ETSI GS NFV-SEC 014 V0.0.6 - Directory Listing / · Web viewETSI GS NFV-SEC 014 V0.0.8 (2017-05) Network Functions Virtualisation (NFV); NFV Security; Security Specification for MANO

Disclaimer

The present document has been produced and approved by the Network Functions Virtualisation (NFV) ETSI Industry Specification Group (ISG) and represents the views of those members who participated in this ISG.

It does not necessarily represent the views of the entire ETSI membership.

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)

Network Functions Virtualisation (NFV);NFV Security;

Security Specification for MANO Components and Reference points

GROUP SPECIFICATION

ReferenceDGS/NFV-SEC014

Keywordsinterface; MANO; NFV; security

ETSI

650 Route des LuciolesF-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 CAssociation à but non lucratif enregistrée à laSous-Préfecture de Grasse (06) N° 7803/88

Important notice

The present document can be downloaded from:http://www.etsi.org/standards-search

The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any

existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.

Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at

https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx

If you find errors in the present document, please send your comment to one of the following services:https://portal.etsi.org/People/CommiteeSupportStaff.aspx

Copyright Notification

No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI.

The content of the PDF version shall not be modified without the written authorization of ETSI.The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2016.All rights reserved.

DECTTM, PLUGTESTSTM, UMTSTM and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.3GPPTM and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and

of the 3GPP Organizational Partners.GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)3

https://portal.etsi.org/People/CommiteeSupportStaff.aspx

https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx

http://www.etsi.org/standards-search

Contents

Intellectual Property Rights.................................................................................................................................4

Foreword.............................................................................................................................................................4

Modal verbs terminology....................................................................................................................................4

1 Scope.........................................................................................................................................................5

2 References.................................................................................................................................................52.1 Normative references...........................................................................................................................................52.2 Informative references.........................................................................................................................................5

3 Definitions and abbreviations...................................................................................................................63.1 Definitions...........................................................................................................................................................63.2 Abbreviations.......................................................................................................................................................6

4 NFV-MANO Functional Blocks and Reference points............................................................................6

5 General Security Threats and Requirements............................................................................................7

6 Threat Analysis of NFV-MANO Functional Blocks................................................................................86.1 NFV Orchestrator................................................................................................................................................86.1.1 Overview........................................................................................................................................................86.1.2 Threat analysis for NFV Orchestrator............................................................................................................96.2 VNF Manager(s)................................................................................................................................................246.2.1 Overview......................................................................................................................................................246.2.2 Threat analysis for VNF Manager(s)...........................................................................................................256.3 Virtualised Infrastructure Manager(s)...............................................................................................................406.3.1 Overview......................................................................................................................................................406.3.2 Threat analysis for Virtualised Infrastructure Manager(s)...........................................................................40

7 Threat Analysis of MANO Reference points.........................................................................................527.1 NFV Or-Vi reference point................................................................................................................................527.1.1 Overview......................................................................................................................................................527.1.2 Threat analysis for Or-Vi reference point....................................................................................................537.2 NFV Vi-Vnfm reference point..........................................................................................................................587.2.1 Overview......................................................................................................................................................587.2.2 Threat analysis for Vi-Vnfm reference point...............................................................................................597.3 NFV Or-Vnfm reference point..........................................................................................................................637.3.1 Overview......................................................................................................................................................637.3.2 Threat analysis for Or-Vnfm reference point...............................................................................................65

8 Summary of Security Requirements.......................................................................................................72

Annex B (informative): Authors & contributors.........................................................................................73

Annex C (informative): Change History.......................................................................................................74

History...............................................................................................................................................................75

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)4

Intellectual Property RightsIPRs essential or potentially essential to the present document may have been declared to ETSI. The information pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web server (https://ipr.etsi.org/).

Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.

ForewordThis Group Specification (GS) has been produced by ETSI Industry Specification Group (ISG) Network Functions Virtualisation (NFV).

Modal verbs terminologyIn the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and "cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of provisions).

"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)5

https://portal.etsi.org/Services/editHelp!/Howtostart/ETSIDraftingRules.aspx

https://ipr.etsi.org/

1 ScopeThe scope of this document is to present threat analysis for NFV-MANO functional blocks (NFVO, VNFM, VIM) and reference points Or-Vnfm, Vi-Vnfm, Or-Vi. The output of this analysis results in the identification of threats and specification of requirements to counter the threats.

This document also provides initial risk analysis and assessments without solutions. Thus the scope of the document is limited but it provides an initial guidance regarding threats associated to NFV-MANO functional blocks and its reference points. Threat analysis is a continual process and should be reviewed regularly.

2 References

2.1 Normative referencesReferences are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

Referenced documents which are not found to be publicly available in the expected location might be found at http://docbox.etsi.org/Reference.

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.

The following referenced documents are necessary for the application of the present document.

[1] ETSI GS NFV-IFA 005: "Network Functions Virtualisation (NFV); Management and Orchestration; Or-Vi reference point - Interface and Information Model Specification".

[2] ETSI GS NFV-IFA 006: "Network Functions Virtualisation (NFV); Management and Orchestration; Vi-Vnfm reference point - Interface and Information Model Specification".

[3] ETSI GS NFV-IFA 007: "Network Functions Virtualisation (NFV); Management and Orchestration; Or-Vnfm reference point - Interface and Information Model Specification".

[4] ETSI GS NFV-IFA 010: "Network Functions Virtualisation (NFV); Management and Orchestration; Functional requirements specification".

2.2 Informative referencesReferences are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long term validity.

The following referenced documents are not necessary for the application of the present document but they assist the user with regard to a particular subject area.

[i.1] ETSI GS NFV 003: "Network Functions Virtualisation (NFV); Terminology for Main Concepts in NFV".

[i.2] ETSI GS NFV 002: "Network Functions Virtualisation (NFV); Architecture Framework".

[i.3] ETSI GS NFV-MAN 001: "Network Functions Virtualisation (NFV); Management and Orchestration".

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)6

http://docbox.etsi.org/Reference

[i.4] ETSI GS NFV-SEC 006: "Network Functions Virtualisation (NFV); Security Guide; Report on Security Aspects and Regulatory Concerns".

3 Definitions and abbreviations

3.1 DefinitionsFor the purposes of the present document, the terms and definitions given in ETSI GS NFV 003 [i.1] apply.

3.2 AbbreviationsFor the purposes of the present document, the abbreviations given in ETSI GS NFV 003 [i.1] apply.

4 NFV-MANO Functional Blocks and Reference pointsThis clause provides an overview of NFV-MANO functional blocks and its associated reference points [i.3]. There are three main functional blocks associated with NFV-MANO:

i) NFV Orchestrator (NFVO);

ii) VNF Manager (VNFM); and

iii) Virtualised Infrastructure Manager (VIM).

There are six reference points associated with MANO:

i) Or-Vnfm reference point;

ii) Or-Vi reference point;

iii) Vi-Vnfm reference point;

iv) Os-Ma-nfvo reference point;

v) Ve-Vnfm-em reference point; and

vi) Ve-Vnfm-Vnf reference point.

The Or-Vnfm, Or-Vi and Vi-Vnfm reference points are grouped as NFV-MANO internal reference points whereas the Os-Ma-nfvo, Ve-Vnfm-em and Ve-Vnfm-Vnf vnf reference point are grouped as NFV-MANO external reference points.

The Or-Vnfm, Or-Vi and Vi-Vnfm reference points are grouped as NFV-MANO internal reference points whereas the Os-Ma-nfvo, Ve-Vnfm-em and Ve-Vnfm-vnf reference points are grouped as NFV-MANO external reference points.

i) The Or-Vnfm reference point is between NFVO and VNFM.

ii) The Or-Vi reference point is between NFVO and VNFM.

iii) The Vi-Vnfm reference point is between the VIM and VNFM.

iv) The Os-Ma-nfvo reference point is between OSS/BSS and NFVO.

v) The Ve-Vnfm-em reference point is between EM and VNFM.

vi) The Ve-Vnfm-vnf reference point is between VNF and VNFM.

The present document provides a threat analysis for NFV-MANO functional blocks and internal NFV-MANO reference points, i.e. the Or-Vnfm, Vi-Vnfm, Or-Vi reference points. Threats analysis for the external NFV-MANO reference points, i.e. the Os-Ma-nfvo, Ve-Vnfm-em and Ve-Vnfm-Vnf reference points are for further study.

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)7

5 General Security Threats and RequirementsGeneral security threats and requirements are presented in this clause with respect to NFV-MANO functional blocks(NFVO, VNFM and VIM), NFV-MANO reference points(Or-Vi, Vi-Vnfm, and Or-Vnfm) and their corresponding interfaces are considered [1-4] and analysed from a security point of view. Security threats (T) and their associated security requirements (R) are identified. For all threat scenarios, the assumption is that the attackers are attached to the network and have the access to the NFV- MANO functional blocks and reference points.

Threat (T1): Eavesdropping - If attackers have access to NFV-MANO reference points, these attackers may request NFV-MANO functional blocks to gather information that may be used to perform attacks.

Requirement (R1)-It shall be possible to verify the authenticity of the information request and response messages exchanged between NFV-MANO functional blocks.

T2: Manipulation of messages - Attackers may modify the request and response messages exchanged between NFV-MANO functional blocks.R2: It shall be possible to verify the integrity of the information request and response messages exchanged between NFV-MANO functional blocks.

T3: Eavesdropping – The passive attackers may monitor/eavesdrop the communicating interface for sensitive data. If sensitive data are transmitted over the interface in plain text, then it will result in security issues.R3: It shall be possible to protect the confidentiality of the information request and response messages exchanged between NFV-MANO functional blocks.

T4: Compromising resource management user interface - Attackers may take control of the management web user interface by exploiting vulnerabilities in the management interface, server, and configuration and deployment flaws.R4: It shall be possible to prevent unauthorized access for the user resource management interface.

T5: Unauthorized Access (Password Guessing) - Attackers may perform brute force attacks to find out the management interface login username and password.R5 (a): It shall be possible to limit the continuous login attempts. R5 (b): It shall be possible to implement password management policy.

T6: Interception - Attackers may redirect or mirror the network traffic by compromising virtual routers, and firewalls.R6: It shall be possible to enforce and implement the network access control policy management.

T7: Traffic Analysis - Attackers may obtain sensitive information through traffic analysis and data access pattern analysis.R7: It shall be possible to protect sensitive information during data communication over the network.

T8: Denial of Service - Attackers may perform the DoS/DDoS attacks by targeting the backend/backup systems, resource and management nodes. Attackers may also intentionally accelerate the scaling and migration process.R8 (a): It shall be possible to protect against the unauthorized access and modification of data.R8 (b): It shall be possible to prevent and mitigate the DoS attacks.R8(c): It shall be possible to prevent and mitigate the DDoS attacks.

T9: Misuse of privileges - Attackers may escalate the privileges to gain unauthorized access.R9: It shall be possible to protect against unauthorized access.

T10: Manipulation of application data - Attackers may maliciously change the patching codes and resource location.R10 (a): It shall be possible to ensure that patching codes are downloaded from a trusted source. R10 (b): It shall be possible to verify the authenticity of the information.R10(c): It shall be possible to verify the integrity of the information.

T11: Unauthorized access of stored data - Attackers may perform side channel attacks to get crypto keys and other sensitive information.R11: It shall be possible to protect crypto keys against side channel attacks.

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)8

T12: Resource exhaustion - If attacker’s virtualisation containers consume large amount of resources, then this may degrades the performance of other VMs/VNFs and delays the provisioning of network services and life cycle management (LCM) operations. This may lead to a DoS attack if the performance decrease is severe enough or the network latency is high.R12: Usage of resources beyond the threshold limit by a given VM/VNF shall be notified to the NFVO and permission shall be obtained for usage of additional resources.

T13: Disruption of network service - Attackers may continuously send modified request/response messages that may lead to crashing of the given entity resulting in disruption of the network.R13: It shall be possible to identify and discard the crafted packets.

T14: Masquerading as a legitimate participant - Attackers may resend the previously captured messages to access the network services in the name of genuine entity.R14: It shall be possible to protect against replay attack.

T15: Manipulation of data traffic - Attackers may modify software image file being transferred.R15 (a): It shall be possible to verify the authenticity of the received software image file.R15 (b): It shall be possible to verify the integrity of the received software image file.

T16: Manipulation of data stored in repository - A VNF software image may be tampered and modified while in rest by the attackers.R16: It shall be possible to protect the confidentiality and integrity of the stored software image in the repository and the related keys shall be stored in hardware assisted and tamper resistant trusted environment.

T17: Masquerading as a legitimate entity - The presence of rogue NFV management entities may impact the availability of network services.R17: It shall be possible to enforce mutual authenticity between NFV-MANO functional blocks for any information exchange.

T18: Leakage - Malware may obtain the sensitive information which may corrupt the VNF package.R18: Obfuscation-It shall be possible to obfuscate the sensitive information of the VNF package management into unreadable format.

T19: Manipulation of data - Change of configurations by attackers on the VNF life cycle management operational functions may affect the network services.R19 (a): It shall be possible to protect the VNF configuration file against the un-authorized modifications.

R19 (b) It shall be possible to verify the integrity protection before using the VNF configuration file.

T20: Interception - During migration, high volume VNFs consume maximum available bandwidth and it may be noticeable by attackers. Also it may downgrade the performance and increase the down time, which may lead to migration failure.R20: It shall be possible to migrate VNFs securely without significant performance degradation.

6 Threat Analysis of NFV-MANO Functional Blocks

6.1 NFV Orchestrator

6.1.1 OverviewThe NFV Orchestrator (NFVO) is responsible for life cycle management of network services and VNF packages, validation and authorization of requests, policy management, and managing resources of NFV-PoPs via multiple VIMs and VNFMs. It also tracks the network services and its use of resources by using different data repositories. NFV Orchestrator (NFVO) has two main functional responsibilities, i.e. network service orchestration functions and resource orchestration functions.

a) The network service orchestration functions provide some non-exhaustive set of capabilities such as:

i) Management of network service deployment templates and VNF packages

ii) Network service instantiation and Network service instance lifecycle management

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)9

iii) Management of the instantiations of VNF managers and VNFs, in coordination with VNF managers

iv) Validation and authorization of NFVI resource request from VNF Managers

v) Management of integrity, visibility and topology of the network service instances

vi) Policy management and enforcement for the Network service instances and VNF instances

b) The resource orchestration functions provides some non-exhaustive set of capabilities such as:

i) Validation and authorization of NFVI resource requests from VNF Manager(s)

ii) NFVI resource management across operator's Infrastructure Domains

iii) Management of the relationship between the VNF instances and the NFVI resources

iv) Policy management and enforcement for the Network service instances and VNF instances

v) Collect usage information of NFVI resources

For a detailed description of the NFV orchestrator and its functionalities, refer to clause 5.4.1 in ETSI GS NFV-MAN 001 [i.3].

6.1.2 Threat analysis for NFV OrchestratorThis clause describes the threat analysis and security requirements for NFV orchestrator.

T1: Manipulation of application data - Attackers may modify a NFV packages during on-boarding.R1 (a): Authenticity of a NFV packages shall be verified during on-boarding.R1 (b): Integrity of a NFV package shall be verified during on-boarding.

T1.a.1.1 Internal attackers are attached to the network

T1.a.1.2 Internal attackers have access to Orchestrator

T1.a.1.3 NFVO supports NFV package operations

T1.a.2 Orchestrator

T1.a.3 Authorized administrators with legitimate access to the Orchestrator

T1.a.4.1 Attackers may modify the NFV packages

T1.a.5 Only authorised entity shall access the NFV package operations

T1.b.1.1 NFV packages operations shall be configured using security policy management

T1.b.1.2 Once an NS and VNF package is maliciously altered, the event is logged, and a security alarm is raised to the Security Management system

T1.b.2.1The Security management systems flag the threat agent (internal attackers) for further analysis.

T1.c.1.1 In runtime cases: e.g., Security policy management shall be enforced

T1.c.2.1 Authenticity of the NFV packages shall be validated during on-boarding

T1.c.2.2 Integrity of a NFV packages shall be validated during on-boarding

T2: Disruption of network service - Attackers may forge a NFV descriptor (e.g. NSD, PNFD) during on-boarding, thus resulting in network service interruptions.R2 (a): Authenticity of a NFV descriptor shall be verified during on-boarding.R2 (b): Integrity of a NFV descriptor shall be verified during on-boarding.R2 (c): A NFV descriptor shall be validated against the defined policy management during on-boarding.

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)10



T2.a.1.3 NFVO supports Network service deployment template operations

T2.a.2 Orchestrator


T2.a.4.1 Attackers may forge a NFV descriptor

T2.a.5 Only authorised entity shall access the Network service life cycle management operations

T2.b.1.1 Network service life cycle management operations shall be configured using security policy management

T2.b.1.2 If request operations of Network services life cycle management are disturbed, the event is logged, and a security alarm is raised to the Security management system

T2.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis

T2.c.2.1 Authenticity of a NFV descriptor shall be validated during on-boarding

T2.c.2.2 Integrity of a NFV descriptor shall be validated during on-boarding

T2.c.2.3 A NFV descriptor shall be validated against the defined policy management during on-boarding.

