GMPLS Network Control Plane Enabling Quantum Encryption in End-to-End Services

Alejandro Aguado, Víctor López, Jesús Martínez-Mateo, Momtchil Peev, Diego López and Vicente Martin


Outline

• Introduction
• Secure channel creation
• QKD node architecture
• PCE/GMPLS extensions to enable automatic provisioning
• Experimental validation
• Conclusions

Introduction

• Quantum key distribution (QKD) is a novel technology that can be seen as a synchronized source of symmetric keys in two separated domains. Its security does not rest on computational assumptions, so it is immune to any algorithmic cryptanalysis.
• On the other hand, network services are increasingly requesting more flexibility and network resources.
• One of the biggest demands is to increase the level of security of the transmission between remote premises.
• In this work, we propose a node architecture and define protocol requirements in a GMPLS environment to provide QKD-enhanced security in end-to-end services.

Introduction

Figure: the classical setting. Alice and Bob run a key exchange, create a channel and exchange encrypted messages (message encryption at both ends); Eve observes the exchange.

Introduction: Quantum Key Distribution

Figure: the same setting with a QKD system at Alice and at Bob. The two QKD systems are joined by a quantum channel and by a public authenticated channel; Alice encrypts and Bob decrypts the messages sent over the data channel, which Eve observes.

Ingredients:
• Qubit transmitter (typically photons), Alice.
• Single qubit receivers, Bob.
• Quantum channel (capable of transmitting qubits from Alice to Bob, in our case fibre).
• Classical channel (public, but authenticated).

Main steps:
• Raw key exchange:
  • Qubit transmission
  • Sifting (basis reconciliation)
• Key post-processing:
  • Information reconciliation
  • Error verification
  • Privacy amplification
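To make the main steps above concrete, here is an added example that is not part of the slides or of any product they mention: a noiseless BB84 simulation that runs qubit transmission, sifting, a QBER estimate on disclosed bits, error verification and privacy amplification, with an optional intercept-resend Eve. Everything in it is a simplification: the channel has no noise, "information reconciliation" reduces to a hash comparison because the keys already agree without Eve, privacy amplification uses SHA-256 as a stand-in for the 2-universal hash a real system uses, and the 11% abort threshold is the usual one-way BB84 bound.

```python
import hashlib
import random


def bb84_raw_exchange(n, eve=False, seed=1):
    """Qubit transmission over an ideal channel. Alice encodes random bits in
    random bases; Bob measures in random bases. With eve=True an intercept-resend
    attacker measures each qubit in a random basis and resends what she saw.
    Returns (alice_bits, alice_bases, bob_bits, bob_bases)."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]
    bob_bases = [rng.randrange(2) for _ in range(n)]
    bob_bits = []
    for bit, basis, bob_basis in zip(alice_bits, alice_bases, bob_bases):
        if eve:
            eve_basis = rng.randrange(2)
            bit = bit if eve_basis == basis else rng.randrange(2)   # wrong basis: random outcome
            basis = eve_basis                                        # Eve resends in her own basis
        bob_bits.append(bit if bob_basis == basis else rng.randrange(2))
    return alice_bits, alice_bases, bob_bits, bob_bases


def sift(alice_bits, alice_bases, bob_bits, bob_bases):
    """Basis reconciliation over the public authenticated channel: keep only
    the positions where both used the same basis (about half of them)."""
    keep = [i for i, (a, b) in enumerate(zip(alice_bases, bob_bases)) if a == b]
    return [alice_bits[i] for i in keep], [bob_bits[i] for i in keep]


def estimate_qber(alice_key, bob_key, sample_every=4):
    """Disclose every sample_every-th sifted bit to estimate the quantum bit
    error rate; those bits are discarded. Returns (qber, alice_rest, bob_rest)."""
    disclosed = range(0, len(alice_key), sample_every)
    errors = sum(alice_key[i] != bob_key[i] for i in disclosed)
    qber = errors / max(1, len(disclosed))
    rest = [i for i in range(len(alice_key)) if i % sample_every != 0]
    return qber, [alice_key[i] for i in rest], [bob_key[i] for i in rest]


def error_verification(alice_key, bob_key):
    """Compare a hash of the reconciled keys; a mismatch means reconciliation
    failed (the channel here is noiseless, so only Eve can cause one)."""
    return hashlib.sha256(bytes(alice_key)).digest() == hashlib.sha256(bytes(bob_key)).digest()


def privacy_amplification(bits, out_len=32):
    """Compress the reconciled key to out_len bytes. A real implementation uses a
    2-universal hash (e.g. a Toeplitz matrix); SHA-256 is a stand-in here."""
    return hashlib.sha256(bytes(bits)).digest()[:out_len]


def qkd_session(n=4000, eve=False, qber_threshold=0.11, seed=1):
    """Run the main steps of the slide. Returns the final key, or None when the
    estimated QBER is above the threshold (no secure key can be distilled)."""
    raw = bb84_raw_exchange(n, eve=eve, seed=seed)
    alice_sifted, bob_sifted = sift(*raw)
    qber, alice_key, bob_key = estimate_qber(alice_sifted, bob_sifted)
    if qber > qber_threshold or not error_verification(alice_key, bob_key):
        return None
    return privacy_amplification(alice_key)


if __name__ == "__main__":
    print("no Eve:", qkd_session(eve=False) is not None)   # True
    print("Eve:   ", qkd_session(eve=True) is not None)    # False: QBER near 25%
```

The intercept-resend attacker produces roughly 25% errors in the sifted key, far above the threshold, which is why the session aborts instead of handing out a key; the sifting and QBER messages must travel over the authenticated classical channel the slide lists as an ingredient, otherwise Eve could simply lie about bases.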

Introduction: Quantum Key Distribution

• QKD technology can be regarded as two sources of synchronized random numbers that are separated physically.
• A correct implementation will deliver keys of the highest security.
• It can be mathematically proven to be secure (in principle, an information theoretic secure (ITS) primitive).

Limitations
• QKD has some limitations that do not affect conventional cryptosystems, which are usually based on computational complexity.
• Any kind of amplifiers or active components that can modify the state of the quantum signals must be bypassed.
• This sets a limit to the maximum distance (or absorption) that a QKD protocol can tolerate. QKD is well suited to be used within a metropolitan area or with links of up to 150 km.

Figure: Alice and Bob joined by a quantum channel and a classical channel, with Eve on both.

Secure channel creation

1. Exchange secure keys over the quantum channel (QKD box, ETSI proxy).
2. Lightpath creation in the control plane (GMPLS agents, PCE).
3. Include the keys in the encryption card.
4. Exchange information over the data plane.

Figure: Alice's and Bob's sites, each with a GMPLS agent, an encryptor and an OXC, connected through intermediate GMPLS agents and controlled by a PCE. The steps of the classical picture (key exchange, channel creation, message exchange, message encryption) are overlaid on the network, with Eve on the path.

Example of QKD-enabled network node architecture

Figure (components and interfaces shown): QKD box, ETSI proxy, GMPLS agent, Key Req/Resp, quantum link, classical channels, encryptor, OXC, proprietary protocols (flow control, key injection), PCE, extended PCEP.

Desired capabilities:
• Access to QKD-generated keys.
• Encryption in upstream services (data encryptor, security module, etc.).
• Switching/routing.
• Control plane interface enabling automation.

Definition of requirements in terms of parameters

• Parameters required to be exchanged (point-to-point encryption):
  • Session ID (key_handle): initially set to 0. The session ID takes the value of the first key handle extracted by the source agent in the initial setup. The source agent will be in charge of updates (future work).
  • Key length: length of the key to be used for the encryption.
  • Destination: defines the other peer (encryptor/decryptor) to synchronise with. Currently defined by an IP address.
  • Encryption layer: layer where encryption is performed.
  • Refresh type and value: type of refresh to be done for a key (time/traffic/etc.) and the value to be considered as a threshold.
  • Algorithm: encryption algorithm to be used.

Distributed GMPLS control

• The majority of the commercial deployments of optical core and transport networks are based on GMPLS.
• GMPLS was standardized by the IETF in the CCAMP WG.
• Fundamental protocols:
  • RSVP-TE: responsible for setting up end-to-end quality-enabled connections.
  • OSPF-TE: dissemination of the topology and traffic engineering (TE) information, enabling routing.
  • LMP (Link Management Protocol): responsible for link management.

Path Computation Element

Figure: the PCE exchanges PCEP messages (PCReq, PCRep) with the nodes, which run RSVP and the IGP.

• GMPLS is complemented with a logically centralized element, the PCE.
• The PCE learns the TED by listening to the IGP.
• An Active Stateful PCE can request the creation of a path using PCInitiate.
• The node sets up the connection using RSVP Path and Resv messages.
• Telefonica's Netphony release is an open source PCE implementation and GMPLS control plane.

GMPLS + PCE architecture. Proposed workflow: case "Node starts"

Figure: Node1 (QKD), Node2, Node3, Node4 and Node5 (QKD) in a chain, with the PCE above. At Node1 there is no session ID (= 0), so it injects a session ID in the ERO; at Node5 the session ID is found and read.

GMPLS case:
- PCRequest including a metric for inline encryption.
- PCReply including the new ERO subobjects for key management.
- RSVP Path carrying the same ERO.
- The RSVP QE ERO subobject is detected by Node1. Since key_handle is unset (= 0), Node1 gets a new key and key_handle, and adds the key_handle as the session ID to be used by Node5.
- Node5 gets the session ID and extracts the required key.
- The rest is standard RSVP.

4 metrics:
- Key length
- Layer of encryption
- Refresh type/value
- Enc_Alg

Experimental validation

Testbed: emulated quantum link, ETSI-to-IDQ proxies and a GMPLS control plane, deployed with DockerNet.
https://github.com/alexaguado/DockerNet

Experimental validation: OSPF for quantum encryption capabilities

Capture: Informational Capabilities TLV with Quantum Encryption support (bit 7): capable.
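How a PCE would act on the capability advertised in this TLV is not spelled out on the slides, so here is an added example (not the slides' or Netphony's code). It encodes and parses the RFC 4970 Router Informational Capabilities TLV (type 1, four bytes of flags, bit 0 being the most significant bit) with the quantum-encryption bit the slide places at bit 7, and then computes the path for a PCRequest carrying the inline-encryption metric only if both endpoints advertised the capability, since those are the nodes that have to process the QE ERO subobject in the "Node starts" workflow. The TED, node names and link metrics are constructed for the example; that only the endpoints need the capability is an assumption consistent with "the rest is standard RSVP" on the workflow slide.

```python
import heapq
import struct

# RFC 4970 Router Informational Capabilities TLV: type 1, length 4, a 32-bit
# flags field whose bit 0 is the most significant bit. The slide advertises
# "Quantum Encryption support" in bit 7 (a bit the authors chose for this work).
RI_CAPABILITIES_TLV_TYPE = 1
QE_CAPABILITY_BIT = 7


def encode_capabilities_tlv(capability_bits):
    """Build the TLV a router would carry in its OSPF Router Information LSA."""
    flags = 0
    for bit in capability_bits:
        if not 0 <= bit <= 31:
            raise ValueError("capability bit out of range: %d" % bit)
        flags |= 1 << (31 - bit)
    return struct.pack(">HHI", RI_CAPABILITIES_TLV_TYPE, 4, flags)


def has_capability(tlv, bit):
    """Test one capability bit; rejects anything that is not this TLV."""
    if len(tlv) < 8:
        raise ValueError("truncated TLV")
    tlv_type, tlv_len, flags = struct.unpack(">HHI", tlv[:8])
    if tlv_type != RI_CAPABILITIES_TLV_TYPE or tlv_len != 4:
        raise ValueError("not an Informational Capabilities TLV")
    return bool(flags & (1 << (31 - bit)))


def compute_qe_path(ted, src, dst):
    """PCE path computation for a PCRequest carrying the inline-encryption metric.

    ted = {"nodes": {name: capabilities_tlv}, "links": [(a, b, te_metric), ...]}
    Returns the shortest path as a list of node names, or None (PCRep NoPath)
    when an endpoint did not advertise QE support, because that endpoint could
    not process the QE ERO subobject the PCRep would carry."""
    nodes, links = ted["nodes"], ted["links"]
    for endpoint in (src, dst):
        if endpoint not in nodes or not has_capability(nodes[endpoint], QE_CAPABILITY_BIT):
            return None
    adjacency = {}
    for a, b, metric in links:
        adjacency.setdefault(a, []).append((b, metric))
        adjacency.setdefault(b, []).append((a, metric))
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:                                   # Dijkstra on the TE metric
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist[u]:
            continue
        for v, metric in adjacency.get(u, []):
            nd = d + metric
            if nd < dist.get(v, float("inf")):
                dist[v], prev[v] = nd, u
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


# Constructed TED mirroring the slides' five-node chain: only Node1 and Node5
# advertise quantum-encryption support. The extra node1-node3 link is a detour.
QE_TLV = encode_capabilities_tlv([QE_CAPABILITY_BIT])
PLAIN_TLV = encode_capabilities_tlv([])
SAMPLE_TED = {
    "nodes": {"node1": QE_TLV, "node2": PLAIN_TLV, "node3": PLAIN_TLV,
              "node4": PLAIN_TLV, "node5": QE_TLV},
    "links": [("node1", "node2", 1), ("node2", "node3", 1), ("node3", "node4", 1),
              ("node4", "node5", 1), ("node1", "node3", 3)],
}

if __name__ == "__main__":
    print(compute_qe_path(SAMPLE_TED, "node1", "node5"))  # ['node1', 'node2', 'node3', 'node4', 'node5']
    print(compute_qe_path(SAMPLE_TED, "node2", "node5"))  # None
```

The point of the endpoint check is that a request for an encrypted service must fail closed: a PCRep that routes the service between nodes without the capability would be signalled and come up, but without the key injection the workflow relies on.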

Experimental validation: PCEP

Capture: new QE ERO subobject.

Experimental validation: RSVP (signalling)

Capture 1. Node4 QE ERO subobject (before node 2), key_handle unset:
  Type: 0x67
  Value: "00..00" (64 bytes)
  Key length: 32
  Enc_layer: 2
  RefType: 0xfd
  RefValue: 60
  Alg: 10 (TBD)

Capture 2. Node4 QE ERO subobject (before node 2), key_handle set:
  Type: 0x67
  Value: "4a0e…052f" (64 bytes)
  Key length: 32
  Enc_layer: 2
  RefType: 0xfd
  RefValue: 60
  Alg: 10 (TBD)
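The two captures above, the parameter list and the "Node starts" workflow together describe one procedure, so here is one added example covering all of them; it is not the slides' or Netphony's code. It encodes and decodes the QE ERO subobject with the field values from the captures (type 0x67, a 64-byte value carrying the key_handle, key length 32, encryption layer 2, refresh type 0xfd, refresh value 60, algorithm 10) and implements the node-side rule: an all-zero key_handle marks the source node, which opens a session and injects the new handle as the session ID, while a non-zero handle marks the destination, which opens the same session to extract the key. The byte widths of the fields are an assumption (the slides give values, not the wire layout), and the ProxyStub class is a hypothetical stand-in for the node's ETSI proxy.

```python
import os
import struct

# Field list and sample values follow the RSVP captures; the byte widths are an
# assumption for this example, since the slides do not give the wire layout.
QE_SUBOBJECT_TYPE = 0x67
KEY_HANDLE_LEN = 64
_LAYOUT = ">BB64sHBBIB"   # type, length, key_handle, key_length, enc_layer, refresh_type, refresh_value, algorithm
QE_SUBOBJECT_LEN = struct.calcsize(_LAYOUT)  # 75 bytes, fits the one-byte ERO subobject length
UNSET_KEY_HANDLE = bytes(KEY_HANDLE_LEN)     # "00..00": no session yet


def encode_qe_subobject(key_handle, key_length, enc_layer, refresh_type, refresh_value, algorithm):
    if len(key_handle) != KEY_HANDLE_LEN:
        raise ValueError("key_handle must be %d bytes" % KEY_HANDLE_LEN)
    return struct.pack(_LAYOUT, QE_SUBOBJECT_TYPE, QE_SUBOBJECT_LEN, key_handle,
                       key_length, enc_layer, refresh_type, refresh_value, algorithm)


def decode_qe_subobject(data):
    """Parse one QE subobject; type and length are checked before unpacking."""
    if len(data) < 2:
        raise ValueError("truncated subobject")
    if data[0] != QE_SUBOBJECT_TYPE:
        raise ValueError("not a QE subobject: type 0x%02x" % data[0])
    if data[1] != QE_SUBOBJECT_LEN or len(data) < QE_SUBOBJECT_LEN:
        raise ValueError("bad QE subobject length %d" % data[1])
    fields = struct.unpack(_LAYOUT, data[:QE_SUBOBJECT_LEN])
    names = ("key_handle", "key_length", "enc_layer", "refresh_type", "refresh_value", "algorithm")
    return dict(zip(names, fields[2:]))


class ProxyStub:
    """Hypothetical stand-in for the node's ETSI proxy: QKD_OPEN() without a
    handle creates a session and returns a fresh 64-byte key_handle;
    QKD_OPEN(handle) joins the session the source node created."""

    def __init__(self, rng=os.urandom):
        self._rng = rng
        self.sessions = set()

    def qkd_open(self, key_handle=None):
        if key_handle is None:
            key_handle = self._rng(KEY_HANDLE_LEN)
        self.sessions.add(key_handle)
        return key_handle


def process_qe_subobject(subobject, proxy):
    """Node handling of the QE subobject found in the RSVP Path ERO.

    key_handle unset (all zeros): this node is the source (Node1 on the
    slides). Open a session, inject the new handle as the session ID and
    forward the rewritten subobject downstream.
    key_handle set: this node is the destination (Node5). Open the same
    session so the required key can be extracted; forward unchanged.
    Returns (subobject_to_forward, role)."""
    params = decode_qe_subobject(subobject)
    if params["key_handle"] == UNSET_KEY_HANDLE:
        params["key_handle"] = proxy.qkd_open()
        return encode_qe_subobject(**params), "source"
    proxy.qkd_open(params["key_handle"])
    return subobject, "destination"


if __name__ == "__main__":
    initial = encode_qe_subobject(UNSET_KEY_HANDLE, 32, 2, 0xfd, 60, 10)   # capture 1
    forwarded, role = process_qe_subobject(initial, ProxyStub())           # Node1
    print(role, forwarded[2:66].hex()[:8] + "..." )                         # source, non-zero handle (capture 2)
    print(process_qe_subobject(forwarded, ProxyStub())[1])                  # destination
```

The key_handle in the ERO is a session identifier, not key material, but it is what tells Node5 which session to pull keys from, so the RSVP messages carrying it need integrity protection (the RSVP INTEGRITY object of RFC 2747) or an on-path attacker could point Node5 at a different session. Intermediate nodes that did not advertise the capability simply forward the subobject, which is the "rest is standard RSVP" step.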

Conclusions

• We propose a node architecture and define protocol requirements in a GMPLS environment to provide QKD-enhanced security in end-to-end services.
• This is the first work to propose, implement and validate extensions in a PCE/GMPLS architecture to use this technology.
• The work is done with open source tools, using Netphony and DockerNet.
• As future work, the authors will explore this approach in OpenFlow or Netconf.

Thank you!


Appendix A: ETSI GS QKD 004 V1.1.1 for remote apps and IDQ3P

ETSI/IDQ proxy

• ETSI GS QKD 004 V1.1.1 defines an API to be used by applications which are running within the same server as the key manager.
• In order to make this standard usable from external applications, we have developed a proxy that implements ETSI GS QKD 004 V1.1.1-based messages to communicate with them.
• These messages are mapped to IDQ3P requests.
• Additional sync messages have been implemented as well.
• This interface allows the use of a single identifier (key_handle) that can be used to extract multiple keys.

Modules/Messages

Figure: at each end (Alice, Bob) an APP talks to an ETSI/IDQ proxy, which talks to the IDQ system; the two IDQ systems are joined by the quantum channel (error correction, distillation, ...).

• App messages (APP to APP): Send_key_handle().
• ETSI GS QKD 004 V1.1.1 messages (APP to proxy): QKD_{OPEN, CLOSE, GET_KEY, CONNECT_NONBLOCK, CONNECT_BLOCKING}.
• Sync messages (proxy to proxy): session opened/closed, block session, update key.
• IDQ3P (proxy to IDQ system).

Example: OPEN & CONNECT

Messages shown in the sequence diagram (Alice on the left, Bob on the right):
• Alice APP to Alice proxy: QKD_OPEN(), which returns a Key_handle; then QKD_CONNECT_NONBLOCK(), ACK.
• App message, Alice to Bob: Send_key_handle(), ACK.
• Bob APP to Bob proxy: QKD_OPEN(Key_handle), ACK; then QKD_CONNECT_NONBLOCK(), ACK.
• Proxy to proxy: SYNC_OPEN(key_handle).

Example: GET_KEY

Messages shown in the sequence diagram (Alice on the left, Bob on the right):
• Alice APP to Alice proxy: QKD_GET_KEY(Key_handle); the proxy returns the key.
• Proxy to proxy: SYNC_BLOCK(key_handle), Update_Key(), ACK, SYNC_KEY(key_ids), ACK.
• Proxy to IDQ system (IDQ3P, at both ends): GET_KEY(), which returns KeyID, Key.
• Bob APP to Bob proxy: QKD_GET_KEY(key_handle); the proxy returns KEY.

Example: CLOSE

Messages shown in the sequence diagram (Alice on the left, Bob on the right):
• Alice APP to Alice proxy: QKD_CLOSE(), ACK.
• App message: Send_close()????? , ACK.
• Bob APP to Bob proxy: QKD_CLOSE(Key_handle), ACK.
• Proxy to proxy: SYNC_CLOSE(key_handle).
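The three sequence diagrams above describe one session lifecycle, so here is one added example, not the authors' proxy code, that models both sides of it: the ETSI GS QKD 004 primitives offered to the APPs (QKD_OPEN, QKD_CONNECT_NONBLOCK, QKD_GET_KEY, QKD_CLOSE), the proxy-to-proxy SYNC messages (open, key ids, close), and the two IDQ systems replaced by an in-memory EmulatedQkdLink that hands both ends the same key for the same KeyID, in the spirit of the emulated quantum link of the validation. The message names come from the slides; the exact semantics (which proxy sends SYNC_OPEN, that whichever side asks for a key first pulls it and syncs the KeyID to the peer, and that SYNC_BLOCK is not modelled) are assumptions of this example.

```python
import os

KEY_HANDLE_LEN = 64   # the slides' 64-byte key_handle
KEY_LEN = 32          # key length used in the validation captures


class EmulatedQkdLink:
    """Hypothetical stand-in for the pair of IDQ systems joined by the quantum
    link: both ends read the same key for the same KeyID. The first end pulls a
    fresh (KeyID, Key) pair; the other end fetches that KeyID and consumes it."""

    def __init__(self, rng=os.urandom):
        self._rng = rng
        self._pool = {}
        self._next_id = 0

    def get_key(self, key_id=None):
        if key_id is None:                            # IDQ3P GET_KEY at the first end
            key_id, self._next_id = self._next_id, self._next_id + 1
            self._pool[key_id] = self._rng(KEY_LEN)
            return key_id, self._pool[key_id]
        return key_id, self._pool.pop(key_id)         # second end; KeyError if never issued


class EtsiIdqProxy:
    """ETSI GS QKD 004 primitives for the local APP plus the SYNC messages that
    keep Alice's and Bob's proxies on the same key_handle and KeyIDs."""

    def __init__(self, link, rng=os.urandom):
        self._link = link
        self._rng = rng
        self.peer = None
        self.sessions = {}        # key_handle -> {"connected": bool, "pending": [KeyID, ...]}
        self._peer_opened = set()

    # --- APP side: QKD_* ---
    def qkd_open(self, key_handle=None):
        if key_handle is None:                        # Alice: new session, fresh handle
            key_handle = self._rng(KEY_HANDLE_LEN)    # an identifier, not key material
        if key_handle in self.sessions:
            raise ValueError("key_handle already open")
        self.sessions[key_handle] = {"connected": False, "pending": []}
        self.peer.sync_open(key_handle)               # SYNC_OPEN(key_handle)
        return key_handle

    def qkd_connect_nonblock(self, key_handle):
        session = self.sessions[key_handle]
        session["connected"] = key_handle in self._peer_opened
        return session["connected"]                   # False: the peer has not opened yet

    def qkd_get_key(self, key_handle):
        session = self.sessions[key_handle]
        if not session["connected"]:
            raise RuntimeError("session not connected")
        if session["pending"]:                        # peer already pulled: consume the synced KeyID
            _, key = self._link.get_key(session["pending"].pop(0))
        else:                                         # first consumer: pull, then SYNC_KEY(key_ids)
            key_id, key = self._link.get_key()
            self.peer.sync_key(key_handle, [key_id])
        return key

    def qkd_close(self, key_handle):
        self.sessions.pop(key_handle, None)
        self.peer.sync_close(key_handle)              # SYNC_CLOSE(key_handle)

    # --- proxy-to-proxy SYNC messages ---
    def sync_open(self, key_handle):
        self._peer_opened.add(key_handle)

    def sync_key(self, key_handle, key_ids):
        self.sessions[key_handle]["pending"].extend(key_ids)

    def sync_close(self, key_handle):
        self._peer_opened.discard(key_handle)
        if key_handle in self.sessions:
            self.sessions[key_handle]["connected"] = False


def build_pair(rng=os.urandom):
    """Wire Alice's and Bob's proxies over one emulated link."""
    link = EmulatedQkdLink(rng)
    alice, bob = EtsiIdqProxy(link, rng), EtsiIdqProxy(link, rng)
    alice.peer, bob.peer = bob, alice
    return alice, bob


def run_session(alice, bob, n_keys=2):
    """OPEN & CONNECT, n_keys GET_KEY rounds, CLOSE, as in the appendix examples.
    Returns the (alice_key, bob_key) pairs delivered to the two APPs."""
    key_handle = alice.qkd_open()                     # Alice APP: QKD_OPEN() -> Key_handle
    bob.qkd_open(key_handle)                          # Bob APP, after Send_key_handle(): QKD_OPEN(Key_handle)
    if not (alice.qkd_connect_nonblock(key_handle) and bob.qkd_connect_nonblock(key_handle)):
        raise RuntimeError("connect failed")
    pairs = [(alice.qkd_get_key(key_handle), bob.qkd_get_key(key_handle)) for _ in range(n_keys)]
    alice.qkd_close(key_handle)                       # Alice APP: QKD_CLOSE()
    bob.qkd_close(key_handle)                         # Bob APP: QKD_CLOSE(Key_handle)
    return pairs


if __name__ == "__main__":
    for a, b in run_session(*build_pair()):
        print(a.hex()[:16], "==", b.hex()[:16], a == b)   # True on every line
```

Two things the model makes visible: the key_handle alone is enough for an APP to pull keys from its proxy, so a proxy must only answer the application or GMPLS agent it has authenticated; and the SYNC messages ride the classical channel between the two sites, which, exactly like the QKD post-processing traffic, must be authenticated or a third party could open, close or re-point sessions.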