Side Channel Attack-Aware Resource Allocation for URLLC and eMBB Slices in 5G RAN

Network slicing is a key enabling technology to realize the provisioning of customized services in 5G paradigm. Due to logical isolation instead of physical isolation, network slicing is facing a series of security issues. Side Channel Attack (SCA) is a typical attack for slices that share resources in the same hardware. Considering the risk of SCA among slices, this paper investigates how to effectively allocate heterogeneous resources for the slices under their different security requirements. Then, a SCA-aware Resource Allocation (SCA-RA) algorithm is proposed for Ultra-reliable and Low-latency Communications (URLLC) and Enhanced Mobile Broadband (eMBB) slices in 5G RAN. The objective is to maximize the number of slices accommodated in 5G RAN. With dynamic slice requests, simulation is conducted to evaluate the performance of the proposed algorithm in two different network scenarios. Simulation results indicate that compared with benchmark, SCA-RA algorithm can effectively reduce blocking probability of slice requests. In addition, the usage of IT and transport resources is also optimized.

transport network and core network. This paper focuses on RAN slicing, which is a primary part in 5G network slicing.
In 5G RAN, based on the flexible split of baseband processing functions [5]- [7], base band unit is divided into two parts, Distributed Unit (DU) and Central Unit (CU). DU is responsible for processing latency sensitive tasks while CU consists of latency tolerant functions. Network function virtualization (NFV) is considered as a key enable technology to realize the slicing of 5G RAN. With the leverage of NFV in 5G RAN, both CUs and DUs can be realized in the form of virtual network functions (VNFs) running on commercial servers [8], [9]. Thus, each server can accommodate multiple instances of virtual DU (vDU) or virtual CU (vCU). For each slice, the traffic from antennas side must go through vDU and vCU in sequence to perform baseband processing.
Due to logical isolation instead of physical isolation, network slicing is facing up with a lot of security issues, such as exhaustion of security resources, denial of service (DoS) [10]. This paper focuses on the issue of side channel attack (SCA) among slices [11], [12], which is a class of attack on implementations of cryptography. Supposing two slices respectively use two VNF instances (i.e., virtual machines (VMs)) in the same hardware, a malicious VM in one slice may extract fine-grained information from a victim VM in the other slice. Specifically, if the two slices have very different security levels, SCA could create a significant benefit for the attacker. Therefore, a specific policy of resource allocation is desired to cope with the potential SCA among different slices in 5G RAN.
In this paper, a SCA-aware Resource Allocation (SCA-RA) algorithm is proposed for URLLC and eMBB slices in 5G RAN. With the constraint of avoiding SCA, the objective in this paper is to maximize the number of slices accommodated in 5G RAN by optimizing resource allocation for slices. The main contributions of this paper can be summarized as follows.
• To the best of our knowledge, this paper investigates the issue of SCA among network slices in 5G RAN for the first time. We define the scenario of network slicing in 5G RAN and describe the resource allocation of eMBB and URLLC slices. Meanwhile, this paper clarifies how resource allocation for slices is affected by the risk of SCA.
• Considering dynamic slice requests, this paper designs a heuristic algorithm to effectively allocate heterogeneous resources for URLLC and eMBB slices under different security requirements.
• The performance of the proposed algorithm is evaluated through simulation with two different cases. Simulation results indicate that compared with the benchmark, the proposed SCA-RA algorithm can effectively reduce blocking probability of slice requests, as well as the usage of servers and transponders.
The rest of the paper is organized as follows. Section II introduces the related work of network slicing. Section III defines network scenario and presents the problem addressed in this paper. Then, Section IV describes the proposed SCA-RA algorithm and analyzes its time complexity. Section V evaluates the performance of SCA-RA algorithm in two network scenarios. Finally, Section VI concludes this paper.

II. RELATED WORK
In this section, we introduce the related works about network slicing, including network slice isolation and security in network slicing.

