A new control- and management architecture for SDN-enabled quantum key distribution networks

Peter Horoschenkoff, Jasper Rödiger, Martin Wilske

TL;DR

The paper tackles secure, high-performance QKDN design by examining how different CM architectures interact with SDN control. It analyzes routing characteristics unique to QKDNs and evaluates three existing CM approaches against a novel cm-via-KMS design through discrete-event simulations. The study finds that cm-via-KMS offers strong security benefits by concealing metadata and tying CM to key provisioning, while maintaining feasible performance under appropriate key-generation rates and routing schemes; recommendations favor sp for low-rate or research contexts, CMS for centralized KMS deployments, and cm-via-KMS for high-security scenarios. The work provides actionable guidance for selecting CM architectures in SDN-enabled QKDNs and outlines future work on scalability and hardware validation.

Abstract

This paper aims to address the challenge of designing secure and high-performance Quantum Key Distribution Networks (QKDN), which are essential for encrypted communication in the era of quantum computing. Focusing on the control and management (CM) layer essential for monitoring and routing, the study emphasizes centrally managed software-defined networks (SDN). We begin by analyzing the QKDN routing characteristics needed for evaluating two existing architectures and the proposed new CM layer implementation. Following the theoretical analysis, we conduct a discrete-event simulation in which the proposed architecture is compared to an existing one serving as the performance baseline. The results provide recommendations based on use cases for which different architectures show superiority and offer valuable insights into the development and evaluation of CM architectures for QKDNs.

Paper Structure

This paper contains 23 sections, 5 figures, 5 tables.

Figures (5)

  • Figure 1: This figure shows different implementations of the control and management (CM) layer for QKDNs. Other tasks of the network devices are not depicted. To implement the SDN functionality, a centralized QKD SDN controller (QSDN-Controller) hosts global knowledge of the network and its devices. It is linked to the SDN-Agent residing in each node, thereby establishing a unified control plane that enables efficient network management and orchestration. On the left, every node has a dedicated connection to the QSDN-Controller and uses cryptographic primitives besides QKD to secure its CM traffic, i.e. the sp architecture [madrid_qkdn]. In the middle, the SDN-Agent and the QSDN-Controller are attached as SAEs, so that a secure connection can be established via the KM layer, which is deployed in another layer, i.e. the CMS architecture [sdn_uk]. On the far right, the CM traffic is relayed via the KM layer towards the QSDN-Controller in the same manner as a key transport, i.e. the cm-via-KMS architecture. Here, the KMS holds the capabilities of key forwarding and CM traffic relaying.
  • Figure 2: We examined the impact of varying key generation rates on the performance of different QKDNs, each deploying a combination of routing protocol and CM architecture. Scenarios A and B use a distributed proactive routing protocol and a source-reactive routing protocol, respectively, in the sp architecture. Scenarios C and D use the cm-via-KMS architecture with a distributed proactive routing protocol and a source-reactive routing protocol, respectively.
  • Figure 3: Structure of the presented simulator, depicting its modular approach. Performing a simulation involves the following steps: (1) defining a set of constants, which may include default values from the fixed constants in the utils section; (2) generating nodes using the relevant modules based on the architecture being investigated; (3) establishing links between the modules; (4) executing the simulation; and (5) logging and evaluating the results during and after execution, respectively.
  • Figure 4: Schematic overview of the KM layer of the simulated Padua Network. The part of the Padua Network topology used to establish an AES-256 secured connection between nodes 1 and 6 consists of two lower-key-rate free-space optical links (links 1-2 and 2-3) and a higher-key-rate fiber channel (link 3-6). The three graphs depict the number of consumed keys, relayed KMS messages and generated keys.
  • Figure 5: The investigated network topology consists of 20 nodes and is designed to mimic Internet properties (seed=42) [internet_like_topology]. Dark blue nodes are access/source nodes that send and receive messages, while light blue nodes are relaying-only backbone nodes. For scenarios C and D, a gateway node is added next to Node 19 (adjacent to Node 5) to facilitate access to the QSDN-Controller.
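
An added sketch (not the paper's simulator) of the key-limited relay behaviour that Figures 2 and 4 describe: messages relayed hop by hop over the KM layer, as CM traffic is in cm-via-KMS, stall whenever a link's key store is empty. The key rates, the 256-bit-per-hop cost, the zero propagation delay and all names are assumptions constructed for illustration.

```python
from dataclasses import dataclass

MSG_KEY_BITS = 256  # assumption: one 256-bit key is consumed per message per hop


@dataclass
class Link:
    name: str
    rate_bps: float          # key generation rate in bit/s (constructed value)
    store_bits: float = 0.0  # key material currently buffered
    clock: float = 0.0       # time of the last store update

    def consume(self, t: float, bits: int) -> float:
        """Take `bits` of key at time t; return the time the hop completes."""
        t = max(t, self.clock)                      # FIFO behind earlier messages
        self.store_bits += (t - self.clock) * self.rate_bps
        if self.store_bits < bits:                  # key exhausted: wait for generation
            t += (bits - self.store_bits) / self.rate_bps
            self.store_bits = bits
        self.store_bits -= bits
        self.clock = t
        return t


def relay(path, send_times, bits=MSG_KEY_BITS):
    """Relay messages hop by hop; return (delivery_times, key_bits_consumed)."""
    delivered, consumed = [], 0
    for t in sorted(send_times):
        for link in path:
            t = link.consume(t, bits)
            consumed += bits
        delivered.append(t)
    return delivered, consumed


def figure4_path(free_space_bps, fiber_bps):
    """Path 1-2-3-6: two free-space links followed by one fiber link."""
    return [Link("1-2", free_space_bps), Link("2-3", free_space_bps),
            Link("3-6", fiber_bps)]


if __name__ == "__main__":
    for fs in (128, 1024):                          # constructed key rates
        times, used = relay(figure4_path(fs, 4096), [0.0, 0.0, 0.0])
        print(f"free-space {fs} bit/s: delivered at {times}, {used} key bits used")
```

The slowest link on the path sets the delivery rate, and every relayed message draws key from each hop, which is the coupling between CM traffic and key provisioning that the sp architecture avoids by carrying CM over a dedicated connection.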