TECHNOLOGIES FOR SECURE BOOTSTRAPPING OF VIRTUAL NETWORK FUNCTIONS

US 20160337329A1
Filed: 05/11/2015
Published: 11/17/2016
Est. Priority Date: 05/11/2015
Status: Active Grant

First Claim

Patent Images

1. A virtual network function (VNF) bootstrap service (VBS) agent of a VNF instance for bootstrapping virtual network functions in a network functions virtualization (NFV) network architecture, the VBS agent comprising:

a VBS capture protocol execution module to (i) transmit a start message to a VBS of the NFV network architecture, wherein the VBS is communicatively coupled to the VBS agent, and wherein the start message provides an indication that the VBS agent is instantiated, (ii) receive a start response message from the VBS in response to transmission of the start message, (iii) transmit a registration request message to the VBS in response to receiving the start response message, wherein the registration request message includes a security quote usable to authenticate the VBS agent as the transmitter of the registration request message and a security credential request to request a security credential from the VBS, and (iv) receive a registration response message from the VBS, wherein the registration response message includes a security credential that indicates that the security quote and the security credential request have been validated by the VBS.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Technologies for bootstrapping virtual network functions in a network functions virtualization (NFV) network architecture include a virtual network function (VNF) bootstrap service (VBS) in secure network communication with a VBS agent of a VNF instance. The VBS agent is configured to execute a secure VNF bootstrap capture protocol in the NFV network architecture. Accordingly, the VBS agent can be configured to register with the VBS via secure communications transmitted between the VBS and the VBS agent. The secure communications include transmitting a security quote from a TEE of a platform on which the VNF instance is instantiated and a security credential request to the VBS, as well as receiving a security credential in response to validating the security quote and the security credential request. Other embodiments are described and claimed.

Citations

30 Claims

1. A virtual network function (VNF) bootstrap service (VBS) agent of a VNF instance for bootstrapping virtual network functions in a network functions virtualization (NFV) network architecture, the VBS agent comprising:
- a VBS capture protocol execution module to (i) transmit a start message to a VBS of the NFV network architecture, wherein the VBS is communicatively coupled to the VBS agent, and wherein the start message provides an indication that the VBS agent is instantiated, (ii) receive a start response message from the VBS in response to transmission of the start message, (iii) transmit a registration request message to the VBS in response to receiving the start response message, wherein the registration request message includes a security quote usable to authenticate the VBS agent as the transmitter of the registration request message and a security credential request to request a security credential from the VBS, and (iv) receive a registration response message from the VBS, wherein the registration response message includes a security credential that indicates that the security quote and the security credential request have been validated by the VBS.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The VBS agent of claim 1, wherein:
    - the start message includes a first nonce,the start response message is signed by the VBS using a private key of the VBS and includes the first nonce and a second nonce generated by the VBS,the security credential request is signed by the VNF instance using a private key of the VNF instance and includes the first nonce, the second nonce, and a public key of the VNF instance,the registration response message is signed by the VBS using the private key of the VBS and further includes the first nonce, the second nonce, an identifier of a VNF manager of the NFV network architecture responsible for managing the VBS agent, a set of VNF managers that are whitelisted, a set of VNF components (VNFCs) authorized by the VBS, a unique VNF instance identifier, and one or more policies, andthe one or more policies include instructions usable by the VBS agent to perform a particular function.
  - 3. The VBS agent of claim 1, wherein the VBS capture protocol execution module is further to retrieve the security quote signed by a trusted execution environment (TEE) using a private key of the TEE, wherein the TEE is located on a platform on which the VNF instance is instantiated.
  - 4. The VBS agent of claim 1, wherein the VBS capture protocol execution module is further to (i) receive an instantiation trigger from an NFV orchestrator of the NFV network architecture, and (ii) initialize the VBS agent in response to having received the instantiation trigger, wherein to transmit the start message comprises to transmit the start message in response to receiving the instantiation trigger.
  - 5. The VBS agent of claim 4, wherein to initialize the VBS agent comprises to (i) create a public/private key pair of the VNF instance, wherein the public/private key pair of the VNF instance includes a public key and a private key, and (ii) retrieve the security quote, from a trusted execution environment (TEE) of a platform on which the VNF instance was created, wherein the security quote is signed by the TEE using a private key of the TEE.
  - 6. The VBS agent of claim 5, wherein the VBS capture protocol execution module is further to (i) generate the security credential request and (ii) sign the security credential request using the private key of the VNF instance in response to having received the start response message from the VBS.
  - 7. The VBS agent of claim 1, wherein the VBS capture protocol execution module is further to activate the VNF instance to actively process network traffic received by the VNF instance in response to having received the security credential.
  - 8. The VBS agent of claim 7, wherein the VBS capture protocol execution module is further to transmit an indication to a VNF manager of the NFV network architecture that indicates to the VNF manager that (i) the VNF instance is active and (ii) the configuration of the VNF instance is to be managed by the VNF manager, wherein the indication includes a VNF instance identifier that is unique to the VNF instance and usable to add the VNF instance to a whitelist of authorized VNF instances at the VNF manager.
  - 9. The VBS agent of claim 1, wherein to receive the registration response message from the VBS further comprises to receive an identifier of a VNF manager of the NFV network architecture that is communicatively coupled to the VBS agent.
  - 10. The VBS agent of claim 9, wherein to receive the identifier of the VNF manager comprises to receive at least one of an internet protocol (IP) address, a domain name server (DNS), a fully qualified domain name (FQDN), a uniform resource locator (URL).
  - 11. The VBS agent of claim 9, wherein the VBS capture protocol execution module is further to connect to the VNF manager using the identifier of the VNF manager in response to receiving the identifier of the VNF manager.
  - 12. The VBS agent of claim 9, wherein the VBS capture protocol execution module is further to transmit VNF license information to the VNF manager in response to having received the identifier of the VNF manager, wherein the VNF license information includes information usable to track usage of a license associated with the VNF instance.

