Footprints: Ensuring Trusted Service Function Chaining in the World of SDN and NFV

Montida Pattaranantakul; Qipeng Song; Yanmei Tian; Licheng Wang; Zonghua Zhang; Ahmed Meddahi

doi:10.1007/978-3-030-37231-6_16

Footprints: Ensuring Trusted Service Function Chaining in the World of SDN and NFV

Montida Pattaranantakul^*
, Qipeng Song
, Yanmei Tian
, Licheng Wang
, Zonghua Zhang
, Ahmed Meddahi

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

8 Citations (Scopus)

Abstract

Network Function Virtualization (NFV) and Software Defined Networking (SDN) empower Service Function Chaining (SFC), which integrates an ordered list of Virtualized Network Functions (VNFs) together for implementing a particular service. However, the high-level SFC policy specification cannot guarantee that the VNFs are always chained in an expected manner (or the packet flows of the service are forwarded to the VNFs of concern in a predefined order). An attacker can manage to bypass or evade the security VNFs (e.g., firewall, virus scanner, DPI) and deviate the packets flows from the pre-specified path. It is thus a significant need to have an efficient self-checking mechanism in place, ensuring the SFC to be implemented in a secure and correct way. We develop such a scheme based on an improved crypto primitive, Lite identity-based ordered multisignature, which enforces all the VNFs in the same service chain to sequentially sign the packets received. Then the last hop of the chain will verify the aggregate signature, so as to validate the authenticity of the VNFs, as well as their orders in the chain. We leverage the IETF Network Service Header (NSH) to implement our scheme and run the experiments in a real-world environment to evaluate its performance in terms of computational overhead and latency.

Original language	English
Title of host publication	Security and Privacy in Communication Networks - 15th EAI International Conference, SecureComm 2019, Proceedings
Editors	Songqing Chen, Kim-Kwang Raymond Choo, Xinwen Fu, Wenjing Lou, Aziz Mohaisen
Publisher	Springer
Pages	287-301
Number of pages	15
ISBN (Print)	9783030372309
DOIs	https://doi.org/10.1007/978-3-030-37231-6_16
Publication status	Published - 2019
Externally published	Yes
Event	15th International Conference on Security and Privacy in Communication Networks, SecureComm 2019 - Orlando , United States Duration: 23 Oct 2019 → 25 Oct 2019

Publication series

Name	Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST
Volume	305 LNICST
ISSN (Print)	1867-8211

Conference

Conference	15th International Conference on Security and Privacy in Communication Networks, SecureComm 2019
Country/Territory	United States
City	Orlando
Period	23/10/19 → 25/10/19

Keywords

Aggregate signature
NFV
Pairings
SDN
SFC

Access to Document

10.1007/978-3-030-37231-6_16

Cite this

Pattaranantakul, M., Song, Q., Tian, Y., Wang, L., Zhang, Z., & Meddahi, A. (2019). Footprints: Ensuring Trusted Service Function Chaining in the World of SDN and NFV. In S. Chen, K.-K. R. Choo, X. Fu, W. Lou, & A. Mohaisen (Eds.), Security and Privacy in Communication Networks - 15th EAI International Conference, SecureComm 2019, Proceedings (pp. 287-301). (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST; Vol. 305 LNICST). Springer. https://doi.org/10.1007/978-3-030-37231-6_16

Pattaranantakul, Montida ; Song, Qipeng ; Tian, Yanmei et al. / Footprints : Ensuring Trusted Service Function Chaining in the World of SDN and NFV. Security and Privacy in Communication Networks - 15th EAI International Conference, SecureComm 2019, Proceedings. editor / Songqing Chen ; Kim-Kwang Raymond Choo ; Xinwen Fu ; Wenjing Lou ; Aziz Mohaisen. Springer, 2019. pp. 287-301 (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST).

@inproceedings{1e6a30bda6c14ca1a7548f9aee93fc70,

title = "Footprints: Ensuring Trusted Service Function Chaining in the World of SDN and NFV",

abstract = "Network Function Virtualization (NFV) and Software Defined Networking (SDN) empower Service Function Chaining (SFC), which integrates an ordered list of Virtualized Network Functions (VNFs) together for implementing a particular service. However, the high-level SFC policy specification cannot guarantee that the VNFs are always chained in an expected manner (or the packet flows of the service are forwarded to the VNFs of concern in a predefined order). An attacker can manage to bypass or evade the security VNFs (e.g., firewall, virus scanner, DPI) and deviate the packets flows from the pre-specified path. It is thus a significant need to have an efficient self-checking mechanism in place, ensuring the SFC to be implemented in a secure and correct way. We develop such a scheme based on an improved crypto primitive, Lite identity-based ordered multisignature, which enforces all the VNFs in the same service chain to sequentially sign the packets received. Then the last hop of the chain will verify the aggregate signature, so as to validate the authenticity of the VNFs, as well as their orders in the chain. We leverage the IETF Network Service Header (NSH) to implement our scheme and run the experiments in a real-world environment to evaluate its performance in terms of computational overhead and latency.",

keywords = "Aggregate signature, NFV, Pairings, SDN, SFC",

author = "Montida Pattaranantakul and Qipeng Song and Yanmei Tian and Licheng Wang and Zonghua Zhang and Ahmed Meddahi",

note = "Publisher Copyright: {\textcopyright} ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2019.; 15th International Conference on Security and Privacy in Communication Networks, SecureComm 2019 ; Conference date: 23-10-2019 Through 25-10-2019",

