WO2017142577A1 - Identity management of virtualized entities - Google Patents
- Publication number: WO2017142577A1 (PCT/US2016/034692)
- Authority: WO (WIPO, PCT)
- Prior art keywords: vnfc, unique identifier, tenant, identifier, vnf
- Legal status: Ceased (an assumption by Google Patents, not a legal conclusion; no legal analysis was performed)
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/71—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
- G06F21/73—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information by creating or determining hardware identification, e.g. serial numbers
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0803—Configuration setting
- H04L41/0806—Configuration setting for initial configuration or provisioning, e.g. plug-and-play
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/08—Configuration management of networks or network elements
- H04L41/0895—Configuration of virtualised networks or elements, e.g. virtualised network function or OpenFlow elements
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/28—Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/40—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks using virtualisation of network functions or resources, e.g. SDN or NFV entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
Definitions
- the present disclosure relates to the field of electronic circuits. More particularly, the present disclosure relates to the management of virtualized network function identities in network function virtualization operator networks and software-defined networks.
- Legacy security systems built on physical system technology have relied on globally unique identifiers cryptographically bound to immutable identities, such as media access control (MAC) addresses, internet protocol (IP) addresses, or other identities embedded in security credentials.
- the globally unique identifiers have been domain-wide unique, allowing the physical entity to be uniquely identified within the corresponding domain.
- the globally unique identities are immutable for the lifetime of the system.
- Figure 1 illustrates an example network functions virtualization environment, according to various embodiments.
- Figure 2 illustrates an example message flow diagram among a virtualized network function component and a security controller, according to various embodiments.
- Figure 3 illustrates an example message flow diagram among elements of a network functions virtualization environment, according to various embodiments.
- Figure 4 illustrates an example flow diagram of operations within a network functions virtualization environment, according to various embodiments.
- Figure 5 illustrates an example computing device that may employ
- Figure 6 illustrates an example computer-readable storage medium that may employ the apparatuses and/or methods described herein.
- an apparatus for identity management of virtualized entities may include a memory device with instructions stored thereon and a processor.
- the processor in response to execution of the instructions stored on the memory device, may detect an instantiation of a virtualized network function component (VNFC) and obtain identifiers for components of a platform based on the detected instantiation, the platform to implement the VNFC.
- the processor may further generate a unique identifier based on the identifiers for the components of the platform and assign the unique identifier to the VNFC.
- phrase “A and/or B” means (A), (B), or (A and B).
- phrase “A, B, and/or C” means (A), (B), (C), (A and B), (A and C), (B and C), or (A, B and C).
- circuitry may refer to, be part of, or include an Application Specific Integrated Circuit (ASIC), an electronic circuit, a processor (shared, dedicated, or group) and/or memory (shared, dedicated, or group) that execute one or more software or firmware programs, a combinational logic circuit, and/or other suitable components that provide the described functionality.
- FIG 1 illustrates an example network functions virtualization (NFV)
- the NFV environment 100 may include one or more virtualized network functions that may dynamically instantiate and terminate during operation of the NFV environment 100. It is desirable to have globally unique identifiers assigned to these virtualized network functions. Unlike legacy systems, where the globally unique identifiers are bound to immutable identities, the dynamic instantiation and termination of the virtualized network functions present challenges, including assigning the globally unique identifiers upon dynamic instantiation of the virtualized network functions and maintaining those assignments as life cycle events occur. The embodiments disclosed herein may be able to assign the globally unique identifiers upon dynamic instantiation of the virtualized network functions and maintain the assignments.
- the network function virtualization environment 100 may include a tenant management portion 102, a network functions virtualization infrastructure (NFVI) portion 104, and/or an operations management portion 106.
- the tenant management portion 102 may include one or more tenants, such as tenant 108a and tenant 108b, an operations support system (OSS)/business support system (BSS) 110, or some combination thereof.
- the tenant 108a and the tenant 108b may be one or more end-user devices (such as computer devices, user devices, cellular phones, handheld computer devices, or some combination thereof), one or more subscribers to an NFV service provider, or some combination thereof.
- the tenant 108a and the tenant 108b may be user devices that request and/or receive services from a cellular network provider.
- the OSS/BSS 110 may be provided by an NFV service provider (which may also be referred to as an operator herein).
- the OSS/BSS 110 may be communicatively coupled to the tenant 108a and/or the tenant 108b.
- the tenant 108a and/or the tenant 108b may transmit a request for a NFV service to the OSS/BSS 110.
- the OSS/BSS 110 may receive the request and forward the request to the operation management portion 106 for scheduling of the NFV service.
- the operation management portion 106 may receive the request for the NFV service and schedule performance of the NFV service with the NFVI portion 104.
- the NFVI portion 104 may include one or more virtual machines and/or containers that operate on general purpose hardware platform, such as a computer device and/or a server.
- the NFVI portion 104 may perform the NFV service and return a result of the NFV service to the operation management portion 106 for provision to the tenant 108a and/or the tenant 108b that requested the service.
- the NFVI portion 104 may include a NFVI 114 to perform the requested NFV services and output the results of the NFV service to the operation management portion 106.
- the NFVI 114 may include one or more virtualized functions, such as virtualized network function (VNF) 164, VNF-N 162, virtualized switch/router 160, virtualized security functions 158, or some combination thereof.
- the virtualized security functions 158 may include a user data plane 154 developed through use of a data plane development kit.
- the one or more virtualized functions may include computer code to cause computer hardware to perform one or more functions that, in legacy systems, were previously performed by the individual tenants.
- the one or more virtualized functions may be assigned computer hardware from one or more devices to perform operations associated with the one or more virtualized functions.
- Each of the one or more virtualized functions may have a corresponding unique identifier, such as VNF ID 166 that corresponds with the VNF 164, Vswitch ID 152 that corresponds with the virtualized switch/router 160, SecMon ID 156 that corresponds with the virtualized security functions 158, or some combination thereof.
- the one or more virtualized functions may each include one or more virtualized function components, such as virtualized network function component (VNFC) 148 and/or VNFC 150.
- the VNFC 148 and/or the VNFC 150 may dynamically instantiate, migrate, clone, and run in active-active and/or active-passive modes.
- the VNFC 148 and/or the VNFC 150 may each perform a portion of the operations to be performed by the VNF 164.
- Each of the VNFC 148 and/or the VNFC 150 may be assigned with corresponding computer code, and hardware and/or software components of the NFVI 114 to perform operations associated with the VNFC 148 and/or the VNFC 150, respectively.
- the VNFC 148 may utilize different computer code, and hardware and/or software components of the NFVI 114 than the VNFC 150 utilizes.
- the NFVI 114 may further include hardware infrastructure 146 to receive computer code from the one or more virtualized functions and perform the operations associated with the computer code. For example, in response to a request for performance of an operation associated with the virtualized switch/router 160, the virtualized switch/router 160 may provide computer code to the hardware infrastructure 146 to perform the operation associated with the computer code.
- the hardware infrastructure 146 may be associated with a unique identifier, such as rack ID 116.
- the hardware infrastructure 146 may include one or more platforms, such as platform PI 134 and/or platform Pn 118.
- the platform PI 134 and/or platform Pn 118 may include computer hardware that may perform operations in response to execution of computer software and/or computer code.
- the platform PI 134 may include one or more field programmable gate arrays (FPGAs) 132, one or more cores 120, one or more input/output (I/O) interfaces and/or network interface cards (NIC) 122, one or more converged security manageability engines (CSME) 126, one or more busses and/or interconnects 128, or some combination thereof.
- One or more components of the platform PI 134 may correspond to the processors described in, for example, Figure 5.
- the platform PI 134 may be associated with a unique identifier, such as platform ID 130.
- the platform PI 134 may further include a root of trust (RoT), which may be associated with a unique identifier, RoT ID 124.
- the RoT may be an elementary security piece that may originate a chain of trust.
- the RoT can delegate trust upwards in a chain to other software.
- the other software may include firmware, unified extensible firmware interface (UEFI) basic input/output system (BIOS), operating system (OS) bootloader, OS kernel, VNF, virtual machine, or some combination thereof.
- the hardware infrastructure 146 may further include software for performance of basic operations.
- the software for basic operation may include an OS 140 (such as a hypervisor, OS, cloud OS, or some combination thereof), a UEFI BIOS 138, or some combination thereof.
- Each of the software components may be associated with a corresponding unique identifier.
- the OS 140 may be associated with OS ID 142 and the UEFI BIOS 138 may be associated with BIOS ID 136.
- the operation management portion 106 may act as an interface between the tenant management portion 102 and the NFVI portion 104.
- the operation management portion 106 may include an orchestrator 168.
- the orchestrator 168 may receive requests for NFV services from the OSS/BSS 110 and may perform orchestration and management of the NFVI 114 and software to provide the NFV services.
- the operation management portion 106 may further include a VNF manager (VNFM) 170 and/or a virtualized infrastructure manager (VIM) 176.
- the VNFM 170 may be responsible for control and management of the one or more virtualized network functions, including instantiation, update, query, scaling, and/or termination of the one or more virtualized network functions.
- the VIM 176 may control and manage interaction of the one or more virtualized network functions with the hardware infrastructure 146, including computing, storage, and/or network resources of the hardware infrastructure 146.
- the orchestrator 168 in response to receiving the requests for NFV services from the OSS/BSS 110, may determine which resources of the NFVI 114 are to be utilized to fulfil the requests.
- the orchestrator 168 may communicate with the VNFM 170 and/or the VIM 176 to instruct the VNFM 170 and/or the VIM 176 to schedule the resources to be utilized to fulfill the requests.
- the VNFM 170 and/or the VIM 176, in response to the communication from the orchestrator 168, may schedule the resources to be utilized corresponding to each of the VNFM 170 and/or the VIM 176, thereby generating a virtual machine that includes the resources to be utilized based on the requests.
- the operation management portion 106 may further include a security controller 172.
- the security controller 172 may be communicatively coupled to the orchestrator 168, the VNFM 170, the VIM 176, the NFVI 114, the hardware infrastructure 146, or some combination thereof.
- the security controller 172 may include an identity manager 174 for identity management associated with requests for NFV services and resources of the NFVI 114 to fulfill the requests.
- the security controller 172 may detect and/or receive a notification from the orchestrator 168 that the orchestrator 168 is generating an instantiation of a VNFC. The generation of the instantiation may occur in response to a request, received by the orchestrator 168 from the OSS/BSS 110, for performance of a NFV service. In some embodiments, the security controller 172 may detect and/or receive a notification from the orchestrator 168 that the orchestrator 168 received a request for performance of the NFV service. In some embodiments, the security controller 172 may detect the instantiation of the VNFC based on operations associated with the VNFM 170 and/or the VIM 176.
- the security controller 172 may obtain identifiers associated with resources to be assigned to the VNFC and/or identifiers associated with the request for the NFV service that induced instantiation of the VNFC.
- the security controller 172 may generate one or more requests to be sent to the orchestrator 168, the VNFM 170, the VIM 176, the NFVI 114, the hardware infrastructure 146, or some combination thereof, wherein the request may request identifiers of resources to be associated with the VNFC.
- the security controller 172 may transmit the requests to the orchestrator 168, the VNFM 170, the VIM 176, the NFVI 114, the hardware infrastructure 146, or some combination thereof.
- the orchestrator 168, the VNFM 170, the VIM 176, the NFVI 114, the hardware infrastructure 146, or some combination thereof may transmit identifiers for the resources to be associated with the VNFC to the security controller 172.
- the VNFM 170 and/or the VIM 176 may transmit identifiers for the resources corresponding to the VNFM 170 and/or the VIM 176, respectively, to the security controller 172, while in other embodiments any of the elements that transmit the identifiers may transmit all the identifiers for the resources to be associated with the VNFC.
- the identifiers for the resources may include the OS ID 142, the BIOS ID 136, the platform ID 130, the RoT ID 124, the rack ID 116, or some combination thereof.
- the security controller 172 may provide the identifiers for the resources to the identity manager 174.
- the identity manager 174 may generate a unique identifier for the VNFC based on the identifiers.
- the identity manager 174 may generate the unique identifier through performance of a hash operation applied to the identifiers to produce the unique identifier.
- the hash operation may include performance of one or more hash functions with respect to the identifiers, the one or more hash functions including a Zobrist hash function, a universal one-way hash function, a tabulation hash function, a Rabin fingerprint hash function, a non-cryptographic hash function, a keyed cryptographic hash function, an unkeyed cryptographic hash function, or some combination thereof. Of these, only the collision-resistant cryptographic options prevent an attacker from constructing a different set of identifiers that hashes to the same unique identifier, and only a keyed cryptographic hash prevents anyone who knows the component identifiers from computing the unique identifier themselves.
- because the unique identifier is generated through a hash of the identifiers for the resources, it may be possible to determine which resources are associated with the VNFC: a candidate set of resource identifiers can be hashed again and compared with the unique identifier. The hash itself cannot be inverted, so this requires either the stored association or knowledge of the candidate identifiers.
- the security controller 172 may further obtain a globally unique identifier associated with the VNFC, such as VNFC ID 144.
- the identity manager 174 may further include the globally unique identifier in the hash operation to generate the unique identifier. Accordingly, it may be possible to determine the VNFC to which the unique identifier is associated based on the unique identifier itself.
- the identity manager 174 may assign the unique identifier to the VNFC.
- the identity manager 174 may store the unique identifier, with an indication of the association of the unique identifier with the VNFC, in a memory device of the security controller 172 and/or the memory device associated with the security controller 172.
- the memory device may be a secure storage device.
- the identity manager 174 may provide the unique identifier with the indication to security administrators associated with the NFVI 114 and/or the OSS/BSS 110 in response to a request received from the security administrators and/or the assignment of the unique identifier to the VNFC.
- the security controller 172 may further generate a request for a tenant ID, such as tenant ID 109, associated with the detected instantiation of the VNFC.
- the security controller 172 may transmit the request to the orchestrator 168, the VNFM 170, the VIM 176, the NFVI 114, the hardware infrastructure 146, or some combination thereof, and receive the tenant ID in response to the request.
- Identity manager 174 may associate the tenant ID with the VNFC and may store the association in the memory device of, or associated with, the security controller 172.
- the identity manager 174 may include the tenant ID in the hash operation to produce the unique identifier. In these embodiments, it may be possible to identify the tenant associated with the VNFC based on the unique identifier.
- the identity manager 174 may further generate a second unique identifier, such as VNF ID 166, for a VNF based on the unique identifier associated with the VNFC.
- the security controller 172 may obtain identifiers associated with one or more VNFC (such as VNFC ID 144) of the VNF in response to detection of an instantiation of the VNF.
- the identity manager 174 may perform a hash operation applied to the identifiers associated with the one or more VNFC to produce the second unique identifier.
- the identity manager 174 may store the second unique identifier in the memory device of, or associated with, the security controller 172.
- the identity manager 174 may further associate the second unique identifier with a tenant ID (such as tenant ID 109) associated with the tenant that requested and/or caused the instantiation of the VNF.
- the identity manager 174 may store the tenant ID in the memory device, the tenant ID associated with the second unique identifier.
- the identity manager 174 may generate a third unique identifier for a service function chain (SFC) that utilizes the VNF.
- the security controller 172 may obtain one or more VNF IDs (such as VNF ID 166) associated with VNFs within the SFC.
- the identity manager 174 may perform a hash on the one or more VNF IDs to generate the third unique identifier.
- the identity manager 174 may associate the third unique identifier with the SFC and store, in the memory device, the third unique identifier and/or an indication of the association with the SFC.
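The derivation described above (a VNFC identifier hashed from platform identifiers, a tenant ID and the VNFC's own identifier; a VNF identifier hashed from its VNFC identifiers; an SFC identifier hashed from its VNF identifiers), as an added example that is not code from the patent. It assumes an unambiguous length-prefixed encoding with a domain label per level, sorted VNFC identifiers for the VNF hash, and HMAC-SHA256 under a key held by the identity manager; these are this example's choices, the patent only lists hash families. The sample identifier values are constructed.

```python
# Added example, not the patent's code: hierarchical VNFC -> VNF -> SFC identifiers.
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed sample values standing in for rack ID 116, platform ID 130, RoT ID 124,
# BIOS ID 136 and OS ID 142 of the disclosure.
PLATFORM_P1 = {
    "rack_id": "rack-07",
    "platform_id": "plat-0x1a2b",
    "rot_id": "rot-9f8e7d",
    "bios_id": "uefi-2.31-build-4412",
    "os_id": "kvm-host-5.4.0-91",
}
# Field order is part of the canonical encoding; a reordered dict must hash identically.
FIELD_ORDER = ("rack_id", "platform_id", "rot_id", "bios_id", "os_id")


def canonical_encode(label: str, fields: List[Tuple[str, str]]) -> bytes:
    """Unambiguous encoding: domain label, then length-prefixed name/value pairs.
    Length prefixes keep ("ab","c") and ("a","bc") from producing the same bytes."""
    out = bytearray(label.encode() + b"\x00")
    for name, value in fields:
        for part in (name.encode(), value.encode()):
            out += len(part).to_bytes(2, "big") + part
    return bytes(out)


def derive(key: Optional[bytes], label: str, fields: List[Tuple[str, str]]) -> str:
    """Keyed (HMAC-SHA256) when the identity manager holds a secret key, else plain
    SHA-256; both are among the keyed/unkeyed cryptographic options the patent lists."""
    msg = canonical_encode(label, fields)
    if key is None:
        return hashlib.sha256(msg).hexdigest()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def vnfc_unique_id(key: Optional[bytes], platform: dict, vnfc_guid: str, tenant_id: str) -> str:
    """Unique identifier of a VNFC: platform component IDs + VNFC GUID + tenant ID."""
    fields = [(k, platform[k]) for k in FIELD_ORDER]
    fields += [("vnfc_guid", vnfc_guid), ("tenant_id", tenant_id)]
    return derive(key, "VNFC", fields)


def vnf_unique_id(key: Optional[bytes], vnfc_ids: List[str]) -> str:
    """Second unique identifier: hash over the VNF's VNFC identifiers. Sorting (this
    example's choice) makes the VNF ID independent of VNFC instantiation order."""
    return derive(key, "VNF", [("vnfc", i) for i in sorted(vnfc_ids)])


def sfc_unique_id(key: Optional[bytes], vnf_ids: List[str]) -> str:
    """Third unique identifier: hash over the chain's VNF identifiers. A service
    function chain is ordered, so the order is deliberately kept."""
    return derive(key, "SFC", [("vnf", i) for i in vnf_ids])


def platform_matches(key: Optional[bytes], unique_id: str, platform: dict,
                     vnfc_guid: str, tenant_id: str) -> bool:
    """The controller cannot invert the hash; it checks a claimed platform
    configuration by recomputing and comparing in constant time."""
    expected = vnfc_unique_id(key, platform, vnfc_guid, tenant_id)
    return hmac.compare_digest(expected, unique_id)


if __name__ == "__main__":
    key = b"identity-manager-secret"          # assumed to live in the controller's secure storage
    vnfc_a = vnfc_unique_id(key, PLATFORM_P1, "vnfc-148", "tenant-109")
    vnfc_b = vnfc_unique_id(key, PLATFORM_P1, "vnfc-150", "tenant-109")
    vnf = vnf_unique_id(key, [vnfc_a, vnfc_b])
    print("VNFC 148:", vnfc_a)
    print("VNF 164: ", vnf)
    print("SFC:     ", sfc_unique_id(key, [vnf]))
    print("BIOS changed still matches?",
          platform_matches(key, vnfc_a, dict(PLATFORM_P1, bios_id="uefi-2.32"), "vnfc-148", "tenant-109"))
```

A BIOS or OS update changes the recomputed VNFC identifier, which is how the identifier "indicates a platform configuration": the controller learns that the configuration drifted, not which field changed, unless it keeps the original identifiers.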
- the unique identifier, the second unique identifier, and/or the third unique identifier may be utilized in many different processes.
- the unique identifiers may be utilized for initial provision of the NFVI 114 and/or the platform 134, which includes remote provisioning. Further, the unique identifiers may be utilized for updates of the platform 134 and/or NFVI 114, including firmware, unified extensible firmware interface, operating system, open source business library, open source cloud computing software, and/or other software updates.
- the unique identifiers may further be presented at instantiation of communication protocols associated with the unique identifiers, including internet protocol security, secure sockets layer protocol, encryption protocol, and/or accelerator attachment protocol.
- the unique identifiers may be utilized for security.
- the security controller 172 may store one or more lists of identifiers associated with authorized users that may utilize the NFVI 114, a platform (such as the platform PI 134 and the platform Pn 118), a VNF (such as the VNF 164, the VNF 162, the virtualized
- the authorized users may include tenants, administrators, and/or certain software/firmware.
- the security controller 172 may obtain an identifier associated with the requesting entity, such as tenant ID 109.
- the security controller 172 may compare the identifier with a list of identifiers of authorized users for the NFV service to determine whether the requesting entity is authorized to utilize the NFV service.
- in response to the identifier not being in the list of identifiers of authorized users, the security controller 172 may prevent the NFVI 114 from performing the NFV service.
- the security controller 172 may store an identifier associated with the requesting entity in a log, stored on the memory device of, or associated with, the security controller 172, the log including entities that accessed and/or attempted to access the NFV service.
- the RoT may manage and assign the unique identifiers.
- the RoT may access secure timestamps and other security authorization credentials to associate with the unique identifiers.
- the RoT may bind (root) keys to the unique identifiers. The RoT may later utilize the rooted keys to verify the authenticity of the unique identifiers and attest to that authenticity.
- FIG 2 illustrates an example message flow diagram 200 among a VNFC 202 and a security controller 206, which may include an identity manager 204, according to various embodiments.
- the VNFC 202 may include one or more of the features of the VNFC 148 and/or the VNFC 150, described in relation to Figure 1.
- the security controller 206 and/or the identity manager 204 may include one or more of the features of the security controller 172 and/or the identity manager 174, respectively, described in relation to Figure 1.
- the VNFC 202 may transmit a security association establishment message to the identity manager 204.
- the VNFC 202 may transmit the message in response to instantiation of the VNFC 202.
- the identity manager 204 may detect the instantiation of the VNFC 202 based on the message.
- the identity manager 204 may provide a second security association establishment message to the security controller 206.
- the identity manager 204 may provide the second message in response to reception of the message 208.
- the second message may include the same information as the message 208.
- the VNFC 202 may perform operations associated with composition of a platform configuration.
- the VNFC 202 may compose the platform configuration through identification and/or association of one or more resources for utilization in performance of operations associated with the VNFC 202.
- the one or more resources may include one or more of the hardware/software components of the NFVI 114, described in relation to Figure 1, including the platform PI 134, the platform Pn 118, the UEFI BIOS 138, the operating system 140, or some combination thereof.
- the VNFC 202 may transmit an identity request message to the identity manager 204.
- the identity request message may request a unique identifier for the VNFC 202, such as VNFC ID 144, described in relation to Figure 1.
- the identity request message may include one or more identifiers associated with the one or more resources to be utilized by the VNFC 202.
- the one or more identifiers may include the OS ID 142, the BIOS ID 136, the platform ID 130, the RoT ID 124, the rack ID 116, or some combination thereof, as described in relation to Figure 1.
- the identity manager 204 may perform a hash function with the one or more identifiers to generate a unique identifier for the VNFC 202.
- the generation of the unique identifier, by the identity manager 204, for the VNFC 202 may include one or more of the features of generation of the unique identifier by the identity manager 174, as described in relation to Figure 1.
- the identity manager 204 may store the generated unique identifier in a database on a memory device of, or associated with, the security controller 206.
- the unique identifier may indicate a platform configuration of the VNFC 202 based on the unique identifier being generated through a hash operation of the one or more identifiers.
- the identity manager 204 may transmit an identity response message to the VNFC 202.
- the identity response message may include the generated unique identifier for the VNFC 202.
- the VNFC 202 may store the generated unique identifier.
- the identity manager 204 may transmit an identifier register message to the security controller 206.
- the identifier register message may request that the security controller 206 add the generated unique identifier to a log, stored on the memory device of, or associated with, the security controller 206, of VNFCs identifiers.
- the security controller 206 may transmit a VNFC information request message to the identity manager 204.
- the identity manager 204 may transmit a VNFC information message to the security controller 206 in response to the VNFC information request message.
- the VNFC information message may include the generated unique identifier.
- the security controller 206 may add the generated unique identifier to a log, stored on the memory device of, or associated with, the security controller 206, of VNFCs.
- the security controller 206 may further store a list of authorized users associated with the VNFC 202 in the log.
- the authorized users may include tenants, administrators, and/or certain software/firmware.
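The Figure 2 exchange, together with the authorization check and access log from the earlier section, as an added example that is not the patent's code: a VNFC, an identity manager and a security controller modelled as in-process objects passing message dicts. The message names follow the figure; the field names, the SHA-256 over canonical JSON used as the hash operation, and the way the authorized-user list is handed over at registration are assumptions of this example, and the sample identifiers are constructed.

```python
# Added example, not the patent's code: the VNFC / identity manager / security
# controller message flow of Figure 2, plus the controller's authorization check.
import hashlib
import json
from dataclasses import dataclass, field

# Constructed sample identifiers standing in for OS ID 142, BIOS ID 136,
# platform ID 130, RoT ID 124 and rack ID 116.
SAMPLE_PLATFORM = {"os_id": "kvm-5.4", "bios_id": "uefi-2.31", "platform_id": "plat-1a2b",
                   "rot_id": "rot-9f8e", "rack_id": "rack-07"}


def hash_identifiers(ids: dict) -> str:
    # Canonical JSON (sorted keys) so the same configuration always hashes the same.
    return hashlib.sha256(json.dumps(ids, sort_keys=True).encode()).hexdigest()


@dataclass
class SecurityController:
    registry: dict = field(default_factory=dict)    # unique_id -> {"vnfc": name, "authorized": [...]}
    access_log: list = field(default_factory=list)  # (unique_id, requester, "allow" | "deny")

    def on_security_association(self, msg: dict) -> dict:
        # Second security association establishment message, same content as the first.
        return {"type": "sa_ack", "vnfc": msg["vnfc"]}

    def on_identifier_register(self, msg: dict, identity_manager, authorized) -> None:
        # VNFC information request / VNFC information message, then log the identifier.
        info = identity_manager.on_vnfc_info_request({"type": "vnfc_info_request", "vnfc": msg["vnfc"]})
        self.registry[info["unique_id"]] = {"vnfc": info["vnfc"], "authorized": list(authorized)}

    def authorize(self, unique_id: str, requester_id: str) -> bool:
        # Compare the requester (e.g. tenant ID 109) with the authorized list; log every attempt.
        entry = self.registry.get(unique_id)
        allowed = entry is not None and requester_id in entry["authorized"]
        self.access_log.append((unique_id, requester_id, "allow" if allowed else "deny"))
        return allowed


@dataclass
class IdentityManager:
    controller: SecurityController
    db: dict = field(default_factory=dict)          # vnfc name -> unique_id

    def on_security_association(self, msg: dict) -> dict:
        self.controller.on_security_association(dict(msg))   # forwarded unchanged
        return {"type": "sa_ack", "vnfc": msg["vnfc"]}

    def on_identity_request(self, msg: dict, authorized=()) -> dict:
        unique_id = hash_identifiers(msg["identifiers"])      # hash of the platform identifiers
        self.db[msg["vnfc"]] = unique_id
        self.controller.on_identifier_register(
            {"type": "identifier_register", "vnfc": msg["vnfc"]}, self, authorized)
        return {"type": "identity_response", "vnfc": msg["vnfc"], "unique_id": unique_id}

    def on_vnfc_info_request(self, msg: dict) -> dict:
        return {"type": "vnfc_info", "vnfc": msg["vnfc"], "unique_id": self.db[msg["vnfc"]]}


class VNFC:
    def __init__(self, name: str, identity_manager: IdentityManager):
        self.name, self.im, self.unique_id = name, identity_manager, None

    def instantiate(self, platform: dict, authorized) -> str:
        self.im.on_security_association({"type": "sa_establish", "vnfc": self.name})
        # Compose the platform configuration (the resources this VNFC will use) and
        # send it in the identity request.
        resp = self.im.on_identity_request(
            {"type": "identity_request", "vnfc": self.name, "identifiers": dict(platform)}, authorized)
        self.unique_id = resp["unique_id"]                    # VNFC stores its identifier
        return self.unique_id


def run_flow():
    """Instantiate VNFC 148 against the sample platform; returns (controller, manager, id)."""
    sc = SecurityController()
    im = IdentityManager(sc)
    uid = VNFC("vnfc-148", im).instantiate(SAMPLE_PLATFORM, authorized=["tenant-109", "admin-1"])
    return sc, im, uid


if __name__ == "__main__":
    sc, im, uid = run_flow()
    print("VNFC 148 ->", uid)
    print("tenant-109 allowed:", sc.authorize(uid, "tenant-109"))
    print("tenant-666 allowed:", sc.authorize(uid, "tenant-666"))
    print("log:", sc.access_log)
```

The deny path is logged exactly like the allow path, so the controller's log doubles as the record of "entities that accessed and/or attempted to access the NFV service".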
- FIG. 3 illustrates an example message flow 300 diagram among elements of a NFV environment, according to various embodiments.
- the NFV environment may include an orchestrator 302, a VIM 304, a nova agent NFVI 306, an OS/virtual machine manager (VMM) NFVI 308, an identity manager 310, a RoT/trusted execution environment (TEE) 312, a security controller 314 and/or a VNFM 316.
- the NFV environment may include one or more of the features of the NFV environment 100, described in relation to Figure 1.
- the orchestrator 302 may include one or more features of the orchestrator 168;
- the VIM 304 may include one or more of the features of the VIM 176;
- the nova agent NFVI 306 and/or the OS/VMM NFVI 308 may include one or more of the features of the NFVI 114;
- the identity manager 310 may include one or more of the features of the identity manager 174;
- the RoT/TEE 312 may include one or more of the features of the CSME 126;
- the security controller 314 may include one or more of the features of the security controller 172; and
- the VNFM may include one or more of the features of the VNFM 170.
- the nova agent NFVI 306 may be utilized for operation of a cloud server that implements the NFV environment.
- the nova agent NFVI 306 may provide means of interacting with the cloud server through an application program interface of a cloud control panel.
- the nova agent NFVI 306 may perform startup functions of the cloud server including configuring the cloud server's network, establishing the cloud server's hostname, and/or setting the cloud server's root or admin passwords.
- the OS/VMM NFVI 308 may be utilized for management of an NFVI (such as the NFVI 114, described in relation to Figure 1) and/or a virtual machine or virtualized datacenter provided by the NFV environment.
- the OS/VMM NFVI 308 may enable configuration and management of a virtualization host, networking and/or storage management for the NFV environment.
- the VIM 304 may transmit a request for platform identifiers to the identity manager 310.
- the VIM 304 may transmit the request for platform identifiers in response to the establishment of the NFV environment, introduction of new platforms into the NFV environment, identification of a platform within the NFV environment which does not have a platform identifier associated with the platform, or some combination thereof.
- the identity manager 310 may generate a unique identifier for each of the platforms in the NFV environment not already associated with a platform identifier and may transmit the unique identifiers to the VIM 304 for association with each corresponding platform.
- the RoT/TEE 312 may be associated with an NFVI of the NFV environment.
- the RoT/TEE 312 may transmit a list of platform identifiers corresponding to platforms within the NFVI to the security controller 314.
- the RoT/TEE 312 may transmit the list in response to the VIM 304 receiving the platform identifiers from the identity manager 310 and/or the VIM 304 associating the platform identifiers with each corresponding platform.
- the security controller 314 may store the list of the platform identifiers and indications of which platform each of the platform identifiers is associated with.
- the VIM 304 may compose the platform.
- the VIM 304 may compose the platform by associating the platform identifiers with each of the corresponding platforms within the NFVI of the NFV environment.
- the VIM 304 may identify the components (such as the FPGA 132, the cores 120, the I/O and/or NIC 122, the CSME 126, and/or the busses and/or interconnects 128 as described in relation to Figure 1) associated with each of the platforms within the NFVI.
- the VIM 304 may store information that indicates the components included in each of the platforms and the platform which each of the components is associated with.
- the OS/VMM NFVI 308 may transmit a request for a timestamp from the RoT/TEE 312.
- the OS/VMM NFVI 308 may transmit the request for the timestamp in response to a request for instantiation of a VNF and/or a VNFC.
- the RoT/TEE 312 may respond to the request by transmitting a timestamp corresponding to the time of reception of the request to the OS/VMM NFVI 308.
- the timestamp from the RoT/TEE 312 may be a secure timestamp.
- the secure timestamps may be generated by a trusted source that host software (the OS/VMM and anything running above it) cannot forge; the timestamp is only as trustworthy as the isolation of that source from the host.
- trusted sources include Intel Software Guard Extensions (SGX), the Intel Converged Security and Manageability Engine (CSME), and the Intel Innovation Engine (IE).
- the OS/VMM NFVI 308 may assign the secure timestamp to a VNF and/or a VNFC upon instantiation.
- the orchestrator 302 may transmit to the VNFM 316 an indication that an event associated with a VNF life cycle has occurred.
- the orchestrator 302 may transmit the indication in response to a request for instantiation of a VNF and/or a VNFC.
- the indication may indicate that a request for instantiation of the VNF and/or the VNFC has been received by the orchestrator 302.
- the VNFM 316 may transmit a request and/or instructions to the VIM 304 to instantiate a VNF and/or a VNFC.
- the VNFM 316 may transmit the request and/or instructions in response to reception, from the orchestrator 302, of the indication that an event associated with the VNF life cycle has occurred.
- the request and/or instructions may include an indication of the VNF and/or the VNFC to be instantiated, a list of the types of NFVI components (such as the platform P1 134, the platform Pn 118, the OS 140 and/or the UEFI BIOS 138, as described in relation to Figure 1) to be utilized by the VNF and/or the VNFC, or some combination thereof.
- the VIM 304 may transmit a request for VNF and/or VNFC identifiers from the identity manager 310.
- the VIM 304 may transmit the request in response to reception of the request and/or instructions from the VNFM 316 to instantiate the VNF and/or the VNFC.
- the request for VNF and/or VNFC identifiers may include a list of identifiers for one or more VNFCs (such as VNFC ID 144, Vswitch ID 152 and/or SecMon ID 156, described in relation to Figure 1) and/or components of an NFVI (such as OS ID 142, BIOS ID 136, platform ID 130, RoT ID 124, and/or rack ID 116, as described in relation to Figure 1) to be associated with the VNF and/or the VNFC to be instantiated.
- the identity manager 310 may generate one or more unique identifiers to be associated with the VNF and/or VNFC to be instantiated.
- the identity manager 310 may generate the one or more unique identifiers through the process of generation of unique identifiers described in relation to Figure 1, including application of a hash operation (such as any of the hash operations described in relation to Figure 1) to the list of identifiers to be associated with the VNF and/or the VNFC to be instantiated.
- the identity manager 310 may transmit the generated one or more unique identifiers to the VIM 304 for association, by the VIM 304, with the VNF and/or the VNFC to be instantiated.
- the identity manager 310 may register the generated one or more unique identifiers, for association with the VNF and/or the VNFC to be instantiated, with the security controller 314.
- the identity manager 310 may provide the security controller 314 with the unique identifiers and/or indications of the VNF and/or the VNFC with which each unique identifier is to be associated.
- the security controller 314 may store the unique identifiers and/or the indications in a log in a memory device of, or associated with, the security controller 314.
- the identity manager 310 may further provide the security controller 314 with a list of authorized users that may utilize the VNF and/or the VNFC to be instantiated, which the security controller 314 may store in association with each unique identifier. In other embodiments, the security controller 314 may generate the list of authorized users that may utilize the VNF and/or the VNFC and associate the list with each unique identifier provided by the identity manager 310.
- the VIM 304 may transmit a spin-up VNF request to the nova agent NFVI 306.
- the VIM 304 may transmit the spin-up VNF request in response to reception, by the VIM 304, of the unique identifiers for association with the VNF and/or VNFC to be instantiated from the identity manager 310.
- the spin-up VNF request may include the unique identifiers for association with the VNF and/or VNFC to be instantiated and/or a request that one or more components of the NFVI (such as the platform P1 134, the platform Pn 118, the OS 140 and the UEFI BIOS 138, as described in relation to Figure 1) associated with the nova agent NFVI 306 be associated with the VNF and/or VNFC to be instantiated.
- the nova agent NFVI 306 may transmit a spin-up VNF request to the OS/VMM NFVI 308.
- the nova agent NFVI 306 may transmit the spin-up VNF request in response to reception of the spin-up VNF request from the VIM 304.
- the spin-up VNF request transmitted by the nova agent NFVI 306 may include the same information as the spin-up VNF request transmitted by the VIM 304.
- the nova agent NFVI 306 may translate the spin-up VNF request received from the VIM 304 into computer code and/or a format that is operable by the OS/VMM NFVI 308.
- the OS/VMM NFVI 308 may transmit a signal to the RoT/TEE 312 that attests to the unique identifiers to be associated with the VNF and/or VNFC to be instantiated.
- the OS/VMM NFVI 308 may transmit the signal in response to reception of the spin-up VNF request from the nova agent NFVI 306.
- the RoT/TEE 312 may add the unique identifiers to a list of trusted applications/functions.
- the OS/VMM NFVI 308 may instantiate the VNF and/or the VNFC.
- the OS/VMM NFVI 308 may instantiate the VNF and/or the VNFC in response to reception of the spin-up VNF request received from the nova agent NFVI 306.
- the OS/VMM NFVI 308 may register the instantiated VNF and/or the VNFC with the security controller 314.
- the OS/VMM NFVI 308 may register the instantiated VNF and/or the VNFC through transmission of an indication that the VNF and/or the VNFC has been instantiated, and/or transmission of the unique identifier associated with the VNF and/or the VNFC.
- a VNF and/or VNFC may send a registration/activation message to the security controller 314.
- the VIM 304, the nova agent NFVI 306, the OS/VMM NFVI 308, the VNFM 316, or some combination thereof, may provide the registration/activation message to the security controller 314.
- the security controller 314 may be communicatively coupled to a secure storage device and may store information in the secure storage device.
- the security controller 314 may store logs, audit trails, traces, or some combination thereof, in the secure storage device.
- the security controller 314 may further store corresponding identities and/or timestamps with the logs, audit trails, traces, or some combination thereof, in the secure storage device.
- the timestamps may include the timestamp and/or secure timestamp obtained by the OS/VMM NFVI 308 in 324.
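As an added illustration (not code from the patent), the identifier-derivation and registration path of message flow 300 written out in Python: the identity manager hashes the platform component identifiers together with the VNFC's own globally unique identifier, the security controller logs the result with the secure timestamp and the tenant/authorized-user binding, and a VNF identifier is derived from its VNFC identifiers (the behaviour Examples 1-12 below claim). The component identifiers, tenants, users and the timestamp source are constructed stand-ins, and the encoding under the hash is a design choice of this example: the patent only says "a hash operation", and plain concatenation of the identifiers would let different identifier lists collide.

```python
"""Added example, not the patent's code: identity manager, security controller
and RoT timestamp source of message flow 300 as plain Python. All identifiers,
tenants, users and the timestamp source are constructed stand-ins."""
import hashlib
import json
from typing import Dict, List


class TrustedTimeSource:
    """Stand-in for the RoT/TEE secure timestamp (CSME/SGX in the text): a
    monotonic counter seeded with a fixed value so the example is reproducible."""

    def __init__(self, start: int = 1_700_000_000) -> None:
        self._now = start

    def secure_timestamp(self) -> int:
        self._now += 1
        return self._now


def canonical_bytes(domain: str, fields: Dict[str, object]) -> bytes:
    """Unambiguous encoding of the identifier list: sorted-key JSON under a
    domain tag. Plain concatenation would let 'ab'+'c' and 'a'+'bc' collide,
    and the tag keeps VNFC and VNF identifiers in separate hash domains."""
    return json.dumps({"domain": domain, "fields": fields},
                      sort_keys=True, separators=(",", ":")).encode("utf-8")


def derive_vnfc_id(components: Dict[str, str], vnfc_guid: str) -> str:
    """Hash the platform component identifiers and the VNFC's GUID (Example 3)."""
    fields: Dict[str, object] = dict(components)
    fields["vnfc_guid"] = vnfc_guid
    return hashlib.sha256(canonical_bytes("vnfc-id-v1", fields)).hexdigest()


def derive_vnf_id(vnf_guid: str, vnfc_ids: List[str]) -> str:
    """Derive the VNF identifier from its VNFC identifiers (Example 9)."""
    fields: Dict[str, object] = {"vnf_guid": vnf_guid, "vnfc_ids": sorted(vnfc_ids)}
    return hashlib.sha256(canonical_bytes("vnf-id-v1", fields)).hexdigest()


class SecurityController:
    """Stand-in for security controller 314: a log keyed by unique identifier,
    holding entity, tenant, authorized users and the instantiation timestamp."""

    def __init__(self) -> None:
        self.log: Dict[str, dict] = {}

    def register(self, uid: str, entity: str, tenant_id: str,
                 authorized_users: List[str], timestamp: int) -> None:
        # A second registration of the same identifier is either a replayed
        # spin-up request or a collision; refuse rather than overwrite.
        if uid in self.log:
            raise ValueError(f"identifier already registered: {uid[:12]}")
        self.log[uid] = {"entity": entity, "tenant": tenant_id,
                         "authorized": set(authorized_users), "timestamp": timestamp}

    def is_authorized(self, uid: str, user: str) -> bool:
        """Unknown identifiers and unlisted users are both refused (Example 7)."""
        record = self.log.get(uid)
        return record is not None and user in record["authorized"]


def instantiate_vnfc(controller: SecurityController, rot: TrustedTimeSource,
                     components: Dict[str, str], vnfc_guid: str,
                     tenant_id: str, authorized_users: List[str]) -> str:
    """VIM -> identity manager -> security controller path of flow 300,
    collapsed into one call that returns the VNFC identifier."""
    timestamp = rot.secure_timestamp()           # OS/VMM asks the RoT/TEE for it
    uid = derive_vnfc_id(components, vnfc_guid)  # identity manager generates it
    controller.register(uid, "VNFC", tenant_id, authorized_users, timestamp)
    return uid


# Constructed sample platform, as the VIM would have composed it.
PLATFORM_P1 = {
    "rack_id": "rack-07", "rot_id": "csme-5f3a9c", "platform_id": "P1",
    "bios_id": "uefi-2.71", "os_id": "nfvi-os-5.4", "vmm_id": "kvm-4.2",
}

if __name__ == "__main__":
    sc, rot = SecurityController(), TrustedTimeSource()
    vswitch = instantiate_vnfc(sc, rot, PLATFORM_P1, "vswitch-guid-0001", "tenant-A", ["alice"])
    secmon = instantiate_vnfc(sc, rot, PLATFORM_P1, "secmon-guid-0002", "tenant-A", ["alice", "bob"])
    print(derive_vnf_id("vnf-guid-0100", [vswitch, secmon]))
    print(sc.is_authorized(vswitch, "alice"), sc.is_authorized(vswitch, "bob"))
```

Changing any one component identifier (a BIOS update, a migration to another rack) yields a different VNFC identifier, which is the property the log relies on; a deployment therefore has to decide whether such a change is a re-instantiation that gets a fresh identifier or an event to record against the old one.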
- one or more of the messages disclosed in relation to the message flow diagram 200 and/or the message flow diagram 300 may be protected and/or encrypted.
- an RoT, such as the RoT/TEE 312, may be utilized to protect and/or encrypt the messages. Further, the protection and/or encryption of the messages may be based on secure timestamps associated with the messages, VNFs corresponding to the messages, VNFMs corresponding to the messages, or some combination thereof.
- the messages may be protected by Secure Sockets Layer (SSL), Transport Layer Security (TLS), Internet Protocol Security (IPsec), message-wise protection, or some combination thereof. (SSL is obsolete and a current deployment would use TLS 1.2 or later; message-wise protection, such as a signature or MAC over each message, is what lets entries in the security controller's log be verified after the fact, since transport protection ends at the socket.)
- FIG 4 illustrates an example flow diagram 400 of operations within an NFV environment, according to various embodiments.
- an identity manager (such as identity manager 174 of Figure 1, identity manager 204 of Figure 2, and/or identity manager 310 of Figure 3) may assign a globally unique identifier to one or more NFVI components (such as VNF 164, VNF-N 162, virtualized switch/router 160, virtualized security function 158, OS 140, UEFI BIOS 138, platform P1 134, platform Pn 118, FPGA 132, cores 120, I/O and/or NIC 122, CSME 126, and/or busses and/or interconnects 128).
- the identity manager may provide the globally unique identifiers and/or indications of the assignment of the globally unique identifiers with the one or more NFVI components for storage in a secure logging service 412.
- the secure logging service 412 may include a security controller (such as security controller 172 of Figure 1, security controller 206 of Figure 2, and/or security controller 314 of Figure 3) that may store the globally unique identifiers and/or indications of the assignment of the globally unique identifiers with the one or more NFVI components.
- an NFVI (such as NFVI 114 of Figure 1) may communicate with the identity manager to retrieve component identities for the one or more NFVI components.
- a RoT of the NFVI may cryptographically bind the component identities to the corresponding NFVI components.
- the cryptographic binding of the component identities to the corresponding NFVI components may be provided to the secure logging service 412 for storage.
- an OS service (such as OS 140 of Figure 1) may communicate with the identity manager regarding events that occur during VNF life cycles, such as at instantiation, activation, deletion, migration, or some combination thereof.
- the identity manager may assign unique identifiers to each of the VNF instances and may communicate with the OS service to embed the unique identifiers in the corresponding VNF descriptors.
- the assigned unique identifiers may be provided to the secure logging service 412 for storage.
- a VNFM (such as the VNFM 170 of Figure 1 and/or the VNFM 316 of Figure 3) and/or a VIM (such as the VIM 176 of Figure 1 and/or the VIM 304 of Figure 3) may transmit a VNF image and/or VNF descriptor for a unique VNF instance to the platform on which the VNF is to be instantiated.
- the platform, the VNFM, and/or the VIM may provide information regarding the transmission of the VNF image and/or the VNF descriptor to the secure logging service 412 for storage.
- an OS of the NFVI may deliver the unique identifier for a VNF instance as an instantiation 'command line' parameter, which may be sent into the VNF instance.
- the RoT may deliver a signed/attested 'command line' parameter set into the VNF instance.
- the VNF instance may utilize the signed/attested 'command line' parameter set to register the VNF instance with the security controller.
- the signed/attested 'command line' parameter set may be provided to the secure logging service 412 for storage.
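The signed/attested 'command line' parameter set and the registration it enables, as an added example that is not the patent's code. A stand-in for the RoT signs the parameters delivered into the VNF instance; the VNF hands the same command line to the security controller, which verifies the signature in constant time, checks that the VNF identifier was actually assigned by the identity manager, and rejects a replayed parameter set. HMAC-SHA256 under a key assumed to be shared between the RoT and the security controller stands in for the RoT's attestation signature; the key, identifiers and nonce are constructed.

```python
"""Added example, not the patent's code: the signed/attested 'command line'
parameter set of Figure 4, signed by a RoT stand-in, delivered to the VNF
instance, and verified by the security controller at registration. HMAC-SHA256
under a key assumed to be shared by RoT and controller stands in for the RoT's
attestation signature; all keys, identifiers and nonces are constructed."""
import hashlib
import hmac
import shlex
from typing import Dict, List, Set

ATTESTATION_KEY = b"constructed-rot-key-not-for-real-use"   # assumption: RoT-held key
SIGNED_FIELDS = ("vnf-id", "platform-id", "rot-id", "ts", "nonce")

# Constructed parameter set for one VNF instance.
SAMPLE_PARAMS: Dict[str, str] = {
    "vnf-id": "vnf-3f1c9ad2", "platform-id": "P1", "rot-id": "csme-5f3a9c",
    "ts": "1700000001", "nonce": "n-0001",
}


def _mac_input(params: Dict[str, str]) -> bytes:
    """Fixed field order with length prefixes, so the MAC covers exactly the
    signed fields and a re-ordered or padded parameter list cannot verify."""
    out = b""
    for name in SIGNED_FIELDS:
        value = params[name].encode("utf-8")   # KeyError if a signed field is absent
        out += len(value).to_bytes(2, "big") + value
    return out


def rot_sign_parameters(params: Dict[str, str]) -> str:
    """RoT side: build the instantiation command line and append --sig."""
    missing = [f for f in SIGNED_FIELDS if f not in params]
    if missing:
        raise ValueError(f"parameter set is missing {missing}")
    sig = hmac.new(ATTESTATION_KEY, _mac_input(params), hashlib.sha256).hexdigest()
    args = [f"--{name}={shlex.quote(params[name])}" for name in SIGNED_FIELDS]
    return " ".join(args + [f"--sig={sig}"])


def parse_command_line(cmdline: str) -> Dict[str, str]:
    """VNF side: recover the parameters exactly as the OS delivered them."""
    params: Dict[str, str] = {}
    for token in shlex.split(cmdline):
        if not token.startswith("--") or "=" not in token:
            raise ValueError(f"unexpected parameter {token!r}")
        key, value = token[2:].split("=", 1)
        if key in params:
            raise ValueError(f"duplicate parameter {key!r}")   # last-wins parsing is an easy bypass
        params[key] = value
    return params


class RegistrationVerifier:
    """Security controller side. A registration is accepted only if the
    signature verifies, the VNF identifier was logged by the identity manager,
    and the nonce has not been seen before (a replayed parameter set)."""

    def __init__(self, logged_vnf_ids: Set[str]) -> None:
        self.logged_vnf_ids = set(logged_vnf_ids)
        self.seen_nonces: Set[str] = set()
        self.registered: List[str] = []

    def register(self, cmdline: str) -> bool:
        try:
            params = parse_command_line(cmdline)
            expected = hmac.new(ATTESTATION_KEY, _mac_input(params), hashlib.sha256).hexdigest()
        except (ValueError, KeyError):
            return False
        # constant-time comparison so the check does not leak how much of the tag matched
        if not hmac.compare_digest(expected.encode(), params.get("sig", "").encode()):
            return False
        if params["vnf-id"] not in self.logged_vnf_ids:
            return False    # validly signed, but never assigned by the identity manager
        if params["nonce"] in self.seen_nonces:
            return False    # replay of an earlier instance's parameter set
        self.seen_nonces.add(params["nonce"])
        self.registered.append(params["vnf-id"])
        return True


if __name__ == "__main__":
    cmdline = rot_sign_parameters(SAMPLE_PARAMS)
    verifier = RegistrationVerifier({SAMPLE_PARAMS["vnf-id"]})
    print(cmdline)
    print("first registration:", verifier.register(cmdline))
    print("replayed:", verifier.register(cmdline))
```

The nonce is what ties the parameter set to one instantiation: without it, a copied command line from an earlier, legitimately attested instance would register a second VNF under the same identity, and the secure log would show one entity where two are running.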
- Figure 5 illustrates an example computing device 500 that may
- computing device 500 may include a number of components, such as one or more processor(s) 504 (one shown) and at least one communication chip 506.
- the one or more processor(s) 504 each may include one or more processor cores.
- the at least one communication chip 506 may be physically and electrically coupled to the PCB 502.
- computing device 500 may include printed circuit board (PCB) 502.
- the one or more processor(s) 504 and communication chip 506 may be disposed thereon.
- the various components may
- computing device 500 may include other components that may or may not be physically and electrically coupled to the PCB 502. These other components include, but are not limited to, memory controller 526, volatile memory (e.g., dynamic random access memory (DRAM) 520), non-volatile memory such as read only memory (ROM) 524, flash memory 522, storage device 554 (e.g., a hard-disk drive (HDD)), an I/O controller 541, a digital signal processor (not shown), a crypto processor (not shown), a graphics processor 530, one or more antenna 528, a display (not shown), a touch screen display 532, a touch screen controller 546, a battery 536, an audio codec (not shown), a video codec (not shown), a global positioning system (GPS), a gyroscope (not shown), a speaker 550, a camera 552, and a mass storage device (such as a hard disk drive, a solid state drive, compact disk (CD), digital versatile disk (DVD)) (not shown), and so forth.
- flash memory 522 and/or storage device 554 may include associated firmware (not shown) storing programming instructions configured to enable computing device 500, in response to execution of the programming instructions by one or more processor(s) 504, to practice all or selected aspects of the methods described herein. In various embodiments, these aspects may additionally or alternatively be implemented using hardware separate from the one or more processor(s) 504, flash memory 522, or storage device 554.
- the communication chips 506 may enable wired and/or wireless communications for the transfer of data to and from the computing device 500.
- wireless and its derivatives may be used to describe circuits, devices, systems, methods,
- the communication chip 506 may implement any of a number of wireless standards or protocols, including but not limited to IEEE
- LTE Long Term Evolution
- LTE-A LTE Advanced
- GPRS General Packet Radio Service
- Ev-DO Evolution-Data Optimized
- HSPA+ Evolved High Speed Packet Access
- HSDPA+ Evolved High Speed Downlink Packet Access
- HSUPA+ Evolved High Speed Uplink Packet Access
- GSM Global System for Mobile Communications
- EDGE Enhanced Data rates for GSM Evolution
- CDMA Code Division Multiple Access
- TDMA Time Division Multiple Access
- the computing device 500 may include a plurality of communication chips 506.
- a first communication chip 506 may be dedicated to shorter range wireless communications such as Wi-Fi and Bluetooth, and a second communication chip 506 may be dedicated to longer range wireless communications such as GPS, EDGE, GPRS, CDMA, WiMAX, LTE, Ev-DO, and others.
- the computing device 500 may be a laptop, a netbook, a notebook, an ultrabook, a smartphone, a computing tablet, a personal digital assistant (PDA), an ultra-mobile PC, a mobile phone, a desktop computer, a server, a printer, a scanner, a monitor, a set-top box, an entertainment control unit (e.g., a gaming console or automotive entertainment unit), a digital camera, an appliance, a portable music player, or a digital video recorder.
- the computing device 500 may be any other electronic device that processes data.
- Figure 6 illustrates an example computer-readable storage medium that may employ the apparatuses and/or methods described herein.
- the present disclosure may be embodied as methods or computer program products. Accordingly, the present disclosure, in addition to being embodied in hardware as earlier described, may take the form of an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to as a "circuit," "module" or "system."
- present disclosure may take the form of a computer program product embodied in any tangible or non-transitory medium of expression having computer-usable program code embodied in the medium.
- Figure 6 illustrates an example computer-readable non-transitory storage medium that may be suitable for use to store instructions that cause an apparatus, in response to execution of the instructions by the apparatus, to practice selected aspects of the present disclosure.
- non-transitory computer-readable storage medium 602 may include a number of programming instructions 604.
- Programming instructions 604 may be configured to enable a device, e.g., computer 500, in response to execution of the programming instructions, to implement (aspects of) the NFV environment 100 (including the tenant management portion 102, the operation management portion 106, and/or the NFV infrastructure portion 104), the VNFC 202, the identity manager 204, the security controller 206, the orchestrator 302, the VIM 304, the nova agent NFVI 306, the
- programming instructions 604 may be disposed on multiple computer-readable non-transitory storage media 602 instead. In still other embodiments, programming instructions 604 may be disposed on computer-readable transitory storage media 602, such as, signals.
- the computer-usable or computer-readable medium may be, for example but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, device, or propagation medium. More specific examples (a non- exhaustive list) of the computer-readable medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a transmission media such as those supporting the Internet or an intranet, or a magnetic storage device.
- the computer- usable or computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted, or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory.
- a computer-usable or computer- readable medium may be any medium that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
- the computer- usable medium may include a propagated data signal with the computer-usable program code embodied therewith, either in baseband or as part of a carrier wave.
- the computer usable program code may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc.
- Computer program code for carrying out operations of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages.
- the program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server.
- the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
- These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
- These computer program instructions may also be stored in a computer-readable medium that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable medium produce an article of manufacture including instruction means which implement the function/act specified in the flowchart and/or block diagram block or blocks.
- the computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
- Example 1 may include an apparatus for identity management of virtualized entities comprising a memory device with instructions stored thereon, and one or more processors that, in response to execution of the instructions stored on the memory device, are to detect an instantiation of a virtualized network function component (VNFC), obtain identifiers for components of a platform based on the detected instantiation, the platform to implement the VNFC, generate a unique identifier based on the identifiers for the components of the platform, and assign the unique identifier to the VNFC.
- Example 2 may include the apparatus of example 1, wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further perform a hash operation on the identifiers to generate the unique identifier.
- Example 3 may include the apparatus of any of the examples 1 and 2, wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further obtain a globally unique identifier associated with the VNFC, and perform a hash operation on the identifiers and the globally unique identifier to generate the unique identifier.
- Example 4 may include the apparatus of any of the examples 1-3, wherein the identifiers for the components of the platform include one or more identifiers selected from the group consisting of a rack identifier, a root of trust identifier, a platform identifier, a basic input/output system identifier, an operating system identifier, and a virtual machine manager identifier.
- Example 5 may include the apparatus of any of the examples 1-4, wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further obtain a tenant identifier for a tenant that requests use of the VNFC, and associate the unique identifier with the tenant identifier.
- Example 6 may include the apparatus of example 5, wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further store, in a log on the memory device, the tenant identifier with the associated unique identifier.
- Example 7 may include the apparatus of any of the examples 1-6, wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further obtain a tenant identifier for a tenant that requests use of the VNFC, determine that the tenant is not authorized to utilize the VNFC based on the tenant identifier, and prevent use of the VNFC by the tenant based on the determination that the tenant is not authorized.
- Example 8 may include the apparatus of any of the examples 1-7, wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further receive an instantiation request of a virtualized network function (VNF) from a cloud operating system (OS) service, determine that the VNF is to utilize the VNFC based on the instantiation request, and transmit, to the cloud OS service, the unique identifier assigned to the VNFC for association with a root of trust (RoT) associated with the VNF.
- Example 9 may include the apparatus of example 8, wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further generate a second unique identifier based on the unique identifier assigned to the VNFC, assign the second unique identifier to the VNF, and register the second unique identifier assigned to the VNF.
- Example 10 may include the apparatus of any of the examples 8 and 9, wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further retrieve a secure timestamp based on the instantiation request, associate the secure timestamp with the unique identifier assigned to the VNFC, and transmit, to the cloud OS service, the secure timestamp with the unique identifier for association with the RoT.
- Example 11 may include the apparatus of any of the examples 9 and 10, wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further log operations, performed by the VNF, associated with the second unique identifier, and store the logged operations on the memory device.
- Example 12 may include the apparatus of any of the examples 1-11, wherein the unique identifier is assigned to the VNFC by a root of trust (RoT) of the apparatus, and wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further log the unique identifier in the RoT for management by the RoT.
- Example 13 may include a method for virtualized entity identity management, comprising obtaining identifiers for components of a platform in response to instantiation of a virtualized network function component (VNFC), the platform to implement the VNFC, generating a unique identifier for the VNFC based on the identifiers for the components of the platform, and assigning the unique identifier to the VNFC.
- Example 14 may include the method of example 13, further comprising performing a hash operation on the identifiers for the components of the platform, wherein the unique identifier is set to a result of the hash operation.
- Example 15 may include the method of any of the examples 13 and 14, further comprising obtaining a globally unique identifier associated with the VNFC and performing a hash operation on the identifiers for the components of the platform and the globally unique identifier associated with the VNFC, wherein the unique identifier is set to a result of the hash operation.
- Example 16 may include the method of any of the examples 13-15, wherein the identifiers for the components of the platform include one or more identifiers selected from the group consisting of a rack identifier, a root of trust identifier, a platform identifier, a basic input/output system identifier, an operating system identifier and a virtual machine manager identifier.
- Example 17 may include the method of any of the examples 13-16, further comprising obtaining a tenant identifier for a tenant that requests use of the VNFC, and associating the unique identifier with the tenant identifier.
- Example 18 may include the method of example 17, further comprising storing, in a log, the tenant identifier with the associated unique identifier.
- Example 19 may include the method of any of the examples 13-18, further comprising obtaining a tenant identifier for a tenant that requests use of the VNFC, determining that the tenant is not authorized to utilize the virtualized network function based on the tenant identifier, and preventing use of the VNFC by the tenant based on the determination that the tenant is not authorized.
- Example 20 may include the method of any of the examples 13-19, further comprising receiving an instantiation request of a virtualized network function (VNF) from a cloud operating system (OS) service, determining that the VNF is to utilize the VNFC based on the instantiation request, and transmitting, to the cloud OS service, the unique identifier assigned to the VNFC for association with a root of trust associated with the VNF.
- Example 21 may include the method of example 20, further comprising generating a second unique identifier based on the unique identifier assigned to the VNFC, assigning the second unique identifier to the VNF, and registering the second unique identifier assigned to the VNF.
- Example 22 may include the method of example 21, further comprising logging operations, performed by the VNF, associated with the second unique identifier.
- Example 23 may include the method of any of the examples 13-22, further comprising retrieving a secure timestamp based on the instantiation of the VNFC, associating the secure timestamp with the unique identifier assigned to the VNFC, and transmitting, to a network function virtualization (NFV) infrastructure, the secure timestamp with the unique identifier for association with a root of trust (RoT) of the platform.
- Example 24 may include the method of any of the examples 13-23, wherein the unique identifier is generated by a root of trust (RoT) of the platform, and wherein the method further comprises logging the unique identifier in the RoT for management by the RoT.
- Example 25 may include one or more computer-readable media having instructions stored thereon, wherein the instructions, in response to execution by a device, cause the device to process an instantiation request from a network function virtualization
- Example 26 may include the one or more computer-readable media of example 25, wherein the instructions, in response to execution by the device, cause the device to further perform a hash operation on the identifiers for the components of the platform, wherein the unique identifier is set to a result of the hash operation.
- Example 27 may include the one or more computer-readable media of any of the examples 25 and 26, wherein the instructions, in response to execution by the device, cause the device to further extract, from the instantiation request, a globally unique identifier associated with the VNFC, and perform a hash operation on the identifiers for the components of the platform and the globally unique identifier associated with the VNFC, wherein the unique identifier is set to a result of the hash operation.
- Example 28 may include the one or more computer-readable media of any of the examples 25-27, wherein the identifiers for the components of the platform include one or more identifiers selected from the group consisting of a rack identifier, a root of trust identifier, a platform identifier, a basic input/output system identifier, an operating system identifier and a virtual machine manager identifier.
- Example 29 may include the one or more computer-readable media of any of the examples 25-28, wherein the instructions, in response to execution by the device, cause the device to further obtain a tenant identifier for a tenant that requests use of the VNFC, and associate the unique identifier with the tenant identifier.
- Example 30 may include the one or more computer-readable media of example 29, wherein the instructions, in response to execution by the device, cause the device to further store, in a log, the tenant identifier with the associated unique identifier.
- Example 31 may include the one or more computer-readable media of any of the examples 25-30, wherein the instructions, in response to execution by the device, cause the device to further obtain a tenant identifier for a tenant that requests use of the VNFC, determine that the tenant is not authorized to utilize the virtualized network function based on the tenant identifier, and prevent use of the VNFC by the tenant based on the determination that the tenant is not authorized.
- Example 32 may include the one or more computer-readable media of any of the examples 25-31, wherein the instructions, in response to execution by the device, cause the device to further receive an instantiation request of a virtualized network function (VNF) from a cloud operating system (OS) service, determine that the VNF is to utilize the VNFC based on the instantiation request, and transmit, to the cloud OS service, the unique identifier assigned to the VNFC for association with a root of trust (RoT) associated with the VNF.
- Example 33 may include the one or more computer-readable media of example 32, wherein the instructions, in response to execution by the device, cause the device to further generate a second unique identifier based on the unique identifier assigned to the VNFC, assign the second unique identifier to the VNF, and register the second unique identifier assigned to the VNF.
- Example 34 may include the one or more computer-readable media of example 33, wherein the instructions, in response to execution by the device, cause the device to further log operations, performed by the VNF, associated with the second unique identifier.
- Example 35 may include the one or more computer-readable media of any of the examples 25-34, wherein the instructions, in response to execution by the device, cause the device to further retrieve a secure timestamp based on the instantiation request, associate the secure timestamp with the unique identifier assigned to the VNFC, and transmit, to the NFV infrastructure, the secure timestamp with the unique identifier for association with a root of trust (RoT) of the platform.
- Example 36 may include the one or more computer-readable media of any of the examples 25-35, wherein the unique identifier is generated by a root of trust (RoT) of the platform, and wherein the instructions, in response to execution by the device, cause the device to further log the unique identifier in the RoT for management by the RoT.
- Example 37 may include an apparatus for virtualized entity identity management, comprising means for obtaining identifiers for components of a platform in response to instantiation of a virtualized network function component (VNFC), the platform to implement the VNFC, means for generating a unique identifier for the VNFC based on the identifiers for the components of the platform, and means for assigning the unique identifier to the VNFC.
- Example 38 may include the apparatus of example 37, further comprising means for performing a hash operation on the identifiers for the components of the platform, wherein the unique identifier is set to a result of the hash operation.
- Example 39 may include the apparatus of any of the examples 37 and 38, further comprising means for obtaining a globally unique identifier associated with the VNFC, and means for performing a hash operation on the identifiers for the components of the platform and the globally unique identifier associated with the VNFC, wherein the unique identifier is set to a result of the hash operation.
- Example 40 may include the apparatus of any of the examples 37-39, wherein the identifiers for the components of the platform include one or more identifiers selected from the group consisting of a rack identifier, a root of trust identifier, a platform identifier, a basic input/output system identifier, an operating system identifier and a virtual machine manager identifier.
- Example 41 may include the apparatus of any of the examples 37-40, further comprising means for obtaining a tenant identifier for a tenant that requests use of the VNFC, and means for associating the unique identifier with the tenant identifier.
- Example 42 may include the apparatus of example 41, further comprising means for storing, in a log, the tenant identifier with the associated unique identifier.
- Example 43 may include the apparatus of any of the examples 37-42, further comprising means for obtaining a tenant identifier for a tenant that requests use of the VNFC, means for determining that the tenant is not authorized to utilize the VNFC based on the tenant identifier, and means for preventing use of the VNFC by the tenant based on the determination that the tenant is not authorized.
- Example 44 may include the apparatus of any of the examples 37-43, further comprising means for receiving an instantiation request of a virtualized network function (VNF) from a cloud operating system (OS) service, means for determining that the VNF is to utilize the VNFC based on the instantiation request, and means for transmitting, to the cloud OS service, the unique identifier assigned to the VNFC for association with a root of trust (RoT) associated with the VNF.
- Example 45 may include the apparatus of example 44, further comprising means for generating a second unique identifier based on the unique identifier assigned to the VNFC, means for assigning the second unique identifier to the VNF, and means for registering the second unique identifier assigned to the VNF.
- Example 46 may include the apparatus of example 45, further comprising means for logging operations, performed by the VNF, associated with the second
- Example 47 may include the apparatus of any of the examples 44-46, further comprising means for retrieving a secure timestamp based on the instantiation request, means for associating the secure timestamp with the unique identifier assigned to the VNFC, and means for transmitting, to the cloud OS service, the secure timestamp with the unique identifier for association with the RoT.
- Example 48 may include the apparatus of any of the examples 37-47, wherein the unique identifier is generated by a root of trust (RoT) of the platform, and wherein the apparatus further comprises means for logging the unique identifier in the RoT for management by the RoT.
Abstract
Apparatuses, systems and methods associated with management of virtualized network function identities in network function virtualization operator networks and/or software-defined networks are disclosed herein. In embodiments, an apparatus, for identity management of virtualized entities, may include a memory device with instructions stored thereon and a processor. The processor, in response to execution of the instructions stored on the memory device, may detect an instantiation of a virtualized network function component (VNFC) and obtain identifiers for components of a platform based on the detected instantiation, the platform to implement the VNFC. The processor may further generate a unique identifier based on the identifiers for the components of the platform and assign the unique identifier to the VNFC. Other embodiments may be described and/or claimed.
Description
IDENTITY MANAGEMENT OF VIRTUALIZED ENTITIES
Cross Reference to Related Applications
The present application claims priority to U.S. Provisional Patent Application Ser. No. 62/295,924, entitled CRYPTOGRAPHIC IDENTITIES MANAGEMENT IN VIRTUAL NFV AND SDN OPERATOR NETWORKS, filed February 16, 2016, which is herein incorporated by reference in its entirety.
The present disclosure relates to the field of electronic circuits. More particularly, the present disclosure relates to the management of virtualized network function identities in network function virtualization operator networks and software-defined networks.
Background
The background description provided herein is for the purpose of generally presenting the context of the disclosure. Unless otherwise indicated herein, the materials described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.
Legacy security systems based on physical system technology have relied on globally unique identifiers cryptographically bound to unmutable identities, such as media access control (MAC) addresses, internet protocol (IP) addresses, or other identities that are embedded into security credentials. The globally unique identifiers have been domain-wide unique, allowing the physical entity to be uniquely identified within the corresponding domain. The globally unique identities are unmutable for the lifetime of the system.
Brief Description of the Drawings
Embodiments will be readily understood by the following detailed description in conjunction with the accompanying drawings. To facilitate this description, like reference numerals designate like structural elements. Embodiments are illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings.
Figure 1 illustrates an example network functions virtualization environment, according to various embodiments.
Figure 2 illustrates an example message flow diagram among a virtualized network function component and a security controller, according to various embodiments.
Figure 3 illustrates an example message flow diagram among elements of a network functions virtualization environment, according to various embodiments.
Figure 4 illustrates an example flow diagram of operations within a network functions virtualization environment, according to various embodiments.
Figure 5 illustrates an example computing device that may employ the apparatuses and/or methods described herein.
Figure 6 illustrates an example computer-readable storage medium that may employ the apparatuses and/or methods described herein.
Detailed Description
Apparatuses, systems and methods associated with management of virtualized network function identities in network function virtualization operator networks and/or software-defined networks are disclosed herein. In embodiments, an apparatus, for identity management of virtualized entities, may include a memory device with instructions stored thereon and a processor. The processor, in response to execution of the instructions stored on the memory device, may detect an instantiation of a virtualized network function component (VNFC) and obtain identifiers for components of a platform based on the detected instantiation, the platform to implement the VNFC. The processor may further generate a unique identifier based on the identifiers for the components of the platform and assign the unique identifier to the VNFC. Other embodiments may be described and/or claimed.
In the following detailed description, reference is made to the accompanying drawings which form a part hereof wherein like numerals designate like parts throughout, and in which is shown by way of illustration embodiments that may be practiced. It is to be understood that other embodiments may be utilized and structural or logical changes may be made without departing from the scope of the present disclosure. Therefore, the following detailed description is not to be taken in a limiting sense, and the scope of embodiments is defined by the appended claims and their equivalents.
Aspects of the disclosure are disclosed in the accompanying description. Alternate embodiments of the present disclosure and their equivalents may be devised without parting from the spirit or scope of the present disclosure. It should be noted that like elements disclosed below are indicated by like reference numbers in the drawings.
Various operations may be described as multiple discrete actions or operations in turn, in a manner that is most helpful in understanding the claimed subject matter. However, the order of description should not be construed as to imply that these operations are necessarily order dependent. In particular, these operations may not be performed in the order of presentation. Operations described may be performed in a different order than the described embodiment. Various additional operations may be performed and/or described operations may be omitted in additional embodiments.
For the purposes of the present disclosure, the phrase "A and/or B" means (A), (B), or (A and B). For the purposes of the present disclosure, the phrase "A, B, and/or C" means (A), (B), (C), (A and B), (A and C), (B and C), or (A, B and C).
The description may use the phrases "in an embodiment," or "in embodiments," which may each refer to one or more of the same or different embodiments. Furthermore, the terms "comprising," "including," "having," and the like, as used with respect to embodiments of the present disclosure, are synonymous.
As used herein, the term "circuitry" may refer to, be part of, or include an Application Specific Integrated Circuit (ASIC), an electronic circuit, a processor (shared, dedicated, or group) and/or memory (shared, dedicated, or group) that execute one or more software or firmware programs, a combinational logic circuit, and/or other suitable components that provide the described functionality.
Figure 1 illustrates an example network functions virtualization (NFV) environment 100, according to various embodiments. The NFV environment 100 may include one or more virtualized network functions that may dynamically instantiate and terminate during operation of the NFV environment 100. It is desirable to have globally unique identifiers assigned to these virtualized network functions. Unlike legacy systems, where the globally unique identifiers are bound to unmutable identities, the dynamic instantiation and termination of the virtualized network functions present challenges, including assigning the globally unique identifiers upon dynamic instantiation of the virtualized network functions and maintaining the assignment of the globally unique identifiers as life cycle events occur with the virtualized network functions. The embodiments disclosed herein may be able to assign the globally unique identifiers upon dynamic instantiation of the virtualized network functions and maintain the assignments.
The network function virtualization environment 100 may include a tenant management portion 102, a network functions virtualization infrastructure (NFVI) portion 104, and/or an operations management portion 106. The tenant management portion 102 may include one or more tenants, such as tenant 108a and tenant 108b, an operations support system (OSS)/business support system (BSS) 110, or some combination thereof. The tenant 108a and the tenant 108b may be one or more end-user devices (such as computer devices, user devices, cellular phones, handheld computer devices, or some combination thereof), one or more subscribers to an NFV service provider, or some combination thereof. In some embodiments, the tenant 108a and the tenant 108b may be user devices that request and/or receive services from a cellular network provider.
The OSS/BSS 110 may be provided by an NFV service provider (which may also be referred to as an operator herein). The OSS/BSS 110 may be communicatively coupled to the tenant 108a and/or the tenant 108b. The tenant 108a and/or the tenant 108b may transmit a request for an NFV service to the OSS/BSS 110. The OSS/BSS 110 may receive the request and forward the request to the operation management portion 106 for scheduling of the NFV service.
The operation management portion 106 may receive the request for the NFV service and schedule performance of the NFV service with the NFVI portion 104. The NFVI portion 104 may include one or more virtual machines and/or containers that operate on a general purpose hardware platform, such as a computer device and/or a server. The NFVI portion 104 may perform the NFV service and return a result of the NFV service to the operation management portion 106 for provision to the tenant 108a and/or the tenant 108b that requested the service.
The NFVI portion 104 may include a NFVI 114 to perform the requested NFV services and output the results of the NFV service to the operation management portion 106. The NFVI 114 may include one or more virtualized functions, such as virtualized network function (VNF) 164, VNF-N 162, virtualized switch/router 160, virtualized security functions 158, or some combination thereof. The virtualized security functions 158 may include a user data plane 154 developed through use of a data plane development kit. The one or more virtualized functions may include computer code to cause computer hardware to perform one or more functions that, in legacy systems, were previously performed by the individual tenants. The one or more virtualized functions may be assigned computer hardware from one or more devices to perform operations associated with the one or more virtualized functions. Each of the one or more virtualized functions may have a corresponding unique identifier, such as VNF ID 166 that corresponds with the VNF 164, Vswitch ID 152 that corresponds with the virtualized switch/router 160, SecMon ID 156 that corresponds with the virtualized security functions 158, or some combination thereof.
The one or more virtualized functions may each include one or more virtualized function components, such as virtualized network function component (VNFC) 148 and/or VNFC 150. The VNFC 148 and/or the VNFC 150 may dynamically instantiate, migrate, clone, and run in active-active and/or active-passive modes. The VNFC 148 and/or the VNFC 150 may each perform a portion of the operations to be performed by the VNF 164. Each of the VNFC 148 and/or the VNFC 150 may be assigned corresponding computer code, and hardware and/or software components of the NFVI 114, to perform operations associated with the VNFC 148 and/or the VNFC 150, respectively. The VNFC 148 may utilize different computer code, and hardware and/or software components of the NFVI 114, than the VNFC 150 utilizes.
The NFVI 114 may further include hardware infrastructure 146 to receive computer code from the one or more virtualized functions and perform the operations associated with the computer code. For example, in response to a request for performance of an operation associated with the virtualized switch/router 160, the virtualized switch/router 160 may provide computer code to the hardware infrastructure 146 to perform the operation associated with the computer code. The hardware infrastructure 146 may be associated with a unique identifier, such as rack ID 116.
The hardware infrastructure 146 may include one or more platforms, such as platform PI 134 and/or platform Pn 118. The platform PI 134 and/or platform Pn 118 may include computer hardware that may perform operations in response to execution of computer software and/or computer code. The platform PI 134 may include one or more field programmable gate arrays (FPGAs) 132, one or more cores 120, one or more input/output (I/O) interfaces and/or network interface cards (NIC) 122, one or more communications system monitor equipment (CSME) 126, one or more busses and/or interconnects 128, or some combination thereof. One or more components of the platform PI 134 may correspond to the processors described in, for example, Figure 5. The platform PI 134 may be associated with a unique identifier, such as platform ID 130.
The platform PI 134 may further include a root of trust (RoT), which may be associated with a unique identifier, RoT ID 124. The RoT may be an elementary security piece that may originate a chain of trust. The RoT can delegate trust upwards in a chain to other software. The other software may include firmware, unified extensible firmware interface (UEFI) basic input/output system (BIOS), operating system (OS) bootloader, OS kernel, VNF, virtual machine, or some combination thereof. It is to be understood that platform Pn 118 may include one or more of the features and/or computer hardware components described in relation to platform PI 134.
The hardware infrastructure 146 may further include software for performance of basic operations. The software for basic operation may include an OS 140 (such as a hypervisor, OS, cloud OS, or some combination thereof), a UEFI BIOS 138, or some combination thereof. Each of the software components may be associated with a corresponding unique identifier. For example, the OS 140 may be associated with OS ID 142 and the UEFI BIOS 138 may be associated with BIOS ID 136.
The operation management portion 106 may act as an interface between the tenant management portion 102 and the NFVI portion 104. The operation management portion 106 may include an orchestrator 168. The orchestrator 168 may receive requests for NFV services from the OSS/BSS 110 and may perform orchestration and management of the NFVI 114 and software to provide the NFV services.
The operation management portion 106 may further include a VNF manager (VNFM) 170 and a virtualized infrastructure manager (VIM) 176. The VNFM 170 may be responsible for control and management of the one or more virtualized network functions, including instantiation, update, query, scaling, and/or termination of the one or more virtualized network functions. The VIM 176 may control and manage interaction of the one or more virtualized network functions with the hardware infrastructure 146, including computing, storage, and/or network resources of the hardware infrastructure 146.
The orchestrator 168, in response to receiving the requests for NFV services from the OSS/BSS 110, may determine which resources of the NFVI 114 are to be utilized to fulfill the requests. The orchestrator 168 may communicate with the VNFM 170 and/or the VIM 176 to instruct the VNFM 170 and/or the VIM 176 to schedule the resources to be utilized to fulfill the requests. The VNFM 170 and/or the VIM 176, in response to the communication from the orchestrator 168, may schedule the resources to be utilized corresponding to each of the VNFM 170 and/or the VIM 176, thereby generating a virtual machine that includes the resources to be utilized based on the requests.
The operation management portion 106 may further include a security controller 172. The security controller 172 may be communicatively coupled to the orchestrator 168, the VNFM 170, the VIM 176, the NFVI 114, the hardware infrastructure 146, or some combination thereof. The security controller 172 may include an identity manager 174 for identity management associated with requests for NFV services and resources of the NFVI 114 to fulfill the requests.
The security controller 172 may detect and/or receive a notification from the orchestrator 168 that the orchestrator 168 is generating an instantiation of a VNFC. The generation of the instantiation may occur in response to a request, received by the orchestrator 168 from the OSS/BSS 110, for performance of an NFV service. In some embodiments, the security controller 172 may detect and/or receive a notification from the orchestrator 168 that the orchestrator 168 received a request for performance of the NFV service. In some embodiments, the security controller 172 may detect the instantiation of the VNFC based on operations associated with the VNFM 170 and/or the VIM 176.
In response to detecting or receiving the notification associated with the instantiation of the VNFC, the security controller 172 may obtain identifiers associated with resources to be assigned to the VNFC and/or identifiers associated with the request for the NFV service that induced instantiation of the VNFC. The security controller 172 may generate one or more requests to be sent to the orchestrator 168, the VNFM 170, the VIM 176, the NFVI 114, the hardware infrastructure 146, or some combination thereof, wherein the request may request identifiers of resources to be associated with the VNFC. The security controller 172 may transmit the requests to the orchestrator 168, the VNFM 170, the VIM 176, the NFVI 114, the hardware infrastructure 114, or some combination thereof.
In response to the request for the identifiers, the orchestrator 168, the VNFM 170, the VIM 176, the NFVI 114, the hardware infrastructure, or some combination thereof may transmit identifiers for the resources to be associated with the VNFC to the security controller 172. In some embodiments, the VNFM 170 and/or the VIM 176 may transmit identifiers for the resources corresponding to the VNFM 170 and/or the VIM 176, respectively, to the security controller 172, while in other embodiments any of the elements that transmit the identifiers may transmit all the identifiers for the resources to be associated with the VNFC. The identifiers for the resources may include the OS ID 142, the BIOS ID 136, the platform ID 130, the RoT ID 124, the rack ID 116, or some combination thereof.
The security controller 172 may provide the identifiers for the resources to the identity manager 174. The identity manager 174 may generate a unique identifier for the VNFC based on the identifiers. The identity manager 174 may generate the unique identifier through performance of a hash operation applied to the identifiers to produce the unique identifier. The hash operation may include performance of one or more hash functions with respect to the identifiers, the one or more hash functions including a Zobrist hash function, a universal one-way hash function, a tabulation hash function, a Rabin fingerprint hash function, a non-cryptographic hash function, a keyed cryptographic hash function, an unkeyed cryptographic hash function, or some combination thereof. As the unique identifier is generated through performance of a hash of the identifiers for the resources, it may be possible to identify the resources associated with the VNFC based on the unique identifier.
In some embodiments, the security controller 172 may further obtain a globally unique identifier associated with the VNFC, such as VNFC ID 144. The identity manager 174 may further include the globally unique identifier in the hash operation to generate the unique identifier. Accordingly, it may be possible to determine the VNFC to which the unique identifier is associated based on the unique identifier itself.
The identity manager 174 may assign the unique identifier to the VNFC. The identity manager 174 may store the unique identifier, with an indication of the association of the unique identifier with the VNFC, in a memory device of the security controller 172 and/or the memory device associated with the security controller 172. The memory device may be a secure storage device. In some embodiments, the identity manager 174 may provide the unique identifier with the indication to security administrators associated with the NFVI 114 and/or the OSS/BSS 110 in response to a request received from the security administrators and/or the assignment of the unique identifier to the VNFC.
In some embodiments, the security controller 172 may further generate a request for a tenant ID, such as tenant ID 109, associated with the detected instantiation of the VNFC. The security controller 172 may transmit the request to the orchestrator 168, the VNFM 170, the VIM 176, the NFVI 114, the hardware infrastructure 146, or some combination thereof, and receive the tenant ID in response to the request. Identity manager 174 may associate the tenant ID with the VNFC and may store the association in the memory device of, or associated with, the security controller 172. In some embodiments, the identity manager 174 may include the tenant ID in the hash operation to produce the unique identifier. In these embodiments, it may be possible to identify the tenant associated with the VNFC based on the unique identifier.
The identity manager 174 may further generate a second unique identifier, such as VNF ID 166, for a VNF based on the unique identifier associated with the VNFC. The security controller 172 may obtain identifiers associated with one or more VNFC (such as VNFC ID 144) of the VNF in response to detection of an instantiation of the VNF. The identity manager 174 may perform a hash operation applied to the identifiers associated with the one or more VNFC to produce the second unique identifier. The identity manager 174 may store the second unique identifier in the memory device of, or associated with, the security controller 172. In some embodiments, the identity manager 174 may further associate the second unique identifier with a tenant ID (such as tenant ID 109) associated with the tenant that requested and/or caused the instantiation of the VNF. The identity manager 174 may store the tenant ID in the memory device, the tenant ID associated with the second unique identifier.
In some embodiments, the identity manager 174 may generate a third unique identifier for a service function chain (SFC) that utilizes the VNF. The security controller 172 may obtain one or more VNF IDs (such as VNF ID 166) associated with VNFs within the SFC. The identity manager 174 may perform a hash on the one or more VNF IDs to generate the third unique identifier. The identity manager 174 may associate the third unique identifier with the SFC and store, in the memory device, the third unique identifier and/or an indication of the association with the SFC.
The unique identifier, the second unique identifier, and/or the third unique identifier (collectively, 'the unique identifiers') may be utilized in many different processes. The unique identifiers may be utilized for initial provision of the NFVI 116 and/or the platform 134, which includes remote provisioning. Further the unique identifiers may be utilized for updates of the platform 134 and/or NFVI 116, including firmware, unified extensible firmware interface, operating system, open source business library, open source cloud computing software, and/or other software updates. The unique identifiers may further be presented at instantiation of communication protocols associated with the unique identifiers, including internet protocol security, secure sockets layer protocol, encryption protocol, and/or accelerator attachment protocol.
In some embodiments, the unique identifiers may be utilized for security. The security controller 172 may store one or more lists of identifiers associated with authorized users that may utilize the NFVI 114, a platform (such as the platform PI 134 and the platform Pn 118), a VNF (such as the VNF 164, the VNF 162, the virtualized switch/router 160, or the virtualized security functions 158), or some combination thereof. The authorized users may include tenants, administrators, and/or certain software/firmware. In response to detection of a request for a NFV service, the security controller 172 may obtain an identifier associated with the requesting entity, such as tenant ID 109. The security controller 172 may compare the identifier with the list of identifiers of authorized users for the NFV service to determine whether the requesting entity is authorized to utilize the NFV service. In response to determining that the requesting entity is not authorized, the security controller 172 may prevent the NFVI 114 from performing the NFV service. Further, the security controller 172 may store an identifier associated with the requesting entity in a log, stored on the memory device of, or associated with, the security controller 172, the log including entities that accessed and/or attempted to access the NFV service.
In some embodiments, the RoT may manage and assign the unique identifiers. The RoT may access secure timestamps and other security authorization credentials to associate with the unique identifiers. In some embodiments, the RoT may root keys with the unique identifiers. The RoT may later utilize the rooted keys to verify the authenticity of the unique identifiers and attest to the authenticity of the unique identifiers.
Figure 2 illustrates an example message flow diagram 200 among a VNFC 202 and a security controller 206, which may include an identity manager 204, according to various embodiments. The VNFC 202 may include one or more of the features of the VNFC 148 and/or the VNFC 150, described in relation to Figure 1. Further, the security controller 206 and/or the identity manager 204 may include one or more of the features of the security controller 172 and/or the identity manager 174, respectively, described in relation to Figure 1.
In 208, the VNFC 202 may transmit a security association establishment message to the identity manager 204. The VNFC 202 may transmit the message in response to instantiation of the VNFC 202. The identity manager 204 may detect the instantiation of the VNFC 202 based on the message.
In 210, the identity manager 204 may provide a second security association establishment message to the security controller 206. The identity manager 204 may provide the second message in response to reception of the message 208. The second message may include the same information as the message 208.
In 212, the VNFC 202 may perform operations associated with composition of a platform configuration. The VNFC 202 may compose the platform configuration through identification and/or association of one or more resources for utilization in performance of operations associated with the VNFC 202. The one or more resources may include one or more of the hardware/software components of the NFVI 114, described in relation to Figure 1, including the platform PI 134, the platform Pn 118, the UEFI BIOS 138, the operating system 140, or some combination thereof.
In 214, the VNFC 202 may transmit an identity request message to the identity manager 204. The identity request message may request a unique identifier for the VNFC 202, such as VNFC ID 144, described in relation to Figure 1. The identity request message may include one or more identifiers associated with the one or more resources to be utilized by the VNFC 202. The one or more identifiers may include the OS ID 142, the BIOS ID 136, the platform ID 130, the RoT ID 124, the rack ID 116, or some combination thereof, as described in relation to Figure 1. The identity manager 204 may perform a hash function with the one or more identifiers to generate a unique identifier for the VNFC 202. The generation of the unique identifier, by the identity manager 204, for the VNFC 202 may include one or more of the features of generation of the unique identifier by the identity manager 174, as described in relation to Figure 1.
The identity manager 204 may store the generated unique identifier in a database on a memory device of, or associated with, the security controller 206. The unique identifier may indicate a platform configuration of the VNFC 202 based on the unique identifier being generated through a hash operation of the one or more identifiers.
In 218, the identity manager 204 may transmit an identity response message to the VNFC 202. The identity response message may include the generated unique identifier for the VNFC 202. The VNFC 202 may store the generated unique identifier.
In 220, the identity manager 204 may transmit an identifier register message to the security controller 206. The identifier register message may request that the security controller 206 add the generated unique identifier to a log of VNFC identifiers, stored on the memory device of, or associated with, the security controller 206. In 222, in response to the identifier register message, the security controller 206 may transmit a VNFC information request message to the identity manager 204.
In 224, the identity manager 204 may transmit a VNFC information message to the security controller 206 in response to the VNFC information request message. The VNFC information message may include the generated unique identifier. The security controller 206 may add the generated unique identifier to a log, stored on the memory device of, or associated with, the security controller 206, of VNFCs. The security controller 206 may further store a list of authorized users associated with the VNFC 202 in the log. The authorized users may include tenants, administrators, and/or certain software/firmware.
Figure 3 illustrates an example message flow diagram 300 among elements of a NFV environment, according to various embodiments. The NFV environment may include an orchestrator 302, a VIM 304, a nova agent NFVI 306, an OS/virtual machine manager (VMM) NFVI 308, an identity manager 310, a RoT/trusted execution environment (TEE) 312, a security controller 314 and/or a VNFM 316.
The NFV environment may include one or more of the features of the NFV environment 100, described in relation to Figure 1. In particular, the orchestrator 302 may include one or more features of the orchestrator 168; the VIM 304 may include one or more of the features of the VIM 176; the nova agent NFVI 306 and/or the OS/VMM NFVI 308 may include one or more of the features of the NFVI 114; the identity manager 310 may include one or more of the features of the identity manager 174; the RoT/TEE 312 may include one or more of the features of the CSME 126; the security controller 314 may include one or more of the features of the security controller 172; and the VNFM 316 may include one or more of the features of the VNFM 170.
The nova agent NFVI 306 may be utilized for operation of a cloud server that implements the NFV environment. The nova agent NFVI 306 may provide means of interacting with the cloud server through an application program interface of a cloud control panel. The nova agent NFVI 306 may perform startup functions of the cloud server including configuring the cloud server's network, establishing the cloud server's hostname, and/or setting the cloud server's root or admin passwords.
The OS/VMM NFVI 308 may be utilized for management of an NFVI (such as the NFVI 114, described in relation to Figure 1) and/or a virtual machine or virtualized datacenter provided by the NFV environment. The OS/VMM NFVI 308 may enable configuration and management of a virtualization host, networking and/or storage management for the NFV environment.
In 318, the VIM 304 may transmit a request for platform identifiers to the identity manager 310. The VIM 304 may transmit the request for platform identifiers in response to the establishment of the NFV environment, introduction of new platforms into the NFV environment, identification of a platform within the NFV environment which does not have a platform identifier associated with the platform, or some combination thereof. The identity manager 310 may generate a unique identifier for each of the platforms in the NFV environment not already associated with a platform identifier and may transmit the unique identifiers to the VIM 304 for association with each corresponding platform.
In 320, the RoT/TEE 312 may be associated with an NFVI of the NFV environment. The RoT/TEE 312 may transmit a list of platform identifiers corresponding to platforms within the NFVI to the security controller 314. The RoT/TEE 312 may transmit the list in response to the VIM 304 receiving the platform identifiers from the identity manager 310 and/or the VIM 304 associating the platform identifiers with each corresponding platform. The security controller 314 may store the list of the platform identifiers and indications of which platform each of the platform identifiers is associated with.
In 322, the VIM 304 may compose the platform. The VIM 304 may compose the platform by associating the platform identifiers with each of the corresponding platforms within the NFVI of the NFV environment. The VIM 304 may identify the components (such as the FPGA 132, the cores 120, the I/O and/or NIC 122, the CSME 126, and/or the busses and/or interconnects 128, as described in relation to Figure 1) associated with each of the platforms within the NFVI. The VIM 304 may store information that indicates the components included in each of the platforms and the platform with which each of the components is associated.
In 324, the OS/VMM NFVI 308 may transmit a request for a timestamp to the RoT/TEE 312. The OS/VMM NFVI 308 may transmit the request for the timestamp in response to a request for instantiation of a VNF and/or a VNFC. The RoT/TEE 312 may respond to the request by transmitting a timestamp corresponding to the time of reception of the request to the OS/VMM NFVI 308.
In some embodiments, the timestamp from the RoT/TEE 312 may be a secure timestamp. A secure timestamp is generated by a trusted source and therefore cannot be falsified by untrusted software. Some examples of trusted sources include Intel's software guard extensions (SGX), Intel's converged security manageability engine (CSME), and Intel's innovation engine (IE). The OS/VMM NFVI 308 may assign the secure timestamp to a VNF and/or a VNFC upon instantiation.
In 326, the orchestrator 302 may transmit an indication that an event associated with a VNF life cycle has occurred to the VNFM 316. The orchestrator 302 may transmit the indication in response to a request for instantiation of a VNF and/or a VNFC. The indication may indicate that a request for instantiation of the VNF and/or the VNFC has been received by the orchestrator 302.
In 328, the VNFM 316 may transmit a request and/or instructions to the VIM 304 to instantiate a VNF and/or a VNFC. The VNFM 316 may transmit the request and/or instructions in response to reception of the indication from the orchestrator 302 that an event associated with the VNF life cycle has occurred. The request and/or instructions may include an indication of the VNF and/or the VNFC to be instantiated, a list of the types of NFVI components (such as the platform PI 134, the platform Pn 118, the OS 140 and/or the UEFI BIOS 138, as described in relation to Figure 1) to be utilized by the VNF and/or the VNFC, or some combination thereof.
In 330, the VIM 304 may transmit a request for VNF and/or VNFC identifiers to the identity manager 310. The VIM 304 may transmit the request in response to reception of the request and/or instructions from the VNFM 316 to instantiate the VNF and/or the VNFC. The request for VNF and/or VNFC identifiers may include a list of identifiers for one or more VNFCs (such as VNFC ID 144, Vswitch ID 152, and/or SecMon ID 156, described in relation to Figure 1) and/or components of an NFVI (such as OS ID 142, BIOS ID 136, platform ID 130, RoT ID 124, and/or rack ID 116, as described in relation to Figure 1) to be associated with the VNF and/or the VNFC to be instantiated.
Further in 330, the identity manager 310 may generate one or more unique identifiers to be associated with the VNF and/or VNFC to be instantiated. The identity manager 310 may generate the one or more unique identifiers through the process of generation of unique identifiers described in relation to Figure 1, including application of a hash operation (such as any of the hash operations described in relation to Figure 1) to the list of identifiers to be associated with the VNF and/or the VNFC to be instantiated. The identity manager 310 may transmit the generated one or more unique identifiers to the VIM 304 for association, by the VIM 304, with the VNF and/or the VNFC to be instantiated.
In 332, the identity manager 310 may register the generated one or more unique identifiers, for association with the VNF and/or the VNFC to be instantiated, with the security controller 314. The identity manager 310 may provide the security controller 314 with the unique identifiers and/or indications of the VNF and/or the VNFC with which each unique identifier is to be associated. The security controller 314 may store the unique identifiers and/or the indications in a log in a memory device of, or associated with, the security controller 314.
In some embodiments, the identity manager 310 may further provide the security controller 314 with a list of authorized users that may utilize the VNF and/or the VNFC to be instantiated, which the security controller 314 may store in association with each unique identifier. In other embodiments, the security controller 314 may generate the list of authorized users that may utilize the VNF and/or the VNFC and associate the list with each unique identifier provided by the identity manager 310.
In 334, the VIM 304 may transmit a spin-up VNF request to the nova agent NFVI 306. The VIM 304 may transmit the spin-up VNF request in response to reception, by the VIM 304, of the unique identifiers for association with the VNF and/or VNFC to be instantiated from the identity manager 310. The spin-up VNF request may include the unique identifiers for association with the VNF and/or VNFC to be instantiated and/or a request that one or more components of the NFVI (such as the platform PI 134, the platform Pn 118, the OS 140 and the UEFI BIOS 138, as described in relation to Figure 1) associated with the nova agent NFVI 306 be associated with the VNF and/or VNFC to be instantiated.
In 336, the nova agent NFVI 306 may transmit a spin-up VNF request to the OS/VMM NFVI 308. The nova agent NFVI 306 may transmit the spin-up VNF request in response to reception of the spin-up VNF request from the VIM 304. The spin-up VNF request transmitted by the nova agent NFVI 306 may include the same information as the spin-up VNF request transmitted by the VIM 304. The nova agent NFVI 306 may translate the spin-up VNF request received from the VIM 304 into computer code and/or a format that may be operable by the OS/VMM NFVI 308.
In 338, the OS/VMM NFVI 308 may transmit a signal to the RoT/TEE 312 that attests to the unique identifiers to be associated with the VNF and/or VNFC to be instantiated. The OS/VMM NFVI 308 may transmit the signal in response to reception of the spin-up VNF request from the nova agent NFVI 306. The RoT/TEE 312 may add the unique identifiers to a list of trusted applications/functions.
In 340, the OS/VMM NFVI 308 may instantiate the VNF and/or the VNFC. The OS/VMM NFVI 308 may instantiate the VNF and/or the VNFC in response to reception of the spin-up VNF request received from the nova agent NFVI 306.
In 342, the OS/VMM NFVI 308 may register the instantiated VNF and/or the VNFC with the security controller 314. The OS/VMM NFVI 308 may register the instantiated VNF and/or the VNFC through transmission of an indication that the VNF and/or the VNFC has been instantiated, and/or transmission of the unique identifier associated with the VNF and/or the VNFC.
In some embodiments, a VNF and/or VNFC may send a registration message at activation to the security controller 314. The VIM 304, the nova agent NFVI 306, the OS/VMM NFVI 308, the VNFM 316, or some combination thereof, may provide the registration message at activation to the security controller 314.
In some embodiments, the security controller 314 may be communicatively coupled to a secure storage device and may store information in the secure storage device. The security controller 314 may store logs, audit trails, traces, or some combination thereof, in the secure storage device. The security controller 314 may further store corresponding identities and/or timestamps with the logs, audit trails, traces, or some combination thereof, in the secure storage device. The timestamps may include the timestamp and/or secure timestamp obtained by the OS/VMM NFVI 308 in 324.
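The security controller's allow-list check and access log (described in relation to Figure 1 above), the per-identifier lists of authorized users registered in 224 and 332, and the secure log with identities and timestamps described here are shown together below as one added Python example; it is not code from the patent. The secure timestamp comes from a caller-supplied function standing in for the RoT/TEE, hash-chaining the log entries is this example's own choice for making the stored log tamper-evident, and all identifiers are constructed sample values.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from typing import Callable


@dataclass
class LogEntry:
    seq: int
    timestamp: int      # secure timestamp obtained from the RoT/TEE (stand-in here)
    event: dict
    prev_hash: str
    entry_hash: str


def _entry_hash(seq: int, timestamp: int, event: dict, prev_hash: str) -> str:
    # Canonical JSON so that writer and auditor hash identical bytes.
    body = json.dumps({"seq": seq, "ts": timestamp, "event": event, "prev": prev_hash},
                      sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(body).hexdigest()


class SecurityController:
    """Registry of unique identifiers with their authorized users, plus a
    hash-chained log of every registration and every access decision."""

    GENESIS = "0" * 64

    def __init__(self, secure_time: Callable[[], int]):
        self._secure_time = secure_time          # RoT/TEE timestamp source
        self._authorized: dict[str, set[str]] = {}   # uid -> authorized user IDs
        self._log: list[LogEntry] = []

    def register(self, uid: str, authorized_users: set[str]) -> None:
        """Step 224/332: record a unique identifier and who may use it."""
        if uid in self._authorized:
            raise ValueError(f"identifier already registered: {uid}")
        self._authorized[uid] = set(authorized_users)
        self._append({"type": "register", "uid": uid,
                      "users": sorted(authorized_users)})

    def authorize(self, uid: str, requester_id: str) -> bool:
        """Allow-list check.  An unregistered identifier is denied (fail
        closed) and every decision, granted or denied, is logged."""
        allowed = requester_id in self._authorized.get(uid, set())
        self._append({"type": "access", "uid": uid,
                      "requester": requester_id, "allowed": allowed})
        return allowed

    def _append(self, event: dict) -> None:
        prev = self._log[-1].entry_hash if self._log else self.GENESIS
        seq = len(self._log)
        ts = self._secure_time()
        self._log.append(LogEntry(seq, ts, event, prev,
                                  _entry_hash(seq, ts, event, prev)))

    def verify_log(self) -> bool:
        """Recompute the chain; an edited, reordered or dropped entry breaks it."""
        prev = self.GENESIS
        for i, e in enumerate(self._log):
            if (e.seq != i or e.prev_hash != prev
                    or _entry_hash(i, e.timestamp, e.event, prev) != e.entry_hash):
                return False
            prev = e.entry_hash
        return True

    def entries(self) -> list[LogEntry]:
        return list(self._log)


def demo() -> tuple[bool, bool, bool, bool]:
    # Constructed monotonic clock standing in for the RoT/TEE of step 324.
    clock = iter(range(1_700_000_000, 2_000_000_000))
    sc = SecurityController(secure_time=lambda: next(clock))
    sc.register("vnf-id-166", {"tenant-109", "admin-1"})
    granted = sc.authorize("vnf-id-166", "tenant-109")   # listed tenant
    denied = sc.authorize("vnf-id-166", "tenant-999")    # unlisted tenant
    unknown = sc.authorize("vnf-id-000", "tenant-109")   # unregistered VNF
    return granted, denied, unknown, sc.verify_log()
```

The chain only detects modification after the fact; the entry hashes themselves must also live where the OS/VMM cannot rewrite them, which is the role of the secure storage device and the RoT in the text above.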
In some embodiments, one or more of the messages disclosed in relation to the message flow diagram 200 and/or the message flow diagram 300 may be protected and/or encrypted. An RoT, such as RoT/TEE 312, may be utilized to protect and/or encrypt the messages. Further, the protection and/or encryption of the messages may be based on secure timestamps associated with the messages, VNFs corresponding to the messages, VNFMs corresponding to the messages, or some combination thereof. The messages may be protected by secure sockets layer, transport layer security, internet protocol security, message-wise protection, or some combination thereof.
Figure 4 illustrates an example flow diagram 400 of operations within a NFV environment, according to various embodiments. In 402, an identity manager (such as identity manager 174 of Figure 1, identity manager 204 of Figure 2, and/or identity manager 310 of Figure 3) may assign a globally unique identifier to one or more NFVI components (such as VNF 164, VNF 162, virtualized switch/router 160, virtualized security function 158, OS 140, UEFI BIOS 138, platform PI 134, platform Pn 118, FPGA 132, cores 120, I/O and/or NIC 122, CSME 126, and/or busses and/or interconnects 128). In 414, the identity manager may provide the globally unique identifiers and/or indications of the assignment of the globally unique identifiers to the one or more NFVI components for storage in a secure logging service 412. The secure logging service 412 may include a security controller (such as security controller 172 of Figure 1, security controller 206 of Figure 2, and/or security controller 314 of Figure 3) that may store the globally unique identifiers and/or indications of the assignment of the globally unique identifiers to the one or more NFVI components.
In 404, an NFVI (such as NFVI 114 of Figure 1) may communicate with the identity manager to retrieve component identities for the one or more NFVI components. A RoT of the NFVI may cryptographically bind the component identities to the corresponding NFVI components. In 416, the cryptographic binding of the component identities to the corresponding NFVI components may be provided to the secure logging service 412 for storage.
In 406, an OS service (such as OS 140 of Figure 1) may communicate with the identity manager regarding events that occur during VNF life cycles, such as at instantiation, activation, deletion, migration, or some combination thereof. In response to the communication, the identity manager may assign unique identifiers to each of the VNF instances and may communicate with the OS service to embed the unique identifiers in the corresponding VNF descriptors. In 418, the assigned unique identifiers may be provided to the secure logging service 412 for storage.
In 408, a VNFM (such as the VNFM 170 of Figure 1 and/or the VNFM 316 of Figure 3) and/or a VIM (such as the VIM 176 of Figure 1 and/or the VIM 304 of Figure 3) may transmit a VNF image and/or VNF descriptor for a unique VNF instance to the platform on which the VNF is to be instantiated. The VNFM and/or VIM may communicate with a RoT of the platform to verify authorization for instantiation of the VNF on the platform. In 420, the platform, the VNFM, and/or the VIM may provide information regarding the transmission of the VNF image and/or the VNF descriptor to the secure logging service 412 for storage.
In 410, an OS of the NFVI (such as OS 140 of Figure 1) may deliver the unique identifier for a VNF instance to an instantiation 'command line' parameter, which may be sent into the VNF instance. The RoT may deliver a signed/attested 'command line' parameter set into the VNF instance. The VNF instance may utilize the signed/attested 'command line' parameter set to register the VNF instance with the security controller. In 422, the signed/attested 'command line' parameter set may be provided to the secure logging service 412 for storage.
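The RoT's rooting of keys to the unique identifiers and its attestation of them (described in relation to Figure 1 above), together with the signed/attested 'command line' parameter set that the RoT delivers into the VNF instance in 410 and that the instance then presents to the security controller, are shown together below as one added Python example; it is not the patent's code. HMAC-SHA256 keyed from a secret held by the RoT stands in for whatever signing primitive the hardware RoT actually offers (a hardware RoT would more usually sign with an asymmetric key so that verifiers need no shared secret); the freshness window and replay cache on the security controller side are this example's additions; and the identifiers, parameters and timestamps are constructed sample values.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import os


def _canon(obj) -> bytes:
    """Canonical JSON so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


class RootOfTrust:
    """Stand-in for the RoT/TEE.  The seed never leaves this object; every
    per-identifier key is derived from it, so each key is 'rooted' in the
    RoT and bound to exactly one unique identifier.  (HMAC is an assumption
    of this example, not the patent's primitive.)"""

    def __init__(self, seed: bytes | None = None):
        self._seed = seed if seed is not None else os.urandom(32)

    def rooted_key(self, uid: str) -> bytes:
        # Domain-separated derivation: the key for one uid reveals nothing
        # about the key for any other uid.
        return hmac.new(self._seed, b"rooted-key/v1|" + uid.encode(),
                        hashlib.sha256).digest()

    def attest_parameters(self, uid: str, params: dict, timestamp: int) -> dict:
        """Build the signed/attested 'command line' parameter set handed
        into the VNF instance.  The secure timestamp is bound in as well."""
        payload = {"uid": uid, "params": params, "ts": timestamp}
        tag = hmac.new(self.rooted_key(uid), _canon(payload),
                       hashlib.sha256).hexdigest()
        return {"payload": payload, "tag": tag}

    def verify(self, attested: dict) -> bool:
        uid = attested["payload"]["uid"]
        expected = hmac.new(self.rooted_key(uid), _canon(attested["payload"]),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, attested["tag"])


class VnfInstance:
    """The instantiated VNF: it receives the attested parameter set and can
    only forward it, never mint one, because it lacks the rooted key."""

    def __init__(self, attested_params: dict):
        self.attested = attested_params
        self.uid = attested_params["payload"]["uid"]

    def registration_message(self) -> dict:
        return {"type": "register", "attested": self.attested}


class AttestedRegistrationHandler:
    """Security controller side of the registration: accept only if the RoT
    attestation verifies, the bound timestamp is fresh, and this exact
    attested set has not been presented before."""

    def __init__(self, rot: RootOfTrust, max_age: int):
        self._rot = rot
        self._max_age = max_age
        self._seen_tags: set[str] = set()
        self.registered: dict[str, dict] = {}

    def handle_registration(self, msg: dict, now: int) -> str:
        att = msg["attested"]
        if not self._rot.verify(att):
            return "rejected: bad attestation"
        if now - att["payload"]["ts"] > self._max_age:
            return "rejected: stale"
        if att["tag"] in self._seen_tags:
            return "rejected: replay"
        self._seen_tags.add(att["tag"])
        self.registered[att["payload"]["uid"]] = att["payload"]["params"]
        return "accepted"


def demo() -> tuple[str, str, str]:
    rot = RootOfTrust()
    # Constructed sample values: in Figure 3 the uid comes from the identity
    # manager (330) and the timestamp from the RoT/TEE (324).
    attested = rot.attest_parameters(
        "vnf-id-166", {"tenant": "tenant-109", "role": "vnf"}, timestamp=1_000)
    vnf = VnfInstance(attested)
    handler = AttestedRegistrationHandler(rot, max_age=300)
    first = handler.handle_registration(vnf.registration_message(), now=1_010)
    replay = handler.handle_registration(vnf.registration_message(), now=1_020)
    # A VNF that edits its own parameters keeps the old tag, which no longer
    # matches the payload.
    forged = {"payload": {"uid": "vnf-id-166",
                          "params": {"tenant": "tenant-109", "role": "admin"},
                          "ts": 1_000},
              "tag": attested["tag"]}
    tampered = handler.handle_registration(
        {"type": "register", "attested": forged}, now=1_020)
    return first, replay, tampered
```

Binding the unique identifier, the parameters and the secure timestamp under one tag is what lets the security controller trust a registration that arrives from the VNF instance itself rather than from the OS/VMM: the instance can present the set but cannot alter it or reuse it for a second identity.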
Figure 5 illustrates an example computing device 500 that may employ the apparatuses and/or methods described herein (e.g., the NFV environment 100 (including the tenant management portion 102, the operation management portion 106, and/or the NFV infrastructure portion 104), the VNFC 202, the identity manager 204, the security controller 206, the orchestrator 302, the VIM 304, the nova agent NFVI 306, the OS/VMM 308, the identity manager 310, the RoT/TEE 312, the security controller 314, and/or the VNFM 316), in accordance with various embodiments. As shown, computing device 500 may include a number of components, such as one or more processor(s) 504 (one shown) and at least one communication chip 506. In various embodiments, the one or more processor(s) 504 each may include one or more processor cores. In various embodiments, the at least one communication chip 506 may be physically and electrically coupled to the one or more processor(s) 504. In further implementations, the communication chip 506 may be part of the one or more processor(s) 504. In various embodiments, computing device 500 may include printed circuit board (PCB) 502. For these embodiments, the one or more processor(s) 504 and communication chip 506 may be disposed thereon. In alternate embodiments, the various components may be coupled without the employment of PCB 502.
Depending on its applications, computing device 500 may include other components that may or may not be physically and electrically coupled to the PCB 502. These other components include, but are not limited to, memory controller 526, volatile memory (e.g., dynamic random access memory (DRAM) 520), non-volatile memory such as read only memory (ROM) 524, flash memory 522, storage device 554 (e.g., a hard-disk drive (HDD)), an I/O controller 541, a digital signal processor (not shown), a crypto processor (not shown), a graphics processor 530, one or more antenna 528, a display (not shown), a touch screen display 532, a touch screen controller 546, a battery 536, an audio codec (not shown), a video codec (not shown), a global positioning system (GPS) device 540, a compass 542, an accelerometer (not shown), a gyroscope (not shown), a speaker 550, a camera 552, and a mass storage device (such as hard disk drive, a solid state drive, compact disk (CD), digital versatile disk (DVD)) (not shown), and so forth.
In some embodiments, the one or more processor(s) 504, flash memory 522, and/or storage device 554 may include associated firmware (not shown) storing programming instructions configured to enable computing device 500, in response to execution of the programming instructions by one or more processor(s) 504, to practice all or selected aspects of the methods described herein. In various embodiments, these aspects may additionally or alternatively be implemented using hardware separate from the one or more processor(s) 504, flash memory 522, or storage device 554.
The communication chips 506 may enable wired and/or wireless communications for the transfer of data to and from the computing device 500. The term "wireless" and its derivatives may be used to describe circuits, devices, systems, methods, techniques, communications channels, etc., that may communicate data through the use of modulated electromagnetic radiation through a non-solid medium. The term does not imply that the associated devices do not contain any wires, although in some embodiments they might not. The communication chip 506 may implement any of a number of wireless standards or protocols, including but not limited to IEEE 802.20, Long Term Evolution (LTE), LTE Advanced (LTE-A), General Packet Radio Service (GPRS), Evolution Data Optimized (Ev-DO), Evolved High Speed Packet Access (HSPA+), Evolved High Speed Downlink Packet Access (HSDPA+), Evolved High Speed Uplink Packet Access (HSUPA+), Global System for Mobile Communications (GSM), Enhanced Data rates for GSM Evolution (EDGE), Code Division Multiple Access (CDMA), Time Division Multiple Access (TDMA), Digital Enhanced Cordless Telecommunications (DECT), Worldwide Interoperability for Microwave Access (WiMAX), Bluetooth, derivatives thereof, as well as any other wireless protocols that are designated as 3G, 4G, 5G, and beyond. The computing device 500 may include a plurality of communication chips 506. For instance, a first communication chip 506 may be dedicated to shorter range wireless communications such as Wi-Fi and Bluetooth, and a second communication chip 506 may be dedicated to longer range wireless communications such as GPS, EDGE, GPRS, CDMA, WiMAX, LTE, Ev-DO, and others.
In various implementations, the computing device 500 may be a laptop, a netbook, a notebook, an ultrabook, a smartphone, a computing tablet, a personal digital assistant (PDA), an ultra-mobile PC, a mobile phone, a desktop computer, a server, a printer, a scanner, a monitor, a set-top box, an entertainment control unit (e.g., a gaming console or automotive entertainment unit), a digital camera, an appliance, a portable music player, or a digital video recorder. In further implementations, the computing device 500 may be any other electronic device that processes data.
Figure 6 illustrates an example computer-readable storage medium that may employ the apparatuses and/or methods described herein. As will be appreciated by one skilled in the art, the present disclosure may be embodied as methods or computer program products. Accordingly, the present disclosure, in addition to being embodied in hardware as earlier described, may take the form of an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to as a "circuit," "module" or "system." Furthermore, the present disclosure may take the form of a computer program product embodied in any tangible or non-transitory medium of expression having computer-usable program code embodied in the medium. Figure 6 illustrates an example computer-readable non-transitory storage medium that may be suitable for use to store instructions that cause an apparatus, in response to execution of the instructions by the apparatus, to practice selected aspects of the present disclosure. As shown, non-transitory computer-readable storage medium 602 may include a number of programming instructions 604. Programming instructions 604 may be configured to enable a device, e.g., computer 500, in response to execution of the programming instructions, to implement (aspects of) the NFV environment 100 (including the tenant management portion 102, the operation management portion 106, and/or the NFV infrastructure portion 104), the VNFC 202, the identity manager 204, the security controller 206, the orchestrator 302, the VIM 304, the nova agent NFVI 306, the OS/VMM 308, the identity manager 310, the RoT/TEE 312, the security controller 314, and/or the VNFM 316. In alternate embodiments, programming instructions 604 may be disposed on multiple computer-readable non-transitory storage media 602 instead. In still other embodiments, programming instructions 604 may be disposed on computer-readable transitory storage media 602, such as signals.
Any combination of one or more computer usable or computer readable medium(s) may be utilized. The computer-usable or computer-readable medium may be, for example but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, device, or propagation medium. More specific examples (a non- exhaustive list) of the computer-readable medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or Flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a transmission media such as those supporting the Internet or an intranet, or a magnetic storage device. Note that the computer- usable or computer-readable medium could even be paper or another suitable medium upon which the program is printed, as the program can be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted, or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory. In the context of this document, a computer-usable or computer- readable medium may be any medium that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device. The computer- usable medium may include a propagated data signal with the computer-usable program code embodied therewith, either in baseband or as part of a carrier wave. The computer usable program code may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc.
Computer program code for carrying out operations of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's
computer and partly on a remote computer or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
The present disclosure is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the disclosure. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program
instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable medium that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable medium produce an article of manufacture including instruction means which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
Example 1 may include an apparatus for identity management of virtualized entities comprising a memory device with instructions stored thereon, and one or more processors that, in response to execution of the instructions stored on the memory device, are to detect an instantiation of a virtualized network function component (VNFC), obtain identifiers for components of a platform based on the detected instantiation, the platform to implement the VNFC, generate a unique identifier based on the identifiers for the components of the platform, and assign the unique identifier to the VNFC.
Example 2 may include the apparatus of example 1, wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further perform a hash operation on the identifiers to generate the unique identifier.
Example 3 may include the apparatus of any of the examples 1 and 2, wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further obtain a globally unique identifier associated with the VNFC, and perform a hash operation on the identifiers and the globally unique identifier to generate the unique identifier.
Example 4 may include the apparatus of any of the examples 1-3, wherein the identifiers for the components of the platform include one or more identifiers selected from the group consisting of a rack identifier, a root of trust identifier, a platform identifier, a basic input/output system identifier, an operating system identifier, and a virtual machine manager identifier.
Example 5 may include the apparatus of any of the examples 1-4, wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further obtain a tenant identifier for a tenant that requests use of the VNFC, and associate the unique identifier with the tenant identifier.
Example 6 may include the apparatus of example 5, wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further store, in a log on the memory device, the tenant identifier with the associated unique identifier.
Example 7 may include the apparatus of any of the examples 1-6, wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further obtain a tenant identifier for a tenant that requests use of the VNFC, determine that the tenant is not authorized to utilize the VNFC based on the tenant identifier, and prevent use of the VNFC by the tenant based on the determination that the tenant is not authorized.
Example 8 may include the apparatus of any of the examples 1-7, wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further receive an instantiation request of a virtualized network function (VNF) from a cloud operating system (OS) service, determine that the VNF is to utilize the VNFC based on the instantiation request, and transmit, to the cloud OS service, the unique identifier assigned to the VNFC for association with a root of trust (RoT) associated with the VNF.
Example 9 may include the apparatus of example 8, wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further generate a second unique identifier based on the unique identifier assigned to the VNFC, assign the second unique identifier to the VNF, and register the second unique identifier assigned to the VNF.
Example 10 may include the apparatus of any of the examples 8 and 9, wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further retrieve a secure timestamp based on the instantiation request, associate the secure timestamp with the unique identifier assigned to the VNFC, and transmit, to the cloud OS service, the secure timestamp with the unique identifier for association with the RoT.
Example 11 may include the apparatus of any of the examples 9 and 10, wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further log operations, performed by the VNF, associated with the second unique identifier, and store the logged operations on the memory device.
Example 12 may include the apparatus of any of the examples 1-11, wherein the unique identifier is assigned to the VNFC by a root of trust (RoT) of the apparatus, and wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further log the unique identifier in the RoT for management by the RoT.
Example 13 may include a method for virtualized entity identity management, comprising obtaining identifiers for components of a platform in response to instantiation of a virtualized network function component (VNFC), the platform to implement the VNFC, generating a unique identifier for the VNFC based on the identifiers for the components of the platform, and assigning the unique identifier to the VNFC.
Example 14 may include the method of example 13, further comprising performing a hash operation on the identifiers for the components of the platform, wherein the unique identifier is set to a result of the hash operation.
Example 15 may include the method of any of the examples 13 and 14, further comprising obtaining a globally unique identifier associated with the VNFC and performing a hash operation on the identifiers for the components of the platform and the globally unique identifier associated with the VNFC, wherein the unique identifier is set to a result of the hash operation.
Example 16 may include the method of any of the examples 13-15, wherein the identifiers for the components of the platform include one or more identifiers selected from the group consisting of a rack identifier, a root of trust identifier, a platform identifier, a basic input/output system identifier, an operating system identifier and a virtual machine manager identifier.
Example 17 may include the method of any of the examples 13-16, further comprising obtaining a tenant identifier for a tenant that requests use of the VNFC, and associating the unique identifier with the tenant identifier.
Example 18 may include the method of example 17, further comprising storing, in a log, the tenant identifier with the associated unique identifier.
Example 19 may include the method of any of the examples 13-18, further comprising obtaining a tenant identifier for a tenant that requests use of the VNFC, determining that the tenant is not authorized to utilize the virtualized network function based on the tenant identifier, and preventing use of the VNFC by the tenant based on the determination that the tenant is not authorized.
Example 20 may include the method of any of the examples 13-19, further comprising receiving an instantiation request of a virtualized network function (VNF) from a cloud operating system (OS) service, determining that the VNF is to utilize the VNFC based on the instantiation request, and transmitting, to the cloud OS service, the unique identifier assigned to the VNFC for association with a root of trust associated with the VNF.
Example 21 may include the method of example 20, further comprising generating a second unique identifier based on the unique identifier assigned to the VNFC, assigning the second unique identifier to the VNF, and registering the second unique identifier assigned to the VNF.
Example 22 may include the method of example 21, further comprising logging operations, performed by the VNF, associated with the second unique identifier.
Example 23 may include the method of any of the examples 13-22, further comprising retrieving a secure timestamp based on the instantiation of the VNFC, associating the secure timestamp with the unique identifier assigned to the VNFC, and transmitting, to a network function virtualization (NFV) infrastructure, the secure timestamp with the unique identifier for association with a root of trust (RoT) of the platform.
Example 24 may include the method of any of the examples 13-23, wherein the unique identifier is generated by a root of trust (RoT) of the platform, and wherein the method further comprises logging the unique identifier in the RoT for management by the RoT.
Example 25 may include one or more computer-readable media having instructions stored thereon, wherein the instructions, in response to execution by a device, cause the device to process an instantiation request from a network function virtualization (NFV) infrastructure for a virtualized network function component (VNFC), obtain identifiers for components of a platform to implement the VNFC based on the instantiation request, generate a unique identifier for the VNFC based on the identifiers for the components of the platform, and transmit the unique identifier to the NFV infrastructure for association with the VNFC.
Example 26 may include the one or more computer-readable media of example 25, wherein the instructions, in response to execution by the device, cause the device to further perform a hash operation on the identifiers for the components of the platform, wherein the unique identifier is set to a result of the hash operation.
Example 27 may include the one or more computer-readable media of any of the examples 25 and 26, wherein the instructions, in response to execution by the device, cause the device to further extract, from the instantiation request, a globally unique identifier associated with the VNFC, and perform a hash operation on the identifiers for the components of the platform and the globally unique identifier associated with the VNFC, wherein the unique identifier is set to a result of the hash operation.
Example 28 may include the one or more computer-readable media of any of the examples 25-27, wherein the identifiers for the components of the platform include one or more identifiers selected from the group consisting of a rack identifier, a root of trust identifier, a platform identifier, a basic input/output system identifier, an operating system identifier and a virtual machine manager identifier.
Example 29 may include the one or more computer-readable media of any of the examples 25-28, wherein the instructions, in response to execution by the device, cause the device to further obtain a tenant identifier for a tenant that requests use of the VNFC, and associate the unique identifier with the tenant identifier.
Example 30 may include the one or more computer-readable media of example 29, wherein the instructions, in response to execution by the device, cause the device to further store, in a log, the tenant identifier with the associated unique identifier.
Example 31 may include the one or more computer-readable media of any of the examples 25-30, wherein the instructions, in response to execution by the device, cause the device to further obtain a tenant identifier for a tenant that requests use of the VNFC, determine that the tenant is not authorized to utilize the virtualized network function based on the tenant identifier, and prevent use of the VNFC by the tenant based on the determination that the tenant is not authorized.
Example 32 may include the one or more computer-readable media of any of the examples 25-31, wherein the instructions, in response to execution by the device, cause the device to further receive an instantiation request of a virtualized network function (VNF) from a cloud operating system (OS) service, determine that the VNF is to utilize the VNFC based on the instantiation request, and transmit, to the cloud OS service, the unique identifier assigned to the VNFC for association with a root of trust (RoT) associated with the VNF.
Example 33 may include the one or more computer-readable media of example 32, wherein the instructions, in response to execution by the device, cause the device to further generate a second unique identifier based on the unique identifier assigned to the VNFC, assign the second unique identifier to the VNF, and register the second unique identifier assigned to the VNF.
Example 34 may include the one or more computer-readable media of example 33, wherein the instructions, in response to execution by the device, cause the device to further log operations, performed by the VNF, associated with the second unique identifier.
Example 35 may include the one or more computer-readable media of any of the examples 25-34, wherein the instructions, in response to execution by the device, cause the device to further retrieve a secure timestamp based on the instantiation request, associate the secure timestamp with the unique identifier assigned to the VNFC, and transmit, to the NFV infrastructure, the secure timestamp with the unique identifier for association with a root of trust (RoT) of the platform.
Example 36 may include the one or more computer-readable media of any of the examples 25-35, wherein the unique identifier is generated by a root of trust (RoT) of the platform, and wherein the instructions, in response to execution by the device, cause the device to further log the unique identifier in the RoT for management by the RoT.
Example 37 may include an apparatus for virtualized entity identity management, comprising means for obtaining identifiers for components of a platform in response to instantiation of a virtualized network function component (VNFC), the platform to implement the VNFC, means for generating a unique identifier for the VNFC based on the identifiers for the components of the platform, and means for assigning the unique identifier to the VNFC.
Example 38 may include the apparatus of example 37, further comprising means for performing a hash operation on the identifiers for the components of the platform, wherein the unique identifier is set to a result of the hash operation.
Example 39 may include the apparatus of any of the examples 37 and 38, further comprising means for obtaining a globally unique identifier associated with the VNFC, and means for performing a hash operation on the identifiers for the components of the platform and the globally unique identifier associated with the VNFC, wherein the unique identifier is set to a result of the hash operation.
Example 40 may include the apparatus of any of the examples 37-39, wherein the identifiers for the components of the platform include one or more identifiers selected from the group consisting of a rack identifier, a root of trust identifier, a platform identifier, a basic input/output system identifier, an operating system identifier and a virtual machine manager identifier.
Example 41 may include the apparatus of any of the examples 37-40, further comprising means for obtaining a tenant identifier for a tenant that requests use of the VNFC, and means for associating the unique identifier with the tenant identifier.
Example 42 may include the apparatus of example 41, further comprising means for storing, in a log, the tenant identifier with the associated unique identifier.
Example 43 may include the apparatus of any of the examples 37-42, further comprising means for obtaining a tenant identifier for a tenant that requests use of the VNFC, means for determining that the tenant is not authorized to utilize the VNFC based on the tenant identifier, and means for preventing use of the VNFC by the tenant based on the determination that the tenant is not authorized.
Example 44 may include the apparatus of any of the examples 37-43, further comprising means for receiving an instantiation request of a virtualized network function (VNF) from a cloud operating system (OS) service, means for determining that the VNF is to utilize the VNFC based on the instantiation request, and means for transmitting, to the cloud OS service, the unique identifier assigned to the VNFC for association with a root of trust (RoT) associated with the VNF.
Example 45 may include the apparatus of example 44, further comprising means for generating a second unique identifier based on the unique identifier assigned to the VNFC, means for assigning the second unique identifier to the VNF, and means for registering the second unique identifier assigned to the VNF.
Example 46 may include the apparatus of example 45, further comprising means for logging operations, performed by the VNF, associated with the second unique identifier.
Example 47 may include the apparatus of any of the examples 44-46, further comprising means for retrieving a secure timestamp based on the instantiation request, means for associating the secure timestamp with the unique identifier assigned to the VNFC, and means for transmitting, to the cloud OS service, the secure timestamp with the unique identifier for association with the RoT.
Example 48 may include the apparatus of any of the examples 37-47, wherein the unique identifier is generated by a root of trust (RoT) of the platform, and wherein the apparatus further comprises means for logging the unique identifier in the RoT for management by the RoT.
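Examples 1-12 above (restated as methods, media and means in Examples 13-48) describe the identity mechanism in prose. The Python below is an illustration added here; it is not code from the patent or its applicant. It shows one way to implement the mechanism: the platform identifiers of Example 4 are length-prefixed before hashing so that the concatenation is unambiguous, the VNFC's globally unique identifier (Example 3) is what keeps two VNFCs placed on the same platform apart, the VNF's second identifier (Example 9) is derived from the sorted VNFC identifiers, and a small RoT-side registry performs the tenant check, the timestamp association and the logging of Examples 5-7, 10 and 12. Every name and value not taken from the patent (the field names, the sample identifier values, the `VNFC-ID-v1`/`VNF-ID-v1` domain tags, the tenant allow-list, the `secure_ts` parameter and the JSON log format) is an assumption made for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Component identifiers named in Example 4. The values are constructed sample
# data; a real platform would read them from the RoT, SMBIOS, the OS and the VMM.
SAMPLE_PLATFORM: Dict[str, str] = {
    "rack_id": "rack-07",
    "rot_id": "tpm-ek-9f3a",
    "platform_id": "node-0042",
    "bios_id": "BIOS-2.1.7",
    "os_id": "linux-5.4.0",
    "vmm_id": "kvm-4.2",
}
FIELD_ORDER = ("rack_id", "rot_id", "platform_id", "bios_id", "os_id", "vmm_id")


def canonical_encode(parts: List[str]) -> bytes:
    """Length-prefix every part so the byte string decodes to exactly one tuple.
    Bare concatenation is ambiguous: ("rack-07", "tpm") and ("rack-0", "7tpm")
    yield the same bytes and therefore the same hash."""
    out = bytearray()
    for part in parts:
        data = part.encode("utf-8")
        out += len(data).to_bytes(4, "big") + data
    return bytes(out)


def naive_unique_id(platform: Dict[str, str]) -> str:
    """Anti-pattern kept for comparison: hash of the bare concatenation."""
    joined = "".join(platform[k] for k in FIELD_ORDER)
    return hashlib.sha256(joined.encode("utf-8")).hexdigest()


def vnfc_unique_id(platform: Dict[str, str], vnfc_guid: Optional[str] = None) -> str:
    """Examples 2 and 3: hash of the platform identifiers, optionally with the
    VNFC's GUID. Without the GUID, two VNFCs on the same platform receive the
    same identifier. The tag prefix is an assumed domain separator so that
    VNFC and VNF identifiers can never coincide."""
    parts = [platform[k] for k in FIELD_ORDER]
    if vnfc_guid is not None:
        parts.append(vnfc_guid)
    return hashlib.sha256(b"VNFC-ID-v1" + canonical_encode(parts)).hexdigest()


def vnf_unique_id(vnfc_ids: List[str]) -> str:
    """Example 9: second identifier for a VNF, derived from its VNFCs'
    identifiers. Sorting makes it independent of instantiation order."""
    return hashlib.sha256(b"VNF-ID-v1" + canonical_encode(sorted(vnfc_ids))).hexdigest()


@dataclass
class IdentityRegistry:
    """Registry held by the RoT (Examples 5-7, 10 and 12). `allowed` maps a
    VNFC GUID to the tenants permitted to use it; that allow-list is an
    assumption, the patent does not say where authorization data comes from."""
    allowed: Dict[str, Set[str]]
    bindings: Dict[str, str] = field(default_factory=dict)  # unique id -> tenant
    log: List[str] = field(default_factory=list)            # one JSON object per line

    def _record(self, **event) -> None:
        self.log.append(json.dumps(event, sort_keys=True))

    def instantiate_vnfc(self, platform: Dict[str, str], vnfc_guid: str,
                         tenant_id: str, secure_ts: int) -> Optional[str]:
        """Example 7: an unauthorized tenant is refused before any identifier
        is issued. `secure_ts` stands in for the RoT-sourced timestamp of
        Example 10 (assumed here to be an integer epoch value)."""
        if tenant_id not in self.allowed.get(vnfc_guid, set()):
            self._record(event="denied", tenant=tenant_id, vnfc_guid=vnfc_guid, ts=secure_ts)
            return None
        uid = vnfc_unique_id(platform, vnfc_guid)
        self.bindings[uid] = tenant_id
        self._record(event="assigned", tenant=tenant_id, vnfc_id=uid, ts=secure_ts)
        return uid

    def register_vnf(self, vnfc_ids: List[str], tenant_id: str,
                     secure_ts: int) -> Optional[str]:
        """Example 9 with a tenant check added: a VNF is only registered from
        VNFCs whose identifiers are bound to the requesting tenant."""
        if any(self.bindings.get(i) != tenant_id for i in vnfc_ids):
            self._record(event="vnf_denied", tenant=tenant_id, ts=secure_ts)
            return None
        vid = vnf_unique_id(vnfc_ids)
        self._record(event="vnf_registered", tenant=tenant_id, vnf_id=vid, ts=secure_ts)
        return vid
```

Two points a practitioner should take from this. First, every input to the hash is a platform identifier that an operator, or anyone with host access, can read, so the identifier is reproducible rather than secret; what gives it weight is that the RoT is the party that computes, assigns and logs it (Example 12), so the registry, not the value itself, is the authority on which VNFC holds which identifier. Second, the `naive_unique_id` function is included only to show the concatenation collision that the length-prefixed encoding avoids; two platforms whose identifiers differ only in where a field boundary falls would otherwise receive the same identifier.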
It will be apparent to those skilled in the art that various modifications and variations can be made in the disclosed embodiments of the disclosed device and associated methods without departing from the spirit or scope of the disclosure. Thus, it is intended that the present disclosure covers the modifications and variations of the embodiments disclosed above provided that the modifications and variations come within the scope of any claims and their equivalents.
Claims
1. An apparatus for identity management of virtualized entities, comprising:
a memory device with instructions stored thereon; and
one or more processors that, in response to execution of the instructions stored on the memory device, are to:
detect an instantiation of a virtualized network function component (VNFC);
obtain identifiers for components of a platform based on the detected instantiation, the platform to implement the VNFC;
generate a unique identifier based on the identifiers for the components of the platform; and
assign the unique identifier to the VNFC.
2. The apparatus of claim 1, wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further perform a hash operation on the identifiers to generate the unique identifier.
3. The apparatus of any of the claims 1 and 2, wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further:
obtain a globally unique identifier associated with the VNFC; and
perform a hash operation on the identifiers and the globally unique identifier to generate the unique identifier.
4. The apparatus of any of the claims 1 and 2, wherein the identifiers for the components of the platform include one or more identifiers selected from the group consisting of a rack identifier, a root of trust identifier, a platform identifier, a basic input/output system identifier, an operating system identifier, and a virtual machine manager identifier.
5. The apparatus of any of the claims 1 and 2, wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further:
obtain a tenant identifier for a tenant that requests use of the VNFC; and
associate the unique identifier with the tenant identifier.
6. The apparatus of claim 5, wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further store, in a log on the memory device, the tenant identifier with the associated unique identifier.
7. The apparatus of any of the claims 1 and 2, wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further:
obtain a tenant identifier for a tenant that requests use of the VNFC;
determine that the tenant is not authorized to utilize the VNFC based on the tenant identifier; and
prevent use of the VNFC by the tenant based on the determination that the tenant is not authorized.
8. The apparatus of any of the claims 1 and 2, wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further:
receive an instantiation request of a virtualized network function (VNF) from a cloud operating system (OS) service;
determine that the VNF is to utilize the VNFC based on the instantiation request; and
transmit, to the cloud OS service, the unique identifier assigned to the VNFC for association with a root of trust (RoT) associated with the VNF.
9. The apparatus of claim 8, wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further:
generate a second unique identifier based on the unique identifier assigned to the VNFC;
assign the second unique identifier to the VNF; and
register the second unique identifier assigned to the VNF.
10. The apparatus of claim 8, wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further:
retrieve a secure timestamp based on the instantiation request;
associate the secure timestamp with the unique identifier assigned to the VNFC; and
transmit, to the cloud OS service, the secure timestamp with the unique identifier for association with the RoT.
11. The apparatus of claim 9, wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further:
log operations, performed by the VNF, associated with the second unique identifier; and
store the logged operations on the memory device.
12. The apparatus of any of the claims 1 and 2, wherein the unique identifier is assigned to the VNFC by a root of trust (RoT) of the apparatus, and wherein the one or more processors, in response to execution of the instructions stored on the memory device, are to further:
log the unique identifier in the RoT for management by the RoT.
13. One or more computer-readable media having instructions stored thereon, wherein the instructions, in response to execution by a device, cause the device to:
process an instantiation request from a network function virtualization (NFV) infrastructure for a virtualized network function component (VNFC);
obtain identifiers for components of a platform to implement the VNFC based on the instantiation request;
generate a unique identifier for the VNFC based on the identifiers for the components of the platform; and
transmit the unique identifier to the NFV infrastructure for association with the VNFC.
14. The one or more computer-readable media of claim 13, wherein the instructions, in response to execution by the device, cause the device to further:
perform a hash operation on the identifiers for the components of the platform, wherein the unique identifier is set to a result of the hash operation.
15. The one or more computer-readable media of any of the claims 13 and 14, wherein the instructions, in response to execution by the device, cause the device to further:
extract, from the instantiation request, a globally unique identifier associated with the VNFC; and
perform a hash operation on the identifiers for the components of the platform and the globally unique identifier associated with the VNFC, wherein the unique identifier is set to a result of the hash operation.
16. The one or more computer-readable media of any of the claims 13 and 14, wherein the instructions, in response to execution by the device, cause the device to further:
obtain a tenant identifier for a tenant that requests use of the VNFC; and
associate the unique identifier with the tenant identifier.
17. The one or more computer-readable media of claim 16, wherein the instructions, in response to execution by the device, cause the device to further:
store, in a log, the tenant identifier with the associated unique identifier.
18. The one or more computer-readable media of any of the claims 13 and 14, wherein the instructions, in response to execution by the device, cause the device to further:
obtain a tenant identifier for a tenant that requests use of the VNFC;
determine that the tenant is not authorized to utilize the virtualized network function based on the tenant identifier; and
prevent use of the VNFC by the tenant based on the determination that the tenant is not authorized.
19. The one or more computer-readable media of any of the claims 13 and 14, wherein the instructions, in response to execution by the device, cause the device to further:
receive an instantiation request of a virtualized network function (VNF) from a cloud operating system (OS) service;
determine that the VNF is to utilize the VNFC based on the instantiation request; and
transmit, to the cloud OS service, the unique identifier assigned to the VNFC for association with a root of trust (RoT) associated with the VNF.
20. The one or more computer-readable media of claim 19, wherein the instructions, in response to execution by the device, cause the device to further:
generate a second unique identifier based on the unique identifier assigned to the VNFC;
assign the second unique identifier to the VNF; and
register the second unique identifier assigned to the VNF.
21. The one or more computer-readable media of any of the claims 13 and 14, wherein the instructions, in response to execution by the device, cause the device to further:
retrieve a secure timestamp based on the instantiation request;
associate the secure timestamp with the unique identifier assigned to the VNFC; and
transmit, to the NFV infrastructure, the secure timestamp with the unique identifier for association with a root of trust (RoT) of the platform.
22. The one or more computer-readable media of any of the claims 13 and 14, wherein the unique identifier is generated by a root of trust (RoT) of the platform, and wherein the instructions, in response to execution by the device, cause the device to further:
log the unique identifier in the RoT for management by the RoT.
23. An apparatus for virtualized entity identity management, comprising:
means for obtaining identifiers for components of a platform in response to instantiation of a virtualized network function component (VNFC), the platform to implement the VNFC;
means for generating a unique identifier for the VNFC based on the identifiers for the components of the platform; and
means for assigning the unique identifier to the VNFC.
24. The apparatus of claim 23, further comprising:
means for performing a hash operation on the identifiers for the components of the platform, wherein the unique identifier is set to a result of the hash operation.
25. The apparatus of any of the claims 23 and 24, further comprising:
means for obtaining a globally unique identifier associated with the VNFC; and
means for performing a hash operation on the identifiers for the components of the platform and the globally unique identifier associated with the VNFC, wherein the unique identifier is set to a result of the hash operation.
26. The apparatus of any of the claims 23 and 24, further comprising:
means for obtaining a tenant identifier for a tenant that requests use of the VNFC; and
means for associating the unique identifier with the tenant identifier.
27. The apparatus of any of the claims 23 and 24, further comprising:
means for obtaining a tenant identifier for a tenant that requests use of the VNFC;
means for determining that the tenant is not authorized to utilize the VNFC based on the tenant identifier; and
means for preventing use of the VNFC by the tenant based on the determination that the tenant is not authorized.
28. The apparatus of any of the claims 23 and 24, further comprising:
means for receiving an instantiation request of a virtualized network function (VNF) from a cloud operating system (OS) service;
means for determining that the VNF is to utilize the VNFC based on the instantiation request; and
means for transmitting, to the cloud OS service, the unique identifier assigned to the VNFC for association with a root of trust (RoT) associated with the VNF.
29. The apparatus of claim 28, further comprising:
means for generating a second unique identifier based on the unique identifier assigned to the VNFC;
means for assigning the second unique identifier to the VNF; and
means for registering the second unique identifier assigned to the VNF.
30. The apparatus of claim 28, further comprising:
means for retrieving a secure timestamp based on the instantiation request;
means for associating the secure timestamp with the unique identifier assigned to the VNFC; and
means for transmitting, to the cloud OS service, the secure timestamp with the unique identifier for association with the RoT.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US201662295924P | 2016-02-16 | 2016-02-16 | |
| US62/295,924 | 2016-02-16 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2017142577A1 (en) | 2017-08-24 |
Family
ID=56133066
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/US2016/034692 (WO2017142577A1, ceased) | Identity management of virtualized entities | 2016-02-16 | 2016-05-27 |
Country Status (1)
| Country | Link |
|---|---|
| WO (1) | WO2017142577A1 (en) |
Citations (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP1548580A2 (en) * | 2003-11-12 | 2005-06-29 | Hewlett-Packard Development Company, L.P. | Non-platform-specific unique identifier generation |
| US20120226740A1 (en) * | 2011-03-04 | 2012-09-06 | Mformation Technologies Inc. | System and method to provide remote device management for mobile virtualized platforms |
- 2016-05-27: PCT/US2016/034692 filed, published as WO2017142577A1; legal status: ceased
Cited By (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN109756356A (en) * | 2017-11-07 | 2019-05-14 | 华为技术有限公司 | Device updating method and device |
| CN109756356B (en) * | 2017-11-07 | 2021-09-21 | 华为技术有限公司 | Equipment upgrading method and device |
| US11640313B2 (en) | 2017-11-07 | 2023-05-02 | Huawei Technologies Co., Ltd. | Device upgrade method and apparatus |
| US11429733B2 (en) * | 2018-11-15 | 2022-08-30 | International Business Machines Corporation | Sharing secret data between multiple containers |
| GB2583904A (en) * | 2019-04-23 | 2020-11-18 | Metaswitch Networks Ltd | Commissioning a virtualised network function |
| US11425203B2 (en) | 2019-04-23 | 2022-08-23 | Metaswitch Networks Ltd | Commissioning a virtualized network function |
| GB2583904B (en) * | 2019-04-23 | 2023-03-08 | Metaswitch Networks Ltd | Commissioning a virtualised network function |
| CN113918268A (en) * | 2020-07-07 | 2022-01-11 | 华为技术有限公司 | Multi-tenant management method and device |
| EP4177742A4 (en) * | 2020-07-07 | 2023-12-06 | Huawei Technologies Co., Ltd. | Multitenancy management method and apparatus |
Similar Documents
| Publication | Title |
|---|---|
| US12277228B2 (en) | Computing devices with secure boot operations |
| US10977372B2 (en) | Technologies for secure bootstrapping of virtual network functions |
| US9774602B2 (en) | Remote trust attestation and geo-location of servers and clients in cloud computing environments |
| US9614875B2 (en) | Scaling a trusted computing model in a globally distributed cloud environment |
| US9910972B2 (en) | Remote trust attestation and geo-location of servers and clients in cloud computing environments |
| US11063923B2 (en) | Authenticator plugin interface |
| WO2019020034A1 (en) | Password reset method, apparatus and system for virtual machine |
| KR20210141639A (en) | Network-based media processing security |
| WO2017142577A1 (en) | Identity management of virtualized entities |
| US9386042B1 (en) | Methods, systems, and computer readable mediums for utilizing geographical location information to manage applications in a computer network system |
| US11989279B2 (en) | Method and system for service image deployment in a cloud computing system based on distributed ledger technology |
| US11902345B2 (en) | Method and apparatus for contribution reporting of uplink streaming in 5G networks |
| US11526373B2 (en) | Agentless personal network firewall in virtualized datacenters |
| CN108171062B (en) | Positioning method and device for equipment and storage medium |
| CN109286494B (en) | Method and device for generating initialization credential of virtual network function VNF |
| US20240275836A1 (en) | Method and apparatus for signaling individual and group service operation points for multiple formats in 5G media streaming |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 16729697; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 16729697; Country of ref document: EP; Kind code of ref document: A1 |