A. NETWORK SLICE ISOLATION
Since slice isolation is an effective solution to guarantee slice security, many researches focus on how to realize or optimize the slice isolation. The authors in [13] outlined the recent trends and proposed a set of challenges to realize end-to-end user's security based on slices isolation. For the combination of private and public network infrastructure, several deployment models were introduced in [14] to provide strong network slice isolation for the third parties. However, they just showed the qualitative analysis of different deployment approaches. The authors in [15] investigated dynamic network slicing strategies with mixed traffics in virtualized RAN to improve resource utilization and QoS satisfaction. A connection admission control mechanism was used to achieve effective isolation while reaping the capacity benefits of dynamic network slicing [16]. A two-layer scheduler was proposed for an efficient and low complexity RAN slicing approach to achieve trade-offs between isolation and efficiency [17]. A demonstration was given in [18] to show how Flex Ethernet (FlexE) technology could be leveraged to guarantee hard isolation between slices.

B. SECURITY IN NETWORK SLICING
Due to sharing the same physical network, network slices face a lot of security issues. The authors in [19] proposed the network slice trust degree concept and established the trust degree calculation model for 5G network slices. The concept of Security Trust Zone (STZ) was introduced into network slicing architecture, and the performance and isolation capabilities of STZ approach were assessed in terms of detecting and mitigating simulated threats [20]. An application-aware framework was proposed in [21] to enable Security as a Service (SECaaS) within network slices using Software Defined Networking (SDN) and NFV technologies. An efficient and secure service-oriented authentication framework was proposed in [22] to support network slicing and fog computing for 5G-enabled IoT services. Two heterogeneous signcryption schemes were proposed for 5G network slicing to achieve mutual communications between different public key environments [23]. The authors in [24] abstracted security issues of network slicing into the security requirement and security level instead of delving into specific security issues. They formulated an Integer Linear Programming (ILP) model and designed a heuristic algorithm to realize efficient and secure 5G core network slice provisioning. The authors in [25] used slice isolation to mitigate the impact of DDoS attacks on slice authentication and the solution was evaluated by a combination of simulation and an experimental testbed. However, the solutions proposed in [24], [25] are only suitable for core network slicing.
To the best of our knowledge, resource allocation policy of RAN slicing in 5G is not available in the context of avoiding SCA. Since SCA brings constraint on resource allocation of slices, the flexibility of resource allocation will be degraded as well as resource utilization. Thus, resource allocation of slices needs to be addressed carefully under the constraint of security requirements to improve the resource utilization in 5G RAN.

