Auto-configurable Security Mechanism for NFV

  • Kim, HyunJin (Department of Computer Engineering, Chungnam National University)
  • Park, PyungKoo (Network SW Research section, ETRI)
  • Ryou, Jaecheol (Department of Computer Engineering, Chungnam National University)
  • Received : 2017.10.09
  • Accepted : 2018.02.12
  • Published : 2018.02.28

Abstract

Recently, NFV has attracted attention as a next-generation network virtualization technology for hardware-independent and efficient utilization of resources. NFV is a technology that not only virtualizes computing, server, storage, and network resources based on cloud computing but also connects multi-tenant VNFs, which are software network functions. Using NFV therefore makes it possible to reduce the cost of constructing a physical network and to construct a logical network quickly. However, in NFV, when a new VNF is added to a running tenant, authentication between VNFs is not performed. Because of this problem, it is impossible to identify the presence of a Fake-VNF in the tenant. Such a problem can allow a malicious attacker to access one of the VNFs in the tenant as well as the other VNFs in the tenant, disabling the NFV environment. In this paper, we propose an Auto-configurable Security Mechanism in NFV that includes authentication between tenant-internal VNFs and an enforcement mechanism of security policy for traffic control between VNFs. This proposal not only authenticates the identity of a VNF when the VNF is registered, but also applies the security policy automatically to prevent malicious behavior in the tenant. Therefore, we can establish an independent communication channel for VNFs and guarantee a secure NFV environment.