13. One or more computer-readable storage media comprising a plurality of instructions stored thereon that in response to being executed cause a virtual network function (VNF) bootstrap service (VBS) agent of a VNF instance of a network functions virtualization (NFV) network architecture for bootstrapping virtual network functions in the NFV network architecture to:
- transmit a start message to a VBS of the NFV network architecture communicatively coupled to the VBS agent, wherein the start message provides an indication that the VBS agent is instantiated;
  
  receive, in response to the start message, a start response message from the VBS;
  
  transmit a registration request message to the VBS in response to receiving the start response message, wherein the registration request message includes a security quote usable to authenticate the VBS agent as the transmitter of the registration request message and a security credential request to request a security credential from the VBS; and
  
  receive a registration response message from the VBS, wherein the registration response message includes a security credential that indicates each of the security quote and the security credential request have been validated by the VBS.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The one or more computer-readable storage media of claim 13, wherein:
    - transmit the start message comprises to transmit a first nonce,receive the start response message comprises to receive the start response message signed by the VBS using a private key of the VBS and includes the first nonce and a second nonce generated by the VBS,transmit the security credential request comprises to transmit the security credential request signed by the VNF instance using a private key of the VNF instance and includes the first nonce, the second nonce, and a public key of the VNF instance,receive the registration response message comprises to receive the registration response message signed by the VBS using the private key of the VBS and further includes the first nonce, the second nonce, an identifier of a VNF manager of the NFV network architecture responsible for managing the VBS agent, a set of VNF managers that are whitelisted, a set of VNF components (VNFCs) authorized by the VBS, a unique VNF instance identifier, and one or more policies, andthe one or more policies include instructions usable by the VBS agent to perform a particular function.
  - 15. The one or more computer-readable storage media of claim 13, further comprising a plurality of instructions that in response to being executed cause the VBS agent to:
    - receive an instantiation trigger from an NFV orchestrator of the NFV network architecture; and
      
