Network slicing security: Challenges and directions

Network slicing emerges as a key technology in next generation networks, boosted by the integration of software-defined networking and network functions virtualization. However, while allowing resource sharing among multiple tenants, such networks must also ensure the security requirements needed for the scenarios they are employed. This letter presents the leading security challenges on the use of network slices at the packet core, the solutions that academy and industry are proposing to address them, pointing out some directions that should be considered


INTRODUCTION
The heterogeneity of network services coexisting in the same infrastructure requires networks to be designed to achieve a multitude of requirements that can be conflicting.Furthermore, such services are very dynamic and subject to unpredictable demands.Additionally, it is expected that networks will reach a much bigger scale in the coming years, mostly driven by the growth of the Internet of Things (IoT).This shift in scale will raise the network demands drastically, including 1000 times more data volume, from 10 to 100 times more devices, five times lower latency, and high bit rates per user.These new demands will require higher spectrum efficiency, better coverage, supporting an increasing number of heterogeneous devices, while being cost effective. 1To support this, the concept of Network Slicing arises, allowing network operators to split their physical infrastructure into multiple logical networks, each one orchestrated according to its specific characteristics.As depicted in Figure 1A, each slice represents an independent end-to-end network and can be owned by distinct tenants (or vertical markets) that control physical, virtualized, and service layers, with distinct key performance indicators (KPIs).Examples of KPIs are latency, data security, energy efficiency, mobility, massive connectivity, reachability, quality of service (QoS), and throughput, as illustrated in Figure 1B.Taking recent advancements in virtualization and network control, such as software-defined networking (SDN) for networking and network functions virtualization (NFV) for function virtualization, network slicing creates virtual networks that deliver a customized network experience tailored to relevant KPIs.The management view, shown in Figure 1C, illustrates how the orchestration of network slices can be done end-to-end by slice's owners, articulating the different slice-enabled telcos that provide the infrastructure.Inspired by the European Telecommunications Standards Institute (ETSI), 3 the telco should have a network slice manager (NSM) on top of its NFV orchestration, being the controls of the NSM exposed through the customer service portal or other interfaces with the operations support system/business support system (OSS/BSS).
While network slicing emerges as a key technology for new softwarized networks, including fifth generation (5G), it also raises security concerns because of the impact that a vulnerability may have in such scenarios.Because slicing builds atop other technologies, there are known security challenges attributed to the underlying SDN and NFV technologies, as well as the access networks.The goal of this letter is to focus on Network Slicing in a general packet core, conveying an applied view of the security challenges that arise from the network slicing definition, presenting the existing solutions and possible directions.

SECURITY ISSUES INTRODUCED BY NETWORK SLICING
Isolation is a fundamental feature of Network Slicing.The better the isolation, the more reliable the slicing solution is.A "slicing system" that can only ever have a single slice is actually a regular non-sliced network, that is, an already well-researched topic.Therefore, by definition, multiple slices will (at some point) have to coexist by sharing the same infrastructure.This coexistence is determined by the minimum requirements set for each slice.As long as these are delivered, interference does not occur, therefore preserving isolation.Defining what constitutes interference for that slice, setting the minimum requirements, and enforcing them is the critical part of security in network slicing.Kotulski et al 4 state that it is necessary to identify isolation attributes, create a kind of abstraction layer to assure end-to-end isolation on a certain strength level, and introduce adequate security policies.In their survey, the authors conclude that currently no common description of isolation capabilities could be used for automatic deployment.Then, it is important to define the expected initial isolation level (eg, security) as well as designing dynamic isolation mechanisms that can enforce the isolation level of any given service.Our work builds upon this to do a deeper assessment of network slice security challenges in a general packet core, presenting the existing solutions, as well as show future directions (in the form of not addressed issues).
Prominent bodies, such as next generation mobile networks (NGMN), issued recommendations for network slicing security in 5G, 5 which aided the identification of threats in the general packet core.Recommendations in underlying technologies were also considered, such as ETSI's for NFV, 6 which surveys the potential areas of security concern across the virtual network function (VNF) life cycle.Because of space constraints, we omit 3GPP's TR 33.811 study of network slicing security for 5G, since for our general packet core purposes the NGMN document already covers the same points.Similarly, ETSI NFV-SEC also covers essential aspects of the ONF SDN security whitepaper.

