5G Network Slicing with QKD and Quantum-Safe Security

Paul Wright, Catherine White, Ryan C. Parker*, Jean-Sébastien Pegon, Marco Menchetti, Joseph Pearse, Arash Bahrami, Anastasia Moroz, Adrian Wonfor, Richard V. Penty, Timothy P. Spiller, Andrew Lord

BT Labs, Adastral Park, Ipswich, U.K.
ID Quantique SA, Geneva, Switzerland
York Centre for Quantum Technologies, Department of Physics, University of York, York, U.K.
Department of Engineering, University of Cambridge, Cambridge, U.K.
*Corresponding author: [email protected]
Abstract

We demonstrate how the 5G network slicing model can be extended to address data security requirements. In this work we demonstrate two different slice configurations, with different encryption requirements, representing two diverse use-cases for 5G networking, namely an enterprise application hosted at a metro network site, and a content delivery network. We create a modified software-defined networking (SDN) orchestrator which calculates and provisions network slices according to the requirements, including encryption backed by quantum key distribution (QKD) or other methods. Slices are automatically provisioned by SDN orchestration of network resources, allowing selection of encrypted links as appropriate, including those which use standard Diffie-Hellman key exchange, QKD and quantum-resistant algorithms (QRAs), as well as no encryption at all. We show that the set-up and tear-down times of the network slices are of the order of 1-2 minutes, which is an order of magnitude improvement over manually provisioning a link today.
1 Introduction

The recent introduction of 5G networks for commercial use promises to deliver increased bandwidth to customers, enabling faster connections, as well as lower-latency communications, the ability to meet Quality of Service demands, and many other service improvements. This opens up the possibility for far greater connectivity of devices than ever before.

The benefits brought by 5G are a result of the converged architecture at the core of 5G networks: resources are placed as close to the edge of the network as possible (i.e. as far away from the core network as can be), thus offering lower-latency services via so-called edge computing [1]. Use-cases which take advantage of the edge-located resources, and of the fact that these resources are used more efficiently (with some sharing of compute resource, for example), include content delivery networks (CDNs) and edge compute, automated vehicles and remote operations, as well as the monitoring and control of large-scale Internet of Things (IoT) networks, such as smart meters and distributed power generation.

Because there is a wide variety of new use-cases enabled by 5G technology, the network has had to be designed such that it can cope with this range of heterogeneous requirements, such as latency, reliability, security, and more [2]. Consequently, network slicing is utilised, and plays a key role in making 5G networks suitably flexible [3]. Network slices are made by effectively multiplexing separate virtualised networks over common physical infrastructure, and each slice can be provisioned different resources. For example, a network slice providing communications for an automated vehicle will require very low latency but fairly low bandwidth, compared to high-definition video streaming, which is more reliant on large bandwidth and less on latency [4].
Both of these use-cases can be delivered on the same physical infrastructure by separating them into separate virtualised networks through network slicing.

Network slicing is reliant on software-defined networking (SDN) and network functions virtualisation (NFV). NFV allows network slices to be made via virtual machines (VMs), which are then connected together across the network via SDN orchestration [5]; SDN is used to flexibly configure network slices, as well as reserving resources for the wide range of possible use-cases, via orchestration carried out by a network slice controller (as illustrated in Fig. 1). This SDN orchestration is vital within this work, as it is used to dynamically control the type of encryption deployed for each network slice.

Figure 1: A generic schematic to illustrate network slicing, orchestrated by a network slice controller within an exemplar 5G network.

In general, however, 5G networking does not usually intrinsically provide encryption of data traffic, instead relying on over-the-top encrypted sessions (such as TLS), often placing a responsibility on the end user to maintain security updates [5]. End-to-end security will always require encryption at the user equipment, of course, but 5G networks involve critical links within the tiered resources over which large concentrations of secure application traffic may flow, such as between the aggregation and metro nodes. These critical links could be very attractive targets for eavesdroppers, and so we suggest that network operators consider providing encryption for these links.

A vital prerequisite for strong encryption is secure key exchange. Today's standard key exchange algorithms (such as Diffie-Hellman and RSA) would be broken by a large-scale quantum computer running Shor's algorithm.
As such, there are two possible routes for avoiding this future threat: quantum-resistant algorithms (QRAs), such as those being developed under the NIST program [6], and quantum key distribution (QKD).

Whereas QRAs for key exchange rely on the assumed hardness of mathematical problems for which no efficient quantum algorithm is known, QKD is based upon the fundamental laws of quantum physics, and if implemented properly is secure against any future computational threat. QKD utilises quantum states encoded on photons to agree a key between users with information-theoretic security (ITS). ITS means that the probability that an eavesdropper holds any information on the key can be bounded, and shown to have been reduced to an arbitrarily small value. We emphasise that QKD is secure against any future computational threat, be that classical or quantum, whereas QRAs may be insecure against a future quantum (or classical) attack algorithm which is yet to be discovered.

QKD requires an initial authentication step, which is straightforward where a pre-shared key exists, but if this is not the case then QRAs may be needed for this first-time authentication. Moreover, if a QRA is used for the initial authentication step, once QKD has been performed it does not then matter if the QRA is subsequently broken, because the QKD key material has no algorithmic link to the QRA material that was used to authenticate the QKD exchange. The caveat is that the QRA must not be broken while the authenticated exchange is in progress: an attacker who can forge the authentication at that time can mount a man-in-the-middle attack on the QKD session itself.

To protect data for which there is a need for privacy or intellectual property retention over a time-scale of years, we anticipate that network application designers will select QRAs. However, for the most valuable and/or sensitive data, further long-term key security can be provided by QKD, in conjunction with QRAs for encryption and authentication.
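A common way to realise the combination just described, and the "QKD plus another method of key exchange in a single link" arrangement mentioned in Section 2, is to feed both key shares through a key derivation function so that the AES-256 key stays secret as long as either share does. The following Python is an added example, not code from this paper or from the QKD and encryptor equipment it uses; the link identifier, the handling of the 3 s key-refresh epochs and the salt label are assumptions for the illustration, and all key material is constructed.

```python
"""Hybrid key derivation: a QKD key combined with a QRA (or DH) shared secret.

Added example (not the paper's or the vendors' code). Both shares go through
HKDF (RFC 5869), so the derived AES-256 key is unpredictable while at least
one share is secret: a later break of the QRA alone does not reveal it, and a
leaked QKD key alone does not either. A per-link, per-epoch info string gives
every 3 s refresh interval its own key. Key material below is constructed.
"""
import hashlib
import hmac
from typing import List


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int,
         hash_name: str = "sha256") -> bytes:
    """HKDF extract-then-expand (RFC 5869) using only the standard library."""
    digest_size = hashlib.new(hash_name).digest_size
    if not salt:
        salt = b"\x00" * digest_size
    prk = hmac.new(salt, ikm, hash_name).digest()                 # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:                                       # expand
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def epoch_for(time_s: float, refresh_s: int = 3) -> int:
    """Index of the key-refresh epoch (3 s intervals, as on the UKQNtel link)."""
    return int(time_s // refresh_s)


def derive_link_key(qkd_key: bytes, pq_secret: bytes, link_id: str,
                    epoch: int) -> bytes:
    """AES-256 key for one link and one refresh epoch.

    Concatenating both shares into the HKDF input keying material means an
    attacker needs *both* the QKD key and the QRA/DH secret to reconstruct
    the output. The salt and info layout are assumptions for this example.
    """
    if len(qkd_key) != 32 or len(pq_secret) < 16:
        raise ValueError("unexpected key share length")
    ikm = qkd_key + pq_secret
    # Fixed public salt used purely as a domain-separation label (assumption).
    salt = hashlib.sha256(b"5g-slice-link-key/v1").digest()
    # Per-link, per-epoch context: other links and neighbouring epochs never
    # derive the same key, even from identical shares.
    info = b"AES-256|" + link_id.encode() + b"|" + epoch.to_bytes(8, "big")
    return hkdf(ikm, salt, info, 32)


def key_schedule(qkd_key: bytes, pq_secret: bytes, link_id: str,
                 start_s: float, duration_s: float) -> List[bytes]:
    """One key per 3 s epoch covering [start_s, start_s + duration_s)."""
    first = epoch_for(start_s)
    last = epoch_for(start_s + duration_s - 1e-9)
    return [derive_link_key(qkd_key, pq_secret, link_id, e)
            for e in range(first, last + 1)]


if __name__ == "__main__":
    # Constructed sample shares: a 256-bit QKD key and a 32-byte NTRU-style secret.
    qkd = bytes(range(32))
    ntru = bytes([0x42] * 32)
    for e, k in enumerate(key_schedule(qkd, ntru, "adastral-cambridge-ch4", 0, 9)):
        print(f"epoch {e}: {k.hex()}")
```

Because the combiner is a plain HKDF over the concatenated shares, the same code serves a DH-AES or QRA-AES link with the QKD share omitted from the input, and a QKD-only link with the classical share omitted; what changes is only which failure (algorithmic break versus implementation flaw) the link remains protected against.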
5G networks have the capability to dynamically control the type of encryption used for separate data channels. Sections of a single network slice may have different security requirements, for example where data is time sensitive and cached within the network, such as CDNs, or where data from multiple devices is aggregated; the level of security is another parameter of the connection which it would be useful to be able to control as part of a network slice.

Using network slicing to control encryption is relatively novel, but nevertheless has already been considered theoretically in [7] and [8] by utilising QKD in tandem with a QRA (specifically, a QRA version of Elliptic-Curve Cryptography), and has also been performed experimentally over the Bristol City 5GUK Test Network in the works of [9-11], by applying QKD to 5G networking. Moreover, in [12], proof-of-transit of the 5G data traffic is demonstrated, using cryptographic techniques with QKD over the Madrid Quantum Network [13]; this network has also been used to demonstrate securing the management of the SDN control plane through QKD in [14, 15].

However, what differentiates our work is that we dynamically control the type of encryption (Diffie-Hellman-AES, QRA-AES, QKD-AES, or no encryption at all) to address the realistic scenario in which different data packets in a 5G network will have varying security requirements. We note here that the symmetric encryption algorithm used in this work is the Advanced Encryption Standard (AES) with 256-bit keys, from QKD, Diffie-Hellman or a QRA.
AES is currently thought to be "quantum-safe": the best known quantum attack on a symmetric cipher (Grover's algorithm) gives only a quadratic speed-up over brute-force key search, leaving AES-256 with roughly 128 bits of security, unlike the Diffie-Hellman and RSA asymmetric algorithms used to establish shared secret keys, which are susceptible to an exponential speed-up via Shor's algorithm.

Within this work we experimentally demonstrate 5G network slicing to dynamically control the type of encryption (and therefore the level of data security) over existing commercial telecommunications infrastructure, to represent the possibility of supporting the variety of potential new use-cases born through 5G networks, which will inevitably have diverse security requirements. More specifically, we experimentally simulate two potential use-cases: an enterprise application hosted at a metro site in the network, and a CDN use-case.

This paper is organised as follows: in Section 2 we describe our 5G network topology and design, and the methodology behind our proof-of-concept demonstration, before discussing the results in Section 3. Section 3 is divided into subsections in which we first address the two network slice configurations separately (Subsections 3.1 and 3.2), before presenting results regarding the timing (namely the provision and deprovision times) of each network slice in Subsection 3.3.
2 Methodology

Within this section we discuss the methodology behind the test-bed configuration of our 5G network slicing prototype with dynamically-controlled encryption.

Fig. 2 schematically describes the architecture of the representative network test-bed used within this work. There are four node types in this network: cell, aggregation, metro, and core. Traffic flows from the cell sites to the core site via Ethernet switches and optical switches. In reality such an exemplar network would likely be located as per Fig. 5, in which the two cell sites could be Felixstowe and Woodbridge, with the aggregation site in Ipswich, the metro site in Cambridge, and the core node in London.

However, in this work we use the UKQNtel infrastructure, which is a section of the UK Quantum Network, containing intermediate trusted nodes for QKD link handover and classical amplification (for further detail, see [16]), as this has QKD-capable networking over a 121 km link from BT Research Labs in Ipswich (Adastral Park) to Cambridge. Available for interconnections over this infrastructure are 5 × 100G DWDM channels carrying
10G client Ethernet ports, and all interconnections between 5G network sites are 10G. There is no segregation of encryption between 10G clients on the same 100G channel (one encryption key per 100G channel, refreshed at 3 s intervals), so slices sharing a channel are separated only at Layer 2, not cryptographically. In other implementations it might be preferred to have a separate encryption key per client port, but this would not affect the Network Slicing Orchestrator approach demonstrated here. Three channels are configured to provide: no encryption; standard Diffie-Hellman with the Advanced Encryption Standard (DH-AES); and a prototype QRA, specifically an NTRU implementation provided by the Open Quantum Safe library [17], with AES (QRA-AES). The remaining two channels are in the default configuration for the UKQNtel link (256-bit AES, with keys provided via QKD, referred to herein as QKD-AES). Two exemplary network circuit schematics are shown in Fig. 3 to illustrate the specific connectivity between Adastral Park and Cambridge with the various encryption schemes utilised in this work.

The ADVA 10-TCE cards that were used for data transmission have two available models: one which supports encryption (10-TCE-AES, see Fig. 3), and one which does not (10-TCE). The resource limitations on encrypted links are therefore dependent on the hardware available. Similarly, adding QKD to an encrypted link is limited by the available installed hardware; however, it may be possible to route traffic which does not strictly require encryption over free encrypted links.
The delay introduced by the 10-TCE-AES is µs (µs in the card, and µs in the CFP module which applies Forward Error Correction); this figure is the same for both the 10-TCE and 10-TCE-AES (encrypted) cards.

Figure 2: The network test-bed configuration for the implementation of 5G network slicing, with varying levels of security provided.

Figure 3: Exemplary network diagrams to show the connectivity from the Adastral Park and Cambridge network nodes, illustrating the use of various encryption methods: a) QKD-AES encryption, b) DH-AES or QRA-AES encryption. The wavelengths of the various channels are denoted as follows: λ_MGMT = management wavelength, λ_DISC = QKD discussion channel wavelength, λ_Q = quantum key transmission wavelength. OTN = optical transport network.

Figure 4: Two stages in the user journey for creating slices, highlighting the security specification: no encryption, DH-AES, QKD-AES or Post-Quantum (referred to in-text as "QRA-AES"). a) Selecting the sites, b) Configuring the security requirements for interconnections.

Figure 5: A representative view of how such a 5G network would be distributed: Cell Sites = Felixstowe and Woodbridge, Aggregation Node = Ipswich, Metro Node = Cambridge, Core Node = London.

To demonstrate the ability of our orchestrator to create very diverse network slice requirements we added a further illustrative variation, namely between DH-AES and QRA-AES. However, in practice a network operator would likely select a network policy which always applies one, or both, of these techniques in addition to available QKD hardware. We view the QKD-AES encrypted links as offering the highest level of security, and note that in some implementations, since the main extra cost is for the QKD hardware, these may be implemented as QKD plus another method of key exchange in a single link.

Central to this experiment is the use of SDN control and orchestration technologies.
All of the network devices utilised within this demo have a YANG device model, and their configuration can be changed by issuing requests via a NETCONF interface. Network devices are registered with a Cisco Network Services Orchestrator (NSO) SDN controller, and the orchestrator communicates with the SDN controller via a REST API. Each slice is broken down into three connections: cell site to core site (for control plane traffic), cell site to compute site, and compute site to core site. To achieve the required network flexibility, Layer 2 (L2) switches are used at each site. The optical switch at the metro site provides the necessary flexibility for allocation of the links with different security levels to different tasks.

Figure 6: Network configurations of a) Use-Case 1, representing an enterprise app hosted at a network metro site, and b) Use-Case 2, representing a content delivery network (CDN), hosted at the network aggregation site.

This approach allows a network operator to specify the properties of the new network slice required, through a portal or application programming interface (API). The entity providing this is a custom Network Slicing Orchestrator (see Fig. 5), which we have created and modified to include security requirements. The Network Slicing Orchestrator has the full end-to-end view of the network and understands the requirements for network slices, as well as performing the routing and resource allocation.

For each connection in a slice, the required security level (non-encrypted, DH-AES, QKD-AES or QRA-AES) is specified, along with more traditional slice parameters such as bandwidth, latency and compute requirements. The portal interface and the slice requirement input screen showing the new security level options used in the experiment are shown in Fig. 4b, and the site selection interface is shown in Fig.
4a.

Once the properties for a slice are submitted, the Network Slicing Orchestrator determines a suitable route through the network and checks whether sufficient network and compute resource are available, whilst also ensuring that the links selected meet the security requirements specified in the initial slice request. The Network Slicing Orchestrator achieves this by allocating a security metric to each link, which is then used as a constraint within the path computation element. The network operator can then submit their request for the slice to be activated, and the orchestrator then issues the configuration commands to the network devices.
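As an added illustration of the routing check just described (not the paper's orchestrator, which is built on Cisco NSO and a custom slicing orchestrator), the following Python routes each connection of a slice over links whose security metric and free bandwidth satisfy the request, and rejects the whole slice if any connection cannot be met. The topology, latencies and bandwidths are constructed around the sites of Fig. 5, and the ordering of DH-AES below QRA-AES is an assumption; the paper itself only ranks QKD-AES as the highest level.

```python
"""Security-aware path computation for a 5G network slice.

Added example (not the paper's orchestrator code). Every link carries a
security metric; a connection is routed only over links whose metric meets
the requested level and which still have the requested bandwidth free.
Topology, latencies and bandwidths are constructed, not measured.
"""
import heapq
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed ordering of the paper's four options, lowest to highest.
SECURITY_RANK: Dict[str, int] = {"none": 0, "DH-AES": 1, "QRA-AES": 2, "QKD-AES": 3}


@dataclass
class Link:
    a: str
    b: str
    security: str       # key exchange / encryption available on this link
    free_gbps: float    # remaining client bandwidth
    latency_ms: float


def build_topology() -> List[Link]:
    """Constructed topology: two cell sites -> aggregation (Ipswich) -> metro
    (Cambridge) -> core (London). The aggregation-metro hop carries five
    parallel channels with different security levels, as on UKQNtel."""
    return [
        Link("Felixstowe", "Ipswich", "QRA-AES", 10, 1.0),
        Link("Woodbridge", "Ipswich", "QRA-AES", 10, 1.0),
        Link("Ipswich", "Cambridge", "none", 10, 2.0),
        Link("Ipswich", "Cambridge", "DH-AES", 10, 2.0),
        Link("Ipswich", "Cambridge", "QRA-AES", 10, 2.0),
        Link("Ipswich", "Cambridge", "QKD-AES", 10, 2.0),
        Link("Ipswich", "Cambridge", "QKD-AES", 10, 2.0),
        Link("Cambridge", "London", "DH-AES", 10, 3.0),
        Link("Cambridge", "London", "QKD-AES", 10, 3.0),
    ]


def compute_path(links: List[Link], src: str, dst: str, min_security: str,
                 bandwidth_gbps: float) -> Optional[List[Link]]:
    """Dijkstra over the links that pass the security and bandwidth checks.
    Cost is (total latency, total security rank): among equal-latency routes
    the lowest *sufficient* level wins, so premium QKD capacity is not spent
    on traffic that does not need it. Returns None if no end-to-end route
    satisfies the request."""
    need = SECURITY_RANK[min_security]
    adj: Dict[str, List[Tuple[str, Link]]] = {}
    for link in links:
        if SECURITY_RANK[link.security] < need or link.free_gbps < bandwidth_gbps:
            continue                      # fails the security metric or is full
        adj.setdefault(link.a, []).append((link.b, link))
        adj.setdefault(link.b, []).append((link.a, link))

    best = {src: (0.0, 0)}
    prev: Dict[str, Tuple[str, Link]] = {}
    heap = [((0.0, 0), src)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node]:
            continue                      # stale heap entry
        if node == dst:
            break
        for nxt, link in adj.get(node, []):
            new_cost = (cost[0] + link.latency_ms, cost[1] + SECURITY_RANK[link.security])
            if nxt not in best or new_cost < best[nxt]:
                best[nxt] = new_cost
                prev[nxt] = (node, link)
                heapq.heappush(heap, (new_cost, nxt))

    if dst not in best:
        return None
    path: List[Link] = []
    node = dst
    while node != src:
        node, link = prev[node]
        path.append(link)
    path.reverse()
    return path


def provision_slice(links: List[Link], connections) -> Optional[List[List[Link]]]:
    """Route every (src, dst, min_security, gbps) connection of a slice,
    reserving bandwidth as it goes. All-or-nothing: if any connection cannot
    be satisfied, the reservations made so far are released and None is
    returned, so a half-built slice never holds premium capacity."""
    reserved: List[Tuple[Link, float]] = []
    paths: List[List[Link]] = []
    for src, dst, sec, bw in connections:
        path = compute_path(links, src, dst, sec, bw)
        if path is None:
            for link, amount in reserved:
                link.free_gbps += amount
            return None
        for link in path:
            link.free_gbps -= bw
            reserved.append((link, bw))
        paths.append(path)
    return paths


def describe(path: List[Link]) -> List[str]:
    """Human-readable hop list, e.g. 'Ipswich-Cambridge/QKD-AES'."""
    return [f"{l.a}-{l.b}/{l.security}" for l in path]
```

A request for QKD-AES from a cell site to the core is refused outright here because the cell-to-aggregation hop only offers QRA-AES; that is the intended behaviour, since downgrading one hop silently would defeat the point of the security metric.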
3 Results

We trialled two use-cases for 5G network slicing encryption. The two slice configurations, based on these use-cases, are shown in Fig. 6, and in the following subsections we discuss the network topology of each use-case separately before presenting further results.
3.1 Use-Case 1: Enterprise App Hosted at the Metro Site

Use-Case 1 is an enterprise app hosted at the metro site. The enterprise app processes data coming from user equipment (UE) which is connected to the cell sites. The link from each cell site to the metro site is secured with post-quantum security via use of a QRA, a solution which scales well. Premium QKD-AES encryption is selected for the link which passes aggregated data from the metro site to the mobile core node; this could be a prime target for a malicious eavesdropper, and therefore would benefit the most from the highest level of data security. Standard software-based key-exchange algorithms (Diffie-Hellman) are chosen as sufficient to protect the control plane, operating from the cell site to the core site, which is considered to require only short-lived security of encryption.
3.2 Use-Case 2: Content Delivery Network

Use-Case 2 is a CDN, in which the delivery sites are placed close to the network edge, at aggregation sites, in order to reduce the load within the core of the network. The scenario is that sensitive data (such as pre-released video content or software packages) is delivered securely to the CDN, and an eavesdropper would place high value in retrieving this data ahead of the official release. The delivery of the content to the CDN is via an encrypted link based on QKD, while no encryption is provisioned between the aggregation node and the cell site, since after the data has been released it no longer needs to be protected against disclosure. Note that the unencrypted hop also provides no integrity or origin protection, so released software packages still need end-to-end signatures. Again, we deploy standard DH-AES key exchange and encryption for the control plane traffic, from the cell site to the core site, as we did for Use-Case 1.
3.3 Slice Provisioning and Deprovisioning Times

Fig. 7 shows histograms to quantify the time taken to set up (provision) and tear down (deprovision) the network slices, in both use-cases. The distribution of times to set up and tear down each of the two slices is, in each use-case, between 1 and 2 minutes. This is a significant improvement, as it is orders of magnitude shorter than the time it takes to provision a link manually today, which is a benefit to telecommunications operators. In Use-Case 2 the slice takes longer to provision/deprovision as it has an additional network element to provision (namely, a metro node Ethernet switch), which is not needed in Use-Case 1.

Each network configuration step is made in sequence (see the Wireshark trace, Fig. 8), allowing for efficient roll-back if there is a problem. This sequential build-up of the slice increases the time taken to set it up (there is no parallel allocation or configuration of resources), but since the network configuration is locked by the orchestrator, which only allows one change at a time, this approach would reduce race conditions and conflicts if this system were to be extended to support multiple simultaneous slice requests.
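The sequencing, locking and roll-back behaviour described above, as an added example in Python (not the paper's orchestrator code): configuration steps are applied one at a time under a single lock, a failing step undoes the steps already applied in reverse order, and concurrent slice requests are serialised rather than interleaved. The in-memory `devices` dictionary and the device and leaf names stand in for NETCONF/YANG calls to real equipment and are assumptions for the illustration.

```python
"""Sequential slice provisioning with one configuration lock and roll-back.

Added example (not the paper's orchestrator). Models: one change at a time,
per-step undo, reverse-order roll-back on failure, serialised concurrent
requests. Device state is an in-memory stand-in for NETCONF/YANG (assumption).
"""
import threading
import time
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ConfigStep:
    device: str
    key: str     # configuration leaf, e.g. a VLAN or optical-switch port
    value: str


class SliceOrchestrator:
    def __init__(self) -> None:
        self._lock = threading.Lock()                   # one change at a time
        self.devices: Dict[str, Dict[str, str]] = {}    # device -> running config
        self.journal: List[Tuple[str, str, str]] = []   # (transaction, device, event)
        self.active: Dict[str, List[ConfigStep]] = {}   # slice -> applied steps

    def _apply(self, txn: str, step: ConfigStep) -> None:
        time.sleep(0.001)                                # stand-in for a NETCONF round trip
        cfg = self.devices.setdefault(step.device, {})
        if step.key in cfg:
            raise RuntimeError(f"{step.device}: {step.key} already in use")
        cfg[step.key] = step.value
        self.journal.append((txn, step.device, "apply"))

    def _undo(self, txn: str, step: ConfigStep) -> None:
        self.devices.get(step.device, {}).pop(step.key, None)
        self.journal.append((txn, step.device, "undo"))

    def provision(self, slice_id: str, leaves: List[Tuple[str, str, str]]) -> bool:
        """Apply (device, key, value) leaves in order; roll back on any failure."""
        txn = f"{slice_id}:provision"
        steps = [ConfigStep(*leaf) for leaf in leaves]
        with self._lock:
            done: List[ConfigStep] = []
            for step in steps:
                try:
                    self._apply(txn, step)
                except RuntimeError:
                    for s in reversed(done):             # efficient roll-back
                        self._undo(txn, s)
                    return False
                done.append(step)
            self.active[slice_id] = done
            return True

    def deprovision(self, slice_id: str) -> bool:
        """Tear the slice down by undoing its steps in reverse order."""
        with self._lock:
            steps = self.active.pop(slice_id, None)
            if steps is None:
                return False
            for s in reversed(steps):
                self._undo(f"{slice_id}:deprovision", s)
            return True


def provision_concurrently(orch: SliceOrchestrator, requests) -> List[Tuple[str, str, str]]:
    """Submit several (slice_id, leaves) requests from separate threads at once."""
    threads = [threading.Thread(target=orch.provision, args=(sid, leaves))
               for sid, leaves in requests]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return orch.journal


def is_serialised(journal) -> bool:
    """True if each transaction's events form one contiguous run in the journal,
    i.e. no two slice operations were interleaved."""
    runs: List[str] = []
    for txn, _, _ in journal:
        if not runs or runs[-1] != txn:
            runs.append(txn)
    return len(runs) == len(set(runs))


if __name__ == "__main__":
    # Constructed Use-Case-1-style slice: cell switch, metro optical switch, core switch.
    o = SliceOrchestrator()
    print(o.provision("A", [("cell-sw", "vlan101", "A"),
                            ("metro-osw", "port7", "A:QKD-AES"),
                            ("core-sw", "vlan101", "A")]))
    print(o.journal)
```

The cost of this design is exactly the one the paper measures: with every step serialised, provisioning time grows linearly with the number of devices touched, which is why Use-Case 2's extra Ethernet switch shows up directly in Fig. 7.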
4 Conclusions

As highlighted throughout this work, there are use-cases within network slicing and 5G networks that would greatly benefit from flexible selection of network encryption. Two such use-cases we demonstrate in this work are metro-site-hosted enterprise apps and content delivery networks; however, there are many potential applications, such as communications for CAVs (connected and automated vehicles), smart factories, connecting distributed research facilities with high-value intellectual property, and more. Moreover, the dynamic nature of this work also lends itself to applications with time-variable demand, such as setting up highly secure links for daily, or more frequent, back-up of data.

For future-proof security, the secure link options will need to include quantum-safe methods such as NTRU (i.e. quantum-resistant algorithms) and QKD, as demonstrated here, such that the customer, or network operator, is able to select the encryption level accordingly, based on the type of traffic. The security requirements of a 5G application can be included in the resource selection criteria of a 5G Network Slicing Orchestrator. This approach could help operators make maximum utilisation of premium security resources such as high-speed encrypted links and QKD.
Acknowledgements

We gratefully acknowledge that the UKQNtel network was supported by the UK Engineering and Physical Sciences Research Council (EPSRC) (EP/N015207/1, EP/M013472/1, EP/N509802/1). We also thank the UK Quantum Communications Hub and ADVA for invaluable support.
Figure 7: Histograms showing slice set-up times over 100 runs. a) Use-Case 1 provision times, and b) deprovision times; c) Use-Case 2 provision times, and d) deprovision times.

Figure 8: A Wireshark trace showing the complete provision of a network slice.

References

[1] A. Ksentini and P. A. Frangoudis, "Toward Slicing-Enabled Multi-Access Edge Computing in 5G", IEEE Netw., 99-105 (2020).
[2] X. Foukas, G. Patounas, A. Elmokashfi and M. K. Marina, "Network Slicing in 5G: Survey and Challenges", IEEE Commun. Mag., 94-100 (2017).
[3] P. Rost, C. Mannweiler, D. S. Michalopoulos, C. Sartori, V. Sciancalepore, N. Sastry, O. Holland, S. Tayade and B. Han, "Network Slicing to Enable Scalability and Flexibility in 5G Mobile Networks", IEEE Commun. Mag., 72-79 (2017).
[4] "NGMN 5G Initiative White Paper", NGMN Alliance (2015).
[5] F. Z. Yousaf, M. Bredel, S. Schaller and F. Schneider, "NFV and SDN - Key Technology Enablers for 5G Networks", IEEE J. Sel. Areas Commun., 11, 2468-2478 (2017).
[6] L. Chen, S. Jordan, Y.-K. Liu, D. Moody, R. Peralta, R. Perlner and D. Smith-Tone, "Report on post-quantum cryptography", Department of Commerce, National Institute of Standards and Technology (2016).
[7] A. K. Kumari, G. S. Sadasivam, S. S. Gowri, S. A. Akash and E. G. Radhika, "An approach for End-to-End (E2E) security of 5G applications", in IEEE 4th International Conference on Big Data Security on Cloud (BigDataSecurity), IEEE International Conference on High Performance and Smart Computing (HPSC) and IEEE International Conference on Intelligent Data and Security (Institute of Electrical and Electronics Engineers, 2018), pp. 133-138.
[8] S. Khan, J. Abdullah, N. Khan, A. A. Julahi and S. Tarmizi, "Quantum-Elliptic curve Cryptography for Multihop Communication in 5G Networks", International Journal of Computer Science and Network Security, 357-365 (2017).
[9] R. Nejabati, R. Wang, A. Bravalheri, A. Muqaddas, N. Uniyal, T. Diallo, R. Tessinari, R. S. Guimaraes, S. Moazzeni, E. Hugues-Salas, G. T. Kanellos and D. Simeonidou, "First Demonstration of Quantum-Secured Inter-Domain 5G Service Orchestration and On-Demand NFV Chaining over Flexi-WDM Optical Networks", in Optical Fiber Communication Conference Post-deadline Papers (Optical Society of America, 2019), Th4C.6.
[10] R. Wang, R. S. Tessinari, E. Hugues-Salas, A. Bravalheri, N. Uniyal, A. S. Muqaddas, R. S. Guimaraes, T. Diallo, S. Moazenni, Q. Wang, G. T. Kanellos, R. Nejabati and D. Simeonidou, "End-to-End Quantum Secured Inter-Domain 5G Service Orchestration Over Dynamically Switched Flex-Grid Optical Networks Enabled by a q-ROADM", J. Lightw. Technol., 139-149 (2019).
[11] R. S. Tessinari, A. Bravalheri, E. Hugues-Salas, R. Collins, D. Aktas, R. S. Guimaraes, O. Alia, J. Rarity, G. T. Kanellos, R. Nejabati and D. Simeonidou, "Field Trial of Dynamic DV-QKD Networking in the SDN-Controlled Fully-Meshed Optical Metro Network of the Bristol City 5GUK Test Network", in European Conference on Optical Communication (Institute of Electrical and Electronics Engineers, 2019), PD.3.6.
[12] A. Aguado, D. R. Lopez, V. Lopez, F. de la Iglesia, A. Pastor, M. Peev, W. Amaya, F. M, C. Abellan and V. Martin, "Quantum Technologies in Support for 5G services: Ordered Proof-of-Transit", in European Conference on Optical Communication (Institute of Electrical and Electronics Engineers, 2019), P41.
[13] V. Martin, A. Aguado, P. Salas, A. L. Sanz, J. P. Brito, D. R. Lopez, V. Lopez, A. Pastor, J. Folgueira, H. H. Brunner, S. Bettelli, F. Fung, L. C. Comandar, D. Wang, A. Poppe and M. Peev, "The Madrid Quantum Network: A Quantum-Classical Integrated Infrastructure", in Photonics Networks and Devices (Optical Society of America, 2019), QtW3E.5.
[14] V. Martin, A. Aguado, A. L. Sanz, J. P. Brito, P. Salas, D. R. Lopez, V. Lopez, A. Pastor-Perales, A. Poppe and M. Peev, "Quantum Aware SDN Nodes in the Madrid Quantum Network", in International Conference on Transparent Optical Networks (Institute of Electrical and Electronics Engineers, 2019), pp. 1-4.
[15] A. Aguado, V. Lopez, J. Pedro Brito, A. Pastor, D. R. Lopez and V. Martin, "Enabling Quantum Key Distribution Networks via Software-Defined Networking", in Optical Network Design and Modelling (Institute of Electrical and Electronics Engineers, 2020).
[16] C. White, A. Wonfor, A. Bahrami, J. Pearse, G. Duan, T. Edwards, A. Straw, T. Spiller, R. Penty and A. Lord, "Field Trial of Multi-Node, Coherent-One-Way Quantum Key Distribution with Encrypted 5x100G DWDM System", in European Conference on Optical Communications (Institute of Electrical and Electronics Engineers, 2019), Th.1.A.1.
[17] M. Mosca and D. Stebila, "Post-quantum key exchange for the internet and the open quantum safe project", in