Quantum Cryptography Networks In Support Of Path Verification In Service Function Chains

Quantum key distribution (QKD) is a physical technology that enables the secure generation of bit streams (keys) in two separated locations. This technology is designed to provide a solution for very secure (quantum-safe) key agreement, which is nowadays at risk due to advances in quantum computing. The recent demonstration of a QKD network in the metropolitan area of Madrid shows how these networks can be deployed in current production infrastructure by following existing networking paradigms, such as software-defined networking. In particular, a three-node QKD network is implemented on the metropolitan area network using existing infrastructure and coexisting with other data and control services. On the other hand, telecommunication networks are drastically changing the way services are architectured. Users of the operator's infrastructure are moving from traditional connectivity services (e.g., virtual private networks) to a set of interconnected network functions, either physical or virtual, in the shape of service function chaining (SFC). However, SFC users do not have a method to validate that the traffic flow is appropriately forwarded across the nodes in the network, a situation that may lead to very critical security breaches (e.g., a security node or a firewall in the chain that is bypassed). This work presents a method for validating ordered proof-of-transit (OPoT) on top of the Madrid Quantum Network. We first provide a general description of the QKD network deployed in Madrid. Then, we describe an existing security protocol for PoT in packet networks, analyzing its issues and vulnerabilities. Finally, this work presents a protocol for alleviating the security breach found in this work and for providing OPoT in SFC. Finally, an example of the real implementation is shown, where nodes being part of the OPoT scheme are provisioned with QKD-derived keys. (C) 2020 Optical Society of America