Security principles on network slicing
Each slice has its isolation constraints, which are set by its KPIs.Therefore, interference can be broadly defined as anything that breaks the ability to deliver the KPIs of a given slice.Such interference can be attributed to different origins, for example, the KPIs may have been poorly selected for the slice application, the service provisioning may be insufficient to deliver those security-related KPIs, or there may be adversaries who are disrupting services.As a consequence, an effective network slicing solution needs to address management, performance, and security as a whole.It is crucial that attacks performed against one slice do not affect the others, therefore requiring that security functions act independently.The NSM must be able to track flows and function interactions across slices, within their administrative domains.The NSM is responsible for the abstracted virtual network and interacting functions, within the slice.However, the same NSM is not responsible for the orchestration or correctness of services provided by the slices.Secure network slicing solutions must ensure the main security principles, traditionally categorized into confidentiality, authentication, authorization, availability, and integrity.In such a context, when associated with network slicing, these principles translate: 1. Confidentiality: must ensure that packets are not made available outside of the slice that generated them, or the slices which are allowed to interconnect.Additionally, the data carried in those packets or held within the network functions (NFs) that process them must not be available to anyone other than the authorized elements or end users.2. Authentication: must unequivocally identify and validate the persons, accounts, or elements that are interacting with the system.When an OSS/BSS interacts with the NSM, both parties must be able to verify and authenticate themselves mutually.The same requirement applies to OSS/BSS interactions made on behalf of slice-owners, the ones with the NFV Management and Orchestrator (MANO), in order to manage network elements and others triggered by end users.3. Authorization: must determine whether an attempted interaction is allowed to go through.End users, slice owners, infrastructure providers, and elements such as the NSM or NFs have different capabilities within the system.End users may only be allowed to interact with slices that the slice owners have granted access to.Slice owners must manage only their own slices, or control the allowed interactions with other slices.Infrastructure providers must have full control over the NSM and the accounting of slices.The NSM has full control over the network slice instances (NSIs) and their NFs.Lastly, the NFs have control over the resources and data that are provided to them.4. Availability: the system must be reachable and working as expected when it is required.This means that the NSM and NFs must remain accessible at all time, while the slices and application part of the NFs must be accessible as long as the contracted infrastructure resources are not exceeded.Another important aspect is the processing and response times, which must remain under the threshold as specified in the service-level agreement.5. Integrity: the system must not be able to be subverted, either by tampering with data or by replacing its functionality.In other words, only slice owners may change the application part of their NFs, define what is the flow processing within the slices, or change the interslice configurations.Cross-talk between slices cannot be allowed, interslice communications must only happen through their respective interfaces.
The primary challenge when developing a network slicing solution is to fulfill all requirements per the slice owner while ensuring the security of each slice independently.In the next section, we discuss how malicious users can exploit some slicing features in order to defeat the whole system.

