Home
BSec-NFVO (Blockchain Security for Network Function Virtualization Orchestration) is a system to ensure auditability of the functionalities of a multi-tenant platform for orchestrating virtual network functions and to simplify the process of building Service Function Chains in the cloud. It is designed to be used in a distributed scenario where different components of the architecture run on different hosts. To achieve this, the tool is built on top of a modular architecture with three main components:
- Display Module, responsible for the interface between tenants and the back-end functionalities
- Orchestration Module, responsible for handling requests coming from the Display Module
- Blockchain Module, responsible for mediating and logging the execution of write requests on the platform
The Display Module is made up of four submodules. The first is a user-friendly web interface that allows a tenant to monitor and modify their hired NFV and SFC services. The second is an access-control manager that applies SLA policies and restricts user access to their respective services. The third is an orchestration client that communicates with the Orchestration Module in order to issue read requests. Lastly, there is a blockchain client used for communication with the Blockchain Module in order to issue write requests on the platform. Through the Display Module, a tenant can graphically and intuitively create VNFs, SFCs, classifiers and networks. The client components communicate through TLS-protected remote procedure calls (RPC).
The Orchestration Module is composed of five main components. The first component is an orchestration server that receives the RPC calls from the Display Module. The second is a database that records the account information and services belonging to each user. The third is a permission-control system that works alongside the database to verify whether a user is authorized to execute a given request. The fourth is a blockchain client that polls the Blockchain Module to check for pending write requests and to record the result of a processed request. Finally, there is an API for connecting to the OPNFV platform and issuing the authorized requests.
The Blockchain Module acts as a mediator of write requests and consists of a blockchain server and the blockchain itself. The blockchain server receives RPC calls for writing and querying the blockchain. Each write request is signed by the issuing tenant with an asymmetric RSA key pair so that the tenant cannot repudiate the request. At each consecutive time interval (presumably around 1 second), every request is recorded in a block, which is associated with the previous block's hash and signed by the Blockchain Module with a key pair provided by the cloud service manager. In this way, an immutable, integrity-protected chain is built. The combination of these features allows requests to be audited and is indispensable in the case of a security incident. Several Blockchain Modules can run concurrently and keep their blocks consistent through a consensus protocol, so that this repository is attack-resilient and highly available.
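The block linking and auditing described above can be sketched as follows. This is an added example, not BSec-NFVO's own code: the block fields and function names are hypothetical, HMAC-SHA256 stands in for the module's RSA block signature so that it runs with the standard library only, and per-request tenant signatures are not modeled.

```python
import hashlib, hmac, json

# Assumption: HMAC-SHA256 stands in for the module's RSA block signature.
# A real auditor would verify an RSA signature with the module's public key.
MODULE_KEY = b"constructed-demo-key"
GENESIS = "0" * 64  # hypothetical prev_hash value for the first block

def block_digest(index, prev_hash, requests):
    """Hash the canonical JSON encoding of a block's contents."""
    body = json.dumps({"index": index, "prev_hash": prev_hash,
                       "requests": requests}, sort_keys=True).encode()
    return hashlib.sha256(body).hexdigest()

def seal_block(index, prev_hash, requests, key=MODULE_KEY):
    """Build a block: contents, their hash, and the module's tag over it."""
    digest = block_digest(index, prev_hash, requests)
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    return {"index": index, "prev_hash": prev_hash, "requests": requests,
            "hash": digest, "sig": tag}

def build_chain(batches):
    """Seal one block per batch of write requests, linking each to the last."""
    chain, prev = [], GENESIS
    for i, requests in enumerate(batches):
        block = seal_block(i, prev, requests)
        chain.append(block)
        prev = block["hash"]
    return chain

def audit_chain(chain, key=MODULE_KEY):
    """Return (index, reason) for the first bad block, or None if intact."""
    prev = GENESIS
    for i, b in enumerate(chain):
        if b["index"] != i or b["prev_hash"] != prev:
            return (i, "broken link")
        if block_digest(i, prev, b["requests"]) != b["hash"]:
            return (i, "content modified")
        expected = hmac.new(key, b["hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, b["sig"]):
            return (i, "bad module signature")
        prev = b["hash"]
    return None

# Constructed sample write requests, one batch per block interval.
SAMPLE = [[{"tenant": "t1", "op": "create_vnf"}],
          [{"tenant": "t2", "op": "create_sfc"}],
          [{"tenant": "t1", "op": "delete_vnf"}]]
```

The hash link alone only catches edits that leave later blocks untouched; the module's signature is what catches a block that was altered and then re-hashed.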
Developed and maintained by