Article

Management and enforcement of secured E2E network slices across transport domains

Authors:

Abstract

Due to the variability of services brought by current networks and the new possibilities that near-future networks will open up, Network Slicing has become one of the key elements allowing multiple computing and transport services with different requirements (i.e., performance, security, isolation) to co-exist over the same infrastructure in multi-tenant and multi-domain (i.e., edge, transport, core) scenarios. This and other technologies allow a single generic infrastructure (e.g., an optical transport domain) to serve very different services, instead of requiring dedicated resources (e.g., a single optical fiber) for each type of service. Multiple works have been published on Network Slicing, Network Function Virtualization and Software Defined Networks across multiple computing and transport domains but, based on our literature research, one important aspect has received little attention: the security management of network slices and its enforcement. It is essential to ensure that the expected Quality of Security (QoSec) is achieved through the correct deployment and subsequent monitoring of the security metrics defined in the Security Service Level Agreement (SSLA) agreed between the service requester and the provider. This article presents an architecture designed to manage and control the life-cycle of secured End-to-End (E2E) network slices spanning multiple domains based on the SSLA requirements. The security management architecture is described together with its components, the deployment and monitoring processes and the data objects used. Finally, an experimental validation is described using a DoS attack scenario and its resolution as the use case.
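The SSLA-driven monitoring loop the abstract describes can be illustrated with a small evaluator. The following is an added example written for this page, not the data objects or code of the paper: the SSLA schema, the metric names (syn_rate_pps, unauthenticated_flows, tls_min_version), thresholds, domain names and mitigation actions are all assumptions chosen to mimic the DoS use case. It checks the latest per-domain telemetry against every agreed metric, treats a metric that a domain failed to report as a violation (an unobserved QoSec level cannot be claimed as met), and groups the resulting enforcement actions per domain so the orchestrator can issue one request per transport or computing domain.

```python
"""Added illustration: evaluating a Security SLA (SSLA) for a multi-domain slice.
The schema, metric names, thresholds and actions are assumptions for this
example, not the data objects defined in the paper."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SecurityMetric:
    """One measurable security parameter of the SSLA (assumed schema)."""
    name: str
    threshold: float
    bound: str  # "max": observed <= threshold holds; "min": observed >= threshold holds


@dataclass(frozen=True)
class SSLA:
    slice_id: str
    domains: List[str]                 # every domain the E2E slice spans
    metrics: List[SecurityMetric]      # metrics agreed with the requester
    mitigation: Dict[str, str]         # metric name -> enforcement action on violation


@dataclass(frozen=True)
class Violation:
    domain: str
    metric: str
    observed: Optional[float]          # None when the domain never reported the metric
    threshold: float
    action: str


def metric_holds(m: SecurityMetric, observed: float) -> bool:
    return observed <= m.threshold if m.bound == "max" else observed >= m.threshold


def evaluate_ssla(ssla: SSLA, telemetry: Dict[str, Dict[str, float]]) -> List[Violation]:
    """Check every (domain, metric) pair of the SSLA against the latest telemetry.

    telemetry maps domain -> {metric_name: observed_value}. A metric a domain did
    not report is treated as a violation: a QoSec level that is not observed
    cannot be claimed to be met. Metrics without an agreed mitigation are
    escalated to the operator instead of being silently ignored.
    """
    violations: List[Violation] = []
    for domain in ssla.domains:
        reported = telemetry.get(domain, {})
        for m in ssla.metrics:
            observed = reported.get(m.name)
            if observed is None or not metric_holds(m, observed):
                action = ssla.mitigation.get(m.name, "escalate_to_operator")
                violations.append(Violation(domain, m.name, observed, m.threshold, action))
    return violations


def enforcement_plan(violations: List[Violation]) -> Dict[str, List[str]]:
    """Group actions per domain: one enforcement request per domain controller."""
    plan: Dict[str, set] = {}
    for v in violations:
        plan.setdefault(v.domain, set()).add(v.action)
    return {d: sorted(a) for d, a in plan.items()}


# Constructed example: a three-domain slice hit by a SYN flood entering via transport.
DOS_SSLA = SSLA(
    slice_id="slice-urllc-07",
    domains=["edge", "transport", "core"],
    metrics=[
        SecurityMetric("syn_rate_pps", 5000, "max"),
        SecurityMetric("unauthenticated_flows", 0, "max"),
        SecurityMetric("tls_min_version", 1.2, "min"),
    ],
    mitigation={
        "syn_rate_pps": "rate_limit_ingress",
        "unauthenticated_flows": "drop_flow_and_alert",
    },
)

# Constructed telemetry snapshot: transport is flooded, core forgot to report TLS.
SAMPLE_TELEMETRY = {
    "edge":      {"syn_rate_pps": 800,   "unauthenticated_flows": 0, "tls_min_version": 1.3},
    "transport": {"syn_rate_pps": 12000, "unauthenticated_flows": 0, "tls_min_version": 1.2},
    "core":      {"syn_rate_pps": 300,   "unauthenticated_flows": 0},
}

if __name__ == "__main__":
    found = evaluate_ssla(DOS_SSLA, SAMPLE_TELEMETRY)
    for v in found:
        print(v)
    print(enforcement_plan(found))
```

Run as a script it reports the transport syn_rate_pps breach (mapped to rate_limit_ingress) and the missing tls_min_version report from core (escalated, since the SSLA defines no automatic action for it). The monitoring gap counting as a violation is the check worth keeping in a real deployment: a domain that stops reporting is indistinguishable from one under attack until proven otherwise.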


... Also in this line, the authors in [21] developed a reactive zero-touch approach for NFV infrastructures, with security services that continuously monitor traffic in order to detect possible network vulnerabilities and apply countermeasures to mitigate the possible threats. In [22], the authors presented the INSPIRE-5Gplus architecture, a security architecture designed to enable automated and smart security management of B5G by enforcing Security Service Level Agreements and ensuring Quality of Service. In [23], a novel system architecture and simulation model for machine learning orchestration in cloud environments was proposed, aiming at automating the training and deployment of AI models using Distributed Machine Learning (DML). ...
Article
Full-text available
As 5th Generation (5G) and Beyond 5G (B5G) networks become increasingly prevalent, ensuring not only network security but also the security and reliability of the applications, the so-called network applications, becomes of paramount importance. This paper introduces a novel integrated model architecture, combining a network application validation framework with an AI-driven reactive system to enhance security in real-time. The proposed model leverages machine learning (ML) and artificial intelligence (AI) to dynamically monitor and respond to security threats, effectively mitigating potential risks before they impact the network infrastructure. This dual approach not only validates the functionality and performance of network applications before their real deployment but also enhances the network’s ability to adapt and respond to threats as they arise. The implementation of this model, in the shape of an architecture deployed in two distinct sites, demonstrates its practical viability and effectiveness. Integrating application validation with proactive threat detection and response, the proposed model addresses critical security challenges unique to 5G infrastructures. This paper details the model, architecture’s design, implementation, and evaluation of this solution, illustrating its potential to improve network security management in 5G environments significantly. Our findings highlight the architecture’s capability to ensure both the operational integrity of network applications and the security of the underlying infrastructure, presenting a significant advancement in network security.
... Their proposed approach (slice creation by machine learning, slice isolation through resource allocation and slice management through resource transfer) dynamically allocates resources based on network service requests. Paper [19] presents an architecture for managing secured network slices and focuses on Security Service Level Agreement requirements. The architecture's components, deployment processes and monitoring mechanisms are validated through a DoS attack scenario. ...
Article
Full-text available
Sharing resources through network slicing in a physical infrastructure facilitates service delivery to various sectors and industries. Nevertheless, ensuring security of the slices remains a significant hurdle. In this paper, we investigate the utilization of State-of-the-Art (SoA) Virtual Private Network (VPN) solutions in 5G networks to enhance security and performance when isolating slices. We deploy and orchestrate cloud-native network functions to create multiple scenarios that emulate real-life cellular networks. We evaluate the performance of the WireGuard, IPSec, and OpenVPN solutions while ensuring confidentiality and data protection within 5G network slices. The proposed architecture provides secure communication tunnels and performance isolation. Evaluation results demonstrate that WireGuard provides slice isolation in the control and data planes with higher throughput for enhanced Mobile Broadband (eMBB) and lower latency for Ultra-Reliable Low-Latency Communications (URLLC) slices compared to IPSec and OpenVPN. Our developments show the potential of implementing WireGuard isolation, as a promising solution, for providing secure and efficient network slicing, which fulfills the 5G key performance indicator values.
Conference Paper
This paper discusses the advantages and challenges of multiple architectures that consider the negotiation of inter-domain transport network slices using blockchain technologies. To this end, we present results obtained using the cloud-native ETSI TeraFlowSDN controller.
Article
Full-text available
The high reliability required by many future-generation network services can be enforced by proper resource assignments by means of logical partitions, i.e., network slices, applied in optical metro-aggregation networks. Different strategies can be applied to deploy the virtual network functions (VNFs) composing the slices over physical nodes, while providing different levels of resource isolation (among slices) and protection against failures, based on several available techniques. Considering that, in optical metro-aggregation networks, protection can be ensured at different layers, slice protection with traffic grooming calls for evolved multilayer protection approaches. In this paper, we investigate the problem of reliable slicing with protection at the lightpath layer for different levels of slice isolation and different VNF deployment strategies. We model the problem through an integer linear program (ILP), and we devise a heuristic for joint optimization of VNF placement and lightpath selection. The heuristic maps nodes and links over the physical network in a coordinated manner and provides an effective placement of radio access network functions and the routing and wavelength assignment for the optical layer. The effectiveness of the proposed heuristic is validated by comparison with the optimal solution provided by the ILP. Our illustrative numerical results compare the impact of different levels of isolation, showing that higher levels of network and VNF isolation are characterized by higher costs in terms of optical and computation resources.
Article
Full-text available
In spectrum-sliced elastic optical path networks (SLICE), the lightpath bandwidth is variable, and the virtual topology overlay on a physical topology shall be designed to optimize the spectrum utilization. Under static traffic, SLICE networks are typically designed through a mixed integer linear programming (MILP) with the aim of minimizing the spectrum utilization. In this paper, a new MILP formulation for protection in SLICE networks is proposed, which uses the concept of bandwidth squeezing and grooming to guarantee a minimum agreed bandwidth for each source–destination pair in the surviving bandwidth. The route for each demand on the physical topology is determined by balance equations together with physical layer constraints in the formulation, so that no pre-calculated routes are required and the modulation format of each established lightpath may be chosen with enough quality of transmission and to save network spectrum. Therefore, the proposed formulation jointly solves the virtual topology design and physical topology design problems. The first results evaluate the effectiveness of the MILP formulation for two small networks when connections are under different service-level agreement (SLA) requirements and are provisioned by an appropriate protection scheme and different modulation formats. Due to the NP-hard nature of the proposed MILP formulation, a heuristic algorithm for moderately large networks is also proposed. Case studies are carried out to analyze the basic properties of the formulation and the performance of the proposed heuristic. With the proposed formulation, it is possible to identify the configurations that ensure minimum spectrum occupation with different kinds of protection for each lightpath. Different kinds of modulation formats are considered and contrasted to the benchmark case of a single modulation format and using the same kind of protection for all lightpaths.
Article
Communication systems are used not only by voice or file exchange applications, but also by other types of applications due to the coexistence of multiple and different verticals. Each vertical has its own requirements in terms of key performance indicators (KPIs) for its applications. Mapping the verticals' KPIs into network quality of service (QoS) parameters and enforcing them at the network level is a complex procedure. Network slicing allows the deployment of multiple virtual networks (one per vertical) that work in parallel, each with its specific QoS derived from the KPIs. This article presents and experimentally validates a KPI-enabled network function virtualization (NFV) management and orchestration (MANO) architecture able to manage network slices, to monitor the vertical KPI requirements and to react in case they are not met. We address this objective from a holistic perspective, defining the network QoS parameters that enable meeting vertical KPIs along all levels of the NFV MANO architecture: the NSs using the 5G QoS Identifier parameter, the NFV network services using service level agreements, and the networking and computing services with QoS parameters. Finally, the described architecture is validated through an experimental use case based on a vertical real-time communications application.
Conference Paper
We discuss how different degrees of slice isolation influence resource allocation in protected optical metro-aggregation networks. The case of slice reliability with dedicated protection at lightpath is modelled and numerically evaluated.
Article
Countering distributed denial of service (DDoS) attacks is becoming ever more challenging with the vast resources and techniques increasingly available to attackers. In this paper, we consider sophisticated attacks that are protocol-compliant, non-intrusive, and utilize legitimate application-layer requests to overwhelm system resources. We characterize application-layer resource attacks as either request flooding, asymmetric, or repeated one-shot, on the basis of the application workload parameters that they exploit. To protect servers from these attacks, we propose a counter-mechanism namely DDoS Shield that consists of a suspicion assignment mechanism and a DDoS-resilient scheduler. In contrast to prior work, our suspicion mechanism assigns a continuous value as opposed to a binary measure to each client session, and the scheduler utilizes these values to determine if and when to schedule a session's requests. Using testbed experiments on a web application, we demonstrate the potency of these resource attacks and evaluate the efficacy of our counter-mechanism. For instance, we mount an asymmetric attack which overwhelms the server resources, increasing the response time of legitimate clients from 0.3 seconds to 40 seconds. Under the same attack scenario, DDoS Shield improves the victims' performance to 1.5 seconds.
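To make the suspicion-plus-scheduler idea concrete, here is an added example, not the DDoS Shield implementation: the scoring formula, the baseline workload figures, the session records and the per-tick budget are assumptions constructed for illustration. Suspicion is a continuous score derived from how far a session's request rate and mean per-request cost exceed the legitimate baseline, so a request-flooding session and an asymmetric session are both penalised without a binary verdict; the scheduler then spends each tick's server budget on the least suspicious sessions first, so attack sessions only receive whatever capacity is left over.

```python
"""Added illustration of a suspicion-weighted request scheduler in the style of
the DDoS Shield description above. Formula, baselines, sessions and budget are
this example's own assumptions, not the paper's implementation."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Tuple


@dataclass
class Session:
    sid: str
    rate_rps: float                       # observed request rate of this client session
    mean_cost_ms: float                   # mean server-side cost of its requests
    pending: Deque[Tuple[str, float]]     # queued (request_id, cost_ms)


def suspicion(sess: Session, baseline_rate: float, baseline_cost: float) -> float:
    """Continuous suspicion in [0, 1): how far the session's request rate and
    per-request cost sit above the legitimate-workload baseline. Request floods
    push the rate term, asymmetric attacks push the cost term; a session that
    looks like the baseline scores 0. (The x/(1+x) squashing is an assumption.)"""
    rate_excess = max(0.0, sess.rate_rps / baseline_rate - 1.0)
    cost_excess = max(0.0, sess.mean_cost_ms / baseline_cost - 1.0)
    x = rate_excess + cost_excess
    return x / (1.0 + x)


def schedule_tick(sessions: List[Session], budget_ms: float,
                  baseline_rate: float, baseline_cost: float) -> Tuple[List[Tuple[str, str]], float]:
    """Spend one tick's server budget on pending requests, least suspicious
    session first. No session is refused outright; suspicious ones are served
    last, so under overload they are the ones whose requests wait."""
    served: List[Tuple[str, str]] = []
    remaining = budget_ms
    ranked = sorted(sessions, key=lambda s: suspicion(s, baseline_rate, baseline_cost))
    for sess in ranked:
        # Serve this session's queue while its next request fits in the budget.
        while sess.pending and sess.pending[0][1] <= remaining:
            rid, cost = sess.pending.popleft()
            remaining -= cost
            served.append((sess.sid, rid))
    return served, remaining


def make_sessions() -> List[Session]:
    """Constructed sample: two baseline-like clients, one flooder, one asymmetric attacker."""
    def q(prefix: str, n: int, cost: float) -> Deque[Tuple[str, float]]:
        return deque((f"{prefix}{i}", cost) for i in range(1, n + 1))
    return [
        Session("legit-a", 2.0, 20.0, q("a", 2, 20.0)),
        Session("legit-b", 3.0, 25.0, q("b", 3, 25.0)),
        Session("flood-c", 200.0, 20.0, q("c", 50, 20.0)),   # request flooding: many cheap requests
        Session("asym-d", 2.0, 400.0, q("d", 2, 400.0)),     # asymmetric: few very expensive requests
    ]


BASELINE_RATE_RPS = 3.0     # assumed legitimate request rate
BASELINE_COST_MS = 25.0     # assumed legitimate per-request cost
TICK_BUDGET_MS = 200.0      # assumed server capacity per scheduling tick

if __name__ == "__main__":
    sessions = make_sessions()
    for s in sessions:
        print(f"{s.sid:8s} suspicion={suspicion(s, BASELINE_RATE_RPS, BASELINE_COST_MS):.3f}")
    served, left = schedule_tick(sessions, TICK_BUDGET_MS, BASELINE_RATE_RPS, BASELINE_COST_MS)
    print("served this tick:", served)
    print("budget left (ms):", left)
```

With the constructed numbers both legitimate sessions score 0 and are fully served, the asymmetric session scores about 0.94 and the flooder about 0.99; the flooder only gets the four cheap requests that fit in the leftover budget, and the asymmetric session gets nothing this tick because its 400 ms requests never fit. The ordering, not a threshold, is what keeps legitimate response times low under attack.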
Transport API: A solution for SDN in carriers networks
  • V Lopez
  • R Vilalta
  • V Uceda
  • A Mayoral
  • R Casellas
  • R Martinez
  • R Munoz
  • J P Fernandez Palacios