
TR 33.848
Study on Security impacts of Virtualisation

V18.0.0, 2023/09, 55 pages
Alex Leadbeater, BT plc



0  Introduction   p. 8

Virtualisation is a fundamental building block of 5G. While it is not the only way of implementing a 5G network, it is nevertheless the primary implementation method being pursued, to some degree (great or small), by all operators and manufacturers. Furthermore, virtualisation is being applied to earlier 3GPP architectures (e.g. LTE), and partly virtualised networks containing a mixture of physical, containerised and virtualised network functions will be commonplace for most operators for the foreseeable future.

1  Scope   p. 9

The present document considers the consequences of virtualisation for 3GPP architectures, in order to identify threats and the security requirements that follow from them. The security of a 3GPP function relies on the underlying implementation technology and physical environment being secure. In legacy deployments, physical rack security and physical separation implicitly provide this underlying security. Many legacy physical security requirements are not formally documented in 3GPP standards and rely on proprietary domain knowledge held by operators and manufacturers. Legacy core network security models also assume that threats apply primarily at the edge of the function or network, where the network or physical network functions are exposed through external interfaces.
To provide equivalent security in virtualised deployments, the underlying infrastructure needs to provide minimum security capabilities, in a standardized form, which can be requested and/or consumed at the 3GPP layer. This is necessary because virtual functions need to co-exist in shared virtualisation environments, and the legacy physical security models do not address the new threat vectors introduced by virtualisation (the key issues in clause 5, such as hypervisor breakout and memory introspection, are examples of vectors that no physical rack boundary protects against).
While a number of the key issues identified in the present document may not fall fully within the scope of 3GPP to resolve, in order to implement 3GPP functions securely it is necessary for 3GPP to set requirements that may then be addressed outside 3GPP.
The present document identifies security requirements which need to be addressed outside of 3GPP in order for 3GPP to specify fully secure virtualised 3GPP functions. It identifies extensions to 3GPP security capabilities which are required to give the 3GPP layer direct, explicit security visibility of the underlying virtualised infrastructure platform, and extensions to 3GPP functions that make use of such capabilities.
The wider requirements captured within the present document are intended to allow external groups, such as ETSI or open-source groups, to develop any necessary capabilities and fill the identified standardization gaps.
Identifying requirements for the standardization of the overall security framework (e.g. top to bottom: 3GPP, NFVI, hardware, SDN), and the minimum security capabilities a virtualised implementation should use to meet Critical National Infrastructure (CNI) or other regulatory requirements, is outside the scope of the present document.
Since there is no single approach to virtualisation, the security threats and risks vary with the deployment use case and the virtualisation technology chosen. The present document considers both threats and risks that apply to specific implementations (e.g. Virtual Machine or Container based) and more generic threats and risks that apply in all use cases.

2  References   p. 9

3  Definitions of terms, symbols and abbreviations   p. 10

3.1  Terms   p. 10

3.2  Symbols   p. 11

3.3  Abbreviations   p. 11

4  Virtualisation Background, Concepts and Assumptions   p. 12

5  Key Issues   p. 15

5.1  Introduction   p. 15

5.2  Key Issue #1: Establishment of trust domains for Network Functions   p. 15

5.3  Key Issue #2: Confidentiality of sensitive data   p. 16

5.4  Key Issue #3: Availability of Network Functions   p. 16

5.5  Key Issue #4: Common Software Environment   p. 17

5.6  Key Issue #5: Data Location and Lifecycle   p. 18

5.7  Key Issue #6: Function Isolation   p. 18

5.8  Key Issue #7: Memory Introspection   p. 19

5.9  Key Issue #8: Test Isolation and Assurance   p. 20

5.10  Key Issue #9: Trust domain and Slice Isolation   p. 21

5.11  Key Issue #10: Single Administrator Domain   p. 22

5.12  Key Issue #11: Where are my Keys and Confidential Data   p. 22

5.13  Key Issue #12: Where the is my function   p. 23

5.14  Key Issue #13: Attestation at 3GPP Function level   p. 24

5.15  Key Issue #14: VNF Host Spanning   p. 24

5.16  Key Issue #15: Encrypted Data Processing   p. 25

5.17  Key Issue #16: Mixed Virtual and Legacy PNF Deployments   p. 26

5.18  Key Issue #17: Software Catalogue Image Exposure   p. 27

5.19  Key Issue #18: The Startup Paradox   p. 28

5.20  Key Issue #19: Time Manipulation   p. 28

5.21  Key Issue #20: 3rd Party Hosting Environments   p. 29

5.22  Key Issue #21: VM and Hypervisor Breakout   p. 29

5.23  Key Issue #22: MANO Single Point of Failures   p. 30

5.24  Key Issue #23: IP layer vs Application layer Security   p. 30

5.25  Key Issue #24: Data synchronicity through network   p. 31

5.26  Key Issue #25: Container Security   p. 31

5.27  Key Issue #26: Container breakout   p. 32

5.28  Key Issue #27: Secrets in NF container images   p. 33

5.29  Key Issue #28: Management APIs   p. 34

5.30  Key Issue #29: Image Snapshot and VNF Mobility   p. 35

6  Mitigations and Solutions   p. 36

6.1  Introduction   p. 36

6.2  Solution #1: Trust domains and separation   p. 36

6.3  Solution #2: Lock-down of infrastructure   p. 37

6.4  Solution #3: Administration of the virtualisation fabric   p. 38

6.5  Solution #4: Hardware Mediated Execution Enclave (HMEE)   p. 39

6.6  Solution #5: Solution Using Boot Time Attestation for NF Registration   p. 40

6.7  Solution #6: Solution Using Attestation for Key Issue 13   p. 47

6.8  Solution #7: Ticket-based access control for NFV   p. 49

6.9  Solution #8: Slice isolation in both service and resource layer   p. 51

7  Conclusions   p. 52

8  Recommendations   p. 53

A  Principles for administration of virtualisation infrastructure   p. 54

$  Change history   p. 55
