GMPLS Network Control Plane Enabling Quantum Encryption in End-to-End Services
Alejandro Aguado, Víctor López, Jesús Martínez-Mateo, Momtchil Peev, Diego López and Vicente Martin
Outline
• Introduction
• Secure Channel Creation
• QKD node architecture
• PCE/GMPLS extensions to enable automatic provisioning
• Experimental validation
• Conclusions
Introduction
• Quantum key distribution (QKD) is a novel technology that can be seen as a synchronized source of symmetric keys in two separated domains. Its security does not rest on computational assumptions, so it is immune to any algorithmic cryptanalysis.
• On the other hand, network services are increasingly requesting more flexibility and network resources.
• One of the biggest demands is to increase the level of security of the transmission between remote premises.
• In this work, we propose a node architecture and define protocol requirements in a GMPLS environment to provide QKD-enhanced security in end-to-end services.
Introduction
Figure: classical secure channel between Alice and Bob, with Eve on the path. Steps: key exchange, channel creation, message exchange; message encryption is performed at both ends.
Introduction: Quantum Key Distribution
Figure: Alice and Bob each attached to a QKD system. The two QKD systems are joined by a quantum channel and a public authenticated channel; the key exchange feeds the encryptor (Alice) and decryptor (Bob), and the encrypted messages travel over the data channel that Eve can observe.
Ingredients:
• Qubit transmitter (typically photons), Alice.
• Single qubit receivers, Bob.
• Quantum channel (capable of transmitting qubits from Alice to Bob, in our case fibre).
• Classical channel (public, but authenticated).
Main steps:
• Raw key exchange:
  • Qubit transmission
  • Sifting (basis reconciliation)
• Key post-processing:
  • Information reconciliation
  • Error verification
  • Privacy amplification
Introduction: Quantum Key Distribution
• QKD technology can be regarded as two sources of synchronized random numbers that are separated physically.
• A correct implementation will deliver keys of the highest security.
• It can be mathematically proven to be secure (in principle, an information-theoretically secure (ITS) primitive).
LIMITATIONS
• QKD has some limitations that do not affect the conventional cryptosystems, which are usually based on computational complexity.
• Any kind of amplifiers or active components that can modify the state of the quantum signals must be bypassed.
• This sets a limit on the maximum distance (or absorption) that a QKD protocol can tolerate; QKD is well suited for use within a metropolitan area or on links of up to 150 km.
Figure: Alice and Bob with Eve between them, connected by a quantum channel and a classical channel.
Secure channel creation
Figure: secure channel creation across the network. Each node has a GMPLS agent, an encryptor and an OXC, coordinated by a PCE. Steps: (1) exchange secure keys over the quantum channel between the QKD boxes, through the ETSI proxy; (2) lightpath creation through the control plane; (3) include the keys in the encryption card; (4) exchange information over the data plane.
Example of QKD-enabled network node architecture
Figure: Alice and Bob exchange keys (QKD box with ETSI proxy, over the quantum link), create the channel and exchange encrypted messages, with Eve on the path. Inside a node: the QKD box and ETSI proxy (Key Req/Resp over proprietary protocols), the GMPLS agent (flow control and key injection towards the encryptor, extended PCEP towards the PCE), the encryptor and the OXC, linked by classical channels.
Desired capabilities:
• Access to QKD-generated keys.
• Encryption in upstream services (data encryptor, security module, etc.).
• Switching/routing.
• Control plane interface enabling automation.
Definition of requirements in terms of parameters
• Parameters required to be exchanged (point-to-point encryption):
  • Session ID (key_handle): initially set to 0; the session ID takes the value of the first key handle extracted by the source agent in the initial setup. The source agent will be in charge of updates (future work).
  • Key length: length of the key to be used for the encryption.
  • Destination: defines the other peer (encryptor/decryptor) to synchronise with. Currently defined by an IP address.
  • Encryption layer: layer where encryption is performed.
  • Refresh type and value: type of refresh to be done for a key (time/traffic/etc.) and the value to be considered as the threshold.
  • Algorithm: encryption algorithm to be used.
Distributed GMPLS Control
• The majority of the commercial deployments of optical core and transport networks are based on GMPLS.
• GMPLS was standardized by the IETF in the CCAMP WG.
• Fundamental protocols:
  • RSVP-TE: responsible for setting up end-to-end quality-enabled connections.
  • OSPF-TE: dissemination of the topology and traffic engineering (TE) information, enabling routing.
  • LMP (Link Management Protocol): responsible for link management.
Figure: PCE attached to the network through PCEP (PCReq, PCRep); the nodes run RSVP and the IGP.
Path Computation Element
• GMPLS is complemented with a logically centralized element, the PCE.
• The PCE learns the TED by listening to the IGP.
• An active stateful PCE can request the creation of a path using PCInitiate.
• The node sets up the connection using RSVP Path and Resv messages.
• Telefonica has released Netphony, an open-source PCE implementation and GMPLS control plane.
GMPLS + PCE Architecture. Proposed workflow: case "Node starts"
Figure: Node 1 (QKD) and Node 5 (QKD) at the ends, Node 2, Node 3 and Node 4 in between, PCE above. Node 1: no session ID (=0), inject session ID in ERO. Node 5: session ID found, get session ID.
GMPLS case:
• PCRequest including a metric for inline encryption.
• PCReply including new ERO subobjects for key management.
• RSVP including the same ERO.
• The RSVP QE ERO subobject is detected by node 1. Key_handle is unset (=0), so node 1 gets a new key and key_handle, and adds the key_handle as the session ID to be used by node 5.
• Node 5 gets the session ID and extracts the required key.
• The rest is standard RSVP.
4 metrics:
• Key length
• Layer of encryption
• Refresh type/value
• Enc_Alg
Experimental validation
Figure: testbed with an emulated quantum link, ETSI-to-IDQ proxies and the GMPLS control plane.
https://github.com/alexaguado/DockerNet
Experimental validation: OSPF for quantum encryption capabilities
Informational Capabilities TLV: Quantum Encryption support (bit 7): capable
Experimental validation: RSVP (signalling)
Node 4 QE ERO subobject (before node 2), key_handle still unset:
  Type: 0x67
  Value: "00..00" (64 bytes)
  Key length: 32
  Enc_layer: 2
  RefType: 0xfd
  RefValue: 60
  Alg: 10 (TBD)
Node 4 QE ERO subobject (before node 2), key_handle filled in by the source agent:
  Type: 0x67
  Value: "4a0e…052f" (64 bytes)
  Key length: 32
  Enc_layer: 2
  RefType: 0xfd
  RefValue: 60
  Alg: 10 (TBD)
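The parameter list, the "node starts" workflow and the two RSVP captures above describe one mechanism: a QE ERO subobject carrying a 64-byte key_handle that the source agent fills in when it is all zeros and the destination agent reads back as the session ID. The following added example (not code from the slides or from Netphony) encodes and decodes such a subobject and applies that rule at an agent. The field names and values (Type 0x67, 64-byte handle, key length 32, enc_layer 2, RefType 0xfd, RefValue 60, Alg 10) come from the slides; the byte offsets, the `open_session` callback standing in for QKD_OPEN, and the demo handle are assumptions.

```python
"""Hypothetical wire layout for the RSVP-TE 'QE' ERO subobject and the
'node starts' rule: an all-zero key_handle means "no session yet", the
source agent obtains a handle from its QKD proxy and injects it, the
destination agent finds a non-zero handle and uses it as the session ID."""
import hashlib
import struct
from dataclasses import dataclass

QE_TYPE = 0x67                        # subobject type seen in the RSVP capture
KEY_HANDLE_LEN = 64                   # key_handle / session ID field, 64 bytes
UNSET_HANDLE = bytes(KEY_HANDLE_LEN)  # all zeros: "key_handle unset (=0)"

# Assumed layout (the slides name the fields, not their offsets):
#   Type(1) Length(1) key_handle(64) key_length(1) enc_layer(1)
#   ref_type(1) alg(1) ref_value(4, network byte order)
_FMT = f"!BB{KEY_HANDLE_LEN}sBBBBI"
QE_LEN = struct.calcsize(_FMT)        # 74 bytes


@dataclass
class QESubobject:
    key_handle: bytes
    key_length: int
    enc_layer: int
    ref_type: int
    ref_value: int
    alg: int

    def encode(self) -> bytes:
        if len(self.key_handle) != KEY_HANDLE_LEN:
            raise ValueError(f"key_handle must be {KEY_HANDLE_LEN} bytes")
        return struct.pack(_FMT, QE_TYPE, QE_LEN, self.key_handle,
                           self.key_length, self.enc_layer, self.ref_type,
                           self.alg, self.ref_value)

    @classmethod
    def decode(cls, data: bytes) -> "QESubobject":
        # Check length and type before trusting any field from the wire.
        if len(data) < QE_LEN:
            raise ValueError("truncated QE subobject")
        typ, length, handle, klen, layer, rtype, alg, rval = struct.unpack(
            _FMT, data[:QE_LEN])
        if typ != QE_TYPE or length != QE_LEN:
            raise ValueError(f"not a QE subobject: type=0x{typ:02x} len={length}")
        return cls(handle, klen, layer, rtype, rval, alg)


def process_at_agent(subobj: QESubobject, open_session):
    """GMPLS agent handling of a received QE subobject.

    open_session stands in for the QKD_OPEN call to the local ETSI proxy and
    returns a fresh key_handle (hypothetical callback). Returns the subobject
    to forward in the RSVP Path message and the session ID this node uses.
    """
    if subobj.key_handle == UNSET_HANDLE:
        # Source agent (node 1): no session yet. Obtain a key_handle and
        # inject it so the destination can open the same session.
        handle = open_session()
        if len(handle) != KEY_HANDLE_LEN or handle == UNSET_HANDLE:
            raise ValueError("proxy returned an invalid key_handle")
        injected = QESubobject(handle, subobj.key_length, subobj.enc_layer,
                               subobj.ref_type, subobj.ref_value, subobj.alg)
        return injected, handle
    # Destination agent (node 5): session ID found, extract the key for it.
    # Intermediate nodes forward the subobject unchanged (standard RSVP).
    return subobj, subobj.key_handle


def _never_open():
    raise RuntimeError("destination must not open a new session")


def node_start_flow():
    """Replays the 'node starts' case: the PCE-built ERO carries an unset
    handle, node 1 injects one, node 5 reads it back from the wire bytes."""
    from_pce = QESubobject(UNSET_HANDLE, key_length=32, enc_layer=2,
                           ref_type=0xFD, ref_value=60, alg=10)
    # Constructed handle standing in for what the proxy would return.
    demo_handle = hashlib.sha512(b"constructed demo key_handle").digest()
    forwarded, sid_node1 = process_at_agent(from_pce, lambda: demo_handle)
    wire = forwarded.encode()                      # travels in the RSVP ERO
    received, sid_node5 = process_at_agent(QESubobject.decode(wire), _never_open)
    return sid_node1, sid_node5, received


if __name__ == "__main__":
    a, b, obj = node_start_flow()
    print("session IDs match:", a == b, "| key length:", obj.key_length)
```

The decoder rejects truncated input and any subobject whose type or length field does not match before reading the handle, which is the check an agent needs before treating ERO bytes as a session identifier; the destination-side callback raises, making visible that only the source agent ever mints a handle.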
Conclusions
• We propose a node architecture and define protocol requirements in a GMPLS environment to provide QKD-enhanced security in end-to-end services.
• This is the first work to propose, implement and validate extensions in a PCE/GMPLS architecture to use this technology.
• The work is done with open-source tools, using Netphony and DockerNet.
• As future work, the authors will explore this approach in OpenFlow or Netconf.
ETSI IDQ Proxy
• ETSI GS QKD 004 V1.1.1 defines an API to be used by applications running within the same server as the Key Manager.
• In order to justify the use of this standard, we have developed a proxy that implements ETSI GS QKD 004 V1.1.1-based messages to communicate with external applications.
• These messages are mapped to IDQ3P requests.
• Additional Sync messages have been implemented as well.
• This interface allows a single identifier (key_handle) to be used to extract multiple keys.
Modules/Messages
Figure: on each side (Alice, Bob) an APP talks to an ETSI/IDQ proxy using ETSI GS QKD 004 V1.1.1 messages QKD_{OPEN, CLOSE, GET_KEY, CONNECT_NONBLOCK, CONNECT_BLOCKING}; each proxy talks to its IDQ system over IDQ3P; the two IDQ systems are joined by the quantum channel (error correction, distillation, …); the two proxies exchange Sync messages (Session Opened/Closed, Block Session, Update Key); the two APPs exchange Send_key_handle().
Example OPEN & CONNECT (participants, left to right: Alice IDQ system, Alice ETSI/IDQ proxy, Alice APP, Bob APP, Bob ETSI/IDQ proxy, Bob IDQ system)
1. Alice APP → Alice proxy: QKD_OPEN()
2. Alice proxy → Alice APP: Key_handle
3. Alice APP → Bob APP: Send_key_handle(); Bob APP answers ACK
4. Bob APP → Bob proxy: QKD_OPEN(Key_handle); Bob proxy answers ACK
5. Alice APP → Alice proxy: QKD_CONNECT_NONBLOCK()
6. Bob APP → Bob proxy: QKD_CONNECT_NONBLOCK()
7. Both proxies answer ACK to their APP
8. Alice proxy → Bob proxy: SYNC_OPEN(key_handle)
Example GET_KEY (same participants)
1. Alice APP → Alice proxy: QKD_GET_KEY(Key_handle)
2. Alice proxy → Alice IDQ system: Update_Key(); IDQ system answers ACK
3. Alice proxy → Bob proxy: SYNC_BLOCK(key_handle)
4. Alice proxy → Alice IDQ system: GET_KEY(); IDQ system answers KeyID, Key
5. Alice proxy → Bob proxy: SYNC_KEY(key_ids)
6. Bob APP → Bob proxy: QKD_GET_KEY(key_handle)
7. Bob proxy → Bob IDQ system: GET_KEY(); IDQ system answers KeyID, Key
8. Bob proxy → Bob APP: KEY
9. ACK
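The two sequence diagrams above (OPEN & CONNECT, then GET_KEY) show how one key_handle lets both ends pull the same succession of keys while only key identifiers, never key material, cross the classical channel between the proxies. The following added example (not code from the slides or from the authors' proxy) emulates that exchange in one process. The message names QKD_OPEN, QKD_CONNECT_NONBLOCK, QKD_GET_KEY, SYNC_OPEN, SYNC_BLOCK and SYNC_KEY are from the slides; the Python method names, the seeded key pool replacing the two IDQ systems, and the hex format of the handle are assumptions.

```python
"""Emulation of the ETSI GS QKD 004 proxy exchange: applications call
QKD_OPEN / QKD_CONNECT_NONBLOCK / QKD_GET_KEY on their local proxy; the two
proxies keep their sessions aligned with SYNC_OPEN / SYNC_BLOCK / SYNC_KEY.
The IDQ systems are replaced by a constructed, pre-shared key pool."""
import hashlib
import secrets


class EmulatedQKDSystem:
    """Stands in for one IDQ system. Both ends are built from the same seed,
    so they hold identical (key_id, key) pairs, as a QKD link does after
    post-processing. Constructed material, NOT real QKD output."""

    def __init__(self, seed: bytes, count: int = 4):
        self.pool = {f"k{i}": hashlib.sha256(seed + bytes([i])).digest()
                     for i in range(count)}
        self.consumed = set()

    def get_key(self, key_id=None):
        """GET_KEY(): the initiator takes the next unused key, the responder
        asks for a specific id. Each key is handed out exactly once."""
        if key_id is None:
            key_id = next((k for k in self.pool if k not in self.consumed), None)
            if key_id is None:
                raise RuntimeError("key pool exhausted")
        if key_id not in self.pool or key_id in self.consumed:
            raise KeyError(f"key {key_id} unavailable")
        self.consumed.add(key_id)
        return key_id, self.pool[key_id]


class ETSIProxy:
    """ETSI GS QKD 004-style front end. `peer` is the other proxy; a direct
    object reference stands in for the authenticated classical channel."""

    def __init__(self, name: str, qkd: EmulatedQKDSystem):
        self.name, self.qkd, self.peer = name, qkd, None
        self.sessions = {}  # key_handle -> {"connected", "blocked", "pending"}

    def _session(self, key_handle):
        if key_handle not in self.sessions:
            raise KeyError(f"{self.name}: unknown key_handle")
        return self.sessions[key_handle]

    @staticmethod
    def _new_state():
        return {"connected": False, "blocked": False, "pending": []}

    # -- application-facing calls --
    def qkd_open(self, key_handle=None):
        if key_handle is None:                  # initiating side mints the handle
            key_handle = secrets.token_hex(32)  # 32 random bytes, hex (assumed format)
        if key_handle in self.sessions and self.sessions[key_handle]["connected"]:
            raise ValueError("key_handle already connected")
        self.sessions.setdefault(key_handle, self._new_state())
        return key_handle

    def qkd_connect_nonblock(self, key_handle):
        self._session(key_handle)["connected"] = True
        if self.peer is not None:
            self.peer.sync_open(key_handle)     # SYNC_OPEN(key_handle)
        return "ACK"

    def qkd_get_key(self, key_handle):
        s = self._session(key_handle)
        if not s["connected"]:
            raise RuntimeError("session not connected")
        if s["pending"]:                        # responder: peer announced a key id
            _, key = self.qkd.get_key(s["pending"].pop(0))
            return key
        if s["blocked"]:                        # peer is choosing; non-blocking call
            return None
        if self.peer is None:
            raise RuntimeError("no peer proxy")
        self.peer.sync_block(key_handle)        # SYNC_BLOCK(key_handle)
        key_id, key = self.qkd.get_key()        # GET_KEY() -> KeyID, Key
        self.peer.sync_key(key_handle, [key_id])  # SYNC_KEY(key_ids): ids only
        return key

    # -- proxy-to-proxy sync messages --
    def sync_open(self, key_handle):
        self.sessions.setdefault(key_handle, self._new_state())

    def sync_block(self, key_handle):
        self._session(key_handle)["blocked"] = True

    def sync_key(self, key_handle, key_ids):
        s = self._session(key_handle)
        s["pending"].extend(key_ids)
        s["blocked"] = False


def run_exchange(seed: bytes = b"constructed demo seed"):
    """Runs both diagrams and returns the shared handle plus the keys each
    application obtained (two GET_KEY calls on the same handle)."""
    alice = ETSIProxy("alice", EmulatedQKDSystem(seed))
    bob = ETSIProxy("bob", EmulatedQKDSystem(seed))
    alice.peer, bob.peer = bob, alice
    handle = alice.qkd_open()                    # QKD_OPEN() -> Key_handle
    bob.qkd_open(handle)                         # after Send_key_handle()
    alice.qkd_connect_nonblock(handle)
    bob.qkd_connect_nonblock(handle)
    alice_keys = [alice.qkd_get_key(handle) for _ in range(2)]
    bob_keys = [bob.qkd_get_key(handle) for _ in range(2)]
    return handle, alice_keys, bob_keys


if __name__ == "__main__":
    h, ka, kb = run_exchange()
    print("handle", h[:8] + "...", "| keys match:", ka == kb, "| distinct:", len(set(ka)))
```

Two points worth noting: a key is marked consumed on the first GET_KEY, so the same id can never be issued twice to an application, and the responder refuses to pick keys itself while the peer has blocked the session, so both sides consume the pool in the same order.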