Internet DRAFT - draft-rein-remote-attestation-nfv-use-cases

draft-rein-remote-attestation-nfv-use-cases







Network Working Group                                            A. Rein
Internet-Draft                                                    L. Xia
Intended status: Informational                                    Huawei
Expires: March 8, 2019                                September 04, 2018


                  The Remote Attestation NFV Use Cases
             draft-rein-remote-attestation-nfv-use-cases-01

Abstract

   This document proposes the use cases on an architectural level in
   terms of Remote Attestation for virtualized environments, especially
   in the context of Network Function Virtualization (NFV).

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 8, 2019.

Copyright Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.





Rein & Xia                Expires March 8, 2019                 [Page 1]

Internet-Draft      Remote Attestation NFV Use Cases      September 2018


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Stakeholders  . . . . . . . . . . . . . . . . . . . . . .   2
     1.2.  Major Issue . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   4
     2.1.  Key Words . . . . . . . . . . . . . . . . . . . . . . . .   4
     2.2.  Definition of Terms . . . . . . . . . . . . . . . . . . .   4
   3.  Remote Attestation Use Cases  . . . . . . . . . . . . . . . .   4
     3.1.  Decentralized Model Use Case  . . . . . . . . . . . . . .   5
     3.2.  Centralized Model (in a Single Trust Domain) Use Case . .   8
   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  10
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .  10
   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  10
   7.  Normative References  . . . . . . . . . . . . . . . . . . . .  11
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  11

1.  Introduction

1.1.  Stakeholders

   Stakeholders play a major role in NFV and there is a strict
   hierarchical separation between the stakeholders in terms of
   responsibility, accessibility and visibility within the the NFV
   architecture.  Although these issues are also relevant for other
   virtualized environments, for example in private or hybrid clouds,
   they are most apparent in NFV, especially in multi vendor
   deployments.

   The stakeholders in NFV are:

   o  Cloud Service Provider (CSP): The CSP provides the platform, i.e.
      the hardware and core services, acting as the Virtual Machine
      Manager (VMM) or hypervisor for the provisioning of Virtual
      Machines (VM).  With regard to this document, the CSP is not
      responsible for the provisioning itself.  The CSP only provides
      the platform w.r.t. to CSP NFV Infrastructure (CSP:NFVI) role.
      The actual provisioning of specific VMs is carried out by the CSP
      Management and Orchestration (CSP:MANO) role, whereas both roles
      may be represented by the same or different organizations.  This
      contribution, however, is not concerned with the internal
      operations and procedures of the CSP:MANO and therefore does
      address CSP:MANO neither as a role nor as a functional component.

   o  Cloud Service Customer (CSC): The CSC is the actual user of the
      VMM and requests the provisioning of specific VMs that eventually
      provide some service.  The CSC is also in full control in terms of




Rein & Xia                Expires March 8, 2019                 [Page 2]

Internet-Draft      Remote Attestation NFV Use Cases      September 2018


      which specific VM is actually launched and thus not constrained in
      this regard.

   o  Cloud Service User (CSU): The CSU is an external entity that uses
      the CSC's provided services.  The CSU only has access to public
      API's provided by the offered service and has neither any
      responsibilities nor obligations within the NFV internals.

1.2.  Major Issue

   The most significant issue related to remote attestation is that the
   stakeholders may be constrained with regards to the information
   available to them.  This means that in a strict model that involves a
   multi-vendor NFV deployment, access to certain information may only
   be available to one particular stakeholder.  For instance, the CSP
   may only have direct access to the collected platform information and
   not to the information of provisioned VMs.  Similarly, the CSC may be
   limited to the information collected on the provisioned VMs and does
   not have access to the information of the platform.  This issue can
   be resolved by generally allowing the access to the information to
   all interested entities, w.r.t. a relaxed model, or allowing the
   access based on the enforcement of access permission policies.

   More severe is the information necessary to carry out an appraisal of
   the measured information, that is the information about the expected
   configuration of the specific entity.

   In principle there are two concerns, either this appraisal
   information should not be made available to a different entity (a
   stakeholder from a different organization) or the other entity does
   not want to carry out the appraisal by itself for any system not
   under its control.  This means, even under the consideration that the
   collected information is shared between multiple stakeholders, the
   information necessary for carrying out the appraisal may not be
   available for different reasons.

