Experimental Demonstration of DDoS Mitigation over a Quantum Key Distribution (QKD) Network Using Software Defined Networking (SDN)
Abstract
We experimentally demonstrate, for the first time, DDoS mitigation of QKD-based networks utilizing a software defined network application. Successful quantum-secured link allocation is achieved after a DDoS attack based on real-time monitoring of quantum parameters.

OCIS codes: (060.0060) Fiber optics and optical communications; (060.1155) All-optical networks; (060.5565); (270.5568) Quantum cryptography; (060.6718) Networks, circuit-switched; (060.4785) Optical security and encryption.

1. Introduction

Quantum key distribution (QKD) is considered an important cryptographic method aimed at solving a number of security problems in communication networks [1]. In QKD, symmetric keys are generated by transmitting single photons from Alice to Bob over an optical channel. QKD enables detection of any eavesdropping attempt by Eve, based on the fundamental constraints of quantum mechanics. In recent years, QKD technologies have achieved a significant level of maturity, and successful field trials have been demonstrated using point-to-point QKD links to create key distribution networks [2]. However, QKD has been identified as vulnerable to Distributed Denial of Service (DDoS) attacks: a QKD system typically aborts the key establishment session whenever tampering or any strong perturbation is detected on the quantum channel, which disrupts key generation [3,4]. To overcome this problem, the provision of quantum-secured paths over a network configuration has been proposed [4]. In addition, the use of Software Defined Networking (SDN) is highly beneficial in quantum-secured optical networks, since SDN adds flexibility and programmability together with centralized management of optical resources [5]. To this end, we have demonstrated the use of SDN for time-sharing of QKD resources, enabling a programmable, cost-effective network design [6]. In this paper, we experimentally demonstrate, for the first time, an SDN-enabled circuit-switched optical network with QKD resources under DDoS attacks.

An SDN application is developed to monitor the quantum parameters of the system, such as the secret key rate (SKR) and the quantum bit error rate (QBER). Based on this application, SDN can be used to detect link failures (due to attacks) and to provision new secure paths to mitigate DDoS. In our testbed, we consider three scenarios. The first scenario emulates a simple attacker directly over a standard single mode fiber (SSMF) link. The second addresses a multicore fiber (MCF)-based QKD network, which could be used in intra-data center applications to reduce the number of dedicated SSMFs required (which are expensive and not always available). Here the attacker is applied to one of the cores adjacent to the MCF core that carries the encoded photons. Lastly, the third scenario represents a multi-hop (2-hop) link such as is found in complex meshed networks.

Fig. 1. a) SDN/QKD optical network testbed. b) DoS attacker for links 1 and 2. c) DDoS mitigation flowchart.

2. SDN-Enabled QKD Network Setup under DDoS Attack

Fig. 1a shows the SDN-enabled optical network with QKD resources. In the Alice node, a QKD-Alice unit (ID Quantique Clavis ID3100) is connected to a low-insertion-loss, large-port-count optical switch (Polatis). Similarly, in the Bob node, a QKD-Bob unit is connected to a port of the optical switch. The optical switches are interconnected by three parallel optical links: i) the first link includes a 3 dB coupler (Fig. 1b) through which Raman noise from a tunable laser is filtered (0.7 nm bandwidth) and injected, with a high attenuation gradually reduced to add noise to the optical link at the 1552 nm wavelength of the quantum channel; ii) in the second link, a 1 km long, 7-core multicore fiber with an average core pitch of ~44.7 µm and a loss of 0.2 dB/km provides an alternative path between the QKD units, and a DDoS attack is emulated by inducing crosstalk at 1552 nm (Fig. 1b) in a core adjacent to the one carrying the QKD signal; iii) for the third secure path, a 520 m long SSMF link is used to alleviate the attacks on the other two links. This last optical link passes through two intermediate nodes which are used to interconnect the Alice and Bob units. The total power loss of one of the 3 links is adjusted to ~9 dB using a variable optical attenuator.

Fig. 1a also depicts the SDN architecture applied over the optical network, which continuously monitors the system's parameters and reacts in real time to a link failure. The Quantum Parameters Monitor (QPM) application monitors the QBER and the SKR from the QKD units and interfaces with the SDN controller through its REST API. In the optical switches, an OpenFlow agent (OpenFlow 1.0) is installed to allow connectivity to the SDN controller (OpenDaylight, Lithium). Fig. 1c shows the flow and decision making of the QPM application. More specifically, if the QKD units are not generating keys, i.e. the final key size is equal to zero or the QBER is above a specified threshold, the QPM application detects this as a link failure and reacts by changing the current optical path. The QPM application maintains a list of the three available paths, pre-calculated between the pair of QKD units in the order depicted in Fig. 1a, and selects the first path on the list. The application makes a reconfiguration decision and sends it to the SDN controller using an HTTP POST request; the decision contains the cross-connections to be performed to set up the new optical path. The SDN controller then sends OpenFlow messages to the optical switches to create the required cross-connections. Once this is done, key generation re-initializes over the new secure path and the monitoring procedure starts again to detect new attacks.
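The QPM decision loop of Fig. 1c, as an added example that is not the paper's code: it applies the failure criterion (zero final key size or QBER above a threshold) to monitoring samples, drops the attacked path from the ordered list of pre-calculated paths, selects the first remaining one, and builds the reconfiguration body for the HTTP POST. The threshold value, switch names, port numbers and readings are constructed for illustration, and the request is built rather than sent.

```python
"""Added example (not code from the paper): a minimal model of the Quantum
Parameters Monitor (QPM) decision loop of Fig. 1c. Threshold, port numbers,
path names and readings are constructed; the POST body is built, not sent."""
from collections import namedtuple
from typing import List, Optional
QBER_THRESHOLD = 0.06  # assumed abort threshold; the paper gives no value
# One monitoring sample from the QKD units: final key bits delivered, QBER.
Reading = namedtuple("Reading", "final_key_size qber")
# Pre-calculated paths between the QKD units, in the order of Fig. 1a.
# Each cross-connection is (switch, in_port, out_port); all values constructed.
PATHS = {
    "link1_ssmf_coupler": [("alice_sw", 1, 11), ("bob_sw", 11, 1)],
    "link2_mcf_core":     [("alice_sw", 1, 12), ("bob_sw", 12, 1)],
    "link3_ssmf_2hop":    [("alice_sw", 1, 13), ("node_a", 1, 2),
                           ("node_b", 1, 2), ("bob_sw", 13, 1)],
}

def link_failed(r: Reading, threshold: float = QBER_THRESHOLD) -> bool:
    """Fig. 1c failure criterion: no final key, or QBER above the threshold."""
    return r.final_key_size == 0 or r.qber > threshold

def reconfiguration_request(path: str) -> dict:
    """Body of the HTTP POST the QPM sends to the SDN controller's REST API."""
    return {"path": path, "cross_connections": [
        {"switch": s, "in_port": i, "out_port": o} for s, i, o in PATHS[path]]}

class QPM:
    def __init__(self, threshold: float = QBER_THRESHOLD):
        self.threshold = threshold
        self.available: List[str] = list(PATHS)   # ordered candidate list
        self.current: Optional[str] = self.available[0]
        self.requests: List[dict] = []            # POST bodies issued so far

    def observe(self, r: Reading) -> Optional[dict]:
        """Return a reconfiguration request if the current link has failed."""
        if self.current is None or not link_failed(r, self.threshold):
            return None                       # idle, or keys still flowing
        self.available.remove(self.current)   # drop the attacked path
        self.current = self.available[0] if self.available else None
        if self.current is None:
            return None                       # no pre-calculated path left
        self.requests.append(reconfiguration_request(self.current))
        return self.requests[-1]

def run_monitor(readings: List[Reading]) -> List[str]:
    """Feed periodic readings to the QPM; return the paths switched to."""
    qpm = QPM()
    for r in readings:
        qpm.observe(r)
    return [req["path"] for req in qpm.requests]
```

Once all three pre-calculated paths have failed, `observe` returns `None` and issues no further requests, which is the point at which an operator alert rather than another reconfiguration would be needed.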
Journal: CoRR
Volume: abs/1802.05679
Pages: -
Publication date: 2017