Securing Ethernet-based Optical Fronthaul for 5G Network

In 5G networks, an optical fronthaul transports massive user data from remote radio heads (RRH) to the core network (CO) with high throughput and low latency. eCPRI is a new standard interface for the Ethernet-based optical fronthaul network to enhance the efficiency and performance. However, if fronthaul networks are deployed in an unsafe domain, an end-to-end security system should be implemented over the data flow, which requires additional overhead and processing time. This redundancy may cause unexpected latency and performance degradation in the data transport for 5G networks. According to the specification of eCPRI, vendors may optionally implement either IPsec or MACsec for the secure transmission. In this paper, we investigate security solutions suitable for the Ethernet-based optical fronthaul network. We analyse the standard security protocols such as IPsec and MACsec. Alternatively, we propose WireGuard as an replacement of IPsec for secure fronthaul networks. According to our analysis, the extended overhead for three security protocols has negligible impact on the latency. However, the encryption and decryption of transmission packets may cause additional latency on the eCPRI processing time and eventually reduce the maximum transmission distance between RRH and CO. To verify our analysis, we simulated an eCPRI traffic on our test platform with the WireGuard protocol enabled. Our test results showed that the latency caused by encryption and decryption process could be significant. We also point out that a re-key interval should be carefully selected not to compromise the security of the high capacity transmission link such as 5G fronthaul networks. Our analysis is further extended with quantum-resistant cryptographic solutions for the long-term security of fronthaul networks.