T3: Misuse of privileges- Attackers may indulge in security breaches and gain unauthorized access by overruling the policy management of Network service instances and VNF instances.R3: Security policy management shall be provided for Network service instances and VNF instances.



T3.a.1.3 NFVO supports Network service instances and VNF instances operations

T3.a.2 Orchestrator


T3.a.4.1 Attackers may indulge in security breaches and gain unauthorized access by overruling the policy management of Network service instances and VNF instances

T3.a.5 Only authorised entity shall access the Network service instances and VNF instances

T3.b.1.1 Network service instances and VNF instances shall be configured using security policy management

T3.b.1.2 If any security breaches in Network service instances and VNF instances is identified, the event is logged, and a security alarm is raised to the Security management system


T3.c.2.1 Unauthorized access to Network service instances and VNF instances shall be protected

T4: Manipulation of message request - Attackers may manipulate the NFVI resource allocation (granting) request from VNF Manager(s) regarding resources allocation within one NFVI-PoP or across multiple NFVI-PoPs.R4 (a): Authenticity of NFVI resource allocation requests from VNF Managers shall be verified.R4 (b): Unauthorized access to NFVI resource allocation requests from VNF Managers shall be protected.


ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)11


T4.a.1.3 NFVO supports resources allocation management operations

T4.a.2 Orchestrator


T4.a.4.1 Attackers may manipulate the NFVI resource allocation (granting) request from VNF Manager(s) regarding resources allocation within one NFVI-PoP or across multiple NFVI-PoPs.

T4.a.5 Only authorised entity shall access the resources allocation management

T4.b.1.1 Resources allocation management operations shall be configured using security policy management

T4.b.1.2 If any of the NFVI resource allocation (granting) request is forged, the event is logged, and a security alarm is raised to the Security management system


T4.c.2.1 Authenticity of the NFVI resource allocation requests from VNF Managers shall be validated

T4.c.2.2 Unauthorized access to NFVI resource allocation requests from VNF Managers shall be protected

T5: Traffic Analysis - Attackers may forge the network service topology which may result in performance degradation or service interruptions.R5: Network service topology shall be validated against the defined policy management.



T5.a.1.3 NFVO supports network service topology management operations

T5.a.2 Orchestrator


T5.a.4.1 Attackers may forge the network service topology

T5.a.5 Only authorised entity shall access the network service topology management

T5.b.1.1 Network service topology management shall be configured using security policy management

T5.b.1.2 If any network service topology is forged, the event is logged, and a security alarm is raised to the Security management system


T5.c.2.1 Network service topology shall be validated against the defined policy management

T6: Manipulation of notifications - Attackers may escalate false information or perform service interruptions using the collected usage information of NFVI resources by NFVI instances or group of VNF instances. R6: Usage information of NFVI resources by NFVI instances shall be protected from unauthorized access.



T6.a.1.3 NFVO supports NFVI resource information management operations

T6.a.2 Orchestrator


ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)12

T6.a.4.1 Attackers may escalate false information or perform service interruptions using the collected usage information of NFVI resources by NFVI instances or group of VNF instances

T6.a.5 Only authorised entity shall access the NFVI resource information management

T6.b.1.1 NFVI resource information management shall be configured using security policy management

T6.b.1.2 If any false information regarding collected usage information of NFVI resources is escalated, the event is logged, and a security alarm is raised to the Security management system


T6.c.2.1 Usage information of NFVI resources by NFVI instances shall be protected from unauthorized access

T7: Manipulation of notifications- Attackers may trigger false automation management notifications of Network service instances and VNF instances leading to failure of NS and VNF on-boarding.R7 (a): Authenticity of the automation management notifications shall be verified.R7 (b): Integrity of the automation management notifications shall be verified.



T7.a.1.3 NFVO supports automation management operations

T7.a.2 Orchestrator


T7.a.4.1 Attackers may trigger false automation management notifications of Network service instances and VNF instances

T7.a.5 Only authorised entity shall access the automation management

T7.b.1.1 Automation management shall be configured using security policy management

T7.b.1.2 If any automation management notification is forged, the event is logged, and a security alarm is raised to the Security management system


T7.c.2.1 Authenticity of the automation management notifications shall be validated

T7.c.2.2 Integrity of the automation management notifications shall be validated

T8: Manipulation of application data-Attackers may maliciously change the NFVI resource repository and VIM location information, which are used for distribution, reservation and allocation of NFVI resources to Network service instances and VNF instances R8 (a): Authenticity of the NFVI resource repository and VIM location information shall be verified.R8 (b): Integrity of the NFVI resource repository and VIM location information shall be verified.



T8.a.1.3 NFVO supports NFVI resource information management operations

T8.a.2 Orchestrator


T8.a.4.1Attackers may maliciously change the NFVI resource repository and VIM location information

T8.a.5 Only authorised entity shall access the NFVI resource information management

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)13

T8.b.1.1 NFVI resource information management shall be configured using security policy management

T8.b.1.2 If any NFVI resource information is altered, the event is logged, and a security alarm is raised to the Security Management system


T8.c.2.1 Authenticity of the NFVI resource repository and VIM location information shall be validated

T8.c.2.2 Integrity of the NFVI resource repository and VIM location information shall be validated

T9: Manipulation of stored data-Resources usage information and other collected information (records) related to network services may help attackers to launch predefined attacks R9: Usage data and other deployment information stored in repositories shall be only accessible to authenticated entities.



T9.a.1.3 NFVO supports resource information management operations

T9.a.2 Orchestrator


T9.a.4.1Attackers may perform predefined attacks using Resources usage information and other collected information (records) related to network services

T9.a.5 Only authorised entity shall access the Resource information management

T9.b.1.1 Resource information management operations shall be configured using security policy management

T9.b.1.2 If any predefined attacks is identified, the event is logged, and a security alarm is raised to the Security Management system

T9.b.2.1 Security Management systems flag the threat agent (internal attackers) for further analysis

T9.c.2.1 Usage data and other deployment information stored in repositories shall be only accessible to authenticated entities

T10: Manipulation of network services- Attackers may change the topology of the network services.R10: Security policy based routing shall be configured by administrator.



T10.a.1.3 NFVO supports Network service operations

T10.a.2 Orchestrator


T10.a.4.1 Attackers may alter the topology of the network services

T10.a.5 Only authorised entity shall access the Network service operations

T10.b.1.1 Network service operations shall be configured using security policy management

T10.b.1.2 If any alteration is identified in topology of the network services, the event is logged, and a security alarm is raised to the Security management system


ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)14

T10.c.2.1 Security policy based routing shall be configured by authorised administrator

T11: Disruption of network service- Attackers may disturb the request operations (e.g. disable or delete a NSD) that may impact the Network services life cycle management, potentially interrupting the running network services.R11(a): Authenticity of request operations of Network services life cycle management shall be validated. R11 (b): Integrity of request operations of Network services life cycle management shall be validated.



T11.a.1.3 NFVO supports Network service life cycle management operations



T11.a.4.1 Attackers may disturb the request operations for life cycle management of network services

T11.a.5 Only authorised entity shall access the Network service life cycle management operations

T11.b.1.1 Network service life cycle management operations shall be configured using security policy management

T11.b.1.2 If request operations of Network services life cycle management are disturbed, the event is logged, and a security alarm is raised to the Security management system


T11.c.2.1 Authenticity of request operations of Network services life cycle management shall be validated

T11.c.2.2 Integrity of request operations of Network services life cycle management shall be validated

T12: Misuse of Privileges- Attackers may use external interfaces (e.g., Os-Ma-nfvo) to infiltrate into the NFV-MANO to gain access.R12: Unauthorized access to NFV-MANO from external interface shall be protected.


T`12.a.1.2 Internal attackers have access to Orchestrator

T12.a.1.3 NFVO supports access management operations



T12.a.4.1 Attackers may use external interfaces (e.g., Os-Ma-nfvo) to infiltrate into the NFV-MANO to gain some access

T12.a.5 Only authorised entity shall access the external interfaces (e.g., Os-Ma-nfvo)

T12.b.1.1 External interfaces (e.g., Os-Ma-nfvo) shall be configured using security policy management

T12.b.1.2 If any misuse of privilege is identified, the event is logged, and a security alarm is raised to the Security management system


T12.c.2.1 Unauthorized access to NFV-MANO from external interface shall be protected

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)15

T13: Unauthorized access- In multi-tenancy environment, Network service deployment template or VNF package assigned to particular tenants may expose to other tenants.R13: Tenants deployment templates or VNF packages shall be protected from unauthorized access.



T13.a.1.3 NFVO supports Network service deployment template or VNF package operations



T13.a.4.1 Attackers may expose the access permission of Network service deployment template or VNF package operations assigned to particular tenants

T13.a.5 Only authorised entity shall access the Network service deployment template or VNF package operations

T13.b.1.1 Network service deployment template or VNF package operations shall be configured using security policy management

T13.b.1.2 If Network service deployment template or VNF package operation fails, the event is logged, and a security alarm is raised to the Security management system


T13.c.2.1 Tenants deployment templates or VNF packages shall be protected from unauthorized access

T14: Manipulation of application data-NFVO supports to share resources including software images among VIMs (NFV-PoPs). Attackers may share compromised or manipulated software images among VIMs.R14 (a): Authenticity of the shared resources shall be validated.R14 (b): Integrity of the shared resources shall be validated.

T14. Manipulation of Application Data



T14.a.1.3 NFVO supports to share resources including software images among VIMs (NFV-PoPs)



T14.a.4.1Attackers may share compromised or manipulated software images among VIMs

T14.a.5 Remote attestation shall be performed before any image is instantiated

T14.b.1.1 Only signed and remotely attested Orchestrators shall be instantiated.

T14.b.1.2 Once an Orchestrator image fails attestation, the event is logged, and a security alarm is raised to the Security Management system

T14.b.2.1 Security Management systems flag the threat agent (internal attackers) for further analysis.

T14.c.1.1 N/A

T14.c.1.2 N/A

T14.c.2.1 Authenticity of the shared resources shall be validated through Remote Attestation.

T14.c.2.1 Integrity of the shared resources shall be validated through Remote Attestation.

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)16

T15: Manipulation of data- Attackers may fake the received acceleration capability information from VIM towards NFVO, which may interrupt the NFV acceleration management operations.R15 (a): NFVO shall verify the authenticity of the received acceleration capability information from VIM.R15 (b): NFVO shall verify the integrity of the received acceleration capability information from VIM.



T15.a.1.3 NFVO supports NFV acceleration management operations



T15.a.4.1Attackers may fake the received acceleration capability information from VIM towards NFVO

T15.a.5 Only authorised entity shall access the NFV acceleration management operations

T15.b.1.1 NFV acceleration management operations shall be configured using security policy management

T15.b.1.2 If any NFV acceleration management operations fail, the event is logged, and a security alarm is raised to the Security Management system


T15.c.2.1 Authenticity of the received acceleration capability information from VIM shall be validated

T15.c.2.2 Integrity of the received acceleration capability information from VIM shall be validated

T16: Manipulation of request message- Attackers may forge the NFVO request messages that were sent to the VIM for allocation and release of acceleration resources that may interrupt the NFV acceleration management operations.R16 (a): NFVO shall verify the authenticity of the request messages that were sent to the VIM for allocation and release of acceleration resources.R16 (b): NFVO shall verify the integrity of the request messages that were sent to the VIM for allocation and release of acceleration resources.



T16.a.1.3 NFVO supports NFV acceleration management operations



T16.a.4.1Attackers may forge the NFVO request messages that were sent to the VIM for allocation and release of acceleration resources

T16.a.5 Only authorised entity shall access the NFV acceleration management operations

T16.b.1.1 NFV acceleration management operations shall be configured using security policy management

T16.b.1.2 If any of the NFVO request messages that were sent to the VIM is forged, the event is logged, and a security alarm is raised to the Security management system


T16.c.2.1 Authenticity of the request messages that were sent to the VIM for allocation and release of acceleration resources shall be validated

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)17

T16.c.2.2 Integrity of the request messages that were sent to the VIM for allocation and release of acceleration resources shall be validated

T17: Manipulation of request- Attackers may maliciously modify the query request regarding information about software images to VIM that may interrupt the software image management operations.R17 (a): NFVO shall verify the authenticity of the query request regarding information about software image to VIM.R17 (b): NFVO shall verify the integrity of the query request regarding information about software image to VIM.



T17.a.1.3 NFVO supports software images management operations



T17.a.4.1 Attackers may maliciously modify the query request regarding information about software images to VIM

T17.a.5 Remote attestation shall be performed before any image is instantiated

T17.b.1.1 Software image management shall be configured using security policy management

T17.b.1.2 If any query request regarding information about software images is forged, the event is logged, and a security alarm is raised to the Security management system


T17.c.2.1 Authenticity of the query request regarding information about software image to VIM shall be validated

T17.c.2.2 Integrity of the query request regarding information about software image to VIM shall be validated

T18: Manipulation of request- Attackers may fake the request regarding invoked software image deletion to VIM that may interrupt the software image management operations.R18 (a): NFVO shall verify the authenticity of the invoked software image deletion request to VIM.R18 (b): NFVO shall verify the integrity of the invoked software image deletion request to VIM.



T18.a.1.3 NFVO supports to share resources including software images operations



T18.a.4.1 Attackers may fake the request regarding invoked software image deletion to VIM

T18.a.5 Remote attestation shall be performed before any image is invoked

T18.b.1.1 Only signed and remotely attested Orchestrators shall be invoked

T18.b.1.2Once an Orchestrator image fails attestation, the event is logged, and a security alarm is raised to the Security Management system

T18.b.2.1The Security management systems flag the threat agent (internal attackers) for further analysis.

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)18

T18.c.1.1 In case of runtime threats: e.g., the Orchestrator shall not be invoked without an associated Security Agent running first.

T18.c.1.2 In runtime cases: e.g., Security Policy Management shall enforce data rate policies

T18.c.2.1 Authenticity of the invoked software image deletion request to VIM validated through Remote Attestation

T18.c.2.2 Integrity of the invoked software image deletion request to VIM validated through Remote Attestation

T19: Manipulation of application data- Attackers may modify and forge the user-defined metadata for the selected software images that may interrupt the software image management operations.R19: NFVO shall protect the user-defined metadata for the selected software images from unauthorized access.



T19.a.1.3 NFVO supports to share resources including software images operations



T19.a.4.1 Attackers may modify and forge the user-defined metadata for the selected software images

T19.a.5 Remote attestation shall be performed before any image is instantiated.

T19.b.1.1 Only signed and remotely attested Orchestrators shall be instantiated.

T19.b.1.2 Once an Orchestrator image fails attestation, the event is logged, and a security alarm is raised to the Security Management system

T19.b.2.1 Security management systems flag the threat agent (internal attackers) for further analysis.

T19.c.1.1 In case of runtime threats: e.g., the Orchestrator shall not be instantiated without an associated Security Agent running first.

T19.c.1.2 In runtime cases: e.g., Security Policy Management shall enforce data rate policies

T19.c.2.1 Authenticity of the user-defined metadata for the selected software images shall be validated through Remote Attestation

T19.c.2.2 Integrity of the user-defined metadata for the selected software images shall be validated through Remote Attestation

T20: Manipulation of notifications- Attackers may fake the fault information notifications issued by VNFM related to the Network service managed by NFVO that may interrupt the network service operationsR20(a): NFVO shall verify the authenticity of the fault information notifications related to the Network service.R20(b): NFVO shall verify the integrity of the fault information notifications related to the Network service.



T20.a.1.3 NFVO supports fault information management operations



ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)19

T20.a.4.1 Attackers may fake the fault information notifications issued by VNFM related to the Network service managed by NFVO

T20.a.5 Only authorised entity shall access the fault information management

T20.b.1.1 Fault information management shall be configured using security policy management

T20.b.1.2 If any fault information notification is faked, the event is logged, and a security alarm is raised to the Security management system


T20.c.2.1 Authenticity of the fault information notifications related to the Network service shall be validated

T20.c.2.2 Integrity of the fault information notifications related to the Network service shall be validated

T21: Manipulation of messages- Attackers may tamper the messages exchanged between NFVO and consumer.R21 (a): Messages exchanged between NFVO and consumer shall be protected from unauthorized access.R21 (b): Integrity of the messages exchanged between NFVO and consumer shall be verified.R21 (c): Authenticity of the messages exchanged between NFVO and consumer shall be verified.



T21.a.1.3 NFVO supports messages exchanged between NFVO and consumer



T21.a.4.1Attackers may tamper the messages exchanged between NFVO and consumer

T21.a.5 Only authorised entity shall access the messages exchanged between NFVO and consumer

T21.b.1.1 Messages exchanged between NFVO and consumer shall be configured using endpoint authentication

T21.b.1.2 If any of the message between NFVO and consumer is tampered, the event is logged, and a security alarm is raised to the Security management system


T21.c.2.1 Messages exchanged between NFVO and consumer shall be protected from unauthorized access

T21.c.2.2 Integrity of the messages exchanged between NFVO and consumer shall be validated

T21.c.2.3 Authenticity of the messages exchanged between NFVO and consumer shall be validated

T22: Privacy preservation - Attackers may forge the personally-identifiable information about NFVI-PoPs that may interrupt the infrastructure resource management operations.R22 (a): NFVO shall ensure that personally-identifiable information about NFVI-PoPs shall be protected from unauthorized accessR22 (b): NFVO shall verify the integrity of the personally-identifiable information about NFVI-PoPs.R22(c): NFVO shall verify the authenticity of the personally-identifiable information about NFVI-PoPs.R22 (d): NFVO shall provide privacy for the personally-identifiable information about NFVI-PoPs such as geographical location.



ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)20

T22.a.1.3 NFVO supports infrastructure resource management operations



T22.a.4.1Attackers may forge the personally-identifiable information about NFVI-PoPs

T22.a.5 Only authorised entity shall access the infrastructure resource management operations

T22.b.1.1 NFVI-PoPs operations shall be configured using security policy management

T22.b.1.2 If any infrastructure resource management operations fail, the event is logged, and a security alarm is raised to the Security management system


T22.c.2.1 Personally-identifiable information about NFVI-PoPs shall be protected from unauthorized access

T22.c.2.2 Integrity of the personally-identifiable information about NFVI-PoPs shall be validated

T22.c.2.3 Authenticity of the personally-identifiable information about NFVI-PoPs shall be validated

T22.c.2.4 Privacy for the personally-identifiable information about NFVI-PoPs such as geographical location shall be protected

T23: Manipulation of notifications- Attackers may fake the error notifications during Network service lifecycle procedure that may interrupt the network service operations.R23 (a): NFVO shall verify the authenticity of the error notifications during Network service lifecycle procedure. R23 (b): NFVO shall verify the integrity of the error notifications during Network service lifecycle procedure.



T23.a.1.3 NFVO supports Network service lifecycle operations



T23.a.4.1Attackers may fake the error notifications during Network service lifecycle procedure

T23.a.5 Only authorised entity shall access the Network service lifecycle procedure

T23.b.1.1 Network service lifecycle management shall be configured using security policy management

T23.b.1.2 If any error notification related to Network service lifecycle operations fails, the event is logged; and a security alarm is raised to the Security management system


T23.c.2.1 Authenticity of the error notifications during Network service lifecycle procedure shall be validated

T23.c.2.2 Integrity of the error notifications during Network service lifecycle procedure shall be validated

T24: Manipulation of request- Attackers may fake the change request of fault information related to the Network services that may interrupt the network service operations.R24 (a): Authenticity of the change request regarding fault information shall be verified by the NFVO.R24 (b): Integrity of the change request regarding fault information shall be verified by the NFVO.


ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)21


T24.a.1.3 NFVO supports VNF fault management operations



T24.a.4.1Attackers may fake the change request of fault information related to the Network services

T24.a.5 Only authorised entity shall access the VNF fault management operations

T24.b.1.1 VNF fault management shall be configured using security policy management

T24.b.1.2 If any change request of fault information fails, the event is logged, and a security alarm is raised to the Security management system


T24.c.2.1 Authenticity of the change request regarding fault information shall be validated

T24.c.2.2 Integrity of the change request regarding fault information shall be validated

T25: Manipulation of request- Attackers may forge the VNF healing request to VNFM that may interrupt the VNF fault management operations.R25 (a): NFVO shall verify the authenticity of the VNF healing request to VNFM.R25 (b): NFVO shall verify the integrity of the VNF healing request to VNFM.



T25.a.1.3 NFVO supports VNF fault management operations



T25.a.4.1Attackers may forge the VNF healing request to VNFM

T25.a.5 Only authorised entity shall access the VNF fault management operations


T25.b.1.2 If any VNF healing request fails, the event is logged, and a security alarm is raised to the Security management system



T25.c.2.1 Authenticity of the VNF healing request to VNFM shall be validated

T25.c.2.2 Integrity of the VNF healing request to VNFM shall be validated

T26: Manipulation of notifications- Attackers may forge the state change alarm notifications during VNF instances that may interrupt the VNF fault management operations.R26 (a): NFVO shall verify the authenticity of alarms notifications during VNF instances.R26 (b): NFVO shall verify the integrity of alarms notifications during VNF instances.



ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)22

T26.a.1.3 NFVO supports VNF instance operations



T26.a.4.1Attackers may forge the notifications about availability of performance information on the Network services

T26.a.5 Only authorised entity shall access the VNF performance management information

T26.b.1.1 VNF performance management shall be configured using security policy management

T26.b.1.2 If any notifications about availability of performance information on the Network services fail, the event is logged, and a security alarm is raised to the Security management system



T26.c.2.1 Authenticity of the information regarding active PM jobs shall be validated

T26.c.2.2 Integrity of the information regarding active PM jobs shall be validated

T27: Manipulation of notifications- Attackers may forge the notifications about availability of performance information on the Network services that may interrupt network services.R27 (a): NFVO shall verify the authenticity of notifications about availability of performance information on the Network services.R27 (b): NFVO shall verify the integrity of notifications about availability of performance information on the Network services.



T27.a.1.3 NFVO supports VNF performance management operations



T27.a.4.1Attackers may forge the notifications about availability of performance information on the Network services



T27.b.1.2 If any notifications about availability of performance information on the Network services fail, the event is logged, and a security alarm is raised to the Security management system





T28: Manipulation of data- Attackers may maliciously modify the information regarding active PM jobs that may interrupt the network services.R28 (a): NFVO shall verify the authenticity of the information regarding active PM jobs.R28 (b): NFVO shall verify the integrity of the information regarding active PM jobs.

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)23



T28.a.1.3 NFVO supports VNF performance management operations



T28.a.4.1Attackers may maliciously modify the information regarding active PM jobs



T28.b.1.2 If any active PM jobs fails, the event is logged, and a security alarm is raised to the Security management system





T29: Manipulation of data- Attackers may forge the VNF instance information (related to modification request) that may interrupt the VNF information management operations.R29 (a): NFVO shall verify the authenticity of the modification request message related to VNF instance.R29 (b): NFVO shall verify the integrity of the modification request message related to VNF instance.



T29.a.1.3 NFVO supports VNF information management operations



T29.a.4.1Attackers may forge the VNF instance information

T29.a.5 Only authorised entity shall access the VNF instance information

T29.b.1.1 VNF information management shall be configured using security policy management

T29.b.1.2 If any VNF information management operation fails, the event is logged, and a security alarm is raised to the Security Management system


T29.c.1.1 Security policy management shall be enforced

T29.c.2.1 Authenticity of the VNF instance information shall be validated

T29.c.2.2 Integrity of the VNF instance information shall be validated

T30: Manipulation of data- Attackers may maliciously modify the mandatory information in the VNF package that may interrupt the VNF information management operations.R30: Mandatory information in the VNF package shall be protected from the unauthorized access.

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)24



T30.a.1.3 NFVO supports VNF package management operations



T30.a.4.1 Attackers may forge the mandatory information in VNF package

T30.a.5 Only authorised entity shall access the VNF package’s mandatory information

T30.b.1.1 VNF package shall be configured using security policy management

T30.b.1.2 Once VNF package access permission fails, the event is logged, and a security alarm is raised to the Security Management system



T30.c.2.1 VNF package’s mandatory information shall be protected from unauthorised access

T31: Manipulation of data- Attackers may forge the information of VNFD in the VNF package that may interrupt the VNF information management operations.R31: VNFD information in the VNF package shall be protected from unauthorized access by NFVO.



T31.a.1.3 NFVO supports VNF package management operations



T31.a.4.1 Attackers may forge the information of VNFD in the VNF package

T31.a.5 Only authorised entity shall access the VNFD information

T31.b.1.1 VNFD shall be configured using security policy management

T31.b.1.2 Once VNFD fails access permission, the event is logged, and a security alarm is raised to the Security Management system

T31.b.2.1 Security Management systems flag the threat agent (internal attackers) for further analysis

T31.c.1.1Security Policy Management shall be enforced

T31.c.2.1 VNFD information shall be protected from unauthorised access

6.2 VNF Manager(s)

6.2.1 OverviewVNF Manager (VNFM) is responsible for the lifecycle management of VNF instances. Each VNF instance is implicit to have associated VNF manager. VNF manager functions are generic in nature and applicable to any type of VNF. VNFM manages virtualised resources associated to the VNF it manages via the interfaces exposed by the VIM or NFVO. VNFM exposes VNF lifecycle management interfaces/APIs to the VNF, EM and NFVO. VNFM sends VNF

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)25

lifecycle management notifications to the VNF, EM and NFVO.VNFM manages VNF initial configuration via the interfaces exposed by the VNF. The VNF Manager functional block performs some non-exhaustive set of functions such as:

a) VNF instantiation and VNF configuration;

b) VNF instance software update/upgrade;

c) VNF instance modification;

d) VNF instance scaling out/in and up/down;

e) VNF instance-related collection of NFVI performance measurement results and faults/events information, and correlation to VNF instance-related events/faults;

f) VNF instance assisted or automated healing;

g) VNF instance termination;

h) VNF lifecycle management change notifications;

i) Management of the integrity of the VNF instance through its lifecycle;

j) Overall coordination and adaptation role for configuration and event reporting between the VIM and the EM.

The detail description of VNF managers and its functionalities can be referred from clause 5.4.2 in ETSI GS NFV-MAN 001 [i.3].

6.2.2 Threat analysis for VNF Manager(s)In this clause, threat analysis of VNF Manager(s) is discussed.

T1: Manipulation of data- Attackers may change the VNF configurations during VNF life cycle management process that may affect the network services.R1 (a): VNF configurations shall be protected from unauthorized access during VNF life cycle management process.R1 (b): Integrity of the VNF configurations during VNF life cycle management process shall be verified.


T1.a.1.2 Internal attackers have access to VNF Manager(s)

T1.a.1.3 VNF Manager(s) supports VNF life cycle management operations

T1.a.2 VNF Manager(s)

T1.a.3 Authorized administrators with legitimate access to the VNF Manager(s)

T1.a.4.1 Attackers may change the VNF configurations during VNF life cycle management process

T1.a.5 Only authorised entity shall access the VNF life cycle management operations

T1.b.1.1 VNF life cycle management shall be configured using security policy management

T1.b.1.2 If any VNF life cycle management operation fails, the event is logged, and a security alarm is raised to the Security management system


T1.c.2.1 Authenticity of the VNF configurations during VNF life cycle management process shall be validated

T1.c.2.2 Integrity of the VNF configurations during VNF life cycle management process shall be validated

T2: Manipulation of request message- Attackers may send fake VNF configurations change request between VIM and EM that may disrupt the network service.

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)26

R2 (a): Authenticity of the VNF configurations change request between VIM and EM shall be verified.R2 (b): Integrity of the VNF configurations change request between VIM and EM shall be verified.



T2.a.1.3 VNF Manager(s) supports VNF configuration management operations



T2.a.4.1Attackers may send fake VNF configurations change request between VIM and EM

T2.a.5 Only authorised entity shall access the VNF configuration management

T2.b.1.1 VNF configuration management shall be configured using security policy management

T2.b.1.2 If any fake VNF configurations change request is identified, the event is logged, and a security alarm is raised to the Security management system


T2.c.2.1 Authenticity of the VNF configurations change request between VIM and EM shall be validated

T2.c.2.2 Integrity of the VNF configurations change request between VIM and EM shall be validated

T3: Manipulation of notifications- Attackers may send masquerade notifications during VNF instantiation operations.R3 (a): Authenticity of the VNF instantiation operations shall be verified.R3 (b): Integrity of the VNF instantiation operations shall be verified.



T3.a.1.3 VNF Manager(s) supports VNF instantiation operations



T3.a.4.1Attackers may send masquerade notifications during VNF instantiation operations

T3.a.5 Only authorised entity shall access the VNF instantiation operations

T3.b.1.1 VNF instantiation operations shall be configured using security policy management

T3.b.1.2 If any VNF instantiation operations fail, the event is logged, and a security alarm is raised to the Security management system


T3.c.2.1 Authenticity of the VNF instantiation operations shall be validated

T3.c.2.2 Integrity of the VNF instantiation operations shall be validated

T4: Manipulation of application data-Attackers may maliciously change the VNF software update/upgrade during VNF instantiation.R4 (a): Authenticity of the VNF software update/upgrade shall be verified.R4 (b): Integrity of the VNF software update/upgrade shall be verified.


ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)27


T4.a.1.3 VNF Manager(s) supports VNF software management operations



T4.a.4.1 Attackers may maliciously change the VNF software update/upgrade during VNF instantiation

T4.a.5 Only authorised entity shall access the VNF software management operations

T4.b.1.1 VNF software management shall be configured using security policy management

T4.b.1.2 If any VNF instantiation operation fails, the event is logged, and a security alarm is raised to the Security management system


T4.c.2.1 Authenticity of the VNF software update/upgrade shall be validated

T4.c.2.2 Integrity of the VNF software update/upgrade shall be validated

T5: Manipulation of request message- Attackers may forge the VNF instance scaling out/in and up/down requests.R5 (a): Authenticity of the VNF instance scaling out/in and up/down requests shall be verified.R5 (b): Integrity of the VNF instance scaling out/in and up/down requests shall be verified.



T5.a.1.3 VNF Manager(s) supports VNF instance operations



T5.a.4.1Attackers may forge the VNF instance scaling out/in and up/down requests

T5.a.5 Only authorised entity shall access the VNF instance operations

T5.b.1.1 VNF instance operations shall be configured using security policy management

T5.b.1.2 If any VNF instance operations fail, the event is logged, and a security alarm is raised to the Security management system


T5.c.2.1 Authenticity of the VNF instance scaling out/in and up/down requests shall be validated

T5.c.2.2 Integrity of the VNF instance scaling out/in and up/down requests shall be validated

T6: Manipulation of notifications- Fake performance, fault information and correlation measurement notifications of VNF instance may interrupt the functionality of VNF operations.R6 (a): Authenticity of the performance, fault information and correlation measurement notifications shall be verified.R6 (b): Integrity of the performance, fault information and correlation measurement notifications shall be verified.



ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)28

T6.a.1.3 VNF Manager(s) supports performance, fault information and correlation measurement operations of VNF



T6.a.4.1Attackers may fake the performance, fault information and correlation measurement notifications of VNF instance

T6.a.5 Only authorised entity shall access the VNF operations

T6.b.1.1 VNF operations shall be configured using security policy management

T6.b.1.2 If any VNF operation (performance, fault information and correlation measurement operations) fails, the event is logged, and a security alarm is raised to the Security management system


T6.c.2.1 Authenticity of the performance, fault information and correlation measurement notifications shall be validated

T6.c.2.2 Integrity of the performance, fault information and correlation measurement notifications shall be validated

T7: Manipulation of notifications- Fake VNF lifecycle management change notifications may interrupt the functionality of VNF operations.R7 (a): Authenticity of the VNF lifecycle management change notifications shall be verified.R7 (b): Integrity of the VNF lifecycle management change notifications shall be verified.



T7.a.1.3 VNF Manager(s) supports VNF life cycle management operations



T7.a.4.1Attackers may fake the VNF lifecycle management change notifications

T7.a.5 Only authorised entity shall access the VNF life cycle management operations

T7.b.1.1 VNF life cycle management shall be configured using security policy management

T7.b.1.2 If any VNF life cycle management operation fails, the event is logged, and a security alarm is raised to the Security management system


T7.c.2.1 Authenticity of the VNF lifecycle management change notifications shall be validated

T7.c.2.2 Integrity of the VNF lifecycle management change notifications shall be validated

T8: Manipulation of notifications- Attackers may fake the VNF instance modification notifications.R8 (a): Authenticity of the VNF instance modification notifications shall be verified.R8 (b): Integrity of the VNF instance modification notifications shall be verified.




ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)29



T8.a.4.1Attackers may fake the VNF instance modification notifications



T8.b.1.2 If any VNF instance operation fails, the event is logged, and a security alarm is raised to the Security management system


T8.c.2.1 Authenticity of the VNF instance modification notifications shall be validated

T8.c.2.2 Integrity of the VNF instance modification notifications shall be validated

T9: Manipulation of notifications- Attackers may forge the VNFD information such as deployment information, operational behaviour, policies, software image information, connectivity, etc.R9 (a): Authenticity of the VNFD information shall be verified.R9 (b): Integrity of the VNFD information shall be verified.R9 (c): Confidentiality of the VNFD information shall be protected.R9 (d): VNFD information shall be protected from unauthorized access.



T9.a.1.3 VNF Manager(s) supports VNFD information management operations



T9.a.4.1Attackers may forge the VNFD information such as deployment information, operational behaviour, policies, software image information, connectivity, etc

T9.a.5 Only authorised entity shall access the VNFD information management

T9.b.1.1 VNFD information management shall be configured using security policy management

T9.b.1.2 If any VNFD information management operation fails, the event is logged, and a security alarm is raised to the Security management system


T9.c.2.1 Authenticity of the VNFD information shall be validated

T9.c.2.2 Integrity of the VNFD information shall be validated

T9.c.2.3 Confidentiality of the VNFD information shall be protected

T9.c.2.4 VNFD information shall be protected from unauthorized access

T10: Manipulation of request message- Attackers may maliciously fake the VNFM resource allocation request to NFVO during VNF's instantiation, scaling and termination that may interrupt the VNF resource management operations.R10 (a): VNFM shall verify the authenticity of the VNFM request to NFVO during VNFs instantiation, scaling and termination.R10 (b): VNFM shall verify the integrity of the VNFM request to NFVO during VNFs instantiation, scaling and termination.

