Hierarchical, Virtualized, and Distributed Intelligence 5G Architecture for Low-Latency and Secure Applications

— CHARISMA aims to tackle low-latency and end-to-end security for converged fixed/wireless 5G networks in order to meet the complex demands of emerging business paradigms, such as Smart Cities, eHealth


Introduction
5G networking is a swiftly evolving and broad concept [1], encompassing inter alia seamless fixed-mobile convergence with Gb/s connectivity speeds over an intelligent open access (multi-tenancy) infrastructure. Integrating such diverse technologies into a single architecture with attendant software-defined networking (SDN) and networking functions virtualization (NFV) presents key technology challenges, while making issues such as security, energy efficiency, and scalability ever more critical. In this paper, we present the CHARISMA (Converged Heterogeneous Advanced 5G Cloud-RAN Architecture for Intelligent and Secure Media Access) project architecture, whose objective is the development of an open access, converged 5G network, via virtualized slicing of network resources to different service providers (SPs), with network intelligence distributed out towards end-users over a self-similar hierarchical architecture. Such an approach offers a means to achieve important 5G key performance indicators (KPIs) related to low latency, high and scalable bandwidths, energy efficiency and virtualized security (v-security). CHARISMA's ambitious approach for low latency and enhanced security builds upon present and future high-capacity developments that are currently being mooted for 5G deployment, such as 60 GHz/E-band, CPRI-over-Ethernet, cloud-RAN, distributed intelligence across the back-, front- and perimetric-haul, ad-hoc mobile device interconnects, content delivery networks (CDN), mobile distributed caching (MDC) and improved energy efficiency. In this paper we discuss how CHARISMA's architecture has been designed to satisfy key 5G drivers as well as make the architecture particularly applicable to a variety of 5G-related use case scenarios.

The paper is organized as follows. Section II describes CHARISMA's approach to the key drivers of the 5G paradigm. The 5G use cases identified by CHARISMA, along with the extracted requirements, are listed in Section III. Section IV details CHARISMA's multi-domain converged architecture and its control, management and orchestration plane. Finally, we conclude the paper in Section V with potential future work and directions of the project.

II. CHARISMA Key drivers
The CHARISMA architecture has been designed to achieve many of the 5G KPIs as defined by the 5G-PPP programme as well as other key technology drivers. In particular, CHARISMA has been designed to emphasise 3 specific important functionalities that are also considered to be key to many important vertical sectors and the provisioning of their supporting 5G services. These 3 functionalities are to be a low-latency network, featuring security and open access (multi-tenancy) operation. End-to-end network latency is vital to support the wide range of new use cases promised by 5G networks, such as remote surgery, self-driving cars, and public safety communications systems. Apart from the necessity of low latency, 5G network security operations require automation, robustness and on-demand protection from attacks and threats. The softwarization and virtualization of networks and network functions have made security a complex challenge for 5G networks; thus a comprehensive approach to end-to-end security for network resources, both physical and virtual, is essential. A converged 5G infrastructure intrinsically possesses natural monopolistic characteristics; enabling open access to it for multiple virtual network operators therefore has multiple social, economic and environmental benefits. Network sharing and multi-tenancy imply a single infrastructure provider (InP) serving several service providers, with the physical infrastructure shared through the control and management (C&M) systems, which becomes a fundamental enabler of the flexibility, elasticity, and programmability required for 5G access core networks.

These three features, which CHARISMA has been specially designed to promote, are not necessarily compatible (or consistent) with each other and so impose their own additional constraints on how the architecture is best designed. They can be somewhat self-contradictory: for example, the desire for open access can potentially compromise security if the architecture does not appropriately take this into account, e.g. via appropriate tenant isolation measures. Conversely, these particular features can also act to reinforce and help each other. For example, the desire for end-to-end low latency can also assist in the secure operation of the network, e.g. by reducing the scope for interception or breakdown over long lengths of the topology, since low latency tends to require data to be processed (transmitted, etc.) as locally as possible to where it is required. These aspects and how they have influenced particular design choices in the CHARISMA architecture are examined in greater detail in later sections.

Use Cases
The CHARISMA use cases have been selected to highlight the main drivers of the project (see Figure 1), as discussed in Section II, including: support of low latency, multi-tenancy, and enhanced security, while being in-line with the UC families described by NGMN [1]. The purpose of these use cases is twofold:

Requirements and Challenges
The abovementioned use cases facilitate the requirement elicitation for the CHARISMA architecture. In the requirement analysis process, similar requirements belonging to different use cases are merged, and where different KPIs are considered for the same requirement, the most stringent KPI is taken into account. The following are the high-level consolidated requirements for CHARISMA:
• Support for low latency services: CHARISMA architecture shall support low latency services (≤ 1 ms) via i) routing of data at the lowest common aggregation point, ii) devolved offload strategies for device-to-device, device-to-remote-radio, device-to-baseband, device-to-central office/metro, etc., and iii) mobile distributed caching.
• Support for advanced end-to-end security: CHARISMA architecture shall support distributed security as well as physical layer security. The CHARISMA virtualized open access architecture-level design needs to have a holistic security approach for the control and management plane, as the underlying infrastructure is virtualized and shared among different SPs who operate simultaneously on the same physical resources.
• Support for open access: CHARISMA's architecture shall enable ubiquitous multi-provider, multi-user, multi-technology, and multi-service scenarios. The open access enabled infrastructure should have a unified virtualized network management system capable of allocating slices and offering accessible service interfaces for novel and differentiated services to end-users, as the basis for supporting innovative business models. The infrastructure owner has to be able to offer its virtual resources in a way that multiple operators can coexist and function independently from each other. To this end, virtual resources should be easily bundled together into slices of the physical infrastructure so that each slice constitutes an independent virtual edge network and cloud for a virtual network operator.
• Support for high data-rates: CHARISMA's architecture shall support data-rates up to 10 Gb/s for SMEs and residential users and up to 1 Gb/s for mobile end-users, through the use of a hierarchical intelligent data processing approach at the C-RAN and RRH, where statistical multiplexing, aggregation, and caching allow access data volumes to be significantly increased.

Business Perspective
The telecommunication market is a highly competitive environment that is characterized by continuous changes in terms of technology evolution and user preferences. The pure voice-oriented mobile networks (2G) of the previous decades have evolved to data networks (3G & 4G). 5G is envisioned as the technology that will connect a huge number of end-devices in a fully connected future. 5G will be the backbone of the future digital society since it will interconnect almost every device, sensor, etc., leading to growth and impact not just on the telecom sector but also creating new business opportunities. The business model regarding mobile networking is evolving alongside: initially the Network Operator and the End Users were the main stakeholders of the value-chain. Nowadays, new actors such as Content Providers and Over-The-Top (OTT) players are arising. One of the biggest changes of 5G will be the transformation of connectivity, and this will lead to changes related to business models.
As described in previous sections, more and more of the functionalities will be moved from the Central Exchange (CE) to other parts of the network. Virtualization will be present in most of the network elements. NFV will enable the use of common hardware, with ease of deployment, scalability and reduced costs, to achieve the required network element functionalities. Additionally, NFV combined with SDN will lead to a reduction of CAPEX and OPEX, and will optimize the operations and reduce the time to market for new actors.
A new eco-system with new players alongside the traditional ones will arise. A huge amount of CAPEX will not be necessary in order to enter the market and most of the costs will be OPEX related. Competition will move to the SW domain: SMEs developing new functions will have an opportunity to enter the market, while HW vendors will move their business closer to SW development.
Open Access is an essential feature of the CHARISMA ecosystem as it opens the market to multiple operators who will control their set of virtual resources by the appropriate interfaces. CHARISMA characteristics will also lead to new business innovation by involving vertical sectors such as Health, Factories of the Future, Energy, Automotive etc. that require low latency, high security and open access. For example, low latency will lead to new applications that require almost real-time control and information flow (remote surgery, ITS/collision avoidance); security will lead to new use cases regarding Factories of the Future, such as internet-based manufacturing, and will lead closer towards Industry 4.0; open access provides the basis for multi-tenancy. CHARISMA architecture will lead to cost efficiency, in terms of total cost of ownership and costs associated with control and management (C&M) of the network. The different topics that will be researched regarding the business perspectives of CHARISMA include, among others: new tariff and pricing models, charging mechanisms, and demand forecasting for services. Finally, a detailed techno-economic analysis of the CHARISMA solution will be performed and guidelines will be extracted.

CHARISMA Main Actors
Within CHARISMA scope the following actors have been identified (cf. Figure 2):

Network Operator (NO):
This actor owns all the infrastructure and telecommunication related equipment. The NO is also the entity that operates CHARISMA on top of its infrastructure. The infrastructure is virtualized and mapped into a pool of available resources that are offered to the virtual network operator(s). It provides all the different flavors of the X-as-a-Service model (XaaS).

Virtual Network Operator (VNO):
This actor provides connectivity to end users in retail and/or wholesale markets using the virtual resources from the NO, as a slice. A VNO can offer different application services with features including high security, low latency etc. to the end user.

Application Provider (AP):
An entity that provides specialized and enhanced services (e.g. platforms for remote surgery or automotive industry, content delivery) to users such as Business-to-Business or Business-to-Customer. Often, an SLA contract is signed between the AP and the VNO.

End Users (EU):
End users of the CHARISMA services; they can be either simple end users or an entity (e.g. automotive company, factory, hospital, bus company etc.).

Figure 2 represents a simple model describing the interactions between the actors. CHARISMA will study in detail different scenarios, relations and interactions between the actors.

Architecture Definition
A key architectural innovation of CHARISMA is the adoption of a self-similar hierarchical approach, with active nodes intermediate to the central office (CO) and end-users. The CHARISMA 5G architecture described has been designed to exhibit low latency (towards the 1-msec KPI of the 5G-PPP programme) as well as security and open access. Achieving low latency requires data to be handled (i.e. routed and/or processed) as close as possible to where it is required (i.e. either at the receiving end, and/or at the source end). Indeed, this implies that a low-latency architecture requires network intelligence to be located as close to the edge as possible, such that traffic which is expected to remain local never needs to travel towards the core of the network, minimizing transmission latency. Likewise, in cases where data is frequently required (e.g. from a popular video streaming source) it makes sense to store that video data at a location close to where it is frequently accessed; in such a way, access time latency can also be minimized. Overall, this requires the CHARISMA architecture to be much more distributed in nature, as compared to more centralized 5G architectures, e.g. as typically exemplified by the purely C-RAN architecture, where intelligence is almost completely located in the Central Office (or Central Node). While the legacy C-RAN network might also have had some limited storage at the RRH (equivalent to CAL2 in Fig. 3), CHARISMA's much more distributed and hierarchical approach sees such intelligence, processing and caching (i.e. in the IMU at each CAL node) pushed out also to the small cell (CAL1 at the rear of the bus) and at CAL0. Thus, the CHARISMA architecture also anticipates developments in cloudlet and fog computing. To that end, we have designed the CHARISMA architecture to be hierarchical, with a set of self-similar intelligent aggregation nodes located between the CO and end-users. Each node is labeled a Converged Aggregation Level (CAL) and is designated with a number, to signify its level in the hierarchy.

The high-level design of the CHARISMA control, management, and orchestration plane is shown in Figure 4. It closely follows the ETSI NFV architecture [9], as the latter is a standard that has been developed internationally over several years and is geared towards virtualization and multi-tenancy. Moreover, the ETSI NFV architecture comes with background work on security [10] and performance [11]. The architecture consists of four groups of components: Virtualized Infrastructure (VI); Virtualized Network Functions (VNFs); Management and Orchestration (MANO); and Operations and Business Support Systems (OSS/BSS).
The VI group virtualizes the hardware resources (computing, storage, and network) via e.g. a hypervisor at the Virtualization Layer, which pools the resources and exposes them for consumption by VNFs. The hardware resources constitute the CHARISMA access network, with the addition of an IMU at each CAL. The IMU models computing and storage resources that are either spare within access network equipment (e.g. BSs) or introduced with commercial off-the-shelf hardware (e.g. servers). The VNFs group comprises software components that implement network functions destined to run on the VI (and finally on the IMUs). CHARISMA looks specifically to implement VNFs for caching, switching, and security. However, any other network function, e.g. CDN, would be able to run on the VI. The MANO group includes components for the combination of VNFs into graphs implementing network services, the lifecycle management of VNFs, the coordination of allocating VNFs to virtualized resources, the homogenized control and management of the hardware resources, and the slicing of resources for supporting multi-tenancy. MANO operates under the policy set by the owner of the hardware infrastructure and communicates with the OSS/BSS of VNOs to report status and possibly to receive requirements. Apart from the general policies, the VNO can also select predefined security policies to be applied to resources or services under its control. The Security Policy Manager module manages the configured security policies at service and resource level (cf. Fig. 4). The Monitoring and Analytics module provides input to the Security Policy Manager based on the current monitoring information for a particular service or resource, so that the Security Policy Manager can take the next best action according to the configured policy.
In the rest of this section, we elaborate on different features of the CHARISMA architecture in light of the three main functionalities that CHARISMA aims to achieve: low latency, security and open access.

Low Latency
CHARISMA targets end-to-end low latency with a multi-pronged approach including cooperative hierarchical caching and routing, hardware acceleration, and high data throughput in the aggregation network.
CHARISMA offers a unified content delivery solution in the access and aggregation networks, and for device-to-device (D2D) communications, with latencies towards the 1-msec 5G KPI. The CHARISMA caching solution is based on cooperative hierarchical caching, i.e. caching decisions are made both locally and globally at each cache. Beyond CDN, the concept of in-network caching and information centric networking (ICN) also allows cache functionalities to reside at network devices like routers, switches, etc. [2]. The latter allows such devices forming the CHARISMA hierarchical in-network caching system to be controlled through a centralized SDN controller that can be used to manage/control content replicas by keeping track of the location and availability of content in distributed locations. By differentiating the forwarding data paths, the SDN cache controller is able to realize better load balancing and reduce redundant content stored in the network. However, the traditional Internet was designed for e2e communication with content being intrinsically linked to its location. Indeed, up to now, security mechanisms have also tended to be designed to be tightly coupled to the physical location of a host. ICN decouples data from the host, thus providing new opportunities for networking entities that can implement in-network caching functionalities [3] to reduce mean client latency by serving content near end-users.
As part of its architectural approach to reducing latency, CHARISMA also employs TrustNode technology [4], representing a router for radio access networks offering a port-to-port latency of less than 3 µs. To realize this, target data path circuitry is optimized at the register level, while a novel, IPv6-based routing concept is introduced which uses a self-routing mechanism, where the destination of a packet is contained in the routing address. The hierarchical architecture allows data to be routed via the lowest common CAL. No time-consuming table look-up or search algorithm is necessary for the forwarding decision. In parallel, a novel traffic management concept is explored with a QoS control mechanism providing smooth packet streams, which avoid large buffer fill and the resulting packet delay variation (jitter). The hierarchical cluster of TrustNodes is configured to allow short paths and local content caching, with redundancy and dynamic load sharing also supported.
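The self-routing idea above can be made concrete with a small sketch. It is an added example, not TrustNode or CHARISMA code, and it assumes an address layout the paper does not give: four levels CAL3 to CAL0, one 16-bit node ID per level, packed into the low 64 bits of an IPv6 address under the documentation prefix 2001:db8::/64.

```python
import ipaddress

# Assumptions for this sketch (not from the paper): four levels CAL3..CAL0,
# one 16-bit node ID per level, packed into the low 64 bits of an IPv6
# address under the documentation prefix 2001:db8::/64.
PREFIX = int(ipaddress.IPv6Address("2001:db8::"))
LEVELS = (3, 2, 1, 0)          # CAL3 is nearest the central office
FIELD_BITS = 16


def encode(path):
    """Pack (cal3, cal2, cal1, cal0) node IDs into an IPv6 address."""
    if len(path) != len(LEVELS) or any(not 0 < p < 2**FIELD_BITS for p in path):
        raise ValueError("path must hold four non-zero 16-bit node IDs")
    value = 0
    for node_id in path:
        value = (value << FIELD_BITS) | node_id
    return ipaddress.IPv6Address(PREFIX | value)


def decode(addr):
    """Recover the (cal3, cal2, cal1, cal0) path from an address."""
    value = int(ipaddress.IPv6Address(addr)) & (2**64 - 1)
    return tuple((value >> (FIELD_BITS * i)) & 0xFFFF for i in (3, 2, 1, 0))


def lowest_common_cal(src, dst):
    """Return the lowest CAL level whose node lies on both paths, or None."""
    common = None
    for level, a, b in zip(LEVELS, decode(src), decode(dst)):
        if a != b:
            break
        common = level
    return common


def forward(node_level, node_path, dst):
    """Forwarding decision at one CAL node, taken from address bits alone.

    node_path holds the node's own IDs from CAL3 down to node_level.
    Returns ("down", child_id), ("up", None) or ("local", None).
    """
    dst_path = decode(dst)
    depth = len(node_path)               # fields that identify this node
    if dst_path[:depth] != tuple(node_path):
        return ("up", None)              # destination is outside this subtree
    if node_level == 0:
        return ("local", None)           # this CAL0 serves the destination
    return ("down", dst_path[depth])     # next field selects the child port


def route(src, dst):
    """List the CAL levels a packet visits from src's CAL0 to dst's CAL0."""
    path, hops, level = list(decode(src)), [], 0
    while True:
        hops.append(level)
        action, child = forward(level, path, dst)
        if action == "local":
            return hops
        if action == "up":
            path.pop()
            level += 1
            if not path:
                raise ValueError("no common CAL node: different CAL3 roots")
        else:
            path.append(child)
            level -= 1
```

Each `forward` call is a fixed-width field comparison, so the decision needs no routing table, and traffic between two hosts under the same CAL1 turns around there without reaching CAL2 or above.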
The trend for next-generation 5G technologies to employ software-based NFV unfortunately tends to increase latencies due to the higher CPU utilization required to implement an all software-based networking function. To mitigate this trend, CHARISMA also proposes the use of a smart network interface card (NIC) armed with NFV acceleration for the data path as a means to reduce latency, power consumption, and also CAPEX. In the back-haul or aggregation network, respectively, CHARISMA is investigating OFDM-PON technology [5], both as a means to achieve high data throughputs at a low cost and as a means to reduce network latency. Key parameters here are an aggregated data rate of 100 Gb/s together with 1024 subcarriers providing an additional degree of freedom for media access to provide effective virtualization. Here, latency is dominated by input buffering, error correction, and synchronization. Simulations show a processing delay due to MAC and PHY signal processing in the low µs range, which is already well below the propagation delay of 50 µs for a 10-km fibre connection. In order to reduce the costs at the Optical Network Unit (ONU), CHARISMA is also investigating new concepts, where only parts of the OFDM spectrum are received and processed.

Security
In 5G networks, chaining of physical network functions and virtual network functions within a network service imposes a holistic approach to achieve end-to-end security. Virtualized security (v-security) is a vital part of 5G network service provisioning, and the CHARISMA architecture approaches v-security via intelligent security management, tenant isolation, Virtual Security Functions (VSFs), authentication, and authorization. Amongst the advantages brought by NFV are the agility and adaptability offered to meet service delivery requirements, achieved through the orchestration of the available resources. CHARISMA adopts a policy-driven approach, via the Security Policy Manager (cf. Fig. 4), to orchestration and support for intelligent security management capabilities. The orchestrator can receive security rules and policies set by an SP and, based upon monitoring information collected from the already deployed services through the Monitoring and Analytics module (cf. Fig. 4), it can detect possible security threats. Depending on the security policy selected, the orchestrator creates security profiles that differ in the decisions taken on the countermeasures appropriate to address a particular threat. Examples of such decisions are: the configuration, termination, scaling or migration of an already deployed service; and the deployment of new security services which, through proper placement of VNFs, will attempt to prevent, neutralize or respond to a specific attack.
Moreover, the security-related VNFs developed in CHARISMA are designed to implement or assist virtualized security functions (i.e. VNFs) such as intrusion detection, firewalls, and deep packet inspection (DPI). That is, a network service may be composed of one or more security VNFs according to the differing virtual network operator (VNO) specifications, ensuring the individual v-security requirements. CHARISMA foresees authentication and authorization at infrastructure level, both virtualized and physical, i.e. every virtual and hardware component has to be authenticated. The VNOs need to be authenticated and allowed access to authorized virtual network resources only. In this regard, CHARISMA provides a comprehensive authorization and authentication solution facilitated with a trust framework. Furthermore, CHARISMA also exploits MACsec [8] for authentication and encryption for MAC layer security. Other VNFs implemented in CHARISMA are directed towards vCPE, SDN control, and content caching. Security of ICN-based architectures is still relatively immature; however, some directions have been proposed [7] to extend protocols (i.e. OpenFlow) where content can be encrypted through a digital signature with the private key of the content originator, thus enforcing confidentiality, traceability and content access feedback. Here we envision distributed caching security as a virtualization of the network layer and cluster encryption at the physical layer in order to also greatly reduce content access latency for both mobile and fixed networks.

Open Access/Multi-tenancy
The CHARISMA open access solution allows infrastructure providers to share resources among multiple VNOs, thereby lowering CAPEX and OPEX, as well as achieving more efficient operation of the network using a centralized control and management system for all resources involved. It supports different network instances, called network slices, that share a common pool of resources but have different characteristics in order to support the different network service needs. It is motivated by an open access virtualization platform built on Software Defined Networks (SDN), Network Functional Virtualization (NFV), and network slicing, concepts that enable a new SP to propose new services without the need to negotiate with the operator for a slice of physical infrastructure, therefore opening the market to multiple VNOs in a secured and segregated manner. More specifically, the VNFs consist of software components running on top of the CHARISMA virtualized infrastructure, with the VNFs implementing common network functions traditionally carried out by specialized hardware devices, and are deployed on top of commodity (i.e. off-the-shelf) IT infrastructure equipment. The CHARISMA open access solution ensures that the VNFs operated by a particular VNO are deployed on virtual resources belonging to the network slice of the respective VNO, while maintaining isolation among the different tenants of the CHARISMA network.
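The policy-driven orchestration described under Security and the slice isolation described above fit together in one control path, sketched here as an added example that is not CHARISMA code. The resource names, policy names, threat labels and the `SecurityPolicyManager` interface are all hypothetical; only the countermeasure kinds (configure, terminate, scale, migrate, deploy a security VNF) come from the paper.

```python
from dataclasses import dataclass, field

# Constructed sample data; every name here is hypothetical.
# Slice inventory: which VNO's slice each virtual resource belongs to.
SLICE_OF = {"vm-a1": "vno-a", "vm-a2": "vno-a", "vm-b1": "vno-b"}

# Predefined security policies a VNO can select: threat -> countermeasure.
POLICIES = {
    "strict":   {"port_scan": "deploy:firewall", "flood": "deploy:ids",
                 "compromise": "terminate"},
    "balanced": {"port_scan": "configure", "flood": "scale",
                 "compromise": "migrate"},
}


@dataclass
class SecurityPolicyManager:
    selected: dict = field(default_factory=dict)   # VNO -> policy name
    audit: list = field(default_factory=list)      # every decision, allowed or not

    def select_policy(self, vno, policy):
        if policy not in POLICIES:
            raise ValueError(f"unknown policy {policy!r}")
        self.selected[vno] = policy

    def _in_slice(self, vno, resource):
        # Unknown resources fail closed: they belong to no tenant.
        return SLICE_OF.get(resource) == vno

    def place_vnf(self, vno, vnf, resource):
        """Admit a VNF only onto a resource inside the requesting VNO's slice."""
        ok = self._in_slice(vno, resource)
        self.audit.append(("place", vno, vnf, resource, ok))
        return ok

    def next_action(self, vno, alert):
        """Turn a monitoring alert into a countermeasure for one tenant."""
        resource, threat = alert["resource"], alert["threat"]
        if not self._in_slice(vno, resource):
            decision = "deny:cross-tenant"
        elif vno not in self.selected:
            decision = "escalate:no-policy"
        else:
            # Threats the selected profile does not cover go to an operator.
            decision = POLICIES[self.selected[vno]].get(threat, "escalate:unmapped")
        if decision.startswith("deploy:"):
            # A new security VNF goes through the same slice check as any VNF.
            vsf = decision.split(":", 1)[1]
            if not self.place_vnf(vno, vsf, resource):
                decision = "deny:cross-tenant"
        self.audit.append(("alert", vno, resource, threat, decision))
        return decision
```

The same threat yields a different countermeasure per tenant because the decision comes from the policy the owning VNO selected, and a request that names another tenant's resource is refused and recorded before any policy is consulted.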

V. Conclusions
This paper presented a virtualized hierarchical and intelligent 5G access network architecture, based on hierarchical CAL and flexible IMU technology, suitable for services and applications requiring low latency, enhanced security, and multi-tenancy. To achieve the low-latency requirements, CHARISMA explores hierarchical routing with in-network caching, NFV acceleration for data paths using smart NICs, and OFDM-PON technology. In order to meet the enhanced security (both physical and virtual) and multi-tenancy challenges, the proposed architecture employs the network slicing concept along with SDN and NFV principles. In this paper, we have also listed various use cases where CHARISMA's innovative architecture can play a vital role in enabling the required 5G networking solutions. The requirements extracted from these use cases allowed the CHARISMA architecture to be refined. The CHARISMA project consortium plans to demonstrate the proof of concept for the three main drivers (low latency, enhanced security, and open access/multi-tenancy) by the end of this year. CHARISMA is an ongoing research project and the latest updates can be found in [13].

Figure 1: CHARISMA use cases and drivers

Figure 4: High-level CHARISMA control, management, and orchestration plane

Factory of the Future (IoT): The objective
This use case highlights CHARISMA's support for advanced ITS innovative services/applications necessitating the exchange of information in real-time under strict delay constraints among the vehicles and the central infrastructure.