III. NETWORK SCENARIO AND PROBLEM STATEMENT
A. DEFINITION OF NETWORK SCENARIO As shown in Fig. 1(a), this paper assumes a Dense Wavelength Division Multiplexing (DWDM) centric transport network with a ring-type topology [26]. The Active Antenna Units (AAUs) are connected to Metro Nodes (MNs) via Access Edge (AE) nodes. In turn, MNs can reach the 5G VOLUME 8, 2020 Core via a Metro Edge (ME) node [27]. For the placement of radio functionalities, CUs are placed at the ME while DUs are deployed at both the MNs and AEs. In Fig. 1(b), the interface between CU and DU is called F1 [28]. The transport capacity requirement of F1 is similar to that for the conventional backhaul interface. The interface between AAU and DU is defined as evolved Common Public Radio Interface (eCPRI) [29], [30]. This paper adopts packet aggregation and wavelength switching for F1 and eCPRI traffic flows, respectively. Note that both DUs and CUs can be virtualized as vDUs and vCUs running on commercial servers. Each server can accommodate multiple instances of vCU or vDU.
With the logical isolation, each slice contains a set of heterogeneous resources from AAU to 5G core. Specifically, AAU/sub-AAU is allocated for each slice to collect the user signals and transport resources are assigned to carry eCPRI and F1 traffic. Meanwhile, IT resources (e.g., computing and storage) are required for each slice since the traffic must go through vDU and vCU in sequence to perform the baseband processing. As shown in Fig. 1(a), this paper considers two kinds of typical slices, i.e., eMBB and URLLC slice. Note that the Quality of Service (QoS) requirements of slices affect the location of the vDU to be used. For instance, the traffic from URLLC slice should be processed by the vDU hosted in AE to meet the low latency requirement. By contrast, since the number of vDUs in MN is much higher than that in AE, the flow in eMBB slice should be terminated in MN to enable the large amount of baseband processing from broadband services.
Due to the differences of service characteristics and application scenarios, each type of slices may have different security levels. This paper assumes that both URLLC and eMBB slices have two kinds of security levels, i.e., high and low security level. We consider dynamic traffic scenario where slice requests dynamically come and depart. Besides, the security level of each slice request is randomly assigned as high or low security level. According to the security recommendations in [10], slices with different security levels cannot use the vDUs or vCUs in the same server to avoid the risk of SCA. In other words, each sever is supposed to provide vDUs or vCUs for the slices with the same security level.
For ease of description, the notations and corresponding definitions are listed as follows.
• G(V , E), ring topology with DWDM transport for 5G RAN, where V refers to the set of nodes including AAUs, AEs, MNs and ME. E is the set of fiber links.
, a tuple denoting slice request, where r id is the ID of slice request and r t is the type of slice request. η id is a binary variable, η id = 1 for high security level. Otherwise, the value is 0. b FH and b F1 are the bandwidth demand of eCPRI and F1 traffic, respectively. d IT is the demand of IT resources.
• a v u , the v th slice of the u th AAU, u ∈ [1, n aau ], v ∈ [1, n slice ]. n aau is total number of AAUs and n slice is slice number supported by each AAU.
• ψ AE i , set of AEs, including AE i and its neighbor AEs with no more than one hop distance.
• ψ MN i , set of MNs, including MN i and its neighbor MNs with no more than one hop distance.
, a server consisting of several vDUs, is total number of vDU.
• vDU k η , the k th vDU providing IT units for slices with security level η.  special constraints (e.g., the selection requirement of vDU), which are shown in Fig. 2. We can see that both AEs and MNs have two servers, which provide vDUs for slices with high and low security level, respectively. The slice requests include one URLLC slice with high security level from AAU 3 to 5G core and one eMBB slice with low security level from AAU 2 to 5G core.
The policy adopted in Fig. 2(a) is to always use the nearest vDUs for each slice request. To be specific, the URLLC slice request will occupy the vDU in the server with high security level in AE 3 . We can see that a free server provides the desired vDU for this slice. Similarly, the eMBB slice request attempts to use the vDU in the server with low security level in MN 1 . However, the remaining resource in the selected server is not enough to meet the vDU requirement of this slice request. Thus, this eMBB slice request will be rejected due to lack of vDU. In Fig. 2(b), the selection of vDU for slice request is not limited to the nearest AE or MN. The URLLC slice uses the vDU in the server with high security level in AE 4 . In this case, the server with high security in AE 3 remains free and the number of used servers reduces by one. For the eMBB slice, the vDU in the server with low security in MN 2 is allocated to avoid the overload in MN 1 .
Comparing Fig. 2(a) with Fig. 2(b), we can find that the security requirements of slices introduce the constraint of avoiding SCA in the resource allocation for slices. In this regard, different policies of resource allocation for slices may potentially affect the resource usage and network performance (e.g., blocking probability of slice requests). To solve this issue, this paper investigates how to effectively allocate heterogeneous resources for the slices under their different security requirements. The objective is to maximize the number of slices accommodated in 5G RAN. In addition, it is important to note that since all vCUs are placed in ME, the allocation of IT resources focuses on vDUs assignment for slices.

