2. What is Network Function Virtualization?
Virtual Core Network Services
Introduces the concept of a Control Plane and a Data Plane
Typical Virtual Network Services:
Core Layer 2 Switching (VLANs)
Layer 3 Routing (internal and external routing functions: OSPF, BGP, etc.)
Edge Firewall Services
VPN Tunneling
Embedded IPS/IDS
Automated Service Provisioning
Automated Threat Response
3. A means to make the network more flexible and simple by minimising dependence on HW constraints
[Figure: two network models compared]
Virtualised Network Model: VIRTUAL APPLIANCE APPROACH
Network functions are SW-based over well-known HW; multiple roles over the same HW
Orchestration, automation and remote install
Virtual appliances (DPI, BRAS, GGSN/SGSN, Firewall, CG-NAT, PE Router) running on standard high-volume servers
Traditional Network Model: APPLIANCE APPROACH
Network functions are based on specific HW and SW; one physical node per role
Physical appliances: DPI, BRAS, GGSN/SGSN, Session Border Controller, Firewall, CG-NAT, PE Router
Source: Adapted from D. Lopez Telefonica I+D, NFV
5. Network Function Virtualization vs. Software Defined Networks
Complementary sets of services
Network Function Virtualization (NFV)
Originated from the need to scale network services (Service Provider world)
Data plane functions running in VMs on commodity servers
Software Defined Networking (SDN)
Originated from API control of network features (IT world)
Also separates the Control and Data Planes
Together they allow scalable cloud applications and services (Apps):
Applications running on top of the network with transportable network characteristics.
6. The ETSI NFV ISG
• Global operator-led Industry Specification Group (ISG) under the auspices of ETSI
– ~150 member organisations
• Open membership
– ETSI members sign the “Member Agreement”
– Non-ETSI members sign the “Participant Agreement”
– Opening up to academia
• Operates by consensus
– Formal voting only when required
• Deliverables: white papers addressing challenges and operator requirements, as input to SDOs
– Not a standardisation body by itself
• Currently, four WGs and two EGs
– Infrastructure
– Software Architecture
– Management & Orchestration
– Reliability & Availability
– Performance & Portability
– Security
Source: Adapted from D. Lopez Telefonica I+D, NFV
7. ETSI NFV Reference Architecture
[Figure: ETSI NFV reference architecture]
NFVI: hardware resources (computing hardware, storage hardware, network hardware), the virtualisation layer, and virtual computing, virtual storage and virtual network
VNF 1, VNF 2, VNF 3, each with its element manager (EMS 1, EMS 2, EMS 3)
OSS/BSS
NFV Management and Orchestration: Orchestrator, VNF Manager(s), Virtualised Infrastructure Manager(s)
Service and Infrastructure Requirements
Reference points shown: Or-Vi, Or-Vnfm, Vnfm-Vi, Os-Ma, Se-Or, Ve-Vnfm, Nf-Vi, Vn-Nf, Vi-Ha (drawn as execution reference points, main NFV reference points and other reference points)
Virtualization Layer – Hardware Resources (Vi-Ha)
VNF – NFVI (Vn-Nf)
Orchestrator – VNF Manager (Or-Vnfm)
Virtualized Infrastructure Manager – VNF Manager (Vi-Vnfm)
Orchestrator – Virtualized Infrastructure Manager (Or-Vi)
NFVI – Virtualized Infrastructure Manager (Nf-Vi)
Operation Support System (OSS)/Business Support System (BSS) – NFV Management and Orchestration (Os-Ma)
VNF/Element Management System (EMS) – VNF Manager (Ve-Vnfm)
Service, VNF and Infrastructure Description – NFV Management and Orchestration (Se-Ma): VNF deployment template, VNF Forwarding Graph, service-related information, NFV infrastructure information
Ref: ETSI, “Architectural Framework,” Oct 2013,
14. Security – Complete Isolation
Virtual networks are isolated from each other (overlapping IP addresses)
Virtual networks are isolated from the underlying physical network (IPv6 over IPv4)
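As an added example (not from the slides), a small Python model of the overlay isolation the slide describes: the 24-bit VXLAN VNI (header layout per RFC 7348) tags every tenant's frames, and the tunnel endpoint keys its forwarding state by (VNI, MAC), so two tenants can reuse 10.0.0.0/24, and even the same MAC, without traffic ever crossing. The VNI numbers, MACs and IP addresses are constructed values.

```python
"""Constructed model of VXLAN tenant isolation (added example, not the slides' code)."""
import struct

VNI_VALID = 0x08  # VXLAN 'I' flag: the VNI field is valid


def vxlan_encap(vni: int, inner: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI is a 24-bit field")
    return struct.pack("!B3sI", VNI_VALID, b"\0\0\0", vni << 8) + inner


def vxlan_decap(pkt: bytes):
    """Return (vni, inner_frame); drop packets whose I flag is clear."""
    if len(pkt) < 8:
        raise ValueError("truncated VXLAN header")
    flags, _reserved, vni_field = struct.unpack("!B3sI", pkt[:8])
    if not flags & VNI_VALID:
        raise ValueError("I flag clear: drop")
    return vni_field >> 8, pkt[8:]


def inner_frame(dst_mac: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Minimal constructed stand-in for an Ethernet/IPv4 frame: dst MAC + addresses."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return dst_mac + ip(src_ip) + ip(dst_ip)


class Vtep:
    """A VXLAN tunnel endpoint whose forwarding table is keyed by (VNI, MAC)."""

    def __init__(self):
        self.fdb = {}  # (vni, dst_mac) -> local port

    def learn(self, vni: int, mac: bytes, port: str):
        self.fdb[(vni, mac)] = port

    def deliver(self, pkt: bytes):
        vni, frame = vxlan_decap(pkt)
        # Lookup is scoped to the frame's own VNI: a MAC learned in another
        # tenant's segment is invisible here, so overlapping addressing cannot
        # leak traffic, and an unknown VNI yields None rather than a flood.
        return self.fdb.get((vni, frame[:6]))


MAC = b"\x02\x00\x00\x00\x00\x0a"  # constructed; reused by both tenants
TENANT_A, TENANT_B = 5000, 6000  # constructed VNIs


def demo():
    vtep = Vtep()
    vtep.learn(TENANT_A, MAC, "portA")
    vtep.learn(TENANT_B, MAC, "portB")
    frame = inner_frame(MAC, "10.0.0.20", "10.0.0.10")  # same /24 in both tenants
    return (vtep.deliver(vxlan_encap(TENANT_A, frame)),
            vtep.deliver(vxlan_encap(TENANT_B, frame)),
            vtep.deliver(vxlan_encap(7000, frame)))
```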
21. NFV Challenges
Very quickly evolving standards
Still some industry work to do on standardization of transport-layer (data center extension) services (i.e. MPLS, VXLAN)
Some very new NFV software stacks require market testing for security
Initial complexity of deployment and the learning curve mean a higher risk of mis-configuration and security exposure
Must trust the inherent security barriers between the management and control planes.
Extreme diligence on securing the management plane of a virtualized system, for obvious reasons.
Cloud administrators are being thrust into the role of security architects in many cases.
22. NFV Opportunities
Very rapid deployment models
Allows for significantly quicker recovery from incidents.
Create a new DMZ, redeploy VMs, add a firewall in minutes rather than days
Allows the addition of extra layers of security at lower cost.
Many virtualized firewalls are significantly cheaper than traditional H/W-based devices
Flexibility to easily, rapidly and dynamically provision and instantiate new services in various locations
Improved operational efficiency
Software-oriented innovation to rapidly prototype and test new services
More service differentiation and customization
Reduced operational costs (OPEX): reduced power, reduced space, improved network monitoring
IT-oriented skillset and talent
Rapid development of software-based virtual security appliances
23. NFV Security Best Practices
Stick to traditional best practices
Defense in depth
Log management (including accurate time/date stamps)
Diligence on software bugs (some NFV stacks have much lower public scrutiny)
Don’t assume software teams have network security experience
Layer 2 security
Isolated VLANs for secure zones
Layer 3 security
Access control via access lists and firewall rules
IPS/IDS