Footprints: Ensuring Trusted Service Function Chaining in the World of SDN and NFV

Network Function Virtualization (NFV) and Software Defined Networking (SDN) empower Service Function Chaining (SFC), which integrates an ordered list of Virtualized Network Functions (VNFs) together for implementing a particular service. However, the high-level SFC policy specification cannot guarantee that the VNFs are always chained in an expected manner (or the packet flows of the service are forwarded to the VNFs of concern in a predefined order). An attacker can manage to bypass or evade the security VNFs (e.g., firewall, virus scanner, DPI) and deviate the packets flows from the pre-specified path. It is thus a significant need to have an efficient self-checking mechanism in place, ensuring the SFC to be implemented in a secure and correct way. We develop such a scheme based on an improved crypto primitive, Lite identity-based ordered multisignature, which enforces all the VNFs in the same service chain to sequentially sign the packets received. Then the last hop of the chain will verify the aggregate signature, so as to validate the authenticity of the VNFs, as well as their orders in the chain. We leverage the IETF Network Service Header (NSH) to implement our scheme and run the experiments in a real-world environment to evaluate its performance in terms of computational overhead and latency.