Draft ETSI GS NFV SEC 007 V0.0.3 (2015-07)
GROUP SPECIFICATION
Network Function Virtualisation (NFV);
Trust;
Report on Attestation Technologies and Practices for Secure Deployments

Disclaimer: This DRAFT is a working document of ETSI ISG NFV. It
is provided for information only and is still under development
within ETSI ISG NFV. DRAFTS may be updated, deleted, replaced, or
obsoleted by other documents at any time.
ETSI and its Members accept no liability for any further
use/implementation of the present DRAFT.
Do not use as reference material.
Do not cite this document other than as "work in progress".

ETSI NFV public DRAFTS are available in: http://docbox.etsi.org/ISG/NFV/Open/Drafts/
Report FEEDBACK via the NFV issue tracker: http://nfvwiki.etsi.org/index.php?title=NFV_Issue_Tracker
Approved and PUBLISHED deliverables shall be obtained via the ETSI Standards search page at:
http://www.etsi.org/standards-search

Reference
GS NFV SEC 007
Keywords
Trust, provenance, attestation, level of assurance, infrastructure

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16
Siret N° 348 623 562 00017 - NAF 742 C
Non-profit association registered at the
Sous-Préfecture de Grasse (06) N° 7803/88
Important notice
Individual copies of the present document can be downloaded from:
http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or
perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF).
In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive
within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.
© European Telecommunications Standards Institute yyyy.
All rights reserved.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
3GPP™ and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
Reproduction is only permitted for the purpose of standardization work undertaken within ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.
Contents
Intellectual Property Rights .......................................................... 5
Foreword ............................................................................. 5
Introduction ......................................................................... 5
1 Scope .............................................................................. 6
2 References ......................................................................... 6
2.1 Normative references ............................................................. 6
2.2 Informative references ........................................................... 6
3 Definitions, symbols and abbreviations ............................................. 6
3.1 Definitions ...................................................................... 6
3.2 Symbols .......................................................................... 6
3.3 Abbreviations .................................................................... 6
4 Attestation Procedures ............................................................. 7
5 Levels of Assurance ................................................................ 7
5.x LoA x ............................................................................ 7
6 Infrastructure Capabilities ........................................................ 7
6.x Capability x ..................................................................... 8
7 Operational Procedures ............................................................. 7
7.1 Recommendations .................................................................. 8
8 Analysis of Current Attestation Technologies ....................................... 8
Annex: Follow-on PoCs ................................................................ 9
History .............................................................................. 9
Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (http://ipr.etsi.org).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Group Specification (GS) has been produced by ETSI Industry Specification Group Network Functions
Virtualization (NFV).
Introduction
1 Scope
This report is intended to identify gaps in existing attestation technologies and practices, as applicable to NFV systems,
addressing:
* The identification and definition of levels of assurance
* The discussion of the assumed capabilities from the NFVI (TPM, TCG…)
* The description of operational procedures
* The definition of requirements for interoperability
* A gap analysis of current (established or newly proposed) attestation technologies
* Recommendations for follow-on PoCs to demonstrate feasibility of the attestation procedures
2 References
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
http://docbox.etsi.org/Reference.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
2.1 Normative references
2.2 Informative references
3 Definitions, symbols and abbreviations
3.1 Definitions
For the purposes of the present document, the following terms and definitions apply:
3.2 Symbols
For the purposes of the present document, the following symbols apply:
3.3 Abbreviations
For the purposes of the present document, the following abbreviations apply:
4 Attestation Procedures
Editor's Note: This section shall provide a quick recap of attestation procedures and establish the basic concepts to
be discussed in the document.
Both authentication (a process of ensuring that the computing platform can prove that it is what it claims to be) and
attestation (a process of proving that a computing platform is trustworthy and has not been breached) are necessary
steps to ensure secure computing in an NFV environment. Attestation procedures create assurances of a computing
platform's health, state, and ability to protect data in accordance with policy.
Key sources for attestation procedures are:
* NIST SP800-147B (for BIOS integrity and secure boot guidelines);
* NIST SP800-155 (for BIOS integrity measurements guidelines);
* TCG Attestation PTS Protocol: Binding to TNC IF-M
  (http://www.trustedcomputinggroup.org/resources/tcg_attestation_pts_protocol_binding_to_tnc_ifm)
  (currently under revision for TPM 2.0 support); and
* TCG TPM 2.0 Library (http://www.trustedcomputinggroup.org/resources/tpm_library_specification) for the
  definition of the DAA (Direct Anonymous Attestation) mechanism.
5 Levels of Assurance
Editor's Note: The attestation steps will be specific to the levels of assurance (LoAs) to be established, which, in
turn, depends on the nature of the particular network function, the service it supports, and the different
parties involved in its instantiation. This section will propose a set of such LoAs suitable for the NFV
framework.
Key sources for this will be:
* NIST SP 800-63 (for Level of Assurance definitions), the more general ITU-T X.1254 (for entity
  authentication assurance framework)
* TCG Virtualized Trusted Platform Architecture:
  http://www.trustedcomputinggroup.org/resources/virtualized_trusted_platform_architecture_specification
* And related results mostly from the identity federation arena.
Attestation of a computing platform's integrity (i.e., measurement and verification) leads to the ability to establish
information security assurance. Such security assurance directly translates into trust in a computing platform's
capability to protect its information and functional assets, and to attest to those protections.
5.x LoA x
6 Infrastructure Capabilities
Editor's Note: Different local and remote attestation procedures may apply depending on whether the elements in
the supporting infrastructure are trusted. The required infrastructure capabilities (TPM, secure boot, etc.)
will be analysed and mapped to the requirements of the different LoAs.
This section briefly lists some of the components which may be provided by the infrastructure and may provide
capabilities relevant to attestation. Note that there is no expectation that all of these components will be part of the
NFVI – they may be spread through various parts of the deployment architecture.
* TPM (Trusted Platform Module)
* Certificate Authority
* CPU or other on-board capabilities
* Remote attestation server
* Trusted time
* Secure logging server
Editor's Note: We need to define all the elements mentioned above, and end the section with a mapping of the
capabilities to the LoAs defined in section 5.
It is not expected that any single component will be able to provide appropriate levels of attestation, and the various
methods and techniques (including protocols) that can be used to combine their capabilities will be (and need to be)
different to suit the requirements of different LoAs.
6.1 Capability - Measured Boot
The ability to measure whether a particular piece of hardware has booted into a known, measured configuration.
6.2 Capability – Geolocation
The ability of a particular component to assert its location. Geolocation usually refers to geographic (physical) location,
but logical location may also be an important issue to consider.
6.3 Capability – Read-only file systems
The ability for a file system to be mounted read-only. This may be a temporary measure to allow measurement at a
particular point in the boot and attestation process, or a permanent measure to ensure that the integrity of certain data is
maintained.
6.3 Capability – Encrypted file systems
The ability for a file system to be encrypted before mounting. Typically, the keys to decrypt the file system are
provided to the boot process as part of the measured boot and/or attestation procedure, based on measures of trust in the
measured boot process.
6.3 Capability – Remote Attestation
The ability of a system to attest remotely a particular level of trust (within given contexts and constraints) of another
component. The two systems may already have an existing trust relationship, or this may need to be built up from first
principles. One approach is Intel® Trusted Execution Technology (TXT), which provides for attestation of a physical
platform and its operating system (including hypervisor), and makes use of a TPM and capabilities within the host
chipset to provide measurements and then communicate with a remote server.
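The following is an added worked example, not code from this specification, TCG or any TPM vendor. It models three of the capabilities just described in one toy: measured boot (a register extended over an ordered boot chain, as in clause 6.1), an encrypted file system whose key is released only under the expected measurement (clause 6.3), and a nonce-bound quote checked by a remote attestation server (clause 6.3), which also makes the clause 4 distinction between authentication (is this the platform it claims to be?) and attestation (is it in a trustworthy state?) visible as two separate checks. The `ToyTPM` class, the single 32-byte register standing in for a PCR bank, the use of HMAC with a pre-shared key in place of the TPM's attestation signing key, and all key and boot-chain values are constructed assumptions for illustration.

```python
"""Toy model of measured boot, PCR-bound key release and remote attestation.
Added example; not ETSI or TCG code. HMAC with a pre-shared key stands in for
the TPM attestation key signature (assumption), one 32-byte value for a PCR."""
import hashlib
import hmac
import os

DIGEST = hashlib.sha256
PCR_RESET = bytes(32)  # a PCR reads as all zeros after platform reset


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new = H(old || H(component)). Order matters, and the
    register can only be extended further, never rolled back."""
    return DIGEST(pcr + DIGEST(component).digest()).digest()


def measured_boot(chain) -> bytes:
    """Fold an ordered boot chain (firmware, loader, hypervisor, ...) into one PCR."""
    pcr = PCR_RESET
    for component in chain:
        pcr = pcr_extend(pcr, component)
    return pcr


class ToyTPM:
    """Holds keys that never leave the 'chip'; all other state is visible."""

    def __init__(self, attestation_key: bytes, storage_key: bytes):
        self._ak = attestation_key   # proves WHICH platform is speaking
        self._srk = storage_key      # wraps secrets sealed to a boot state
        self.pcr = PCR_RESET

    def extend(self, component: bytes) -> None:
        self.pcr = pcr_extend(self.pcr, component)

    def quote(self, nonce: bytes) -> dict:
        """Sign the current PCR together with the verifier's fresh nonce."""
        sig = hmac.new(self._ak, self.pcr + nonce, DIGEST).digest()
        return {"pcr": self.pcr, "nonce": nonce, "sig": sig}

    def _wrap_key(self, pcr: bytes) -> bytes:
        return hmac.new(self._srk, b"seal" + pcr, DIGEST).digest()

    def seal(self, secret: bytes, policy_pcr: bytes) -> dict:
        """Bind a 32-byte secret (e.g. a file-system key) to one PCR value."""
        k = self._wrap_key(policy_pcr)
        ct = bytes(a ^ b for a, b in zip(secret, k))
        return {"ct": ct, "tag": hmac.new(k, ct, DIGEST).digest()}

    def unseal(self, blob: dict) -> bytes:
        """Derive the wrap key from the CURRENT PCR: a different boot chain gives
        a different key, the tag check fails and nothing is released."""
        k = self._wrap_key(self.pcr)
        if not hmac.compare_digest(blob["tag"], hmac.new(k, blob["ct"], DIGEST).digest()):
            raise PermissionError("platform state does not match sealing policy")
        return bytes(a ^ b for a, b in zip(blob["ct"], k))


def verify_quote(quote: dict, attestation_key: bytes, nonce: bytes, golden_pcr: bytes) -> str:
    """Remote attestation server side: freshness, then authenticity, then state."""
    if quote["nonce"] != nonce:
        return "replayed"            # not an answer to this challenge
    expected = hmac.new(attestation_key, quote["pcr"] + quote["nonce"], DIGEST).digest()
    if not hmac.compare_digest(quote["sig"], expected):
        return "not-authenticated"   # authentication failed: unknown platform
    if quote["pcr"] != golden_pcr:
        return "untrusted-state"     # known platform, unexpected boot chain
    return "trusted"


# Constructed sample data: two boot chains, the second with a modified hypervisor.
GOOD_CHAIN = [b"firmware-1.2", b"bootloader-3.0", b"hypervisor-4.1"]
BAD_CHAIN = [b"firmware-1.2", b"bootloader-3.0", b"hypervisor-4.1-modified"]
AK = b"constructed-attestation-key"
SRK = b"constructed-storage-key"
GOLDEN_PCR = measured_boot(GOOD_CHAIN)   # verifier's known-good reference value


def boot_and_quote(chain, nonce: bytes):
    """Boot a ToyTPM over a chain and return (tpm, quote for nonce)."""
    tpm = ToyTPM(AK, SRK)
    for component in chain:
        tpm.extend(component)
    return tpm, tpm.quote(nonce)


def demo() -> dict:
    """Exercise all three checks and report the outcomes."""
    nonce = os.urandom(16)
    good_tpm, good_q = boot_and_quote(GOOD_CHAIN, nonce)
    bad_tpm, bad_q = boot_and_quote(BAD_CHAIN, nonce)
    fs_key = os.urandom(32)
    sealed = good_tpm.seal(fs_key, GOLDEN_PCR)
    try:
        bad_tpm.unseal(sealed)
        bad_unseal = "released"
    except PermissionError:
        bad_unseal = "refused"
    return {"good": verify_quote(good_q, AK, nonce, GOLDEN_PCR),
            "bad": verify_quote(bad_q, AK, nonce, GOLDEN_PCR),
            "replay": verify_quote(good_q, AK, os.urandom(16), GOLDEN_PCR),
            "good_unseal": good_tpm.unseal(sealed) == fs_key,
            "bad_unseal": bad_unseal}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12s} {result}")
```

Two design points carry over to real deployments: the verifier checks the nonce before the signature so a captured old quote cannot be replayed, and the sealed file-system key is bound cryptographically to the measurement rather than gated by an `if` comparison, so a platform that booted something else simply cannot derive it. A real TPM would use a bank of PCRs and an asymmetric attestation key certified by a Certificate Authority (one of the infrastructure components listed above), which is what lets the remote attestation server trust a platform it has never seen before.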
7 Operational Procedures
Editor's Note: Provide an analysis on where and when attestation procedures should be applied within VNF and
service lifecycle management, how attestation information can be exchanged through the orchestration
and management interfaces, and how provenance policies can be enforced according to the applicable
levels of assurance.
7.1 Recommendations
Editor's Note: Outline possible recommendations towards the IFA normative work items.
8 Analysis of Current Attestation Technologies
Editor's Note: A gap analysis of current, either established or newly proposed, attestation technologies and related
open-source software, such as OpenStack and the openattestation framework.
TCG developed these specifications for attestation of computing platforms:
* TCG Attestation PTS Protocol: Binding to TNC IF-M
  (http://www.trustedcomputinggroup.org/resources/tcg_attestation_pts_protocol_binding_to_tnc_ifm),
  currently under revision for TPM 2.0 support.
* TCG TPM 2.0 Library (http://www.trustedcomputinggroup.org/resources/tpm_library_specification) for the
  definition of the DAA (Direct Anonymous Attestation) mechanism.
Annex: Follow-on PoCs
Editor's Note: Recommendations for follow-on PoCs to demonstrate feasibility of such attestation procedures.
With the support of the TST WG, and time permitting, include a summary of their results.
History
Document history
V0.0.1   2014-12-16   Initial ToC and Skeleton
V0.0.2   2015-03-10   Editor notes on section contents and contribution on infrastructure
V0.0.3   2015-07-15   Initial contribution from TCG
                      First version available at the ETSI portal open area