Fifth generation softwarized network systems will make it possible to flexibly partition the network infrastructure into logically independent network slices, hosting end-to-end network services able to dynamically meet the diverse requirements of vertical industries. However, the high dynamicity of NFV-related operations and the interdependence of multiple slices running on top of a shared underlying infrastructure pose peculiar security challenges. In this article we investigate how such challenges can be addressed in the context of the management and orchestration (MANO) security functions within the ETSI NFV architectural framework. In particular, we target access control and authorization functions, and we discuss how to advance them for network slicing deployments with continuous and closedloop usage control mechanisms. We also present a proof of concept of a MANO framework extended with UCON capabilities able to regulate the access and use of network slices according to customizable security policies. Preliminary performance evaluation proves the effectiveness of the proposed approach with minor impact on the user experience and prompt reaction time to security policy violations.

中文翻译：

---

通过利用持续使用控制推动网络切片的安全性

第五代软件化网络系统将能够灵活地将网络基础设施划分为逻辑上独立的网络切片，承载能够动态满足垂直行业多样化需求的端到端网络服务。然而，NFV 相关操作的高动态性以及运行在共享底层基础设施之上的多个切片的相互依赖带来了特殊的安全挑战。在本文中，我们研究了如何在 ETSI NFV 架构框架内的管理和编排 (MANO) 安全功能的上下文中解决此类挑战。特别是，我们针对访问控制和授权功能，并讨论如何通过连续和闭环使用控制机制将它们推进网络切片部署。我们还展示了扩展了 UCON 功能的 MANO 框架的概念证明，该功能能够根据可定制的安全策略来规范网络切片的访问和使用。初步性能评估证明了所提出方法的有效性，对用户体验的影响很小，并且对违反安全策略的反应时间很短。