IV. SCA-AWARE RESOURCE ALLOCATION ALGORITHM FOR URLLC AND eMBB SLICES A. ALGORITHM DESCRIPTION
This paper designs a heuristic algorithm of resource allocation for URLLC and eMBB slices under the constraints of different security requirements. Considering each slice consists of radio, IT and transport resources, the aim of this work is to minimize the blocking probability of slice requests by optimizing the allocation of heterogenous resources. The pseudo-code of the algorithm is shown in Table 1.
Without loss of generality, we take an eMBB slice request as an example and its security level is high. For URLLC slice requests, the resource allocation can be realized similarly. The difference is that URLLC slices need to occupy IT resources (i.e., vDU) in AE instead of in MN. For each slice request, the proposed algorithm consists of three phases. The first phase is to allocate radio resource (i.e., AAU) for each slice request. Note that each AAU can be shared by several network slices. If a AAU is available for the new slice request, the algorithm steps into the second phase. Otherwise, the slice request will be blocked for lack of AAUs.
The second phase is to search a vDU to supply the required IT resource for the slice request. First, we will get the local MN MN i , which the selected AAU in the first phase belongs to. Then, the set ψ MN i is composed of MN i and its neighbor MNs with no more than one hop distance. It is important to note that MN i is ranked as the first element in ψ MN i and its neighbor MNs are sorted in the ascending order of the connection length from AAU to 5G core. All the elements in ψ MN i are traversed to search a vDU for the high security slice request. Meanwhile, to avoid the risk of SCA, each server can only provide vDUs for either high security slices or low security slices. To be more specific, a server is assumed to provide vDUs for a set of slices, which is denoted as R = {r id }, id ∈ [1, N ]. Then, the following constraint must be VOLUME 8, 2020 satisfied to avoid the SCA among slices in this server. Note that to reduce the number of working servers, only vDUs in the being occupied servers are checked and the vDUs in new servers are not considered in this step. If the vDU can be found in an occupied server, the ID of the vDU is marked. Otherwise, MN i is checked whether a new server is available to provide the required vDU. If so, the ID of the vDU is marked. Otherwise, slice request is blocked for lack of IT resources.
The third phase is to perform the routing and transport resource assignment. For each slice request, a connection from AAU to 5G core is established, which must go through the selected vDU in the phase two. If transport resources are adequate for both eCPRI and F1 traffic, the slice request can be served successfully and the resource usage will be updated then. Otherwise, the slice request is blocked due to the scarcity of transport resources.

B. TIME COMPLEXITY ANALYSIS
The time complexity of SCA-RA algorithm is analyzed as follows. As mentioned in above section, SCA-RA algorithm consists of three phases. The time complexity of the first

V. SIMULATION AND RESULTS ANALYSIS A. SIMULATION SETUP
The parameter configurations in the simulation are shown in the Table. 2. A DWDM centric network with a ring topology is considered in the simulation. There are 5 MNs and 1 ME. Each MN is connected to 15 AEs, each one with 6 AAUs. Thus, the ring topology consists of 450 AAUs in total. Note that each AAU can be shared by three slices at most. 25Gb/s transponder is adopted for each wavelength. For server deployment, each AE accommodates two servers while each MN consists of six servers. Note that due to the potential risk of SCA, each server cannot provide vDUs for high security slices and low security slices at the same time. Besides, each server consists of ten vDU instances, each of which can provide ten IT units for slices.
In terms of service profile, 50000 service requests are generated following Poisson distribution and their holding time follows exponential distribution. The AAU in each slice request is randomly selected from all the AAUs. For URLLC and eMBB slices, the detailed capacity requirements of eCPRI and F1 interfaces are listed in Table 2. For each slice, eCPRI traffic occupies one or multiple wavelength by using wavelength switching while F1 traffic can share one wavelength channel through packet aggregation. The vDU of each eMBB slice and URLLC slice consumes ten and five IT units, respectively. In addition, routing and wavelength assignment are computed according to the strategy presented in [20]. Simulation results are obtained by averaging 20 experiments. All the presented results have a confidence interval not exceeding 6%, with 95% confidence level.

