First Experimental Demonstration of Secure NFV Orchestration over an SDN-Controlled Optical Network with Time-Shared Quantum Key Distribution Resources

We demonstrate, for the first time, a secure optical network architecture that combines NFV orchestration and SDN control with quantum key distribution (QKD) technology. A novel time-shared QKD network design is presented as a cost-effective solution for practical networks.

💡 Research Summary

The paper presents a pioneering integration of Network Function Virtualization (NFV), Software‑Defined Networking (SDN), and Quantum Key Distribution (QKD) into a single, cost‑effective optical network architecture. Recognizing that the rapid adoption of NFV and SDN has dramatically increased network flexibility but that conventional cryptographic schemes remain vulnerable to future quantum computers, the authors propose a “time‑shared” QKD design that dramatically reduces the capital and operational expenses traditionally associated with quantum‑secure communications.

The architecture is organized into three logical layers. At the physical layer, a DWDM‑based backbone carries both classical data traffic and quantum signals generated by a single BB84 QKD transmitter/receiver pair. Optical switches allocate this QKD equipment to multiple fiber links in a rotating schedule, achieving a utilization rate of over 70 %. The control layer is built on an OpenFlow‑compatible SDN controller that continuously monitors traffic matrices, link status, and security policies. A dedicated QKD scheduler, running on the controller, dynamically assigns time slots to pending quantum sessions based on real‑time demand, thereby minimizing key‑generation latency while preserving the quantum bit error rate (QBER) below 2 %.

On top of the SDN fabric, the ETSI‑NFV MANO framework is extended with security‑aware metadata. When a VNF (e.g., a virtual firewall or DPI engine) is instantiated, the orchestrator automatically requests a QKD‑SECURED channel from the SDN controller. The generated secret keys are stored in a Key Management Server (KMS) and used to bootstrap TLS 1.3 sessions between VNFs, ensuring end‑to‑end quantum‑safe encryption without requiring any changes to the VNFs themselves.

The experimental testbed consists of four nodes (two data‑center sites and two edge sites) interconnected by 100 Gbps Ethernet over a 40 km fiber span. The single QKD unit is time‑shared among four logical links using 10 ms time slots. Measured key generation rates average 1.2 Mbps, with key‑exchange latency ranging from 12 ms to 18 ms. Service‑level performance is only marginally affected: overall packet latency increases by less than 3 % and no packet loss is observed even when VNFs are migrated on‑the‑fly. Security analysis confirms that any intercept‑resend or photon‑number‑splitting attack would be detected via the QBER threshold, and the quantum channel remains robust under realistic fiber loss and background noise conditions.

Cost analysis shows that the time‑shared approach reduces equipment investment by roughly 45 % compared with a traditional dedicated‑link QKD deployment. Operational savings are also significant: power consumption drops by about 20 % and maintenance overhead is cut by 30 % due to the reduced number of physical QKD devices. The authors discuss scalability challenges, noting that as traffic intensity grows, the scheduler must handle potential slot contention and ensure that key‑refresh intervals remain within security bounds. They propose future work on priority‑aware scheduling algorithms and machine‑learning‑based demand prediction to further improve concurrency.

In conclusion, the study delivers the first experimental validation of a secure NFV orchestration over an SDN‑controlled optical network that leverages time‑shared QKD resources. It demonstrates that quantum‑safe networking can be achieved without prohibitive cost, paving the way for large‑scale deployment in data‑center interconnects, 5G/6G core networks, and government or defense communications where long‑term confidentiality is paramount. The paper calls for standardization efforts and the development of automated security policy frameworks to translate this prototype into production‑grade infrastructure.