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)30



T10.a.1.3 VNF Manager(s) supports VNF resource management operations



T10.a.4.1Attackers may maliciously fake the VNFM resource allocation request to NFVO during VNF's instantiation

T10.a.5 Only authorised entity shall access the VNF resource management

T10.b.1.1 VNF resource management shall be configured using security policy management

T10.b.1.2 If any VNF resource management operation fails, the event is logged, and a security alarm is raised to the Security management system


T10.c.2.1 Authenticity of the VNFM request to NFVO during VNFs instantiation, scaling and termination shall be validated

T10.c.2.2 Integrity of the VNFM request to NFVO during VNFs instantiation, scaling and termination shall be validated

T11: Unauthorized Access- Attackers may access the VIM without authorized permission to enable VNFM.R11: Information which is used to enable the VNFM to access VIM shall be protected from unauthorized access.



T11.a.1.3 VNF Manager(s) supports access management operations



T11.a.4.1Attackers may access the VIM without authorized permission to enable VNFM

T11.a.5 Only authorised entity shall access the VIM and VNFM

T11.b.1.1 VIM shall be configured using security policy management

T11.b.1.2 If any misuse of VIM access privilege is identified, the event is logged, and a security alarm is raised to the Security management system


T11.c.2.1 Information which is used to enable the VNFM to access VIM shall be protected from unauthorized access

T12: Manipulation of notifications- Attackers may forge the change notifications of VNF indicator value.R12 (a): VNFM shall verify the authenticity of the change notifications of VNF indicator value.R12 (b): VNFM shall verify the integrity of the change notifications of VNF indicator value.



ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)31

T12.a.1.3 VNF Manager(s) supports VNF operations



T12.a.4.1Attackers may forge the change notifications of VNF indicator value

T12.a.5 Only authorised entity shall access the VNF operations

T12.b.1.1 VNF operations shall be configured using security policy management

T12.b.1.2 If any VNF operation fails related to VNF indicator value, the event is logged, and a security alarm is raised to the Security management system


T12.c.2.1 Authenticity of the change notifications of VNF indicator value shall be validated

T12.c.2.2 Integrity of the change notifications of VNF indicator value shall be validated

T13: Misuse of privileges - Attackers may gain the access to restricted operation of the virtualised resource groups (related to tenant service request) without privileges.R13: VNFM shall validate the granted privileges of the resource groups.



T13.a.1.3 VNF Manager(s) supports access management



T13.a.4.1Attackers may gain the access to restricted operation of the resource groups (related to tenant service request) without privileges

T13.a.5 Only authorised entity shall access the resource group(e.g., tenant service)

T13.b.1.1 Virtualised resource groups (e.g., tenant service) shall be configured using security policy management

T13.b.1.2 If any misuse of privilege related to tenant service is identified, the event is logged, and a security alarm is raised to the Security management system


T13.c.2.1 Granted privileges of the resource groups shall be protected from unauthorised entity

T14: Manipulation of messages- Attackers may tamper the messages exchanged between VNFM and consumer.R14 (a): Confidentiality shall be provided to the messages exchanged between VNFM and consumer.R14 (b): Messages exchanged between VNFM and consumer shall be protected from unauthorized access.R14 (c): Integrity shall be verified to the messages exchanged between VNFM and consumer.R14 (d): Authenticity shall be verified to the messages exchanged between VNFM and consumer.



T14.a.1.3 VNF Manager(s) supports messages exchanged between VNFM and consumer


ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)32


T14.a.4.1Attackers may tamper the messages exchanged between VNFM and consumer

T14.a.5 Only authorised entity shall access the messages exchanged between VNFM and consumer

T14.b.1.1 Messages exchanged between VNFM and consumer shall be configured using endpoint authentication

T14.b.1.2 If any of the message between VNFM and consumer is tampered, the event is logged, and a security alarm is raised to the Security management system


T14.c.2.1 Confidentiality shall be provided to the messages exchanged between VNFM and consumer

T14.c.2.2 Messages exchanged between VNFM and consumer shall be protected from unauthorized access

T14.c.2.3 Integrity of the messages exchanged between VNFM and consumer shall be validated

T14.c.2.4Authenticity of the messages exchanged between VNFM and consumer shall be validated

T15: Manipulation of request message- Attackers may fake the query request to VIM for the software image information.R15 (a): VNFM shall verify the authenticity of the query request to VIM for the software image information.R15 (b): VNFM shall verify the integrity of the query request to VIM for the software image information.



T15.a.1.3 VNF Manager(s) supports VNF software image management operations



T15.a.4.1Attackers may fake the query request to VIM for the software image information

T15.a.5 Only authorised entity shall access the VNF software image management

T15.b.1.1 VNF software image management shall be configured using security policy management

T15.b.1.2 If any query request fails related to software image information, the event is logged, and a security alarm is raised to the Security management system


T15.c.2.1 Authenticity of the query request to VIM for the software image information shall be validated

T15.c.2.2 Integrity of the query request to VIM for the software image information shall be validated

T16: Manipulation of notification- Fake notifications of virtualised resource-related fault information on the VNFs may interrupt the functionality of VNFM.R16 (a): VNFM shall verify the authenticity of the virtualised resource-related fault notifications.R16 (b): VNFM shall verify the integrity of the virtualised resource-related fault notifications.



T16.a.1.3 VNF Manager(s) supports virtualised resource fault management operations


ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)33


T16.a.4.1Attackers may fake the notifications of virtualised resource-related fault information on the VNFs

T16.a.5 Only authorised entity shall access the virtualised resource fault management

T16.b.1.1 Virtualised resource fault management shall be configured using security policy management

T16.b.1.2 If any virtualised resource fault management operation fails, the event is logged, and a security alarm is raised to the Security management system


T16.c.2.1 Authenticity of the virtualised resource-related fault notifications shall be validated

T16.c.2.2 Integrity of the virtualised resource-related fault notifications shall be validated

T17: Manipulation of notification- Attackers may fake the change request of virtualised resource-related fault information and alarm notifications that may interrupt the functionality of VNFs.R17(a): VNFM shall verify the authenticity of the virtualised resource-related fault information and alarm notifications that may interrupt the functionality of VNFs.R17(b): VNFM shall verify the integrity of the virtualised resource-related fault information and alarm notifications that may interrupt the functionality of VNFs.



T17.a.1.3 VNF Manager(s) supports virtualised resource fault management operations



T17.a.4.1Attackers may fake the change request of virtualised resource-related fault information and alarm notifications

T17.a.5 Only authorised entity shall access the virtualised resource reservation management

T17.b.1.1 Virtualised resource fault management shall be configured using security policy management

T17.b.1.2 If any virtualised resource fault management operation fails, the event is logged, and a security alarm is raised to the Security management system


T17.c.2.1 Authenticity of the virtualised resource-related fault information and alarm notifications shall be validated

T17.c.2.2 Integrity of the virtualised resource-related fault information and alarm notifications shall be validated

T18: Manipulation of request- Attackers may forge the corrective operations request on virtualised resources to VIM in order to perform VNF healing that may interrupt the functionality of VNF fault management system.R18 (a): VNFM shall verify the authenticity of the corrective operations request on virtualised resources to VIM in order to perform VNF healing.R18 (b): VNFM shall verify the integrity of the corrective operations request on virtualised resources to VIM in order to perform VNF healing.



ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)34

T18.a.1.3 VNF Manager(s) supports VNF fault management operations



T18.a.4.1Attackers may forge the corrective operations request on virtualised resources to VIM in order to perform VNF healing

T18.a.5 Only authorised entity shall access the VNF fault management


T18.b.1.2 If any VNF fault management operation fails, the event is logged, and a security alarm is raised to the Security management system


T18.c.2.1 Authenticity of the corrective operations request on virtualised resources to VIM in order to perform VNF healing shall be validated

T18.c.2.2 Integrity of the corrective operations request on virtualised resources to VIM in order to perform VNF healing shall be validated

T19: Manipulation of data - Attackers may modify the receive run-time data (such as VNF instance address, record of significant VNF lifecycle events related) to VNF instances that may interrupt the VNF operations.R19 (a): VNFM shall verify the authenticity of the receive run-time data to VNF instances.R19 (b): VNFM shall verify the integrity of the receive run-time data to VNF instances.






T19.a.4.1 Attackers may modify the receive run-time data (such as VNF instance address, record of significant VNF lifecycle event related) to VNF instances





T14.c.1.1 VNF Manager(s) shall not be instantiated without an associated Security Agent running first

T14.c.1.2 Security Policy Management shall enforce data rate policies

T19.c.2.1 Authenticity of the receive run-time data to VNF instances shall be validated

T19.c.2.2 Integrity of the receive run-time data to VNF instances shall be validated

T20: Manipulation of data - The attackers may forge the mapping information between the VNF instance(s) and associated virtualised resource that may result in service interruptions during VNF instances.R20 (a): VNFM shall verify the authenticity of the mapping information between the VNF instance(s) and associated virtualised resource.

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)35

R20 (b): VNFM shall verify the integrity of the mapping information between the VNF instance(s) and associated virtualised resource.






T20.a.4.1 Attackers may forge the mapping information between the VNF instance(s) and associated virtualised resource





T20.c.2.1 Authenticity of the mapping information between the VNF instance(s) and associated virtualised resource shall be validated

T20.c.2.2 Integrity of the mapping information between the VNF instance(s) and associated virtualised resource shall be validated

T21: Manipulation of data - The attackers may forge the VNF instance information refers to a different VNF package that may interrupt VNF instances operations.R21 (a): VNFM shall verify the authenticity of the VNF instance information refers to a different VNF Package.R21 (b): VNFM shall verify the integrity of the VNF instance information refers to a different VNF Package.



T21.a.1.3 VNF Manager(s) supports VNF instant information management operations



T21.a.4.1 Attackers may forge the VNF instance information refers to a different VNF package

T21.a.5 Only authorised entity shall access the VNF instant information management

T21.b.1.1 VNF instant information management shall be configured using security policy management

T21.b.1.2 If any VNF instances operation fails, the event is logged, and a security alarm is raised to the Security management system


T21.c.2.1 Authenticity of the VNF instance information refers to a different VNF package shall be validated

T21.c.2.2 Integrity of the VNF instance information refers to a different VNF package shall be validated

T22: Manipulation of notification- Attackers may fake the notifications regarding state change of VNF packages that may interrupt the VNF package management operations.

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)36

R22 (a): VNFM shall verify the authenticity of the received notifications regarding state change message of VNF package.R22 (b): VNFM shall verify the integrity of the received notifications regarding state change message of VNF package.



T22.a.1.3 VNF Manager(s) supports VNF package management operations



T22.a.4.1Attackers may fake the notifications regarding state change of VNF packages

T22.a.5 Only authorised entity shall access the VNF package management operations

T22.b.1.1 VNF package management shall be configured using security policy management

T22.b.1.2 If any notifications regarding state change of VNF package operation fails, the event is logged, and a security alarm is raised to the Security management system


T22.c.2.1 Authenticity of the received notifications regarding state change message of VNF package shall be validated

T22.c.2.2 Integrity of the received notifications regarding state change message of VNF package shall be validated

T23: Manipulation of notification- Attackers may forge the notifications about virtual networks and connection points that are added/deleted as part of the VNF lifecycle operation that may interrupt the services in VNF lifecycle management.R23 (a): VNFM shall verify the authenticity of notifications about virtual networks and connection points that are added/deleted as part of the VNF lifecycle operations.R23 (b): VNFM shall verify the integrity of notifications about virtual networks and connection points that are added/deleted as part of the VNF lifecycle operations.



T23.a.1.3 VNF Manager(s) supports VNF lifecycle management operations



T23.a.4.1Attackers may forge the notifications about virtual networks and connection points that are added/deleted as part of the VNF lifecycle operation

T23.a.5 Only authorised entity shall access the VNF lifecycle management

T23.b.1.1 VNF lifecycle management shall be configured using security policy management

T23.b.1.2 If any notifications about virtual networks and connection points that are added/deleted as part of the VNF lifecycle operation fails, the event is logged, and a security alarm is raised to the Security management system


T23.c.2.1 Authenticity of notifications about virtual networks and connection points that are added/deleted as part of the VNF lifecycle operations

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)37

T23.c.2.2 Integrity of notifications about virtual networks and connection points that are added/deleted as part of the VNF lifecycle operations

T24: Manipulation of request- Attackers may fake the VNF lifecycle operation requests using information specified in the VNF package that may interrupt the VNF lifecycle management operations.R24 (a): VNFM shall verify the authenticity of VNF lifecycle operation requests using information specified in the VNF package.R24 (b): VNFM shall verify the integrity of VNF lifecycle operation requests using information specified in the VNF package.



T24.a.1.3 VNF Manager(s) supports VNF lifecycle management operations



T24.a.4.1Attackers may fake the VNF lifecycle operation requests using information specified in the VNF package

T24.a.5 Only authorised entity shall access the VNF lifecycle management

T24.b.1.1 VNF lifecycle management shall be configured using security policy management

T24.b.1.2 If any VNF lifecycle operation requests using information specified in the VNF package is faked, the event is logged, and a security alarm is raised to the Security management system


T24.c.2.1 Authenticity of the VNF lifecycle operation requests using information specified in the VNF package shall be validated

T24.c.2.2 Integrity of the VNF lifecycle operation requests using information specified in the VNF package shall be validated

T25: Manipulation of data- Attackers may fake the information received by the VNFM from NFVO regarding the quota(s) availability, which may interrupt the quota management operations.R25 (a): VNFM shall verify the authenticity of the received information from NFVO regarding the quota(s) availability.R25 (b): VNFM shall verify the integrity of the received information from NFVO regarding the quota(s) availability.



T25.a.1.3 VNF Manager(s) supports virtualised quota management operations



T25.a.4.1 Attackers may fake the information received by the VNFM from NFVO regarding the quota(s) availability

T25.a.5 Only authorised entity shall access the Virtualised quota management operations

T25.b.1.1 Virtualised quota management shall be configured using security policy management

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)38

T25.b.1.2 If the information received by the VNFM from NFVO regarding the quota(s) availability is faked, the event is logged, and a security alarm is raised to the Security management system


T25.c.2.1 Authenticity of the received information from NFVO regarding the quota(s) availability shall be validated

T25.c.2.2 Integrity of the received information from NFVO regarding the quota(s) availability shall be validated

T26: Manipulation of notifications- Attackers may fake the notifications received by the VNFM regarding the changes of information on consumable virtualised resources, which may interrupt the virtualised resource information management operations.R26 (a): VNFM shall verify the authenticity of the received notifications regarding the changes of information on consumable virtualised resources.R26 (b): VNFM shall verify the integrity of the received notifications regarding the changes of information on consumable virtualised resources.



T26.a.1.3 VNF Manager(s) supports virtualised resource information management operations



T26.a.4.1Attackers may fake the notifications received by the VNFM regarding the changes of information on consumable virtualised resources

T26.a.5 Only authorised entity shall access the virtualised resource information management operations

T26.b.1.1 Virtualised resource information management operations shall be configured using security policy management

T26.b.1.2 If any notifications received by the VNFM regarding the changes of information on consumable virtualised resources are faked, the event is logged, and a security alarm is raised to the Security management system


T26.c.2.1 Authenticity of the received notifications regarding the changes of information on consumable virtualised resources shall be validated

T26.c.2.2 Integrity of the received notifications regarding the changes of information on consumable virtualised resources shall be validated

T27: Manipulation of data- Attackers may fake performance information received by the VNFM related to virtualised resources for the VNF instance(s), which may interrupt the virtualised resource performance management operations.R27 (a): VNFM shall verify the authenticity of the received performance information related to virtualised resources for the VNF instance(s).R27 (b): VNFM shall verify the integrity of the received performance information related to virtualised resources for the VNF instance(s).



T27.a.1.3 VNF Manager(s) supports virtualised resource performance management operations

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)39



T27.a.4.1 Attackers may fake performance information received by the VNFM related to virtualised resources for the VNF instance(s)

T27.a.5 Only authorised entity shall access the virtualised resource performance management operations

T27.b.1.1 Virtualised resource performance management shall be configured using security policy management

T27.b.1.2 If any virtualised resource performance management operation fails, the event is logged, and a security alarm is raised to the Security Management system


T27.c.2.1 Authenticity of the received performance information related to virtualised resources for the VNF instance(s) shall be validated

T27.c.2.2 Integrity of the received performance information related to virtualised resources for the VNF instance(s) shall be validated

T28: Manipulation of notifications- Attackers may fake the notifications regarding state change of virtualised resource reservation that received by the VNFM, which may interrupt the resource reservation management operations.R28 (a): VNFM shall verify the authenticity of the received change notifications regarding virtualised resource reservation.R28 (b): VNFM shall verify the integrity of the received change notifications regarding virtualised resource reservation.



