An End-to-End Security Model of Inter-Domain Communication in Network Function Virtualization


  • Håkon Gunleifsen Norwegian University of Science and Technology, NTNU, Gjøvik
  • Thomas Kemmerich Norwegian University of Science and Technology, NTNU, Gjøvik
  • Slobodan Petrovic Norwegian University of Science and Technology, NTNU, Gjøvik


This paper presents a new end-to-end security model for interconnected Virtual Network domains. Network Function Virtualization (NFV) has gained wide attention among Internet Service Providers during the last years. The standardization work from ETSI has outlined a common framework for Network Function Virtualization, open for multiple combinations of interdomain communication. The communication methods consist of multiple NFV interconnection technologies and interfaces, that open up for a variety of NFV models and increased complexity. From an Internet Service Provider (ISP) perspective, the ultimate goal is to be able to freely interconnect NFV services with other ISPs in a secure and automated manner. Hence, this paper presents an abstraction model of the current NFV end-to-end network transport mechanisms for inter-domain communication, to model the end-toend security. The general work within the NFV domain is driven by multiple research contributors where academia, standardization organizations and the open-source community further develop the technology. To verify the model and contribute avoiding research silos, it is also important to classify the related research. We use the presented model for such classification of NFV interconnection mechanisms. By categorizing the differences between the NFV interconnection layers, we show that the model can be used to identify the security gap for secure network channels in NFV.

Author Biographies

Håkon Gunleifsen, Norwegian University of Science and Technology, NTNU, Gjøvik

Norwegian Information Security Laboratory

Thomas Kemmerich, Norwegian University of Science and Technology, NTNU, Gjøvik

Norwegian Information Security Laboratory

Slobodan Petrovic, Norwegian University of Science and Technology, NTNU, Gjøvik

Norwegian Information Security Laboratory


ETSI WG. Network function virtualization (nfv) use cases, 2013.

ETSI WG. Nfv-sec 001 problem statement, 2014.

Rashid Mijumbi, Joan Serrat, Juan-Luis Gorricho, Niels Bouten, Filip De Turck,
and Raouf Boutaba. Network function virtualization: State-of-the-art and research challenges. ETSI, 2015.

ETSI WG. Nfv-sec 003 security and trust guidance, 2014.

ETSI WG. Nfv 2.1 architectual framework 1, 2014.

ETSI WG. Nfv-rel 003 models for end-to-end reliability, 2016.

ETSI WG. Nfv-eve 005 sdn usage in nfv architectural framework, 2015.

ETSI WG. Nfv-man 001 management and orchestration, 2014.

5G PPP Architecture WG. View on 5g architecture. 5GPP Whitepaper, 2016.

IETF WG. Authenticated and encrypted nsh service chains, 2015.

IRTF NFV Research Group. Policy architecture and framework for nfv infrastructures. IRTF draft, March 9,2016.

Open Networking Foundation. Functional requirements for transport api. ONF TR-527, June 10, 2016.

Max Alaluna, Fernando Ramos, and Nuno Neves. (literally) above the clouds:
virtualizing the network over multiple clouds. arXiv arXiv:1512.01196, 2015.

Roberto Bifulco, Anton Matsiuk, and Alessio Silvestro. Ready-to-deploy service
function chaining for mobile networks. In 2016 IEEE NetSoft Conference and
Workshops (NetSoft), pages 175–183. IEEE, 2016.

Villinger and Jung. Establishing a continuous corporate business model innovation process: Process antecedents. In ISPIM Conference Proceedings, page 1, 2015.

Naudt, Tavernier, Verbrugge, Colle, and Pickavet. Deploying sdn and nfv at the
speed of innovation: Toward a new bond between standards development organizations, industry fora, and open-source software projects. IEEE Communications Magazine, 54(3):46–53, 2016.

Ahmed Abujoda and Panagiotis Papadimitriou. Distnse: Distributed network service embedding across multiple providers. In 2016 8th International Conference on Communication Systems and Networks (COMSNETS), pages 1–8. IEEE, 2016.

OpenStack community. The openstack api, 2016. networking-sfc/api.html, Visited:01.08.2016.

The OpenDaylight community. Opendaylight sdni, 2016., Visited:01.08.2016.

OPNFV and OpenvSwitch community. The open virtual network, 2016., Visited:01.08.2016.

S Bradner. Rfc 2119, key words for use in rfcs to indicate requirements. 1997.

A Jøsang. Prospectives for modelling trust in information security. In Australasian Conference on Information Security and Privacy, pages 2–13. Springer, 1997.

R Atkinson and S Kent. Security architecture for the internet protocol. 1998.

Network Working Group et al. Internet x. 509 public key infrastructure certificate and certificate revocation list (crl) profile. RFC5280, 2008.

Abhishek Gupta, M Farhan Habib, Pulak Chowdhury, Massimo Tornatore, and
Biswanath Mukherjee. Joint virtual network function placement and routing of
traffic in operator networks. UC Davis, Davis, CA, USA, Tech. Rep, 2015.

IETF WG. Network service header. draft-ietf-sfc-nsh-05, 2016.

Clarence Filsfils, Nagendra Kumar Nainar, Carlos Pignataro, Juan Camilo Cardona, and Pierre Francois. The segment routing architecture. In 2015 IEEE Global Communications Conference (GLOBECOM), pages 1–6. IEEE, 2015.

Adrian Farrel, J-P Vasseur, and Jerry Ash. A path computation element (pce)-based architecture. Technical report, 2006.

Siamak Azodolmolky, Philipp Wieder, and Ramin Yahyapour. Sdn-based cloud
computing networking. In 2013 15th International Conference on Transparent
Optical Networks (ICTON), pages 1–4. IEEE, 2013.

Sandra Scott-Hayward, Sriram Natarajan, and Sakir Sezer. A survey of security in software defined networks. IEEE Communications Surveys & Tutorials, 18(1):623–654, 2015.

Teemu Koponen, Keith Amidon, Peter Balland, Martín Casado, Anupam Chanda, Bryan Fulton, Igor Ganichev, Jesse Gross, Paul Ingram, Ethan Jackson, et al. Network virtualization in multi-tenant datacenters. In 11th USENIX Symposium on Networked Systems Design and Implementation (NSDI 14), pages 203–216, 2014.

Hassan Hawilo, Abdallah Shami, Maysam Mirahmadi, and Rasool Asal. Nfv:
state of the art, challenges, and implementation in next generation mobile networks (vepc). Network, IEEE, 28(6):18–26, 2014.

J Garay, J Matias, J Unzilla, and E Jacob. Service description in the nfv revolution: Trends, challenges and a way forward. IEEE Communications Magazine, 54(3): 68–74, 2016.

Juniper. Case study rolling out hybrid cloud services across europe., June,2015.

D.W. Bachmann, N.G. Harlow, H.M. Hinton, and P.R. Wardrop. Token caching in trust chain processing, April 26 2016. US Patent 9,325,695.





Norsk Informasjonssikkerhetskonferanse 2016