading Virtualised Resources Quota Available request - Fake Virtualised Resources Quota Available notifications can disrupt the network services management.R13: It shall be possible to validate the authenticity of the Virtualised Resources Quota Available. R13: It shall be possible to validate the integrity of the Virtualised Resources Quota Available.
9) VNF Indicator
T14: Manipulation of privileges - Fake VNF Indicator notifications by VNFM and NFVO subscribe using input filter for specifying the type of changes can lead to violation of the security policy due to filtering mechanism.R14: It shall be possible to deploy a dynamic security policy management to overcome security violations of the VNF Indicator interface.
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)72
T15: Denial of service by masquerading VNF Indicator - Fake VNF Indicator notifications can disrupt the network services management.R15 (a): It shall be possible to validate the authenticity of the Virtualised Resources Quota Available. R15 (b): It shall be possible to validate the integrity of the Virtualised Resources Quota Available.
8 Summary of Security RequirementsThe present document addresses the security requirement specifications and threat analysis for MANO components (NFVO, VNFM, and VIM) and MANO reference point’s Or-Vnfm, Or-Vi, Vi-Vnfm. The security analysis addressed in the present document shows that there are various threats that pose significant risks for the MANO components and reference points. Future large scale threats and malicious activities like malware and DDoS attack will cause a further rise of the risk level. NFV system will provide the ability for communications service providers to significantly transform their networks over the next few years and beyond, so as security requirements and threat analysis for each MANO component and reference points will play a vitally important role for securing the NFV-MANO and all the applications trusting on them. These inputs are limited, but it shall provide guidance on which entity and what kind of threat to focus on in order to reduce the overall risks of MANO components and interfaces most efficiently. This analysis is a continual process that should be reviewed regularly to ensure that security requirement and specification shall meet the required objective. NFV systems complying with the present document adequately address the security requirements in terms of authenticity, integrity, confidentiality, privacy, etc. The security and threat analysis should be an integral part of an overall lifecycle of NFV system.
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)73
Annex B (informative):Authors & contributorsThe following people have contributed to this specification:
Rapporteur:Dr. Pradheepkumar Singaravelu, NEC Corporation
Other contributors:Mr. Prabhu T, NEC Europe Ltd
Dr. Sivabalan Arumugam, NEC Europe Ltd
Dr. Anand R. Prasad, NEC Corporation
Dr. Zarrar Yousaf, NEC Europe Ltd
Mr. Kapil Sood, Intel Corporation
Dr. Ashutosh Dutta, AT&T
Mr. Ihab Guirguis, Sprint
Mr. Esa Salahuddin, Cisco
Mr. Diego Lopez, Telefonica
Mr. Scott, Cadzow
Mr. Michael Bilca
Mr.Olivier Legrand
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)74
Annex C (informative):Change History
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)75
Date Version Information about changes
February 2016 0.0.1 Updating the scope and TOC for the SEC014 draft. Both scope and TOC was approved during NFVSEC#65 meeting
March 2016 0.0.2
Below mentioned contribution document accepted in NFVSEC#68 meeting:
NFVSEC(16)000017r3_General_Security_Threats_and_requirements in Section 5
NFVSEC(16)000018r3_Threat_Analysis_for_NFV_Or-Vi_reference point in Section 7.1
NFVSEC(16)000019r3_Threat Analysis_for_NFV_Vi-Vnfm_reference point in Section 7.2
NFVSEC(16)000020r3_Threat_Analysis_for_NFV_Or-Vnfm_reference_point in Section 7.3
Annex A updates
A.1 Risk analysis and assessment for general threats and requirements
A.2 Risk analysis and assessment for Or-Vi reference point
A.3 Risk analysis and assessment for Vi-Vnfm reference point
A.4 Risk analysis and assessment for Or-Vnfm reference point
April 2016 0.0.3
Below mentioned contribution document accepted in NFVSEC#74 meeting:
NFVSEC(16)000091,Threat Analysis for NFV Orchestrator in Section 6.1
NFVSEC(16)000092 Threat Analysis for VNF Manager(s) in Section 6.2
Annex A updates
A.5 Risk analysis and assessment for NFV orchestrator
A.6 Risk analysis and assessment for VNF Manger(s)
May 2016 0.0.4
Below mentioned contribution document accepted in NFVSEC#75 meeting:
NFVSEC(16)000093r1CoverPage_Threat Analysis for Virtualised Infrastructure Manager(s)_r1 in Section 6.3
NFVSEC(16)000119CoverPage_Additional text to section 6.3.2-Threat Analysis for Virtualised Infrastructure Manager(s)
Annex A updatesA.7 Risk analysis and assessment for Virtualised Infrastructure Manager
June 2016 0.0.5
Below mentioned contribution document accepted in NFVSEC#78 meeting:
NFVSEC(16)077003r1 Additional Text to Section 6.1Threat Analysis for NFV Orchestrator
NFVSEC(16)077004r1 Additional text to Section 6.2 Threat Analysis for VNF Manager(s)
July 2016 0.0.6
Below mentioned contribution document accepted in NFVSEC#81 meeting:
NFVSEC(16)000141 [SEC 014]Section 8 Summary of Security Requirements
NFVSEC(16)000142 [SEC 014] Section 1 MANO and Interfaces
August 2016 0.0.7 Updated the ETSI Comments
May 2017 0.0.8Changing Internal Interface to reference point (recommended by IFA WG). Some Editorial change recommended by SECWG and Incorporating Orange comments OTD comments
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)76
Date Version Information about changes
HistoryDocument history
V0.0.6 August 2016 Clean-up done by editHelp!E-mail: mailto:[email protected]
ETSI
ETSI GS NFV-SEC 014 V0.0.8 (2017-05)77