Management and enforcement of secured E2E network slices across transport domains

Due to the fact that the current variability of services is brought by the current networks and the new possibilities that will appear thanks to the near-future networks, Network Slicing has become one of the key elements to allow the co-existence of multiple computing and transportservices with different requirements (i.e., performance, security, isolation) over the same infrastructure in multi-tenant and multi-domain (i.e., edge, transport, core) scenarios. The use of this and other technologies allow to have only one generic infrastructure (e.g., an optical transport domain) despite the services differences, instead of needing specific resources (e.g., on single optical fiber) for each type of service. Multiple works have been published about Network Slicing, Network Function Virtualization and Software Defined Networks using multiple computing and transport domains but, based on our literature research, there is one important aspect with a low amount of attention: the security management around network slices and their enforcement. It is essential to ensure that the expected Quality of Security (QoSec) is accomplished based on the correct deployment and posterior monitoring of the security metrics defined in the agreed Security Service Level Agreement (SSLA) between the service requester and the provider. This article aims to present an architecture designed to manage and control the life-cycle of secured End-to -End (E2E) network slices involving multiple domains based on the SSLA requirements. The security management architecture is described with its components together with the deployment and monitoring processes and the data objects used. Finally, an experimental validation is described using the use case of a DoS attack scenario and its resolution.