   To simplify the terminology, this contribution distinguishes between
   Remote Attestation Information Providers (RAIP) and Remote
   Attestation Information Consumers (RAIC).  In particular:

   o  CSP is limited to acting only as a RAIP for all authorized
      entities

   o  CSC is limited to acting as a RAIP for all authorized entities and
      is a specific RAIC of CSP

   o  RATP is limited to acting as a RAIP for all authorized entities
      and is a specific RAIC of CSP and CSC



Rein & Xia                Expires March 8, 2019                 [Page 3]

Internet-Draft      Remote Attestation NFV Use Cases      September 2018


   Furthermore a new term, the Level of Assurance (LoA) is introduced.
   The LoA is defined as an hierarchical model that specifies the
   systems and components to be attested and whether an attestation is
   carried out on a local or remote basis.

   With regards to this document, the overall targeted LoA equivalent to
   the NFV defined LoA levels 4 and 5 that corresponds to the remote
   attestation of the VMMs and VMs including the appraisal of load and
   runtime of applications within the VM's scope.

2.  Terminology

2.1.  Key Words

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.2.  Definition of Terms

3.  Remote Attestation Use Cases

   With regard to the main issue mentioned above, there are two options:

   o  Decentralized Model: Each entity carries out the remote
      attestation only for the particular system under its control.
      This is referred to as the decentralized remote attestation model
      and involved multiple remote attestation servers.

   o  Centralized Model: A new entity, referred to as a Remote
      Attestation Trusted Party (RATP), is introduced that has access to
      all information necessary to carry out a remote attestation on its
      own.  This is referred to as the centralized remote attestation
      model.

   However, the goal of the remote attestation is to convince an
   internal or external entity that a specific service (a networking
   function) has been provided by a trusted VM that was executed on a
   trusted VMM.  For case (1.) this implies that the internal or
   external entity that want to know about the trustworthiness of a
   service must inherently trust the appraised results of both, the CSP
   and CSC.  For case (2.) this means that the internal or external
   entity must only trust in the decision made by the RATP.








Rein & Xia                Expires March 8, 2019                 [Page 4]

Internet-Draft      Remote Attestation NFV Use Cases      September 2018


3.1.  Decentralized Model Use Case

   In this case there are multiple independent remote attestation
   servers controlled and maintained by the CSP or CSC stakeholders.

   Assumptions:

   o  It is assumed that the model satisfies LoA of 4 and 5

   Pre-Conditions:

   o  Relevant collected evidence (RA measurement information) is
      available.  Access permissions policies are either defined or
      enforced, or information is available to all RAICs.

   o  Role-specific RA appraisal information is available to the RAIC,
      but limited to the systems and components directly managed by the
      corresponding stakeholder.

   Use case description:

   A deployed NFV system consists of multiple RAIPs and RAICs that are
   under the control of stakeholders from different organizations.  The
   RAIPs collect evidence on systems and offer this information, for the
   purpose of appraising them, to RAICs that are also under the control
   of stakeholders from the same organization.

   For example, any RAIP under the control of stakeholder S1 will only
   share its collected evidence with RAICs that are also under the
   control of stakeholder S1.

   In addition, the information necessary to carry out an appraisal of
   the collected evidences (i.e., the RA appraisal information) are
   limited; RAICs from stakeholder S1 only have access to appraisal
   information for RAIPs that are under the control of the same
   stakeholder, i.e. S1.  For this reason, a RAIC can only appraise
   collected evidence from a RAIP operated by the same stakeholder.

   For example, there is RAIP1 (i.e. a VMM) and RAIC1 both under the
   control of CSP.  RAIC1 receives the collected evidence from RAIP1,
   appraises it and makes a statement based on the appraised evidence
   (i.e.  AR1).

             VMM
           --------       --------     -----
   CSP:    |RAIP 1|  ---> |RAIC 1| --> |AR1|
           --------       --------     -----




Rein & Xia                Expires March 8, 2019                 [Page 5]

Internet-Draft      Remote Attestation NFV Use Cases      September 2018


   Similarly, there is RAIP2 (i.e. a VM instantiated on top of CSP's
   VMM) and RAIC2 both under the control of CSC.  RAIC2 receives the
   collected evidence from RAIP2, appraises it and makes a statement
   based on the appraised evidence (i.e.  AR2).

              VM
           --------       --------     -----
   CSC:    |RAIP 2|  ---> |RAIC 2| --> |AR2|
           --------       --------     -----

   Under the consideration of the requirements defined by LoA 4 and 5 a
   single RAIC does not have the capability to satisfy these
   requirements.  More specifically this means that at least CSP's and
   CSC's RAICs must work together to be compliant to LoA 4 and 5
   requirements.  As a result, RAICs may share appraisal results with
   other RAICs or other external entities.  This sharing may be
   constrained by access permission policies.  For instance an external
   entity may request AR1 from RAIC1 and AR2 from RAIC2 and derive AR12
   under the assumption it trusts the individual appraised results from
   either RAIC.

