Abstract

Network Function Virtualization (NFV) is an emerging technology to enable network functions (NFs) outsourcing on cloud so as to reduce the costs of deploying and maintaining NFs. However, NF outsourcing poses a serious gap between the expected service function chains (SFCs) and the real enforcement because SFC deployment and management on cloud is invisible to NF customers (i.e., enterprises). In this paper, we propose verifiable SFC, i.e., vSFC, the first scheme that allows an enterprise to accurately verify the correct enforcement of SFC in realtime. In particular, different from the-state-ofthe-art network function verification schemes, vSFC is generic and agile, which can be deployed on various clouds, while not requiring modifications to any NFs on cloud. vSFC detects a wide range of SFC violations including forwarding path incompliance, flow dropping, and packet injection attacks. To demonstrate the feasibility and performance of vSFC, we implement a vSFC prototype built on top of KVM and conduct experiments with real traces. Our experiment results show that vSFC detects various SFC violations with a negligible overhead.