vSFC: Generic and Agile Verification of Service Function Chains in the Cloud
IEEE/ACM Transactions on Networking (IF 3.0), Pub Date: 2020-10-27, DOI: 10.1109/tnet.2020.3028846
Xiaoli Zhang, Qi Li, Zeyu Zhang, Jianping Wu, Jiahai Yang

With the advent of network function virtualization (NFV), outsourcing network functions (NFs) to the cloud is becoming increasingly popular for enterprises since it brings significant benefits for NF deployment and maintenance, such as improved scalability and reduced overhead. However, NF outsourcing limits the control of customer enterprises over NF deployment and management, consequently raising serious security concerns. Enterprises cannot ensure whether their outsourced NFs and associated service function chains (SFCs) are correctly enforced according to their specifications. In this paper, we propose vSFC, an SFC verification scheme that allows an enterprise to accurately verify the correctness of SFC enforcement in real time. Specifically, it can detect a wide range of SFC violations including forwarding path incompliance, packet dropping, and flow dropping attacks. Meanwhile, it is generic and agile, which can be applied to arbitrary cloud architectures without requiring any modification to NFs. To demonstrate the feasibility and performance of vSFC, we implement a vSFC prototype on top of Linux kernel-based virtual machines (KVM) and conduct extensive experiments with real traffic. The experimental results show that vSFC can accurately detect SFC violations with negligible overhead.

Updated: 2020-10-27