   --------       --------    -----
   |RAIP 1|  ---> |RAIC 1| -->|AR1|--|
   --------       --------    -----  |     -----------------     ------
                                     |---> |external entity|---->|AR12|
   --------       --------    -----  |     -----------------     ------
   |RAIP 2|  ---> |RAIC 2| -->|AR2|--|
   --------       --------    -----

   However, the appraisal result generated from any other system but a
   RAIC (e.g. derived by an arbitrary external entity) is not trusted by
   any other entity (e.g.  CSP, CSC or CSU).  This mean that in this
   case AR12 only has any semantic meaning for the system (i.e. external
   entity) who derived it.

   Alternatively, RAIC2 may use AR1 as an additional input to RAIP2's
   collected evidence input and derive AR12 accordingly.  This is also
   under the consideration that RAIC2 implicitly trusts the statement
   made by RAIC1.












Rein & Xia                Expires March 8, 2019                 [Page 6]

Internet-Draft      Remote Attestation NFV Use Cases      September 2018


             VMM
           --------       --------     -----
   CSP:    |RAIP 1|  ---> |RAIC 1| --> |AR1|
           --------       --------     -----
                                         |
                              ,----------'
                              |
              VM              v
           --------       --------     ------
   CSC:    |RAIP 2|  ---> |RAIC 2| --> |AR12|
           --------       --------     ------

   In this case, AR12 is derived from CSC's RAIC and therefore other
   systems do trust this statement because it came from an authorized
   entity within the system.

   See the summary table as below:

   +-------------+------------+-------------+-----------+------------+
   |             |    CSP     |    CSC      |    CSU    |   External |
   |             |            |             |           |   Entity   |
   +=============+============+=============+===========+============+
   | Provides    |  anyone    |   anyone    | -         | -          |
   | RA          | authorized | authorized  |           |            |
   | measurement |            |             |           |            |
   | information |            |             |           |            |
   |             |            |             |           |            |
   +-------------+------------+-------------+-----------+------------+
   | Has RA      | Only CSP   | Only CSC    | -         | -          |
   | appraisal   |            |             |           |            |
   | information |            |             |           |            |
   |             |            |             |           |            |
   +-------------+------------+-------------+-----------+------------+
   | Provides    |  anyone    |  anyone     | -         | -          |
   | RA          | authorized | authorized  |           |            |
   | appraisal   |            |             |           |            |
   | results     |            |             |           |            |
   |             |            |             |           |            |
   +-------------+------------+-------------+-----------+------------+
   | Has         | From CSP   | From CSC    | From CSC  | From CSC   |
   | access to   | and, if    | and, if     | or CSP    | or CSP     |
   | RA          | eligible,  | eligible,   | (if       | (if        |
   | Appraisal   | CSC        | CSP         | eligible) | eligible)  |
   | Results     |            |             |           |            |
   |             |            |             |           |            |
   +-------------+------------+-------------+-----------+------------+





Rein & Xia                Expires March 8, 2019                 [Page 7]

Internet-Draft      Remote Attestation NFV Use Cases      September 2018


3.2.  Centralized Model (in a Single Trust Domain) Use Case

   In this case there are multiple independent remote attestation
   servers controlled and maintained by the CSP or CSC stakeholders.

   Assumptions:

   o  It is assumed that the model satisfies LoA of 4 and 5

   Pre-Conditions:

   o  Relevant collected evidence (RA measurement information) is
      available to RATP without any restriction.

   o  Role-specific RA appraisal information is available to RATP
      without any restriction.

   Use case description:

   A deployed NFV system consists of multiple RAIPs and RAICs that are
   under the control of stakeholders from different organizations and,
   in addition one RATP that is implicitly trusted by the other entities
   in the system.  The RAIPs collect evidence on systems and offer this
   information, for the purpose of appraising them, to RAICs that are
   also under the control of stakeholders from the same organization or
   to RATP.

   For example, any RAIP under the control of stakeholder S1 will only
   share its collected evidence with RAICs that are also under the
   control of stakeholder S1 and RATP.