T28.a.1.3 VNF Manager(s) supports VNF resource reservation management operations



T28.a.4.1Attackers may fake the notifications regarding state change of virtualised resource reservation that received by the VNFM

T28.a.5 Only authorised entity shall access the VNF resource reservation management

T28.b.1.1 VNF resource reservation management shall be configured using security policy management

T28.b.1.2 If any VNF resource reservation management operation fails, the event is logged, and a security alarm is raised to the Security management system


T28.c.2.1 Authenticity of the received change notifications regarding virtualised resource reservation shall be validated

T28.c.2.2 Integrity of the received change notifications regarding virtualised resource reservation shall be validated

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)40

6.3 Virtualised Infrastructure Manager(s)

6.3.1 OverviewVirtualised Infrastructure Manager (VIM) is responsible for controlling and managing the NFVI resources such as compute, storage and network resource of one or more NFVI-PoPs. VIM exposes virtualised resource management interfaces/APIs to the VNFM and NFVO. VIM sends virtualised resource management notifications to the VNFM and the NFVO. NFVO may control multiple VIMs to orchestrate the resources and network services across the regions. VIM performs some set of functions which may be exposed by means of interfaces consumed by other NFV-MANO functional blocks or by authorized external entities, which are:

i) Orchestrating the allocation/upgrade/release/reclamation of NFVI resources.

ii) Supporting the management of VNF Forwarding Graphs.

iii) Managing in repository inventory related information of NFVI hardware resources and software resources.

iv) Management of the virtualised resource capacity.

v) Management of software images.

vi) Collection of performance and fault information of hardware resources, software resources, and virtualised resources.

vii) Management of catalogues of virtualised resources.

The detail description of VIM and its functionalities can be referred from clause 5.4.3 in ETSI GS NFV-MAN 001 [i.3].

6.3.2 Threat analysis for Virtualised Infrastructure Manager(s)In this clause, threat analysis of VIM(s) is discussed.

T1: Unauthorized access of stored data - Attackers may exploit the catalogue information such as virtualised resource configuration, network connectivity, templates which may affect the network services and system configurations.R1 (a): Authenticity of the catalogues information requests shall be verified.R1 (b): Integrity of the catalogues information requests shall be verified.R1 (c): Catalogue configuration file shall be protected from unauthorized access.

T2: Manipulation of notification - Attackers may forge the performance information related to software and hardware resources within the NFVI that may interrupt the network services or degrade the performance.R2 (a): VIM shall support the capabilities to verify the authenticity of the performance information related to software and hardware resources within the NFVI.R2 (b): VIM shall support the capabilities to verify the integrity of the performance information related to software and hardware resources within the NFVI.


T2.a.1.2 Internal attackers have access to VIM

T2.a.1.3 VIM supports virtualised performance management operations

T2.a.2 VIM

T2.a.3 Authorized administrators with legitimate access to the VIM

T2.a.4.1Attackers may forge the performance information related to software and hardware resources within the NFVI

T2.a.5 Only authorised entity shall access the virtualised performance management operations

T2.b.1.1 Virtualised performance management shall be configured using security policy management

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)41

T2.b.1.2 If any performance information related to software and hardware resources within the NFVI are forged, the event is logged, and a security alarm is raised to the Security management system


T2.c.2.1 Authenticity of the performance information related to software and hardware resources within the NFVI shall be validated

T2.c.2.2 Integrity of the performance information related to software and hardware resources within the NFVI shall be validated

T3: Manipulation of application data - Attackers may modify the software image requests from NFVO to VIM.R3 (a): Authenticity of the software image requests from NFVO to VIM shall be verified.R3 (b): Integrity of the software image requests from NFVO to VIM shall be verified.



T3.a.1.3 VNF Manager(s) supports software image management operations

T3.a.2 VIM


T3.a.4.1 Attackers may modify the software image requests from NFVO to VIM

T3.a.5 Only authorised entity shall access the software image management operations

T3.b.1.1 Software image management operations shall be configured using security policy management

T3.b.1.2 If any of the software image requests from NFVO to VIM is modified, the event is logged, and a security alarm is raised to the Security Management system


T3.c.2.1 Authenticity of the software image requests from NFVO to VIM shall be validated

T3.c.2.2 Integrity of the software image requests from NFVO to VIM shall be validated

T4: Manipulation of software images - Attackers may modify the software images before which are stored in VIM repositories.R4 (a): Authenticity of the software images shall be verified by the VIM before stored in VIM repositories.R4 (b): Integrity of the software images shall be verified by the VIM before stored in VIM repositories.

T5: Manipulation of application data - During run time such as instantiation or scaling operations, attackers may modify the software images which are being transferred from VIM repositories (or storage node) to compute nodes.R5 (a): Authenticity of the software images being transferred to the compute nodes shall be verified before instantiating or scaling VNFs.R5(b): Integrity of the software images being transferred to the compute nodes shall be verified before instantiating or scaling VNFs.

T6: Manipulation of notification - Fake resource capacity information notifications may interrupt the functionality of virtual resource.

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)42

R6 (a): Authenticity of the resource capacity information notifications from VIM to NFVI shall be verified.R6 (b): Integrity of the resource capacity information notifications from VIM to NFVI shall be verified.



T6.a.1.3 VIM supports virtualised resource capacity information management operations

T6.a.2 VIM


T6.a.4.1Attackers may fake the resource capacity information notifications

T6.a.5 Only authorised entity shall access the virtualised resource capacity information management operations

T6.b.1.1 Virtualised resource capacity information management shall be configured using security policy management

T6.b.1.2 If any notification resource capacity information is faked, the event is logged, and a security alarm is raised to the Security management system


T6.c.2.1 Authenticity of the resource capacity information notifications from VIM to NFVI shall be validated

T6.c.2.2 Integrity of the resource capacity information notifications from VIM to NFVI shall be validated

T7: Unauthorized access of stored data - Attackers may maliciously access and corrupt the sensitive data stored in VIM repository.R7 (a): Authenticity of the stored data in the VIM repository shall be verified.R7 (b): Integrity of the stored data in the VIM repository shall be verified.R7(c): Confidentiality of the stored data in the VIM shall be protected.R7 (d): The data stored in VIM repository shall be protected from unauthorized access.

T8: Redirecting logical connectivity - Attackers may compromise and forge the virtual links or virtual networks to modify the logical connections of VNFs using VNF forwarding graphs.R8: It shall be possible to protect the logical connectivity policy configuration files from unauthorized modifications.

T9: Manipulation of user data - Attackers may compromise the infrastructure management by introducing the malicious tenant.R9 (a): Authenticity shall be validated by the infrastructure management during create, read, update and delete of tenant in VIM.R9 (b): Authenticity shall be validated by the infrastructure management during create, read, update and delete of tenant in VIM.R9(c): It shall be possible to protect against the unauthorized access to the infrastructure management during create, read, update and delete of tenant in VIM.

T10: Unauthorized Access - Attackers may gain the infrastructure management privileges and access the infrastructure resource of the other designated tenants.R10: It shall be possible to protect against the unauthorized access to the infrastructure resources which are assigned / reserved to other tenants.

T11: Manipulation of data- The attackers may forge the information provided by the NFV acceleration resources during discovery, allocation, release, reprogram in VIM that may results in performance degradation

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)43

or service interruptions.R11 (a): VIM shall support the capabilities to verify the authenticity of the acceleration resource management information.R11 (b): VIM shall support the capabilities to verify the integrity of the acceleration resource management information.

T12: Manipulation of message - The attackers may fool-proof and play MitM attack when the messages are received from a consumer or sending the messages to the consumer.R12 (a): VIM shall support the capabilities to verify the authenticity of the received messages from an authenticated and authorized consumer.R12 (b): VIM shall support the capabilities to verify the integrity of the received messages from an authenticated and authorized consumer.R12(c): VIM shall support the capabilities to encrypt the sent message or decrypt the received message using negotiated key and algorithm to or from an authenticated and authorized consumer or producer.

T13: Manipulation of information - The attackers may forge the correlated fault information on virtualised resources that may results in performance degradation or service interruptions.R13 (a): VIM shall verify the authenticity of the correlate fault information on virtualised resources.R13 (b): VIM shall verify the integrity of the correlate fault information on virtualised resources.

T14: Manipulation of information: The attackers may forge the correlated fault information related to software and hardware resources within the NFVI that may results in performance degradation or service interruptions.R14 (a): VIM shall verify the authenticity of the correlate fault information related to software and hardware resources within the NFVI.R14 (b): VIM shall verify the integrity of the correlate fault information related to software and hardware resources within the NFVI.

T15: Manipulation of data stored in repository - Attackers may maliciously upload the software images.R15 (a): VIM shall verify the authenticity of the software image before storing in VIM repositories.R15 (b): VIM shall verify the integrity of the software image before storing in VIM repositories.

T16: Manipulation of data stored in repository - Attackers may alter or corrupt the information provided on the software images.R16 (a): VIM shall support the capabilities to verify the authenticity of the information provided on the software images.R16 (b): VIM shall support the capabilities to verify the integrity of the information provided on the software images.

T17: Manipulation of data stored in repository - Attackers may maliciously corrupt the software image management.R17 (a): VIM shall support the capabilities to verify the authenticity of the information regarding software image management.R17 (b): VIM shall support the capabilities to verify the integrity of the information regarding software image management.R17(c): VIM shall support the capabilities to protect the software image management from unauthorized access.

T18: Inference and sensitive data analysis - In multi-tenancy environment, software images belong to a single tenant or particular group of tenants may be placed in common storage area which may allow other tenants to gather sensitive data (by doing reverse engineering, etc.) and other useful details.

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)44

R18 (a): VIM shall verify the authenticity of the private and shared software images which are stored in repository, and the related keys shall be stored in trusted environment.R18 (b): VIM shall verify the integrity of the private and shared software images which are stored in repository, and the related keys shall be stored in trusted environment.R18(c): The private and shared software images which are stored in repository shall be protected from unauthorized access, and the related keys shall be stored in trusted environment.R18 (d): VIM shall provide confidentiality for the private and shared software images which are stored in repository, and the related keys shall be stored in trusted environment.

T19: Manipulation of data stored in repository - Attackers may alter existing software image versions in VIM repository or load images which bypass the VIM loading procedures.R19 (a): During loading, VIM shall only load software image if the authenticity is verified.R19 (b): During loading, VIM shall only load software image if the integrity is verified.R19(c): Verification shall include software image versions.

NOTE: Verify the hash value with VNFD.

T20: Manipulation of policies: Attackers may maliciously alter the affinity and anti-affinity policies of NFVI resource management that may interrupt the NFVI resource management operations.R20 (a): VIM shall verify the authenticity of the enforced affinity and anti-affinity policies for NFVI resource management.R20 (b): Affinity and anti-affinity policies for NFVI resource management shall be protected from unauthorized access.

T21: Manipulation of notifications: Attackers may fake the change notifications request about the allocated and reserved virtualised resources that may violate the allocation and de-allocation operations.R21 (a): VIM shall verify the authenticity of change notifications request about the allocated and reserved virtualised resources.R21 (b): VIM shall verify the integrity of change notifications request about the allocated and reserved virtualised resources.



T21.a.1.3 VIM supports virtualised resource reservation management operations

T21.a.2 VIM


T21.a.4.1Attackers may fake the change notifications request about the allocated and reserved virtualised resources

T21.a.5 Only authorised entity shall access the virtualised resource reservation management operations

T21.b.1.1 Virtualised resource reservation management shall be configured using security policy management

T21.b.1.2 If any change notifications request about the allocated and reserved virtualised resources is faked, the event is logged, and a security alarm is raised to the Security management system


T21.c.2.1 Authenticity of change notifications request about the allocated and reserved virtualised resources shall be validated

T21.c.2.2 Integrity of change notifications request about the allocated and reserved virtualised resources shall be validated

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)45

T22: Manipulation of request messages: Attackers may forge the virtualised resource allocation requests that resources are allocated from a resource reservation management.R22 (a): VIM shall verify the authenticity of the virtualised resource allocation or update requests that resources are allocated or updated from a resource reservation management.R22 (b): VIM shall verify the integrity of the virtualised resource allocation or update requests that resources are allocated or updated from a resource reservation management.




T22.a.2 VIM


T22.a.4.1Attackers may forge the virtualised resource allocation requests that resources are allocated from a resource reservation management.



T22.b.1.2 If any virtualised resource allocation requests from resource reservation management are forged, the event is logged, and a security alarm is raised to the Security management system


T22.c.2.1 Authenticity of the virtualised resource allocation or update requests that resources are allocated or updated from a resource reservation management shall be validated

T22.c.2.2 Integrity of the virtualised resource allocation or update requests that resources are allocated or updated from a resource reservation management shall be validated

T23: Manipulation of request messages: Attackers may fake the infer information of the virtualised resource that may result in compromise of resource reservation management.R23 (a): VIM shall verify the authenticity of the infer information.R23 (b): VIM shall verify the integrity of the infer information.

T24: Manipulation of identity: Attackers may forge the reservation identity to access virtualised resources in the name of legitimate user/admin.R24 (a): VIM shall verify the authenticity of the reservation identification which is used to map to the applicable resource reservation.R24 (b): VIM shall verify the integrity of the reservation identification which is used to map to the applicable resource reservation.

T25: Manipulation of identity: Attackers may forge the consumer/tenant identification and access into the resource reservation management to indulge in forgery.R25 (a): VIM shall verify the authenticity of the consumer/tenant identification which is used to map to the applicable resource reservation when explicit reservation identification is not indicated.R25 (b): VIM shall verify the integrity of consumer/tenant identification which is used to map to the applicable resource reservation when explicit reservation identification is not indicated.

T26: Manipulation of policies: Attackers may modify the affinity and anti-affinity policies for reservation resource management maliciously that may interrupt the reservation resource management operations.R26 (a): VIM shall verify the authenticity of the enforced affinity and anti-affinity policies for reservation

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)46

resource management.R26 (b): Affinity and anti-affinity policies for reservation resource management shall be protected from unauthorized access.

T27: Manipulation of notifications: Attackers may fake the change notifications request about virtualised resource reservation that may interrupt the reservation resource management operations.R27 (a): VIM shall verify the authenticity of change notifications request about the virtualised resource reservation.R27 (b): VIM shall verify the integrity of change notifications request about the virtualised resource reservation.




T27.a.2 VIM


T27.a.4.1Attackers may fake the change notifications request about virtualised resource reservation



T27.b.1.2 If any change notifications request about virtualised resource reservation is faked, the event is logged, and a security alarm is raised to the Security management system


T27.c.2.1 Authenticity of change notifications request about the virtualised resource reservation shall be validated

T27.c.2.2 Integrity of change notifications request about the virtualised resource reservation shall be validated

T28: Manipulation of information: The attackers may forge the collected and maintained information regarding the capacity of the NFVI which it manages, that may impact the performance degradation or service interruptions of NFVI.R28 (a): VIM shall verify the authenticity of the collected and maintained information regarding the capacity of the NFVI.R28 (b): VIM shall verify the integrity of the collected and maintained information regarding the capacity of the NFVI.

T29: Manipulation of information: The attackers may maliciously fake the correlated information regarding the allocated and reserved virtualised resources with changes on underlying hardware/software resources due to maintenance, operation and management of the NFVI that may interrupt the operations of NFVIs.R29 (a): VIM shall verify the authenticity of the information regarding the correlate allocated and reserved virtualised resources with changes on underlying hardware/software resources.R29 (b): VIM shall verify the integrity of the information regarding the correlate allocated and reserved virtualised resources with changes on underlying hardware/software resources.

T30: Manipulation of information: Attackers may forge the information related to available, allocated, reserved and all virtualised resource capacity that may interrupt the performance of the virtualised resources.R30 (a): VIM shall verify the authenticity of the information related to available, allocated, reserved and all virtualised resource capacity.

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)47

R30 (b): VIM shall verify the integrity of the information related to available, allocated, reserved and all virtualised resource capacity.

T31: Manipulation of notifications: Attackers may fake the change notifications request related to the capacity of the virtualised resource that may interrupt the virtualised resource capacity management operations.R31 (a): VIM shall verify the authenticity of change notifications request related to the capacity of the virtualised resource.R31 (b): VIM shall verify the integrity of change notifications request related to the capacity of the virtualised resource.



T31.a.1.3 VIM supports virtualised resource capacity management operations

T31.a.2 VIM


T31.a.4.1Attackers may fake the change notifications request related to the capacity of the virtualised resource

T31.a.5 Only authorised entity shall access the virtualised resource capacity management operations

T31.b.1.1 Virtualised resource capacity management shall be configured using security policy management

T31.b.1.2 If any change notification request related to the capacity of the virtualised resource is faked, the event is logged, and a security alarm is raised to the Security management system


T31.c.2.1 Authenticity of change notifications request related to the capacity of the virtualised resource shall be validated

T31.c.2.2 Integrity of change notifications request related to the capacity of the virtualised resource shall be validated

T32: Manipulation of information: Attackers may forge the provided information about NFVI-PoP(s) such as network connectivity endpoints and geographical location that may impact the network services.R32 (a): VIM shall verify the authenticity of the provided information about NFVI-PoP(s) such as network connectivity endpoints and geographical location.R32 (b): VIM shall verify the integrity of the provided information about NFVI-PoP(s) such as network connectivity endpoints and geographical location.R32(c): VIM shall provide privacy protection for the information about NFVI-PoP(s) such as network connectivity endpoints and geographical location.

T33: Manipulation of information: Attackers may forge the provided information about Resource Zones in the NFVI that may impact virtualised resource capacity management operations.R33 (a): VIM shall verify the authenticity of the provided information about Resource Zones in the NFVI.R33 (b): VIM shall verify the integrity of the provided information provide information about Resource Zones in the NFVI.

