ISSN: 2245-4578 (Online Version) ISSN: 2245-1439 (Print Version)
Securing Ethernet-based Optical Fronthaul for 5G Network

Keywords

5G
Ethernet
Optical fronthaul
MACsec
IPsec
WireGuard
Quantum-resistant cryptography

How to Cite

[1]
J. Y. Cho, A. Sergeev, and J. Zou, “Securing Ethernet-based Optical Fronthaul for 5G Network”, JCSANDM, vol. 9, no. 1, pp. 91–110, Jan. 2020.

Abstract

In 5G networks, an optical fronthaul transports massive user data from remote radio heads (RRH) to the core network (CO) with high throughput and low latency. eCPRI is a new standard interface for the Ethernet-based optical fronthaul network that enhances efficiency and performance. However, if fronthaul networks are deployed in an unsafe domain, an end-to-end security system should be implemented over the data flow, which requires additional overhead and processing time. This redundancy may cause unexpected latency and performance degradation in the data transport for 5G networks. According to the eCPRI specification, vendors may optionally implement either IPsec or MACsec for secure transmission. In this paper, we investigate security solutions suitable for the Ethernet-based optical fronthaul network. We analyse the standard security protocols IPsec and MACsec. Alternatively, we propose WireGuard as a replacement for IPsec in secure fronthaul networks. According to our analysis, the extended overhead of the three security protocols has negligible impact on latency. However, the encryption and decryption of transmission packets may add latency to the eCPRI processing time and eventually reduce the maximum transmission distance between RRH and CO. To verify our analysis, we simulated eCPRI traffic on our test platform with the WireGuard protocol enabled. Our test results showed that the latency caused by the encryption and decryption process could be significant. We also point out that the re-key interval should be carefully selected so as not to compromise the security of a high-capacity transmission link such as a 5G fronthaul network. Our analysis is further extended with quantum-resistant cryptographic solutions for the long-term security of fronthaul networks.

https://doi.org/10.13052/jcsm2245-1439.913

