First Experimental Demonstration of Secure NFV Orchestration over an SDN-Controlled Optical Network with Time-Shared Quantum Key Distribution Reso
📝 Abstract
We demonstrate, for the first time, a secure optical network architecture that combines NFV orchestration and SDN control with quantum key distribution (QKD) technology. A novel time-shared QKD network design is presented as a cost-effective solution for practical networks.
📄 Content
First Experimental Demonstration of Secure NFV Orchestration over an SDN-Controlled Optical Network with Time-Shared Quantum Key Distribution Resources
A. Aguado (1), E. Hugues-Salas (1), P. A. Haigh (1), J. Marhuenda (1), A. B. Price (2,3), P. Sibson (2), J. Kennard (2), C. Erven (2), J. G. Rarity (2), M. G. Thompson (2), A. Lord (4), R. Nejabati (1) and D. Simeonidou (1)
(1) High Performance Networks group, (2) Centre for Quantum Photonics & (3) Quantum Engineering Centre for Doctoral Training, School of Physics & Department of Electrical and Electronic Engineering, University of Bristol, BS8 1UB ({a.aguado; alasdair.price}@bristol.ac.uk)
(4) Head of Optical Research, BT, UK.
Abstract We demonstrate, for the first time, a secure optical network architecture that combines NFV orchestration and SDN control with quantum key distribution (QKD) technology. A novel time-shared QKD network design is presented as a cost-effective solution for practical networks.
Introduction
Network function virtualization (NFV) promises significant network infrastructure simplification as current hardware appliances are replaced with software running on standard servers. NFV is complemented by software-defined networking (SDN), which provisions the required network connectivity to respond to newly instantiated appliances by aligning network topologies in an automated manner. However, there are security risks associated with NFV deployment. In an NFV-enabled network infrastructure, network functions are stored centrally as software images in a remote data center (DC) where they can be cloned, transferred and deployed as virtual functions on commodity servers (replacing network appliances) across the network. This transfer of network functions must be secured, as any attempt to tamper with NFV can create a significant security breach. For instance, if a transmitted software image of a network function, such as a firewall, contains any sensitive information, its interception and/or alteration can compromise an entire network.
Quantum key distribution (QKD) is a contemporary approach to the generation of symmetric keys [1]. In QKD, keys are distributed by transmitting single photons from a sender (Alice) to a receiver (Bob) over a quantum channel, which is usually a fibre optic channel. Fundamental laws of physics prevent an eavesdropper (Eve) from learning the key, as any attempts Eve makes to gain information about the photons will irreversibly change them in a manner that can be readily detected. An additional benefit of QKD is that keys generated in this manner can be considered future-proof from hacking, since they are random, rendering any future mathematical attacks ineffective.
Building on these principles, we propose and experimentally demonstrate, for the first time, the inclusion of QKD to tackle NFV’s security problems. More importantly, utilizing SDN technology, we present a cost-efficient method for time-sharing the QKD systems and demonstrate the ease with which these systems can be integrated with an NFV platform.
NFV-QKD platform description
The ETSI NFV management and orchestration (MANO) architecture [2] is organized into three layers: the orchestrator, virtual network function (VNF) managers, and the virtual infrastructure manager (VIM). Existing solutions approach the functional distribution in several different ways or are incomplete, due to a lack of standardization. Here, we define and implement a prototype of the ETSI NFV architecture for distributed DCs (Fig. 1(a)). Our approach splits the architecture into a centralized orchestrator (CO) acting as master node and different ETSI NFV stacks operating in slave mode. The CO is composed of a Python backend core, a MySQL database, a GUI and RESTful interfaces that allow platform users and administrators to manage the infrastructure. The slave-mode stack is composed of three layers: the orchestrator (acting as a gateway between the CO and the DC hosting network functions), the VNF managers, and the VIM, which manages virtual machines (VMs) and Linux containers (based on OpenStack and Docker, respectively).
In the proposed NFV architecture, images of network functions are stored within the CO’s trusted DC, where an Alice sender unit is also located. To virtualize these network functions, their images must be cloned and securely transmitted to remote servers with Bob receiver units. To achieve secure transmission, our NFV MANO architecture has been integrated with an ID Quantique QKD system (ID3100 Clavis2) [3], as shown in Fig. 1(a). When an image needs to be transmitted, the CO requests a key from the Alice unit using the proprietary IDQ3P protocol. The image is then encrypted with the advanced encryption standard (AES) symmetric key algorithm, and the remote platform is informed of the transmission and of the key ID needed for image decryption. While we use the standard AES algorithm, one-time pad (OTP) c
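The transfer described above, sketched in Go as an added example (not code from the paper or its platform): `KeyStore` is a hypothetical in-memory stand-in for the Alice and Bob units, which the real CO queries over the proprietary IDQ3P protocol, and GCM is an assumed AES mode since the paper names only AES. It shows that only the key ID travels with the ciphertext, that each key is consumed once, and that an altered image fails decryption.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type KeyStore map[uint32][]byte // hypothetical stand-in for a QKD unit's key buffer
type Envelope struct{ KeyID uint32; Nonce, Box []byte } // sent to the remote DC: key ID, never the key

// aead consumes key id (single use) and returns AES-GCM keyed with it.
func (s KeyStore) aead(id uint32) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(s[id]) // unknown or used ID: nil key, size error
	delete(s, id)
	if err != nil {
		return nil, fmt.Errorf("key ID %d unusable: %w", id, err)
	}
	return cipher.NewGCM(blk)
}

// Seal is the CO side: take a key from Alice's store and encrypt the image.
func Seal(alice KeyStore, id uint32, image []byte) (Envelope, error) {
	g, err := alice.aead(id)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{id, nonce, g.Seal(nil, nonce, image, nil)}, nil
}

// Open is the remote side: fetch the key at Bob by ID, then verify and decrypt.
func Open(bob KeyStore, e Envelope) ([]byte, error) {
	g, err := bob.aead(e.KeyID)
	if err != nil || len(e.Nonce) != g.NonceSize() {
		return nil, fmt.Errorf("key ID %d: no key or malformed nonce", e.KeyID)
	}
	return g.Open(nil, e.Nonce, e.Box, nil)
}

func main() {
	key := make([]byte, 32) // constructed all-zero key in place of QKD output
	env, _ := Seal(KeyStore{1: key}, 1, []byte("constructed VNF image"))
	img, err := Open(KeyStore{1: key}, env)
	fmt.Printf("%s %v\n", img, err)
}
```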
This content is AI-processed based on ArXiv data.