T34: Manipulation of information- Attackers may forge the collected virtualised resource performance information such as CPU utilization, memory usage and bandwidth consumption, that may interrupt or degrade the performance of the virtualised resources.R34 (a): VIM shall verify the authenticity of the collected virtualised resource performance information.R34 (b): VIM shall verify the integrity of the collected virtualised resource performance information.

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)48

T35: Manipulation of request message- Attackers may maliciously fake the resource performance management requests that may interrupt or degrade the performance of the virtualised resources.R35 (a): VIM shall verify the authenticity of the resource performance management requests.R35 (b): VIM shall verify the integrity of the resource performance management requests.



T35.a.1.3 VIM supports resource performance management operations

T35.a.2 VIM


T35.a.4.1Attackers may maliciously fake the resource performance management requests

T35.a.5 Only authorised entity shall access the resource performance management operations

T35.b.1.1 Resource performance management shall be configured using security policy management

T35.b.1.2 If resource performance management request is maliciously faked, the event is logged, and a security alarm is raised to the Security management system


T35.c.2.1 Authenticity of the resource performance management requests shall be validated

T35.c.2.2 Integrity of the received virtualised resource management requests from VNFM and/or NFVO shall be validated

T36: Manipulation of information- Attackers may forge the collected virtualised resource fault information related to virtualised resources that may result in failure for optimizing and detecting the malfunction.R36 (a): VIM shall verify the authenticity of the collected virtualised resource fault information.R36 (b): VIM shall verify the integrity of the collected virtualised resource fault information.

T37: Manipulation of information- Attackers may fake the fault change notifications on virtualised resources that may result in failure for optimizing and detecting the malfunction.R37 (a): VIM shall verify the authenticity of the fault change notifications on virtualised resources.R37 (b): VIM shall verify the integrity of the fault change notifications on virtualised resources.

T38: Manipulation of information- Attackers may maliciously deny/stop performing automated or on-demand corrective operations on virtualised resources failure that may interrupt the virtualised resource fault management services.R38 (a): VIM shall verify the authenticity of the automated or on-demand corrective operations on virtualised resources failure.R38 (b): VIM shall verify the integrity of the automated or on-demand corrective operations on virtualised resources failure.

T39: Manipulation of information- Attackers may forge the provided fault information on virtualised resources that are allocated in response to a query that may interrupt the virtualised resource fault management services.R39 (a): VIM shall verify the authenticity of the provided fault information on virtualised resources that are allocated in response to a query.R39 (b): VIM shall verify the integrity of the provided fault information on virtualised resources that are allocated in response to a query.

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)49

T40: Manipulation of notifications- Attackers may forge the information related to change notifications on virtualised resources which is consumed within its area of responsibility that may affect the network services and system configurations.R40 (a): VIM shall verify the authenticity of the information related to change notifications on virtualised resources.R40 (b): VIM shall verify the integrity of the information related to change notifications on virtualised resources.



T40.a.1.3 VIM supports virtualised resource management operations

T40.a.2 VIM


T40.a.4.1Attackers may forge the information change notifications on virtualised resources

T40.a.5 Only authorised entity shall access the virtualised resource management operations

T40.b.1.1 Virtualised resource management shall be configured using security policy management

T40.b.1.2 If any information related to change notifications on virtualised resource is forged, the event is logged, and a security alarm is raised to the Security management system


T40.c.2.1 Authenticity of the information related to change notifications on virtualised resources shall be validated

T40.c.2.2 Integrity of the information related to change notifications on virtualised resources shall be validated

T41: Manipulation of configuration: Attackers may alter or modify the configuration management functions of an individual virtualised resource using specific deployment configuration information.R41: Configuration management of an individual virtualised resource using specific deployment configuration information shall be protected from the unauthorized access.

T42: Manipulation of configuration: Attackers may alter or modify the configuration management functions of a set of related virtualised resources using specific deployment configuration information.R42: Configuration management of a set of related virtualised resources using specific deployment configuration information shall be protected from unauthorized access.

T43: Denial of Service - Attackers may perform DoS attacks during Network Forwarding Path operations such as creating, updating, and delete.R43 (a): VIM shall verify the authenticity of the management operations of Network Forwarding Paths.R43 (b): VIM shall verify the integrity of the management operations of Network Forwarding Paths.

T44: Manipulation of notifications- Attackers may forge the fault notifications about the virtualised resources associated with a specific Network Forwarding Path instance that may interrupt the network forwarding path management operations.R44 (a): VIM shall verify the authenticity of the fault notifications about the virtualised resources associated with a specific Network Forwarding Path instance.R44 (b): VIM shall verify the integrity of the fault notifications about the virtualised resources associated with a specific Network Forwarding Path instance.


ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)50


T44.a.1.3 VIM supports network forwarding path management operations

T44.a.2 VIM


T44.a.4.1Attackers may forge the fault notifications about the virtualised resources associated with a specific Network Forwarding Path instance

T44.a.5 Only authorised entity shall access the network forwarding path management operations

T44.b.1.1 Network forwarding path management operations shall be configured using security policy management

T44.b.1.2 If fault notifications about the virtualised resources associated with a specific Network Forwarding Path instance is forged, the event is logged, and a security alarm is raised to the Security management system


T44.c.2.1 Authenticity of the fault notifications about the virtualised resources associated with a specific Network Forwarding Path instance shall be validated

T44.c.2.2 Integrity of the fault notifications about the virtualised resources associated with a specific Network Forwarding Path instance shall be validated

T45: Manipulation of request messages- Attackers may maliciously forge the rejection request of virtualised resource allocation that may interrupt the quota management operations.R45 (a): VIM shall verify the authenticity of the rejection request of virtualised resource allocation.R45 (b): VIM shall verify the integrity of the rejection request of virtualised resource allocation.



T45.a.1.3 VIM supports virtualised quota management operations

T45.a.2 VIM


T45.a.4.1Attackers may maliciously forge the rejection request of virtualised resource allocation

T45.a.5 Only authorised entity shall access the virtualised quota management operations

T45.b.1.1 Virtualised quota management operations shall be configured using security policy management

T45.b.1.2 If any rejection request of virtualised resource allocation is forged, the event is logged, and a security alarm is raised to the Security management system


T45.c.2.1 Authenticity of the rejection request of virtualised resource allocation shall be validated

T45.c.2.2 Integrity of the rejection request of virtualised resource allocation shall be validated

T46: Manipulation of request messages- Attackers may fake the create/update/delete request of resource quota for the consumer of the virtualised resources, which may interrupt the quota management operations.R46 (a): VIM shall verify the authenticity of the create/update/delete request of resource quota for the consumer of the virtualised resources.R46 (b): VIM shall verify the integrity of the create/update/delete request of resource quota for the consumer of the virtualised resources.

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)51




T46.a.2 VIM


T46.a.4.1Attackers may fake the create/update/delete request of resource quota for the consumer of the virtualised resources



T46.b.1.2 If any request of resource quota of the virtualised resources is faked, the event is logged, and a security alarm is raised to the Security management system


T46.c.2.1 Authenticity of the create/update/delete request of resource quota for the consumer of the virtualised resources shall be validated

T46.c.2.2 Integrity of the create/update/delete request of resource quota for the consumer of the virtualised resources shall be validated

T47: Manipulation of information- Attackers may maliciously forge the provided information on the resource quota for the consumer of the virtualised resources, which may interrupt the quota management operations.R47 (a): VIM shall verify the authenticity of the provided information on the resource quota for the consumer of the virtualised resources.R47 (b): VIM shall verify the integrity of the provided information on the resource quota for the consumer of the virtualised resources.

T48: Manipulation of notifications - Attackers may fake the resource quota change notifications for the consumer of the virtualised resources, which may interrupt the quota management operations.R48 (a): VIM shall verify the authenticity of the resource quota change notifications for the consumer of the virtualised resources.R48 (b): VIM shall verify the integrity of the resource quota change notifications for the consumer of the virtualised resources.




T48.a.2 VIM


T48.a.4.1Attackers may fake the resource quota change notifications for the consumer of the virtualised resources



T48.b.1.2 If any resource quota change notification is forged, the event is logged, and a security alarm is raised to the Security management system

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)52


T48.c.2.1 Authenticity of the resource quota change notifications for the consumer of the virtualised resources shall be validated

T48.c.2.2 Integrity of the resource quota change notifications for the consumer of the virtualised resources shall be validated

T49: Manipulation of request messages: Attackers may forge the received virtualised resource management requests from VNFM and/or NFVO, which conduct the corresponding resource management operations.R49 (a): VIM shall verify the authenticity of the received virtualised resource management requests from VNFM and/or NFVO.R49 (b): VIM shall verify the integrity of the received virtualised resource management requests from VNFM and/or NFVO.



T49.a.1.3 VIM supports virtualised resource management operations

T49.a.2 VIM


T49.a.4.1Attackers may forge the received virtualised resource management requests from VNFM and/or NFVO which conduct the corresponding resource management operations

T49.a.5 Only authorised entity shall access the virtualised resource management operations

T49.b.1.1 Virtualised resource management shall be configured using security policy management

T49.b.1.2 If any received virtualised resource management request from VNFM and/or NFVO is forged, the event is logged, and a security alarm is raised to the Security management system


T49.c.2.1 Authenticity of the received virtualised resource management requests from VNFM and/or NFVO shall be validated

T49.c.2.2 Integrity of the received virtualised resource management requests from VNFM and/or NFVO shall be validated

7 Threat Analysis of MANO Reference points

7.1 NFV Or-Vi reference point

7.1.1 OverviewThe reference point Or-Vi is used to exchange information elements between NFV Orchestrator (NFVO) and Virtual Infrastructure Manager (VIM) via various interfaces. Or-Vi reference point also supports the VNF and NS lifecycle management operations. The Or-Vi reference point between NFVO and VIM supports the following interfaces as defined in ETSI GS NFV-IFA 005 [1], all these interfaces are produced by VIM and consumed by NFVO (i.e. all requested by NFVO and responded by VIM):

a) Software Image Management: It supports to add, delete and update software images in the VIM image repository. Also it supports to query information about the software images in VIM image repository.

b) Virtualised Resources Information Management: It supports to query and notify the information related to consumable virtualised compute, network, and storage resources.

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)53

c) Virtualised Resources Capacity Management:

i) It supports to query and notify changes about the amount of available, allocated, reserved and total resources information details.

ii) It also supports to query about the resource zones and NFVI-PoPs information details.

d) Virtualised Resources Management:

i) It supports to manage the compute, network and storage virtualised resources either individually or any combination of them.

ii) It supports to create, update, query and delete the instantiated virtualised resources.

iii) It supports to create, update, query and delete the resource reservations. Also it supports to specify the information about the resource reservation start time and end time, and creation/update of the resource zones where the resources need to be reserved.

iv) It supports the resource reservation at different resource granularities and virtual container granularity level.

v) It also supports to identify consumer details of the reserved resources.

e) Virtualised Resources Change Notification: It supports to provide state change notifications about virtualised compute, network, and storage resources.

f) Virtualised Resources Performance Management:

i) It supports to perform the performance management related operations such as measurement, collection, threshold setting and reporting, and these operations can be controlled by NFVO. Also it supports to query the performance information details such as for which virtualised resources VIM collects information, PM types and other related information.

ii) It supports to create and notify PMjob with various granularity levels, specified resources and performance information type.

g) Virtualised Resources Fault Management: It supports to perform various FM related operations such as collect virtualised resources fault information, notify alarms, creation, clear and change in alarms notifications. It also supports to notify alarms with its reasons without any ambiguity.

h) Network Forwarding Path Management: It supports to create, delete and update Network Forwarding Paths. It also supports to query information about the Network Forwarding Paths.

7.1.2 Threat analysis for Or-Vi reference pointIn this clause, threat analysis for the defined interfaces in the Or-Vi reference point is discussed. For all the threat scenarios, the assumption is that internal attackers are attached to the network and have the access to the Or-Vi reference points.

a) Software Image Management

T1: Data tampering - Malicious images could be added or updated into the image repository.R1 (a): It shall be possible to verify the authenticity of the images which are added or updated in the image repository.R1 (b): It shall be possible to verify the integrity of the images which are added or updated in the image repository.


T1.a.1.2 Internal attackers have access to Or-Vi reference point

T1.a.1.3 Or-Vi supports software image management

T1.a.2 Or-Vi reference point

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)54

T1.a.3 Authorized administrators with legitimate access to the Or-Vi reference point

T1.a.4.1 Attackers may add or update the malicious image into image repository

T1.a.5 Remote attestation shall be performed for the software images

T1.b.1.1 Only signed and remotely attested interface shall access the image repository

T1.b.1.2 Once software image fails attestation, the event is logged, and a security alarm is raised to the Security Management system

T1.b.2.1 Security monitoring systems flag the threat agent (internal attackers) for further analysis

T1.c.2.1 Authenticity of the software images which are added or updated in the image repository shall be validated through Remote Attestation

T1.c.2.2 Integrity of the software images which are added or updated in the image repository shall be validated through Remote Attestation

b) Virtualised Resources Information Management

T2: Traffic analysis - Attackers may notice the query request and response, and notifications over the Or-Vi interface.R2: It shall be possible to prevent attackers from obtaining the communication information over the interface.



T2.a.1.3 Or-Vi supports virtualised resource information management notifications



T2.a.4.1 Attackers may fake notifications over the interface regarding consumable virtualised resources

T2.a.5 Security monitoring system and Security policy management shall be enabled for virtualised resource information management

T2.b.1.1 Virtualised resource information management shall be configured using security monitoring system

T2.b.1.2 If any fake notifications regarding resource information management is identified, the notification is logged, and a security alarm is raised to the Security monitoring system


T2.c.2.1 Communication information over the interface shall be prevented from attackers

T3: Traffic analysis - Based on the collected information through passive traffic analysis they may send fake notifications over the interface regarding consumable virtualised resources.R3 (a): It shall be possible to validate the authenticity of the virtualised resources information management notifications.R3 (b): It shall be possible to validate the integrity of the virtualised resources information management notifications.



T3.a.1.3 Or-Vi supports virtualised resource information management notifications


ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)55


T3.a.4.1Attackers may fake notifications over the interface regarding consumable virtualised resources



T3.b.1.2 If any fake notifications regarding resource information management is identified, the notification is logged, and a security alarm is raised to the Security monitoring system


T3.c.2.1 Authenticity of the virtualised resource management notifications shall be validated

T3.c.2.2 Integrity of the virtualised resource management notifications shall be validated

c) Virtualised Resources Capacity Management

T4: Masquerading subscriber notifications - Attackers may send masquerade notifications to the subscribers regarding the resource availability over the interface.R4 (a): It shall be possible to validate the authenticity of the virtualised resource capacity management related operations notifications.R4 (b): It shall be possible to validate the integrity of the virtualised resource capacity management related operations notifications.



T4.a.1.3 Or-Vi supports virtualised resource capacity management notifications



T4.a.4.1Attackers may send masquerade notifications to the subscribers regarding the resource availability over the interface

T4.a.5 Security monitoring system and Security policy management shall be enabled for virtualised resource capacity management

T4.b.1.1 Virtualised resource capacity management shall be configured using security monitoring system

T4.b.1.2 If any masquerade notifications regarding resource capacity management is identified, the notification is logged, and a security alarm is raised to the Security monitoring system


T4.c.2.1 Authenticity of the virtualised resource capacity management related operations notifications shall be validated

T4.c.2.2 Integrity of the virtualised resource capacity management related operations notifications shall be validated

d) Virtualised Resources Management

T5: Denial of service attack by masquerading resource management request - Attackers may forge the request message on this interface for scaling up/down, scaling out/in, and migration operations to turn down the network functions and services which may result in denial of service attacks.R5 (a): It shall be possible to validate the authenticity of the scaling and migration operations request.R5 (b): It shall be possible to validate the integrity of the scaling and migration operations request.

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)56



T5.a.1.3 Or-Vi supports virtualised resource management request



T5.a.4.1 Attackers may forge the request message for scaling up/down, scaling out/in, and migration operations

T5.a.5 Security monitoring system and Security policy management shall be enabled for virtualised resource management

T5.b.1.1 Virtualised resource management shall be configured using security monitoring system

T5.b.1.2 If any malicious request regarding of the scaling and migration operations is identified, the request is logged, and a security alarm is raised to the Security monitoring system


T5.c.2.1 Authenticity of the scaling and migration operations request shall be validated

T5.c.2.2 Integrity of the scaling and migration operations request shall be validated

e) Virtualised Resources Change Notification

T6: Denial of service attack by masquerading resources change notifications - Fake consumable virtualised resources change notifications may disrupt the network services.R6 (a): It shall be possible to validate the authenticity of the virtualised resources change notifications.R6 (b): It shall be possible to validate the integrity of the virtualised resources change notifications.



T6.a.1.3 Or-Vi supports virtualised resources change notifications



T6.a.4.1 Attackers may manipulate the virtualised resources change notifications

T6.a.5 Security monitoring system and Security policy management shall be enabled for virtualised resources change notifications

T6.b.1.1 Virtualised resources management shall be configured using security monitoring system

T6.b.1.2 If any fake notifications regarding virtualised resources change is identified, the notification is logged, and a security alarm is raised to the Security monitoring system


T6.c.2.1 Authenticity of the virtualised resources change notifications shall be validated

T6.c.2.2 Integrity of the virtualised resources change notifications shall be validated

f) Virtualised Resources Performance Management

T7: Manipulation of notifications - Attackers may disable the reporting of performance measurements or change the threshold conditions maliciously, which results in performance degrade or service interruptions.

