Abstract

Service Function Chaining (SFC) has recently received considerable attention from both industry and academia, owing to its potential for improving the flexibility with which Virtualized Network Functions (VNFs) are provisioned and composed to suit application-specific needs. From a security perspective, there is a gap between high-level SFC policy specification and its enforcement in the data plane: nothing guarantees that the deployed VNFs are always chained in the expected manner, or that the packet flows of a particular service chain are sequentially forwarded to the intended and legitimate VNFs in strict compliance with the specified SFC policy. This lack of assurance leaves the door open for attackers to manipulate the service chain maliciously, by evading security functions such as firewalls or Deep Packet Inspection (DPI), or by diverting packet flows from their original service function path, ultimately violating the SFC policy. It is therefore important to have an efficient self-checking mechanism in place that ensures the SFC is implemented in a secure and dependable way. This paper presents a new security primitive, a Lite Identity-based Ordered Multisignature scheme (ChainSign for short), which requires every intended VNF in a particular service chain to sequentially sign the packet it receives. The last hop of the chain then verifies the signature, validating that all VNFs worked as expected and have not been compromised, while satisfying the security properties of concern (i.e., consistency of VNF chaining, and the authenticity and sequence of the VNFs in a service chain). In addition to the implementation, we leverage the IETF Network Service Header (NSH) to carry the signature generated by our proposed scheme. Experiments show that ChainSign preserves all identified security properties with minimal overhead.
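As an added illustration (not the paper's ChainSign construction, whose identity-based scheme is not given on this page), the following Python simulates the chained signing and last-hop check the abstract describes; per-VNF HMAC keys held by the verifier stand in for identity-based signatures, and the VNF names, keys and packet are constructed.

```python
import hashlib
import hmac

# Constructed sample: the SFC policy is an ordered list of VNF identities.
# Assumption: the last hop holds a verification key per VNF (provisioned out
# of band); HMAC replaces the paper's identity-based signatures for brevity.
POLICY = ["firewall", "dpi", "nat"]
KEYS = {vnf: hashlib.sha256(f"key-{vnf}".encode()).digest() for vnf in POLICY}
KEYS["rogue"] = hashlib.sha256(b"key-rogue").digest()   # VNF not in the policy
TAG_LEN = 32

def vnf_sign(vnf_id: str, index: int, packet: bytes, prev_tag: bytes) -> bytes:
    """One hop of the chain: the tag binds this VNF's identity, its position,
    the packet digest and the tag received from the previous hop, so the
    order of hops is part of what gets signed."""
    msg = prev_tag + hashlib.sha256(packet).digest() + vnf_id.encode() + bytes([index])
    return hmac.new(KEYS[vnf_id], msg, hashlib.sha256).digest()

def traverse(path: list, packet: bytes) -> bytes:
    """Forward the packet along `path`; the running tag is what the NSH
    metadata would carry from hop to hop. Assumes the signed part of the
    packet is not modified in transit."""
    tag = b"\x00" * TAG_LEN
    for i, vnf in enumerate(path):
        tag = vnf_sign(vnf, i, packet, tag)
    return tag

def last_hop_verify(packet: bytes, tag: bytes) -> bool:
    """Recompute the chain in policy order. A skipped, swapped or substituted
    VNF, or a packet altered after signing, yields a different tag."""
    return hmac.compare_digest(traverse(POLICY, packet), tag)

def demo() -> dict:
    """Exercise the compliant path and the deviations the abstract names."""
    pkt = b"constructed sample packet payload"
    compliant = traverse(POLICY, pkt)
    return {
        "compliant": last_hop_verify(pkt, compliant),
        "firewall_evaded": last_hop_verify(pkt, traverse(["dpi", "nat"], pkt)),
        "order_violated": last_hop_verify(pkt, traverse(["dpi", "firewall", "nat"], pkt)),
        "vnf_substituted": last_hop_verify(pkt, traverse(["rogue", "dpi", "nat"], pkt)),
        "packet_tampered": last_hop_verify(pkt + b"x", compliant),
    }
```

Only the compliant case verifies; every deviation is caught because the missing or misplaced VNF's key never enters the recomputed chain.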