      initialize the VBS agent in response to having received the instantiation trigger,wherein to transmit the start message comprises to transmit the start message in response to having received the instantiation trigger.
  - 16. The one or more computer-readable storage media of claim 15, wherein to initialize the VBS agent comprises to (i) create a public/private key pair, wherein the public/private key pair of the VNF instance includes a public key and a private key, and (ii) retrieve the security quote from a trusted execution environment (TEE) of a platform on which the VNF instance was created, wherein the security quote is signed by the TEE using a private key of the TEE.
  - 17. The one or more computer-readable storage media of claim 15, further comprising a plurality of instructions that in response to being executed cause the VBS agent to:
    - generate the security credential request; and
      
      sign the security credential request using a private key of the VNF instance in response to having received the start response message from the VBS.
  - 18. The one or more computer-readable storage media of claim 13, wherein to receive the registration response message from the VBS further comprises to receive an identifier of a VNF manager of the NFV network architecture that is communicatively coupled to the VBS agent.
  - 19. The one or more computer-readable storage media of claim 18, further comprising a plurality of instructions that in response to being executed cause the VBS agent to connect to the VNF manager using the identifier of the VNF manager in response to having received the identifier of the VNF manager.
  - 20. The one or more computer-readable storage media of claim 18, further comprising a plurality of instructions that in response to being executed cause the VBS agent to transmit VNF license information to the VNF manager in response to having received the identifier of the VNF manager, wherein the VNF license information includes information usable to track usage of a license associated with the VNF instance.

21. A method for bootstrapping virtual network functions in a network functions virtualization (NFV) network architecture, the method comprising:
- transmitting, by a VNF bootstrap service (VBS) agent of a VNF instance of the NFV network architecture, a start message to a VBS of the NFV network architecture communicatively coupled to the VBS agent, wherein the start message provides an indication that the VBS agent is instantiated;
  
  receiving, by the VBS agent and in response to the start message, a start response message from the VBS;
  
  transmitting, by the VBS agent, a registration request message to the VBS in response to receiving the start response message, wherein the registration request message includes a security quote usable to authenticate the VBS agent as the transmitter of the registration request message and a security credential request to request a security credential from the VBS; and
  
  receiving, by the VBS agent, a registration response message from the VBS,wherein the registration response message includes a security credential that indicates each of the security quote and the security credential request have been validated by the VBS.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The method of claim 21, wherein:
    - transmitting the start message comprises transmitting a first nonce,receiving the start response message comprises receiving the start response message signed by the VBS using a private key of the VBS and includes the first nonce and a second nonce generated by the VBS,transmitting the security credential request comprises transmitting the security credential request signed by the VNF instance using a private key of the VNF instance and includes the first nonce, the second nonce, and a public key of the VNF instance,receiving the registration response message comprises receiving the registration response message signed by the VBS using the private key of the VBS and further includes the first nonce, the second nonce, an identifier of a VNF manager of the NFV network architecture responsible for managing the VBS agent, a set of VNF managers that are whitelisted, a set of VNF components (VNFCs) authorized by the VBS, a unique VNF instance identifier, and one or more policies, andthe one or more policies include instructions usable by the VBS agent to perform a particular function.
  - 23. The method of claim 21, further comprising:
    - receiving, by the VBS agent, an instantiation trigger from an NFV orchestrator of the NFV network architecture; and
      
      initializing the VBS agent in response to receiving the instantiation trigger,wherein transmitting the start message comprises transmitting the start message in response to receiving the instantiation trigger.
  - 24. The method of claim 23, further comprising:
    - generating the security credential request; and
      
      signing the security credential request using a private key of the VNF instance in response to having received the start response message from the VBS.
  - 25. The method of claim 21, further comprising transmitting an indication to a VNF manager of the NFV network architecture that indicates to the VNF manager that (i) the VNF instance is active and (ii) the configuration of the VNF instance is to be managed by the VNF manager, wherein the indication includes a VNF instance identifier that is unique to the VNF instance and usable to add the VNF instance to a whitelist of authorized VNF instances at the VNF manager.

