Deliverable D3.2

Ref. Ares(2016)3479770 - 15/07/2016

Converged Heterogeneous Advanced 5G Cloud-RAN Architecture for Intelligent and Secure Media Access

Project no. 671704
Research and Innovation Action
Co-funded by the Horizon 2020 Framework Programme of the European Union
Call identifier: H2020-ICT-2014-1
Topic: ICT-14-2014 - Advanced 5G Network Infrastructure for the Future Internet
Start date of project: July 1st, 2015

Deliverable D3.2
Initial 5G multi-provider v-security realization: Orchestration and Management

Due date: 30/06/2016
Submission date: 15/07/2016
Deliverable leader: I2CAT
Editor: Shuaib Siddiqui (i2CAT)
Reviewers: Konstantinos Filis (COSMOTE), Oriol Riba (APFUT), and Michael Parker (UESSEX)

Dissemination Level

  • PU: Public
  • PP: Restricted to other programme participants (including the Commission Services)
  • RE: Restricted to a group specified by the consortium (including the Commission Services)
  • CO: Confidential, only for members of the consortium (including the Commission Services)

CHARISMA – D3.2 – v1.0 Page 1 of 145

List of Contributors

Participant | Short Name | Contributor
Fundació i2CAT | I2CAT | Shuaib Siddiqui, Amaia Legarrea, Eduard Escalona
Demokritos NCSRD | NCSRD | Eleni Trouva, Yanos Angelopoulos
APFutura | APFUT | Oriol Riba
Innoroute | INNO | Andreas Foglar, Marian Ulbricht
JCP-Connect | JCP-C | Yaning Liu
University of Essex | UESSEX | Mike Parker, Geza Koczian, Stuart Walker
Intracom | ICOM | Spiros Spirou, Konstantinos Katsaros, Konstantinos Chartsias, Dimitrios Kritharidis
Ethernity | ETH | Eugene Zetserov
Ericsson | Ericsson | Carolina Canales
Altice Labs | Altice | Victor Marques
Fraunhofer HHI | HHI | Kai Habel

Table of Contents

List of Contributors
1. Introduction
  1.1. 5G network challenges: Security and Multi-tenancy
  1.2. SDN/NFV paradigms in the 5G network
2. CHARISMA Security and Multi-tenancy Scope
  2.1. CHARISMA Security: threats and risks analysis
    2.1.1. CHARISMA Use Case Security Analysis
    2.1.2. Security Requirements Summary
  2.2. CHARISMA Multi-tenancy considerations
3. CHARISMA Control, Management and Orchestration (CMO) Overview
  3.1. CHARISMA Aggregation Levels Requirements
  3.2. CHARISMA CMO
    3.2.1. Overview
    3.2.2. CMO Workflows and Procedures
    3.2.3. Service Orchestration
    3.2.4. Virtual Infrastructure Manager (VIM)
4. CHARISMA Security and Multi-tenancy CMO Extensions
  4.1. Service Policy Manager
    4.1.1. Security Policy Manager
  4.2. Service Monitoring and Analytics
    4.2.1. Security Monitoring and Analytics
  4.3. Virtual Infrastructure Manager (VIM)
    4.3.1. Open Access Manager
    4.3.2. VI Security
    4.3.3. VI Monitoring
  4.4. VNF/VSF
    4.4.1. vIDS
    4.4.2. vFW
5. Conclusions
References
Appendix I: Orchestrator Comparisons
Appendix II: v-IDS Implementation
Appendix III: v-Firewall Implementation
Appendix IV: Smart NIC card CLI example
Appendix V: NETCONF
Appendix VI: Basics of OpenFlow protocol
Appendix VII: EPC & eNB Configuration files
Appendix VIII: Integration of Wireless Backhaul in the CHARISMA CMO Plane
Appendix IX: IEEE 802.1ad Q-in-Q Primer
Acronyms

List of Figures

Figure 1 Security Overview in SDN/NFV Environment
Figure 2 Architectural Schematic of CHARISMA Converged Aggregation Levels (CALs)
Figure 3 Scalability of CHARISMA CALs from x=0 to x=5
Figure 4 CHARISMA's CMO Architecture
Figure 5 VNO registration at CHARISMA Operator
Figure 6 Slice & Service Provisioning by a VNO
Figure 7: TeNOR high-level architecture
Figure 8 Managing OLT locally
Figure 9: Managing OLT by the Management Network
Figure 10 Ethernity NIC APIs: Server view
Figure 11 Management interface for Cache Node in CHARISMA
Figure 12 Management interface of OFDM-PON using current hardware
Figure 13 Planned management interface of OFDM-PON for new hardware
Figure 14 Adaptation on Physical Switches
Figure 15 NFVO Zoomed In: Service Policy Manager
Figure 16 Security Policy Manager Architecture
Figure 17 Security Policy Information Model
Figure 18 Automated security management via CHARISMA Security Policy Manager
Figure 19: Monitoring and Analytics architecture
