Network Function Virtualization (NFV) has shifted communication networks towards more adaptable software solutions, but this transition raises new security concerns, particularly in public cloud deployments. While Intel's Software Guard Extensions (SGX) offers a potential remedy, it requires complex application adaptations. This paper investigates AMD's Secure Encrypted Virtualization (SEV) as an alternative approach for securing NFV. SEV encrypts virtual machine (VM) memory, protecting it from threats, including those at the hypervisor level, without requiring application modifications. We explore the practicality and performance implications of executing native network function (NF) implementations in AMD SEV-SNP, the latest iteration of SEV. Our study focuses on running an unmodified Snort NF within SEV. Results show an average performance penalty of approximately 20% across various traffic and packet configurations, demonstrating a trade-off between security and performance that may be acceptable for many NFV deployments.