26. A virtual network function (VNF) bootstrap service (VBS) agent of a VNF instance for bootstrapping virtual network functions in a network functions virtualization (NFV) network architecture, the VBS agent comprising:
- means for transmitting a start message to a VBS of the NFV network architecture communicatively coupled to the VBS agent, wherein the start message provides an indication that the VBS agent is instantiated;
  
  means for receiving, in response to the start message, a start response message from the VBS;
  
  means for transmitting a registration request message to the VBS in response to receiving the start response message, wherein the registration request message includes a security quote usable to authenticate the VBS agent as the transmitter of the registration request message and a security credential request to request a security credential from the VBS; and
  
  means for receiving a registration response message from the VBS, wherein the registration response message includes a security credential that indicates each of the security quote and the security credential request have been validated by the VBS.
- View Dependent Claims (27, 28, 29, 30)
- - 27. The VBS agent of claim 26, wherein:
    - the means for transmitting the start message comprises means for transmitting a first nonce,the means for receiving the start response message comprises means for receiving the start response message signed by the VBS using a private key of the VBS and includes the first nonce and a second nonce generated by the VBS,the means for transmitting the security credential request comprises means for transmitting the security credential request signed by the VNF instance using a private key of the VNF instance and includes the first nonce, the second nonce, and a public key of the VNF instance,the means for receiving the registration response message comprises means for receiving the registration response message signed by the VBS using the private key of the VBS and further includes the first nonce, the second nonce, an identifier of a VNF manager of the NFV network architecture responsible for managing the VBS agent, a set of VNF managers that are whitelisted, a set of VNF components (VNFCs) authorized by the VBS, a unique VNF instance identifier, and one or more policies, andthe one or more policies include instructions usable by the VBS agent to perform a particular function.
  - 28. The VBS agent of claim 26, further comprising:
    - means for receiving an instantiation trigger from an NFV orchestrator of the NFV network architecture; and
      
      means for initializing the VBS agent in response to having received the instantiation trigger,wherein the means for transmitting the start message comprises means for transmitting the start message in response to having received the instantiation trigger.
  - 29. The VBS agent of claim 28, further comprising:
    - means for generating the security credential request; and
      
      means for signing the security credential request using a private key of the VNF instance in response to having received the start response message from the VBS.
  - 30. The VBS agent of claim 26, further comprising means for transmitting an indication to a VNF manager of the NFV network architecture that indicates to the VNF manager that (i) the VNF instance is active and (ii) the configuration of the VNF instance is to be managed by the VNF manager, wherein the indication includes a VNF instance identifier that is unique to the VNF instance and usable to add the VNF instance to a whitelist of authorized VNF instances at the VNF manager.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Sood, Kapil, Walker, Jesse

Granted Patent

US 9,578,008 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

G06F 2009/45587   Isolation or security of vi...

G06F 2009/45595   Network integration; Enabli...

G06F 21/10   Protecting distributed prog...

G06F 21/53   by executing in a restricte...

G06F 21/575   Secure boot

G06F 2221/034   Test or assess a computer o...

G06F 9/4416   Network booting; Remote ini...

G06F 9/45533   Hypervisors; Virtual machin...

G06F 9/45558   Hypervisor-specific managem...

H04L 63/0209   Architectural arrangements,...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0254   Stateful filtering

H04L 63/06   for supporting key manageme...

H04L 63/08   for authentication of entit...

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04L 9/14   using a plurality of keys o...

H04L 9/30 : Public key, i.e. encryption...

H04L 9/3247 : involving digital signatures

View All

TECHNOLOGIES FOR SECURE BOOTSTRAPPING OF VIRTUAL NETWORK FUNCTIONS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

TECHNOLOGIES FOR SECURE BOOTSTRAPPING OF VIRTUAL NETWORK FUNCTIONS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links