B. RESULTS ANALYSIS
The performance of the proposed algorithm is evaluated through simulation experiments. We focus on two types of performance metrics in this paper, i.e., blocking ratio of slice requests and network resource usage. The blocking ratio is the ratio of the blocked slice number to the total request number. This paper focuses on dynamic traffic, where slice requests dynamically arrive and depart. If the slice request cannot be served immediately at the arrival time, it will be blocked. Thus, blocking probability is calculated after all the slice requests arrive. Two kinds of network resources are considered in the simulation, i.e., IT and transport resources. The former is quantified as the total number of servers occupied by slices while the latter refers to the wavelengths and transponders (TPs) allocated for slices. Specifically, for wavelength usage, we calculate the number of wavelengths used on the most loaded link (MLL) in metro ring (MR) and access rings (AR), respectively. The TP usage refers to the total number of TPs used to aggregate F1 traffic flows. Since the usage of network resource varies with time during the simulation, we record the resource usage every 5000 slices. Then, with 50000 slice requests in total, each metric of resource usage is the average value of 10 samples in each simulation. In addition, the benchmark algorithm is to select the nearest AE or MN to provide the required vDUs for slice requests.
Two network scenarios are considered in the simulation. In the first scenario, the performance of SCA-RA algorithm is evaluated in different traffic loads. Besides, both AAUs and transport resources are enough for the slice requests. Thus, IT resource is the only bottleneck that may lead to service rejection in high traffic load. By contrast, the second scenario focuses on different ratios of eMBB to URLLC slice number among all slice requests with a fixed traffic load. Meanwhile, only AAUs are sufficient for slice requests. Both wavelength and IT resources affect how many slice requests can be accommodated in 5G RAN.

1) PERFORMANCE EVALUATION IN DIFFERENT TRAFFIC LOADS
In this case, traffic load increases from 700 to 1150 Erlangs with the increment of 50 Erlangs. Note that traffic load is calculated as the ratio of the mean holding time to the mean  inter-arrival time of network slices. For the composition of slice requests, the ratio of eMBB to URLLC number is 1:2 [31]. Besides, each fiber link has enough wavelengths to carry eCPRI and F1 traffic. Figure 3 shows the blocking probability of slice requests in different traffic loads. We can see that with traffic load increasing from 700 to 1150 Erlangs, a growing number of slice requests are blocked for lack of IT resources for both the benchmark and the proposed SCA-aware algorithm. Compared with benchmark, the proposed algorithm can make more slice requests served by the network in different traffic loads. For instance, if the traffic load is set to 900 Erlangs, nearly 4.23% of service requests are blocked with the benchmark while the blocking ratio can be reduced to 2.64% with the proposed SCA-RA algorithm. This is because multiple MNs or AEs are available to provide the required vDU for each slice request in SCA-RA algorithm. However, the benchmark always selects the nearest MN or AE, which makes slice requests blocked with a higher probability. Figure 4 shows the wavelength usage on MLL in MR and ARs. When traffic load increases from 700 to 1150 Erlangs, VOLUME 8, 2020 the number of wavelengths used on MLL in MR increases from 84 to 90 with the benchmark. By contrast, with SCA-RA algorithm, the number of wavelengths used on MLL in MR increases from 74 to 117. Besides, it is interesting to note that two curves cross around 850 Erlangs. This can be explained as follows. The wavelengths in MR are occupied by both eMBB and URLLC slices. For eMBB slices, since the traffic may be processed by vDUs in neighbor MNs, SCA-RA algorithm requires more wavelengths in MR than the benchmark. For URLLC slices, since more F1 flows can be aggregated in SCA-RA algorithm, the wavelength usage in MR is less than the benchmark. When traffic load is less than 850 Erlangs, wavelength reduction in MR brought by URLLC slices surpasses the wavelength increment caused by eMBB slices. Thus, SCA-RA algorithm can achieve a smaller value for this metric than the benchmark. However, when traffic load is higher than 850 Erlangs, wavelength reduction in MR brought by URLLC slices is less than wavelength increment caused by eMBB slices. Therefore, SCA-RA algorithm requires more wavelengths in MR than the benchmark in high traffic load. Meanwhile, the wavelength usage on MLL in AR is shown in the lower half of Fig. 4. We can see that SCA-RA algorithm consumes more wavelengths than the benchmark on MLL in AR with different traffic loads, which can be analyzed similarly. Since the traffic in URLLC slices may be processed by vDUs in neighbor AEs, SCA-RA algorithm needs more wavelengths in AR than the benchmark. Besides, for eMBB slices, SCA-RA algorithm makes little difference on the wavelength usage in ARs. Therefore, SCA-RA algorithm requires more wavelengths in ARs than the benchmark.
The total number of servers and TPs are shown in Fig. 5 and Fig. 6, respectively. Since servers are deployed in both MNs and AEs, we calculate the number of servers used in MNs and AEs, respectively. In Fig. 5, we can see that the total number of servers used in MNs and AEs increases with the growth of traffic load. The server usage in MNs with the benchmark is very close to the case with SCA-RA algorithm. With only five MNs in total, SCA-RA algorithm just brings slight reduction of server number in MNs. By contrast, the SCA-RA algorithm can bring significant reduction in terms of server usage in AEs. This is because 75 AEs in total leave a huge margin for the optimization of server usage. Compared with the benchmark, the total number of servers needed by SCA-RA algorithm is reduced by ∼39%. For instance, when traffic load is 900 Erlangs, the SCA-RA algorithm and the benchmark consume 108 and 178 servers, respectively. Similarly, total number of TPs consists of two parts, TPs in MNs and AEs. For TP usage in MNs, SCA-RA algorithm requires slightly more TPs than the benchmark. Besides, we can see that SCA-RA algorithm makes a difference on the TP usage in AEs. Compared with the benchmark, SCA-RA algorithm brings 27% reduction of TP usage in AEs when traffic load is 700 Erlangs.