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)57

R7 (a): It shall be possible to validate the authenticity of the virtualised resources performance management request.R7 (b): It shall be possible to validate the integrity of the virtualised resources performance management request.



T7.a.1.3 Or-Vi supports virtualised resource performance management notifications



T7.a.4.1 Attackers may disable the reporting of performance measurements or change the threshold conditions maliciously

T7.a.5 Security monitoring system and Security policy management shall be enabled for virtualised resource performance management

T7.b.1.1 Virtualised resource performance management shall be configured using security monitoring system

T7.b.1.2 If any malicious notifications regarding virtualised resource performance management is identified, the notification is logged, and a security alarm is raised to the Security monitoring system

T7.b.2.1 Security monitoring systems flag the threat agent (internal Attackers) for further analysis

T7.c.2.1 Authenticity of the virtualised resource performance management request shall be validated

T7.c.2.2 Integrity of the virtualised resource performance management request shall be validated

g) Virtualised Resources Fault Management

T8: Manipulation of notifications - Attackers may disable the reporting of fault notifications and alarms or change the threshold conditions maliciously, which results in service interruptions and permanent failure of the systems.R8 (a): It shall be possible to validate the authenticity of the virtualised resource fault management notifications. R8 (b): It shall be possible to validate the integrity of the virtualised resource fault management notifications.



T8.a.1.3 Or-Vi supports virtualised resource fault management notifications



T8.a.4.1 Attackers may disable the reporting of fault notifications and alarms or change the threshold conditions maliciously

T8.a.5 Security monitoring system and Security policy management shall be enabled for virtualised resource fault management

T8.b.1.1 Virtualised resource fault management shall be configured using security monitoring system

T8.b.1.2 If any malicious notifications regarding virtualised resource fault management is identified, the notification is logged, and a security alarm is raised to the Security monitoring system


T8.c.2.1 Authenticity of the virtualised resource fault management notifications shall be validated

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)58

T8.c.2.2 Integrity of the virtualised resource fault management notifications shall be validated

h) Network Forwarding Path Management

T9: Denial of service by masquerading network forwarding path management request - Attackers may execute Network Forwarding Path LCM operations to perform DoS attacks on the interface.R9 (a): It shall be possible to validate the authenticity of the network forwarding path management request.R9 (b): It shall be possible to validate the integrity of the network forwarding path management request.



T9.a.1.3 Or-Vi supports Network forward path management notifications



T9.a.4.1 Attackers may execute Network Forwarding Path LCM operations to perform DoS attacks

T9.a.5 Security monitoring system and Security policy management shall be enabled for Network forward path management

T9.b.1.1 Network forward path management shall be configured using security monitoring system

T9.b.1.2 If any malicious notifications regarding Network forward path management are identified, the notification is logged, and a security alarm is raised to the Security monitoring system


T9.c.2.1 Authenticity of the Network forward path management shall be validated

T9.c.2.2 Integrity of the Network forward path management shall be validated

7.2 NFV Vi-Vnfm reference point

7.2.1 OverviewThe reference point Vi-Vnfm is used to exchange information elements between Virtualised Infrastructure Manager (VIM) and VNF Manager (VNFM). Vi-Vnfm reference point also supports the VNF lifecycle management operations. The Vi-Vnfm reference point between VIM and VNFM supports the following six interfaces as defined in ETSI GS NFV-IFA 006 [2], all these interfaces are produced by VIM and consumed by VNFM:

a) VNF software image management interface: It supports to query the information regarding software images stored in the image repository.

b) Virtualised resources information management interface:

i) It supports to query the information related to consumable virtualised compute, network, and storage resources.

ii) It supports to perform the operations such as subscribe and notify resources information changes operation, and query resources information operation.

c) Virtualised resources management interface:

i) It supports to perform the operations such as allocate, create, update, query, and terminate operations on virtualised compute, network, and storage resources.

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)59

ii) It also supports to perform the operations such as scale and migrate operations on virtualised compute and storage resources.

d) Virtualised resources change notifications interface: It supports to subscribe and notify virtualised compute, network, and storage resources change and changes on reservation of virtualised compute, network, and storage resources.

e) Virtualised resources performance management interface: It supports to perform the performance management related operations such as measurement and threshold create, delete, query, subscribe, and notify operations.

f) Virtualised resources fault management interface: It supports to perform the fault management related operations such as subscribe and notify alarms resulting from the faults related to virtualised resources, and get the alarms list operation.

7.2.2 Threat analysis for Vi-Vnfm reference pointIn this clause, threat analysis for the defined interfaces in the Vi-Vnfm reference point is discussed. For all the threat scenarios, the assumption is that internal attackers are attached to the network and have the access to the Vi-Vnfm reference points.

a) VNF software image management

T1: Unauthorized access - API based attacks could be used to extract additional information from the image repository or perform DoS attacks.R1: It shall be possible to protect against the unauthorized access to the image repository.


T1.a.1.2 Internal attackers have access to Vi-Vnfm reference point

T1.a.1.3 Vi-Vnfm supports VNF software image management notifications

T1.a.2 Vi-Vnfm reference point

T1.a.3 Authorized administrators with legitimate access to the Vi-Vnfm reference point

T1.a.4.1 Attackers may perform API based attacks to extract additional information from the image repository

T1.a.5 Remote attestation shall be performed for the VNF image

T1.b.1.1 Only signed and remotely attested interface shall access the image repository

T1.b.1.2 Once VNF image fails attestation, the event is logged, and a security alarm is raised to the Security Management system


T1.c.2.1 VNF image shall be validated protected from unauthorised access

b) Virtualised resources information management

T2: Compromise of location information - For the consumable virtualised resource request, the attackers might respond with the resource location where the attackers have control.R2(a): It shall be possible to validate the authenticity of the consumable virtualised resource request notifications.R2(b): It shall be possible to validate the integrity of the consumable virtualised resource request notifications.



T2.a.1.3 Vi-Vnfm supports virtualised resource information management notifications

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)60



T2.a.4.1 Attackers may manipulate the virtualised resource information management notifications



T2.b.1.2 If any false notifications regarding resource information management are identified, the notification is logged, and a security alarm is raised to the Security monitoring system




T3: Denial of Service by masquerading virtualised resources information management request - If the subscriber information details and the virtualised resource information management notifications request known to the attackers, then false notifications may be sent by the attackers that may disrupt the running network services.R3 (a): It shall be possible to prevent attackers from obtaining the subscriber information details. R3 (b): It shall be possible to validate the authenticity of the virtualised resource information management notifications. R3(c): It shall be possible to validate the integrity of the virtualised resource information management notifications.



T3.a.1.3 Vi-Vnfm supports virtualised resource information management notifications



T3.a.4.1 Attackers may manipulate the virtualised resource information management notifications



T3.b.1.2 If any false notifications regarding resource information management are identified, the notification is logged, and a security alarm is raised to the Security monitoring system




T3.c.2.3 Subscriber information details shall be protected from unauthorised users.

c) Virtualised resources management

T4: Denial of service by masquerading virtualised resource management request - Fake virtualised resource management notifications such as query, add or delete may disturb the resource management

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)61

operations.R4 (a): It shall be possible to validate the authenticity of the virtualised resource management notifications.R4 (b): It shall be possible to validate the integrity of the virtualised resource management notifications.



T4.a.1.3 Vi-Vnfm supports virtualised resource management notifications



T4.a.4.1 Attackers may manipulate the virtualised resource management notifications

T4.a.5 Security monitoring system and Security policy management shall be enabled for virtualised resource management

T4.b.1.1 Virtualised resource management shall be configured using security monitoring system

T4.b.1.2 If any fake notifications regarding virtualised resource management is identified, the notification is logged, and a security alarm is raised to the Security monitoring system




d) Virtualised resources change notifications

T5: Denial of service by masquerading virtualised resource change notifications - Fake consumable virtualised resources change notifications may disrupt the network services.R5 (a): It shall be possible to validate the authenticity of the consumable virtualised resources change notifications. R5 (b): It shall be possible to validate the integrity of the consumable virtualised resources change notifications.R5(c): It shall be possible to protect the consumable virtualised resources change notifications from anti-replay attacks.R5 (d): It shall be possible to provide non-repudiation services for consumable virtualised resources change notifications.



T5.a.1.3 Vi-Vnfm supports virtualised resources change notifications



T6.a.4.1 Attackers may manipulate the virtualised resources change notifications

T5.a.5 Security monitoring system and Security policy management shall be enabled for virtualised resources change notifications

T5.b.1.1 Virtualised resources management shall be configured using security monitoring system

T5.b.1.2 If any fake notifications regarding virtualised resources change is identified, the notification is logged, and a security alarm is raised to the Security monitoring system


ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)62

T6.c.2.1 Authenticity of the virtualised resources change notifications shall be validated

T6.c.2.2 Integrity of the virtualised resources change notifications shall be validated

T6.c.2.Virtualised resources change notifications shall be protected from anti-replay attacks

T6.c.2.4 Non-repudiation services shall be provided for virtualised resources change notifications

e) Virtualised resources performance management

T6: Denial of service by masquerading virtualised resources performance management request - Fake virtualised resource performance management report/notifications may disrupt the network service.R6(a): It shall be possible to validate the authenticity of the virtualised resources performance management related information notifications/alarms. R6 (b): It shall be possible to validate the integrity of the virtualised resources performance management related information notifications/alarms.R6(c): It shall be possible to provide non-repudiation services for virtualised resources performance management related information notifications/alarms.



T6.a.1.3 Vi-Vnfm supports virtualised resource performance management notifications



T6.a.4.1 Attackers may manipulate the virtualised resource performance management notifications

T6.a.5 Security monitoring system and Security policy management shall be enabled for virtualised resource performance management

T6.b.1.1 Virtualised resource performance management shall be configured using security monitoring system

T6.b.1.2 If any fake notifications regarding virtualised resource performance management is identified, the notification is logged, and a security alarm is raised to the Security monitoring system


T6.c.2.1 Authenticity of the virtualised resource performance management notifications shall be validated

T6.c.2.2 Integrity of the virtualised resource performance management notifications shall be validated

T6.c.2.3 Non-repudiation services shall be provided for virtualised resource performance management notifications

f) Virtualised resources fault management

T7: Denial of service by masquerading virtualised resource fault management request - Fake virtualised resource fault management notifications/alarms may disrupt the network service.R7 (a): It shall be possible to validate the authenticity of the virtualised resource fault management notifications and prevent from disrupting the running network services. R7 (b): It shall be possible to validate the integrity of the virtualised resource fault management notifications and prevent from disrupting the running network services.R7(c): It shall be possible to provide non-repudiation services for virtualised resource fault management notifications.



ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)63

T7.a.1.3 Vi-Vnfm supports virtualised resource fault management notifications



T7.a.4.1 Attackers may manipulate the virtualised resource fault management notifications

T7.a.5 Security monitoring system and Security policy management shall be enabled for virtualised resource fault management

T7.b.1.1 Virtualised resource fault management shall be configured using security monitoring system

T7.b.1.2 If any fake notifications regarding virtualised resource fault management is identified, the notification is logged, and a security alarm is raised to the Security monitoring system


T7.c.2.1 Authenticity of the virtualised resource fault management notifications shall be validated

T7.c.2.2 Integrity of the virtualised resource fault management notifications shall be validated

T7.c.2.3 Non-repudiation services shall be provided for virtualised resource fault management notifications

7.3 NFV Or-Vnfm reference point

7.3.1 OverviewThe reference point Or-Vnfm is used to exchange information elements between NFV Orchestrator (NFVO) and VNF Manager (VNFM) via various interfaces. Vi-Vnfm reference point also supports the VNF lifecycle management operations. The Or-Vnfm reference point between NFV Orchestrator and VNFM supports the following interfaces as defined in ETSI GS NFV-IFA 007 [3].

a) VNF Package Management: The capabilities discussed below are applicable to the VNF package management interface produced by the NFVO on the Or-Vnfm reference point:

i) It supports querying VNF package information.

ii) It supports providing notifications for both results of changes on VNF package information.

iii) It supports providing notifications about the on-boarding of VNF packages.

b) VNF Lifecycle Operation Granting: The capabilities discussed below are applicable to the VNF lifecycle operation granting interface produced by the NFVO on the Or-Vnfm reference point:

i) It supports by granting lifecycle operations.

ii) It supports by indicating the lifecycle event for which a granting is being requested.

iii) It enables the VNFM to indicate the virtualised resources impacted by the VNF lifecycle operation.

iv) It enables the VNFM obtaining information about the identification and configuration to access the VIM.

v) It enables the VNFM obtaining, if a reservation is applicable, resource reservation identification information applicable for consuming virtualised resources as part of the lifecycle operation.

vi) It enables the VNFM to provide information to identify the VNF instance and the intended lifecycle operation.

c) Virtualised Resources Management: The capabilities discussed below are applicable to the virtualised resources information management interface produced by the NFVO on the Or-Vnfm reference point. This interface consists of four sub interfaces such as:

Virtualised Resources Information Management interface capabilities:

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)64

i) It supports providing the indication information to enable the NFVO to invoke the virtualised resources information management operations towards the appropriate VIM.

Virtualised Resources Management interface capabilities:

i) It supports providing the indication information to enable the NFVO to invoke the virtualised resources management operations towards the appropriate VIM.

Virtualised Resources Reservation Management interface capabilities:

i) It supports providing the indication information to enable the NFVO to invoke the virtualised resources reservation management operations towards the appropriate VIM.

Virtualised Resources Change Notifications interface capabilities:

i) It supports providing the indication information to enable the NFVO to invoke the virtualised resources change notifications towards the appropriate VIM.

d) VNF Lifecycle Management: The capabilities discussed below are applicable to the VNF lifecycle management interface produced by the VNFM on the Or-Vnfm reference point:

i) It supports instantiating, terminating, scaling, querying information and requesting to change the state of a VNF instance.

ii) It supports querying the status of an ongoing VNF lifecycle management operation.

iii) It supports requesting VNF healing.

e) VNF Lifecycle Change Notification: The capabilities discussed below are applicable to the VNF lifecycle change notifications interface produced by the VNFM on the Or-Vnfm reference point:

i) It supports by notifying the NFVO about the changes of a VNF instance that are related to VNF lifecycle management operations.

ii) Notifications contain information about the type of the VNF lifecycle change such as add, delete and changes on virtualised resources associated to VNF components.

iii) Notifications also contain information about the virtual networks and connection points that are added/deleted as part of the VNF lifecycle operation.

vi) It support indicating the start, end and results of the lifecycle procedure including any error produced from the lifecycle procedure.

v) It support by notifying the result of VNF instantiation with indicating the VNF instance identifier.

f) VNF Performance Management: The capabilities discussed below are applicable to the VNF performance management interface produced by the VNFM on the Or-Vnfm reference point:

i) It supports the NFVO to control the collection and reporting of VNF performance information, resulting from virtualised resources performance information on the VNF(s) it manages.

ii) It notifies NFVO about the availability of VNF performance information.

iii) It supports the NFVO to create a PMjob specifying the VNF performance information that the NFVO requires from the VNFM.

vi) It supports the NFVO to delete and query one or more PM job(s).

v) It supports the NFVO to subscribe for the notifications related to VNF performance information with the VNFM.

vi) It supports the NFVO to manage the thresholds on specified VNF performance information and VNF(s).

g) VNF Fault Management: The capabilities discussed below are applicable to the VNF fault management interface produced by the VNFM on the Or-Vnfm reference point:

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)65

i) It supports by notifying the NFVO about the alarms on a VNF instance as a consequence of state changes in the virtualised resources used by the VNF.

ii) Notifications contain information necessary to identify the VNF and the VNFC(s), the origin of the virtualised resource change notifications(s), the type of alarm, and information about the cause of the alarm.

h) VNF Configuration Management: The requirement discussed below is applicable to the VNF configuration management interface produced by the VNFM on the Or-Vnfm reference point:

i) It supports by providing the configuration parameters for a VNF instance.

i) Virtualised Resources Quota Available Notification: The requirements discussed below are applicable to the Virtualised Resources Quota Available Notification interface produced by the NFVO on the Or-Vnfm reference point:

i) It supports requesting subscription to information on the availability of the virtualised resources quota(s).

ii) It supports providing notification on the availability of the virtualised resources quota(s).

j) VNF indicator: The requirements discussed below are applicable to the VNF indicator interface produced by the VNFM on the Or-Vnfm reference point:

i) It supports requesting subscription to information on on value changes of VNF related indicators.

ii) It supports providing notification on value changes of VNF related indicators.

7.3.2 Threat analysis for Or-Vnfm reference pointIn this clause, threat analysis for the defined interfaces in the Or-Vnfm reference point is discussed. For all the threat scenarios, the assumption is that internal attackers are attached to the network and have the access to the Or-Vnfm reference points.

1) VNF Package Management

T1: Manipulation by masquerading VNF package management request - VNF package management notifications such as result of changes on VNF package states and on-boarding VNF package could be manipulated by the attackers. It may impact the on-boarding functionality of VNF package management.R1 (a): It shall be possible to validate the authenticity of the VNF package management notifications.R1 (b): It shall be possible to validate the integrity of the VNF package management notifications.