Security threats on network slicing
Network slicing relies on assuring a required level of isolation, which depends on the actual requirements of a slice.As the NSM has full control over all telco slices, compromising the NSM functionality will eventually affect the whole system.If an attacker monitors the traffic in the northbound or southbound interfaces, he/she may be able to understand the configurations performed in the system, breaching confidentiality.This allows the attacker to independently create a snapshot of the system's status, a vital part of the enumeration phase in which all ingress vectors are identified, along with the possible vulnerabilities.A breach in confidentiality by monitoring these interfaces may quickly escalate to a breach of authentication or authorization, as the attacker may capture a way to impersonate an element or acquire a token that allows performing some action transiently.Also, if the attacker is able to inject traffic into those interfaces, then the system may also have a breach of integrity or availability.The same threats to the NSM's southbound interface also apply to the MANO's NFV Orchestrator (NFVO), as both are exposed.The difference in the case of the NFVO is the breadth of its scope, that is, the consequences of a breach/disruption of the NFVO only affect a subset of the elements controlled by the NSM.Unsurprisingly, if an attacker manages to get a foothold within the control plane of the operator (as was described above), that has the potential for broader consequences over the system.However, most network slice users will be constrained to just the data plane, being the control plane only indirectly exposed through well-defined configuration primitives (in the northbound interfaces of both NSM and NFVO).The incorrect validation in the northbound interfaces may allow legitimate users to compromise the system's integrity.
By itself, the data-plane is void of any configuration capabilities, therefore limiting the attack surface over the system.Notwithstanding, while that is the definition as in SDN-like networks, in reality, the control plane is not entirely decoupled from the data plane.The functions in the data plane usually interact with the southbound interface of their manager (a part of the control plane), through which the management primitives reconfigure and generally control the NF.Voiding data-plane access to the southbound interface partially relies on the function securing itself.Locally stored credentials to the control-plane capabilities need to be protected by the NF itself.A compromise of any of those functions may allow access to control-plane functionality, which would breach the system's integrity, exposing control-plane attack vectors through the data-plane.
Due to the nature of shared environments, even if the slice is well behaved and does not allow access to another slice's data plane/control plane, it may still allow establishing side-channels across slices that share resources.In this context, typical side channels are time-based attacks that leverage various system caches.An example of such an attack is an oracle, which infers data from another slice by introducing known combinations of data until one is processed faster than the rest, allowing the attacker to infer that such data was already in cache (even if belonging to another slice).This leads to a breach of confidentiality, with varying levels of severity.The availability (or even integrity) may also be compromised by a side channel, for instance, a noisy-neighbor whose workload selectively introduces jitter in a time-constrained service that shares its resources.
We must note that a user may connect simultaneously to more than one slice.Nevertheless, end devices are prone to security vulnerabilities and various kinds of attacks.For example, they can be contaminated by malware or turned into a bot within a Distributed Denial of Service (DDoS) attack.Also, they are subject to hardware tampering or sensor errors.In such a case, it is critical to be aware that compromised end devices may, even unintentionally, allow interslice communication.Thus, some security principles will be violated: confidentiality, because data from a given slice may flow into another via the compromised device; and authorization, whereas unauthorized users may use the affected end point to access a protected slice.
On the infrastructure side, the NSM will be responsible for securing the interslice communications (when permitted, according to the rules defined for that instance).The successful impersonation of the NSM itself would allow to fully subvert the slices isolation, allowing for unauthorized access to other slices.This results in a breach of authentication that could then result in a breach of system integrity and confidentiality.NFs may also serve more than one slice, in which case an exploit of the NF may allow for unauthorized interslice communication, breaching the system's integrity and potentially confidentiality.
In another scenario, an attacker may impersonate the host platforms.In this case, the NSM can be deceived and led to believe that the host platform on which a network slice will run is an operator authorized platform.In such a scenario, an impersonation attack can have significant consequences as operators will expose the network and private services within that network to an attacker.This breach impacts the confidentiality, since private data can be revealed, as well as integrity, since data may be corrupted, and availability, since service may be interrupted and data be removed.
An essential factor to take into consideration is that network slices will have resource quotas which a malicious user may try to abuse, disrupting the service of that single slice (compromising availability).The malicious user may do so by merely shaping its usage patterns of the slice in a way that is the most expensive for its functions, invalidating the previously required resource calculations, forcing the network slice to either take more resources from the pool or fail to keep with the demand.Additionally, the NFs shared across slices will also run with a limited resource quota.This allows an ill-intentioned user to break isolation and perturb the operation of the other slice by disrupting that shared NF, compromising the system integrity.
Threats are summarized in Table 1, which are divided into two categories, classical and nontrivial.Classical denotes well-researched and long-standing threats, common in other network systems.Nontrivial designates open research topics, in which a clear and general solution is still not available.