   In addition, the information necessary to carry out an appraisal of
   the collected evidences (i.e., the RA appraisal information) are
   limited; RAICs from stakeholder S1 only have access to appraisal
   information for RAIPs that are under the control of the same
   stakeholder, i.e. S1.

   In contrast to this, RATP has access to all appraisal information of
   any system under evaluation from all stakeholders, i.e. CSP and CSC.

   Similar to use-case 1, a RAIC can only appraise collected evidence
   from a RAIP operated by the same stakeholder, whereas RATP can
   appraise collected evidence from all stakeholders.

   For example, there is RAIP1 (i.e. a VMM) under the control of CSP and
   RATP.  RATP receives the collected evidence from RAIP1, appraises it
   and makes a statement based on the appraised evidence (i.e.  AR1).




Rein & Xia                Expires March 8, 2019                 [Page 8]

Internet-Draft      Remote Attestation NFV Use Cases      September 2018


             VMM
           --------       ------     -----
   CSP:    |RAIP 1|  ---> |RATP| --> |AR1|
           --------       ------     -----

   Similarly, there is RAIP2 (i.e. a VM instantiated on top of CSP's
   VMM) under the control of CSC and RATP.  RAIC2 receives the collected
   evidence from RAIP2, appraises it and makes a statement based on the
   appraised evidence (i.e.  AR2).

              VM
           --------       ------     -----
   CSC:    |RAIP 2|  ---> |RATP| --> |AR2|
           --------       ------     -----

   Under the consideration of the requirements defined by LoA 4 and 5,
   RATP satisfies these requirements under the assumption that it
   received the correlated collected evidences from both VMM and VM.
   RATP may share its appraisal results with any other entity, however,
   access permissions policies may constrain access to the information.
   For instance, considering access permissions allow it, an external
   entity may request AR12 from RATP.

   --------
   |RAIP 1|  -,
   --------   |   ------      ------    -----------------
               -> |RATP| ---> |AR12| -> |external entity|
   --------   |   ------      ------    -----------------
   |RAIP 2|  -'
   --------

   Important to note in this case is that the appraisal result provided
   by RATP is ultimately trusted by all participating systems from any
   stakeholder and all external entities the request this appraisal
   result.

   See the summary table as below:














Rein & Xia                Expires March 8, 2019                 [Page 9]

Internet-Draft      Remote Attestation NFV Use Cases      September 2018


+-------------+-----------+-----------+-----------+-----------+-----------+
|             |   CSP     |    CSC    |    CSU    |    RATP   | External  |
|             |           |           |           |           | System    |
+=============+===========+===========+===========+===========+===========+
| Provides    | To RATP   | To RATP   | -         | -         |           |
| RA          | or CSP    | or CSC    |           |           |           |
| measurement |           |           |           |           |           |
| information |           |           |           |           |           |
+-------------+-----------+-----------+-----------+-----------+-----------+
| Has RA      | Only CSP  | Only CSC  | -         | CSP and   |           |
| appraisal   |           |           |           | CSC       |           |
| information |           |           |           |           |           |
+-------------+-----------+-----------+-----------+-----------+-----------+
| Provides RA | -         | -         | -         | For CSP,  |           |
| appraisal   |           |           |           | CSC, CSU, |           |
| results     |           |           |           | External  |           |
|             |           |           |           | system    |           |
|             |           |           |           | (access   |           |
|             |           |           |           | restricti |           |
|             |           |           |           | ons       |           |
|             |           |           |           | may be    |           |
|             |           |           |           | defined)  |           |
+-------------+-----------+-----------+-----------+-----------+-----------+
| Has access  | From RATP | From RATP | From RATP | From RATP | From RATP |
| to RA       |           |           |           |           |           |
| Appraisal   | (if       | (if       | (if       | (if       | (if       |
| results     | eligible) | eligible) | eligible) | eligible) | eligible) |
|             |           |           |           |           |           |
|             |           |           |           |           |           |
+-------------+-----------+-----------+-----------+-----------+-----------+

4.  IANA Considerations

   This document makes no request of IANA.

   Note to RFC Editor: this section may be removed on publication as an
   RFC.

5.  Security Considerations

   To be added.

6.  Acknowledgements








Rein & Xia                Expires March 8, 2019                [Page 10]

Internet-Draft      Remote Attestation NFV Use Cases      September 2018


7.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

Authors' Addresses

   Andre Rein
   Huawei

   Email: Andre.Rein@huawei.com


   Liang Xia
   Huawei

   Email: frank.xialiang@huawei.com
































Rein & Xia                Expires March 8, 2019                [Page 11]