T1.a.1.2 Internal attackers have access to Or-Vnfm reference point

T1.a.1.3 Or-Vnfm supports VNF package management notifications such as result of changes on VNF package states and on-boarding VNF package

T1.a.2 Or-Vnfm reference point

T1.a.3 Authorized administrators with legitimate access to the Or-Vnfm reference point

T1.a.4.1 Attackers may manipulate the notifications such as result of changes on VNF package states and on-boarding VNF package that may impact the on-boarding functionality of VNF package management

T1.a.5 Security monitoring system and Security policy management shall be enabled for VNF package management

T1.b.1.1 VNF package management shall be configured using security monitoring system

T1.b.1.2 If any manipulated notifications regarding VNF package management is identified, the notification is logged, and a security alarm is raised to the Security monitoring system


ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)66

T1.c.2.1 Authenticity of the VNF package management notifications shall be validated

T1.c.2.2 Integrity of the VNF package management notifications shall be validated

2) VNF Lifecycle Operation Granting

T2: Misuse of privileges - During VNF lifecycle operation, VNFM obtains the information from NFVO regarding the identification and configuration information to access the VIM. Attackers may fool the VNFM/NFVO and gain access to VIM without authorization by sending the manipulated request.R2: It shall be possible to protect against unauthorized modification of the VNF lifecycle operation granting interface notifications.



T2.a.1.3 Or-VNFM supports VNF lifecycle operation granting interface for reporting the identification and configuration information to access the VIM.



T2.a.4.1Attackers may fool the VNFM/NFVO and gain access to VIM without authorization by sending the manipulated request

T2.a.5 Security monitoring system and Security policy management shall be enabled for VNF lifecycle operation granting interface

T2.b.1.1 VNF lifecycle operation granting shall be configured using security monitoring system

T2.b.1.2 If any manipulated request regarding the identification and configuration information to access the VIM is identified, the request is logged, and a security alarm is raised to the Security monitoring system


T2.c.2.1 VNF lifecycle operation granting interface notifications shall be protected from unauthorised access

T3: Manipulation of the identity - If the identity information of the VNF instance transmitted over the interface is known to the attackers, they may send false notifications to interrupt VNF lifecycle operations.R3 (a): It shall be possible to introduce anonymity over the network communication during VNFM information provisioning to identify the VNF instances which intend for VNF lifecycle operations. So the VNF instant information may remain anonymous from the attackers.R3 (b): It shall be possible to validate the authenticity of VNF lifecycle operation granting notifications.



T3.a.1.3 Or-Vnfm supports VNF lifecycle operation granting for reporting the identity information of VNF instance notifications



T3.a.4.1Attackers may send false notifications regarding identity information of VNF instance

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)67

T3.a.5 Security monitoring system and Security policy management shall be enabled for VNF lifecycle operation granting

T3.b.1.1 VNF lifecycle operation granting shall be configured using security monitoring system

T3.b.1.2If any false notifications regarding identity information of VNF instance is identified, the notification is logged, and a security alarm is raised to the Security monitoring system


T3.c.2.1 Anonymity shall be introduced over the network communication during VNFM information provisioning to identify the VNF instances which intend for VNF lifecycle operations

T3.c.2.2 Authenticity of VNF lifecycle operation granting notifications shall be validated

3) Virtualised Resources Management

T4: Denial of service attack by masquerading resource management request - Attackers may forge the request message on this interface for scaling up/down, scaling out/in, and migration operations to turn down the network functions and services which may result in denial of service attacks.R4(a): It shall be possible to validate the authenticity of the scaling and migration operations request.R4(b): It shall be possible to validate the integrity of the scaling and migration operations request.



T4.a.1.3 Or-Vnfm supports Virtualised Resource Management for reporting the scaling and migration operations request



T4.a.4.1 Attackers may forge the request message for scaling up/down, scaling out/in, and migration operations to turn down the network functions and services

T4.a.5 Security monitoring system shall be enabled for Virtualised Resource Management

T4.b.1.1 Virtualised Resource Management shall be configured using security monitoring system.

T4.b.1.2 If any scaling and migration operations request fails, the request is logged, and a security alarm is raised to the Security monitoring system


T4.c.2.1 Authenticity of the scaling and migration operations request shall be validated

T4.c.2.1 Integrity of the scaling and migration operations request shall be validated

4) VNF Lifecycle Management

T5: Denial of service by masquerading VNF lifecycle management request - False state of change of VNF instance notifications may disrupt the network services.R5 (a): It shall be possible to validate the authenticity for state of change of VNF instance notifications. R5 (b): It shall be possible to validate the integrity for state of change of VNF instance notifications.R5 (c): It shall be possible to provide non-repudiation services for state of change of VNF instance notifications.



ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)68

T5.a.1.3 Or-Vnfm supports VNF lifecycle management for reporting the state of change of VNF instance notifications



T5.a.4.1 Attackers may fake the state of change of VNF instance notifications

T5.a.5 Security monitoring system and Security policy management shall be enabled for VNF lifecycle management

T5.b.1.1 VNF lifecycle management shall be configured using security monitoring system

T5.b.1.2 If any state of change of VNF instance notifications fails, the notification is logged, and a security alarm is raised to the Security monitoring system


T5.c.2.1 Authenticity for the state of change of VNF instance notifications shall be validated

T5.c.2.1 Integrity for the state of change of VNF instance notifications shall be validated

T5.c.2.2 Non-repudiation services shall be provided for the state of change of VNF instance notifications

5) VNF Lifecycle Change Notification

T6: Manipulation of privileges - Fake VNF lifecycle change notifications by VNFM and NFVO subscribe using input filter for specifying the type of changes may lead to violation of the security policy due to filtering mechanism.R6: It shall be possible to deploy a dynamic security policy management to overcome security violations of the VNF Lifecycle change notifications interface.T6.a.1.1 Internal attackers are attached to the network


T6.a.1.3 Or-Vnfm supports VNF lifecycle management for reporting the VNF lifecycle change notifications



T6.a.4.1Attackers may fake the VNF lifecycle change notifications


T6.b.1.1 VNF lifecycle management shall be configured using security policy management.

T6.b.1.2 If any VNF lifecycle change notifications fails, the notification is logged, and a security alarm is raised to the Security monitoring system


T6.c.2.1 Deploy a dynamic security policy management to overcome security violations of the VNF Lifecycle change notifications

T7: Denial of service by masquerading VNF lifecycle change request - Fake VNF lifecycle change notifications such as add, update or delete resource may disrupt the network services.R7 (a): It shall be possible to validate the authenticity of the VNF lifecycle change notifications.R7 (b): It shall be possible to validate the integrity of the VNF lifecycle change notifications.

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)69



T7.a.1.3 Or-Vnfm supports VNF lifecycle management for reporting the VNF lifecycle change notifications



T7.a.4.1Attackers may fake the VNF lifecycle change notifications such as add, update or delete resource may disrupt the network services


T7.b.1.1 VNF lifecycle management shall be configured using security monitoring system

T7.b.1.2 If any VNF lifecycle change notifications fails, the notification is logged, and a security alarm is raised to the Security monitoring system


T7.c.2.1 Authenticity of the VNF lifecycle change notifications shall be validated

T7.c.2.2 Integrity of the VNF lifecycle change notifications shall be validated

6) VNF Performance Management

T8: Denial of service attack by masquerading VNF performance management request - Fake VNF performance management notifications may disrupt the network service.R8 (a): It shall be possible to validate the authenticity of the VNF performance management related information notifications and prevent from disrupting the running network services. R8 (b): It shall be possible to validate the integrity of the VNF performance management related information notifications and prevent from disrupting the running network servicesR8(c): It shall be possible to provide non-repudiation services VNF performance management notifications.T8.a.1.1 Internal attackers are attached to the network


T8.a.1.3 Or-Vnfm supports VNF performance management for reporting the VNF performance management notifications



T8.a.4.1 Attackers may fake the VNF performance management notifications

T8.a.5 Security monitoring system and Security policy management shall be enabled for VNF performance Management

T8.b.1.1 VNF performance management shall be configured using security monitoring system.

T8.b.1.2 If any VNF performance management notifications fails, the notification is logged, and a security alarm is raised to the Security monitoring system


T8.c.2.1 Authenticity of the VNF performance management notifications shall be validated

T8.c.2.2 Integrity of the VNF performance management notifications shall be validated

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)70

T8.c.2.3 Non-repudiation services shall be provided for VNF performance management notifications

T9: Manipulation of notifications - The attackers may disable the reporting of VNF performance measurements maliciously, which results in VNF performance degrade or service interruptions.R9 (a): It shall be possible to validate the authenticity of the VNF performance management notifications. R9 (b): It shall be possible to validate the integrity of the VNF performance management notifications.



T9.a.1.3 Or-Vnfm supports VNF performance management for reporting the VNF performance management request



T9.a.4.1 Attackers may fake the VNF performance management request

T9.a.5 Security monitoring system and Security policy management shall be enabled for performance management

T9.b.1.1 VNF performance management shall be configured using security monitoring system.

T9.b.1.2 If any VNF performance management request fails, the request is logged, and a security alarm is raised to the Security monitoring system


T9.c.2.1 Authenticity of the VNF performance management shall be validated

T9.c.2.2 Integrity of the VNF performance management shall be validated

7) VNF Fault Management

T10: Manipulation of notifications - The attackers may disable the reporting of VNF fault notifications and alarms or change the threshold conditions maliciously, which results in service interruptions and permanent failure of the systems.R10(a): It shall be possible to validate the authenticity of the VNF fault management notificationsR10 (b): It shall be possible to validate the integrity of the VNF fault management notifications



T10.a.1.3 Or-Vnfm supports VNF fault management for reporting the VNF fault notifications



T10.a.4.1Attackers may fake the VNF fault notifications

T10.a.5 Security monitoring system and Security policy management shall be enabled for VNF Fault management

T10.b.1.1 VNF fault management shall be configured using security monitoring system.

T10.b.1.2 If any VNF fault Incorporating Orange comments OTD comments notifications fails, the notification is logged, and a security alarm is raised to the Security monitoring system

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)71


T10.c.2.1 Authenticity of the VNF fault notifications shall be validated

T10.c.2.2 Integrity of the VNF fault notifications shall be validated

T11: Denial of service by masquerading VNF fault management request - Fake VNF fault management notifications/alarms may disrupt the network service.R11 (a): It shall be possible to validate the authenticity of the VNF fault management notifications and prevent from disrupting the running network services. It shall be possible to provide non-repudiation services.R11 (b): It shall be possible to validate the integrity of the VNF fault management notifications and prevent from disrupting the running network services.R11(c): It shall be possible to provide non-repudiation services.



T11.a.1.3 Or-Vnfm supports VNF fault management for reporting the VNF fault management alarm



T11.a.4.1 Attackers may fake the VNF fault management alarms

T11.a.5 Security monitoring system and Security policy management shall be enabled for VNF Fault management

T11.b.1.1 VNF fault management shall be configured using security monitoring system

T11.b.1.2 If any VNF fault management request fails, the request is logged, and a security alarm is raised to the Security monitoring system


T11.c.2.1 Authenticity of the VNF fault management shall be validated

T11.c.2.2 Integrity of the VNF fault management shall be validated

8) Virtualised Resources Quota Available Notification

T12: Manipulation of privileges - Fake Virtualised Resources Quota Available notifications by NFVO and VNFM subscribe using input filter for specifying the type of changes can lead to violation of the security policy due to filtering mechanism.R12: It shall be possible to deploy a dynamic security policy management to overcome security violations of the Virtualised Resources Quota Available notification interface.

T13: Denial of service by masquerading Virtualised Resources Quota Available request - Fake Virtualised Resources Quota Available notifications can disrupt the network services management.R13: It shall be possible to validate the authenticity of the Virtualised Resources Quota Available. R13: It shall be possible to validate the integrity of the Virtualised Resources Quota Available.

9) VNF Indicator

T14: Manipulation of privileges - Fake VNF Indicator notifications by VNFM and NFVO subscribe using input filter for specifying the type of changes can lead to violation of the security policy due to filtering mechanism.R14: It shall be possible to deploy a dynamic security policy management to overcome security violations of the VNF Indicator interface.

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)72

T15: Denial of service by masquerading VNF Indicator - Fake VNF Indicator notifications can disrupt the network services management.R15 (a): It shall be possible to validate the authenticity of the Virtualised Resources Quota Available. R15 (b): It shall be possible to validate the integrity of the Virtualised Resources Quota Available.

8 Summary of Security RequirementsThe present document addresses the security requirement specifications and threat analysis for MANO components (NFVO, VNFM, and VIM) and MANO reference point’s Or-Vnfm, Or-Vi, Vi-Vnfm. The security analysis addressed in the present document shows that there are various threats that pose significant risks for the MANO components and reference points. Future large scale threats and malicious activities like malware and DDoS attack will cause a further rise of the risk level. NFV system will provide the ability for communications service providers to significantly transform their networks over the next few years and beyond, so as security requirements and threat analysis for each MANO component and reference points will play a vitally important role for securing the NFV-MANO and all the applications trusting on them. These inputs are limited, but it shall provide guidance on which entity and what kind of threat to focus on in order to reduce the overall risks of MANO components and interfaces most efficiently. This analysis is a continual process that should be reviewed regularly to ensure that security requirement and specification shall meet the required objective. NFV systems complying with the present document adequately address the security requirements in terms of authenticity, integrity, confidentiality, privacy, etc. The security and threat analysis should be an integral part of an overall lifecycle of NFV system.

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)73

Annex B (informative):Authors & contributorsThe following people have contributed to this specification:

Rapporteur:Dr. Pradheepkumar Singaravelu, NEC Corporation

Other contributors:Mr. Prabhu T, NEC Europe Ltd

Dr. Sivabalan Arumugam, NEC Europe Ltd

Dr. Anand R. Prasad, NEC Corporation

Dr. Zarrar Yousaf, NEC Europe Ltd

Mr. Kapil Sood, Intel Corporation

Dr. Ashutosh Dutta, AT&T

Mr. Ihab Guirguis, Sprint

Mr. Esa Salahuddin, Cisco

Mr. Diego Lopez, Telefonica

Mr. Scott, Cadzow

Mr. Michael Bilca

Mr.Olivier Legrand

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)74

Annex C (informative):Change History

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)75

Date Version Information about changes

February 2016 0.0.1 Updating the scope and TOC for the SEC014 draft. Both scope and TOC was approved during NFVSEC#65 meeting

March 2016 0.0.2

Below mentioned contribution document accepted in NFVSEC#68 meeting:

NFVSEC(16)000017r3_General_Security_Threats_and_requirements in Section 5

NFVSEC(16)000018r3_Threat_Analysis_for_NFV_Or-Vi_reference point in Section 7.1

NFVSEC(16)000019r3_Threat Analysis_for_NFV_Vi-Vnfm_reference point in Section 7.2

NFVSEC(16)000020r3_Threat_Analysis_for_NFV_Or-Vnfm_reference_point in Section 7.3

Annex A updates

A.1 Risk analysis and assessment for general threats and requirements

A.2 Risk analysis and assessment for Or-Vi reference point

A.3 Risk analysis and assessment for Vi-Vnfm reference point

A.4 Risk analysis and assessment for Or-Vnfm reference point

April 2016 0.0.3


NFVSEC(16)000091,Threat Analysis for NFV Orchestrator in Section 6.1

NFVSEC(16)000092 Threat Analysis for VNF Manager(s) in Section 6.2

Annex A updates

A.5 Risk analysis and assessment for NFV orchestrator

A.6 Risk analysis and assessment for VNF Manger(s)

May 2016 0.0.4


NFVSEC(16)000093r1CoverPage_Threat Analysis for Virtualised Infrastructure Manager(s)_r1 in Section 6.3

NFVSEC(16)000119CoverPage_Additional text to section 6.3.2-Threat Analysis for Virtualised Infrastructure Manager(s)

Annex A updatesA.7 Risk analysis and assessment for Virtualised Infrastructure Manager

June 2016 0.0.5


NFVSEC(16)077003r1 Additional Text to Section 6.1Threat Analysis for NFV Orchestrator

NFVSEC(16)077004r1 Additional text to Section 6.2 Threat Analysis for VNF Manager(s)

July 2016 0.0.6


NFVSEC(16)000141 [SEC 014]Section 8 Summary of Security Requirements

NFVSEC(16)000142 [SEC 014] Section 1 MANO and Interfaces

August 2016 0.0.7 Updated the ETSI Comments

May 2017 0.0.8Changing Internal Interface to reference point (recommended by IFA WG). Some Editorial change recommended by SECWG and Incorporating Orange comments OTD comments

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)76

Date Version Information about changes

HistoryDocument history

V0.0.6 August 2016 Clean-up done by editHelp!E-mail: mailto:[email protected]

ETSI

ETSI GS NFV-SEC 014 V0.0.8 (2017-05)77

mailto:[email protected]

Documents

ETSI GS NFV-SEC 014 V0.0.6 - Directory Listing / · Web viewETSI GS NFV-SEC 014 V0.0.8 (2017-05) Network Functions Virtualisation (NFV); NFV Security; Security Specification for MANO