Network Function Virtualization Security and Trust System

US 20170012975A1
Filed: 08/04/2015
Published: 01/12/2017
Est. Priority Date: 07/12/2015
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

authenticating a first server computer executed to provide a first service on a network device;

authenticating a second server computer executed to provide a second service on the network device;

initiating chaining of the first service and the second service to form a federation of services that cooperatively operate within the network device to provide functional operation of the network device; and

verifying secure operation of the federation in accordance with cooperative operational functionality of each of the first service and the second service within the federation.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network function virtualization security and trust system includes a network device that operates as a virtualized network device with virtualized services provided on the network device by network nodes included in the system. Security and trust within the system can include hardware authentication of the network nodes and the network device to obtain a level of security of the hardware provisioning the operation of the virtualized services. Security and trust can also include authentication of the services being used on the virtualized network device. Services authentication can be based on monitoring and analysis of the cooperative operation of the services in the virtualized network device. The virtualized services can be dynamically changed, added or stopped. Hardware authentication and dynamic services authentication in accordance with changes in the virtualized services can dynamically maintain a level of security across the devices and the virtualized services.

48 Citations

View as Search Results

20 Claims

1. A method comprising:
- authenticating a first server computer executed to provide a first service on a network device;
  
  authenticating a second server computer executed to provide a second service on the network device;
  
  initiating chaining of the first service and the second service to form a federation of services that cooperatively operate within the network device to provide functional operation of the network device; and
  
  verifying secure operation of the federation in accordance with cooperative operational functionality of each of the first service and the second service within the federation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising establishing a trust level of each of the first service and the second service within the federation;
    - and maintaining the functional operation based on the trust level.
  - 3. The method of claim 1, wherein authenticating the first server computer and the second server computer comprises verifying an identity of first server computer and the second server computer.
  - 4. The method of claim 1, wherein verifying secure operation of the federation comprises confirming parameters of cooperative operation of the first service and the second service conform to predefined parameters representative of an expectation of the cooperative operation.
  - 5. The method of claim 4, wherein the predefined parameters include a predetermined latency threshold that each of a plurality of functions included in the service operate within.
  - 6. The method of claim 5, wherein the predefined parameters include a predetermined rate limit that each of the plurality of functions included in the service operate within.
  - 7. The method of claim 1, wherein confirming cooperative operation of the first service and the second service comprises receiving a secure hash function containing hash values indicative of cooperative operation, which are added to the secure hash function by each of the first service and the second service, and confirming the secure hash function against a predetermined hash function representative of the federation of services.
  - 8. The method of claim 1, wherein confirming cooperative operation of the first service and the second service comprises the network device authenticating the first server computer, and the first server computer authenticating the second server computer.
  - 9. The method of claim 1, wherein verifying secure operation of the federation comprises establishing a minimum security level among the first server computer, the second server computer and the network device, and verifying that the minimum security level is maintained during operation of the first service and the second service.
  - 10. The method of claim 1, wherein verifying secure operation of the federation comprises establishing predetermined operational template parameters representative of cooperative operation of the first service and the second service and confirming actual operation of the first service and the second service is within the predetermined operational template parameters.
  - 11. The method of claim 1, wherein the first server computer and the second server computer communicate with the network device over a network via a network switch, and authenticating the first server computer and the second server computer comprises the network device authenticating the network switch, and the network switch authenticating the first computer or the second server computer.

12. A system comprising:
- an authentication server to authenticate an identity of a first network device and a second network device, the first network device executed to provide a first service for a third network device, and the second network device executed to provide a second service for the third network device;
  
  the authentication server to initiate authentication of the identity of the first network device and the second network device to create a chain of trusted devices in response to the third network device being initiated to operate using the first service and the second service; and
  
  an integrity of the chain of trusted devices being verified with the authentication server by confirmation of cooperative operation of the first service and the second service in the third device being a trusted chain of services.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The system of claim 12, wherein the first network device and the second network device provide the respective first service and the second service over a network as part of operational functionality of the third network device.
  - 14. The system of claim 12, wherein the first service and the second service are provided over a network to the third network device, and the authentication server to initiate authentication of the identity of the first network device, the second network device and the third network device, before the integrity of the chain of trusted devices is verified.
  - 15. The system of claim 14, wherein initiation of authentication of the identity of the first network device and the second network device comprises a two factor authentication by the authentication server, and verification of the integrity of the chain of trusted devices being verified by comparison of monitored parameters in the third device related to the cooperative operation of the first service and the second service with predetermined parameters of a federation of the first service and the second service.
  - 16. The system of claim 12, wherein initiation of authentication of the identity of the first network device and the second network device comprises authentication of the first network device with the authentication server, and authentication of the second network device by the first network device.
  - 17. The system of claim 12, wherein the integrity of the chain of trusted devices is verified with an accumulated hash by the authentication server, the accumulated hash being sequentially built by each of the first and second network devices.
  - 18. The system of claim 12, wherein the cooperative operation of the first service and the second service is confirmed by the authentication server based on a predetermined stored template of cooperative operation parameters.
  - 19. The system of claim 12, wherein the authentication server dynamically retrieves another predetermined stored template of cooperative operation parameters in response to a change of the first service or the second service, or addition of another service to the network device.

20. A system comprising:
- network interface circuitry configured to transmit an authentication request over a network to a first server executed to provide a first virtual service on a network device, and a second server executed to provide a second virtual service on the network device;
  
  authentication circuitry in communication with the network interface circuitry, the authentication circuitry used to authenticate an identity of the first server, the second server and the network device and develop a chain of trusted devices that includes the first server, the second server and the network device; and
  
  hypervisor circuitry in communication with the network interface circuitry, the hypervisor circuitry to develop a trusted chain of services by verification of cooperative operation of the first virtual service and the second virtual service on the network device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Broadcom Corporation (Broadcom, Inc.)
Inventors
Siva, Kumaran David, Ilyadis, Nicholas, Chen, Xuemin, Klein, Philippe, Hendel, Ariel

Granted Patent

US 10,341,384 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0876   based on the identity of th...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

Network Function Virtualization Security and Trust System

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

48 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Network Function Virtualization Security and Trust System

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links