year = "2019",

doi = "10.1007/978-3-030-37231-6\_16",

language = "English",

isbn = "9783030372309",

series = "Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST",

publisher = "Springer",

pages = "287--301",

editor = "Songqing Chen and Choo, \{Kim-Kwang Raymond\} and Xinwen Fu and Wenjing Lou and Aziz Mohaisen",

booktitle = "Security and Privacy in Communication Networks - 15th EAI International Conference, SecureComm 2019, Proceedings",

address = "Germany",

}

Pattaranantakul, M, Song, Q, Tian, Y, Wang, L, Zhang, Z & Meddahi, A 2019, Footprints: Ensuring Trusted Service Function Chaining in the World of SDN and NFV. in S Chen, K-KR Choo, X Fu, W Lou & A Mohaisen (eds), Security and Privacy in Communication Networks - 15th EAI International Conference, SecureComm 2019, Proceedings. Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST, vol. 305 LNICST, Springer, pp. 287-301, 15th International Conference on Security and Privacy in Communication Networks, SecureComm 2019, Orlando , United States, 23/10/19. https://doi.org/10.1007/978-3-030-37231-6_16

Footprints: Ensuring Trusted Service Function Chaining in the World of SDN and NFV. / Pattaranantakul, Montida; Song, Qipeng; Tian, Yanmei et al.
Security and Privacy in Communication Networks - 15th EAI International Conference, SecureComm 2019, Proceedings. ed. / Songqing Chen; Kim-Kwang Raymond Choo; Xinwen Fu; Wenjing Lou; Aziz Mohaisen. Springer, 2019. p. 287-301 (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST; Vol. 305 LNICST).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Footprints

T2 - 15th International Conference on Security and Privacy in Communication Networks, SecureComm 2019

AU - Pattaranantakul, Montida

AU - Song, Qipeng

AU - Tian, Yanmei

AU - Wang, Licheng

AU - Zhang, Zonghua

AU - Meddahi, Ahmed

N1 - Publisher Copyright: © ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2019.

PY - 2019

Y1 - 2019

N2 - Network Function Virtualization (NFV) and Software Defined Networking (SDN) empower Service Function Chaining (SFC), which integrates an ordered list of Virtualized Network Functions (VNFs) together for implementing a particular service. However, the high-level SFC policy specification cannot guarantee that the VNFs are always chained in an expected manner (or the packet flows of the service are forwarded to the VNFs of concern in a predefined order). An attacker can manage to bypass or evade the security VNFs (e.g., firewall, virus scanner, DPI) and deviate the packets flows from the pre-specified path. It is thus a significant need to have an efficient self-checking mechanism in place, ensuring the SFC to be implemented in a secure and correct way. We develop such a scheme based on an improved crypto primitive, Lite identity-based ordered multisignature, which enforces all the VNFs in the same service chain to sequentially sign the packets received. Then the last hop of the chain will verify the aggregate signature, so as to validate the authenticity of the VNFs, as well as their orders in the chain. We leverage the IETF Network Service Header (NSH) to implement our scheme and run the experiments in a real-world environment to evaluate its performance in terms of computational overhead and latency.

AB - Network Function Virtualization (NFV) and Software Defined Networking (SDN) empower Service Function Chaining (SFC), which integrates an ordered list of Virtualized Network Functions (VNFs) together for implementing a particular service. However, the high-level SFC policy specification cannot guarantee that the VNFs are always chained in an expected manner (or the packet flows of the service are forwarded to the VNFs of concern in a predefined order). An attacker can manage to bypass or evade the security VNFs (e.g., firewall, virus scanner, DPI) and deviate the packets flows from the pre-specified path. It is thus a significant need to have an efficient self-checking mechanism in place, ensuring the SFC to be implemented in a secure and correct way. We develop such a scheme based on an improved crypto primitive, Lite identity-based ordered multisignature, which enforces all the VNFs in the same service chain to sequentially sign the packets received. Then the last hop of the chain will verify the aggregate signature, so as to validate the authenticity of the VNFs, as well as their orders in the chain. We leverage the IETF Network Service Header (NSH) to implement our scheme and run the experiments in a real-world environment to evaluate its performance in terms of computational overhead and latency.

KW - Aggregate signature

KW - NFV

KW - Pairings

KW - SDN

KW - SFC

UR - https://www.scopus.com/pages/publications/85076882257

U2 - 10.1007/978-3-030-37231-6_16

DO - 10.1007/978-3-030-37231-6_16

M3 - Conference contribution

AN - SCOPUS:85076882257

SN - 9783030372309

T3 - Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST

SP - 287

EP - 301

BT - Security and Privacy in Communication Networks - 15th EAI International Conference, SecureComm 2019, Proceedings

A2 - Chen, Songqing

A2 - Choo, Kim-Kwang Raymond

A2 - Fu, Xinwen

A2 - Lou, Wenjing

A2 - Mohaisen, Aziz

PB - Springer

Y2 - 23 October 2019 through 25 October 2019

ER -

Pattaranantakul M, Song Q, Tian Y, Wang L, Zhang Z, Meddahi A. Footprints: Ensuring Trusted Service Function Chaining in the World of SDN and NFV. In Chen S, Choo KKR, Fu X, Lou W, Mohaisen A, editors, Security and Privacy in Communication Networks - 15th EAI International Conference, SecureComm 2019, Proceedings. Springer. 2019. p. 287-301. (Lecture Notes of the Institute for Computer Sciences, Social-Informatics and Telecommunications Engineering, LNICST). doi: 10.1007/978-3-030-37231-6_16

Footprints: Ensuring Trusted Service Function Chaining in the World of SDN and NFV

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this