SECURITY IN NETWORK SLICES
Academy and industry researched the main threats against network slicing and proposed solutions to either solve or mitigate the impact of such threats.Table 2 summarizes the key research specific to network slicing security.When the specific research does not address an issue, we resort to the solutions proposed in the broader fields of computing and networking.As such, Table 2 is grouped into three categories: radio access network (RAN)'s slice, core's slice, and general solutions.The first, RAN's slice, is the specific research that focuses on radio access.Although highly relevant, works in this field fall outside of the scope of the packet core.Because of that, their findings are presented only in regards to their applicability to the scope of this letter, which is the packet core.The second, core's slice, presents the works that directly fall within our scope.Lastly, general solutions address open issues in field-specific research with broader works.Mareca et al 7 and Bordel et al 8 proposed solutions to protect data flow between end devices and the base stations.Both solutions consider only RAN and, as a consequence, do not address the issues that threaten core slices.The former employed chaos-based cryptography for privacy preservation, which relied on the actual radio signal and properties of media access, therefore hard to apply to the packet core.The latter proposed a stream cipher to protect intra-slice communications, based on a simple lightweight pseudo-random number generator.Dubbed as the Trifork, 14 it may be used in resource-constrained devices as it requires lower computational power.Unlike Mareca et al, this approach may be ported to be used in the packet core.
0][11] Thus, such solutions are more suitable to protect against the threats discussed in the previous section.Ni et al 9 presented ES 3 A, an efficient and secure service-oriented authentication framework supporting network slicing for 5G-enabled IoT services.By using ES 3 A, users can establish connections with the 5G core network and anonymously access IoT services under their delegation through proper network slices.Also, users' privacy is ensured in terms of slice configuration and access.Authors employed group signatures to provide anonymous service-oriented authentication.In addition, session keys, based on Diffie-Hellman key agreement, are employed to guarantee secure access to service data.As a result, all the classical threats are directly addressed by the solution.
Cryptography is also employed to protect interslice communication.Liu et al 10 proposed a mutual heterogeneous signcryption scheme to ensure the secure communications between 5G network slices, in different public cryptosystems -public key infrastructure (PKI) and certificateless cryptography (CLC).The authors present a scenario in which users of a 5G mobile Internet slice, using a PKI, want to securely communicate with users of a 5G vehicle Internet slice, using a CLC.The solution is more efficient than the traditional signature-than-encrypt approach, in which a user first signs a message and then encrypts it before sending to another user.This allows secure communication between two slices using different cryptography techniques.As Ni et al framework, the security schema proposed by Liu et al protects the network slice against the classical threats.
Ehrlich et al 11 approached the security controls required for core slicing addressing, in particular, the classical threats.The authors propose a dynamic, machine-readable, automatic, continuous, and future-proof approach to model and describe cybersecurity QoS requirements to support network slicing on SDN.They assess what is essential to describe and map non-functional QoS requirements of cybersecurity to the 5G network slices paradigms.The ISO/IEC 62443 security standard was used to model and describe the cybersecurity maturity of the high-level application requirements and the underlying network management capabilities.Seven foundational requirements (FRs) are evaluated with four predefined security levels (SLs), which results in a numerical specification of the cybersecurity maturity of the given application requirements or networking capabilities.Finally, Kotulski et al 4 discuss a dynamic isolation mechanism that creates isolated resources with proper capabilities, which also addresses interslicing communication with shared virtual resources across slices without breaching global security policy rules.Although the proposed tasks cover a wide range of issues related to secure network slicing, they do not present solutions to address security issues directly.Nonetheless, the authors describe some ways to meet secure environments.
Note that neither solutions that consider only RAN nor those that consider core slicing address the nontrivial threats.As stated, nontrivial threats are still open issues that need more attention.However, it is assumed that general security solutions of other environments may be transposed to network slice scenarios.For instance, Canella et al 12 describe different types of Specter and Meltdown attacks, an architectural side-channel that affects many CPUs.While not directly surveyed within Network Slicing, the findings are highly relevant for shared softwarized and virtualized environments, such as those used by NFV and SDN.Hutchins et al 13 characterized the network attack process, later known as the "Cyber Kill Chain."This methodology is readily applicable to NFs that take part of the slice, being also relevant to define the controls needed in the end user terminals.

CONCLUSION
We have briefly reviewed the most pressing challenges of Network Slicing Security, in the scope of the general packet core networks.The gathered challenges can be classified as classical and nontrivial.The classical challenges are already addressed in some form, as they encompass well-researched topics, such as mutual authentication protocols, encryption mechanisms, and data integrity/authentication measures.We were able to find research already in the field of Network Slicing Security that delivered solutions to these classical challenges.On the other hand, nontrivial issues, such as avoiding the compromise of a NF, defending against side-channels, or dealing with end-devices vulnerabilities, still lack research that addressed the needs of network slicing.In fact, side-channel attacks such as Specter and Meltdown still have open issues in the broader sense of general computing, with new (unmitigated) variants of the attack still being discovered.Nevertheless, challenges such as avoiding the compromise of a network function or dealing with end-devices vulnerabilities may be addressable employing the same methodology of general computing/networking (for instance, the "Cyber Kill Chain").While it still lacks the holistic approach that allows for the integration with the different components that make a network slicing system, future research may build upon the methodology, unlocking more efficient solutions that are aware of the KPIs and the ramifications of the resource sharing in these softwarized and virtualized environments.

1
The different perspectives of the asset to be secured (A) Business overview (B) Slice KPIs (GSM Alliance 2 ) (C) Management architecture (ETSI inspired 3 ).KPI, Key Performance Indicator

slice General solutions Security threat Mareca et al 7 Bordel et al 8 Ni et al 9 Liu et al 10 Ehrlich et al 11 Kotuski et al. 4 Canella et al 12 Hutchins et al 13
Threats impact on the security principles Network slicing defenses against the security threats Not applicable; ✓, Describes or references; ✓✓, Applicable methods or controls; ✓✓✓, Directly addresses issue.