2) PERFORMANCE EVALUATION IN DIFFERENT PROFILES OF SLICE REQUESTS
In this case, the traffic load is fixed at 900 Erlangs and only 80 wavelengths are available for each fiber link. We consider five different ratios of eMBB to URLLC slice number among 50000 slice requests, i.e., eMBB: URLLC = 1:1, 1:1.25, 1:1.5, 1:2 and 1:3. The lower ratio corresponds to a higher number of URLLC slices generated among all slice requests. Figure 7 shows the blocking ratio of slice requests in different ratios of eMBB to URLLC slices. Two curves are going down when the number of URLLC slices increases. This is because each URLLC slice requires less transport and IT resources than an eMBB slice. Besides, the proposed SCA-RA algorithm can make more slices accommodated than the benchmark. For instance, when the ratio is 1:1.5, the blocking ratio can be reduced by 1.08%. The number of wavelengths used on MLL in MR and ARs are listed in Fig. 8, respectively. For SCA-RA algorithm, the wavelength usage  in ARs is slightly higher than the benchmark while the wavelength usage in MR is slightly less than the benchmark. This can be explained as follows. The wavelengths in ARs and MR are occupied by both eMBB and URLLC slices. Since the traffic in URLLC slices may be processed by vDUs in neighbor AEs, SCA-RA algorithm needs more wavelengths in AR than the benchmark. Meanwhile, for eMBB slices, SCA-RA algorithm makes little difference on the wavelength usage in ARs. Therefore, SCA-RA algorithm requires more wavelengths in ARs than the benchmark. The wavelength usage in MR can be analyzed similarly. For eMBB slices, SCA-RA algorithm requires more wavelengths in MR than the benchmark. For URLLC slices, since more F1 flows can be aggregated in SCA-RA algorithm, the wavelength usage in MR is less than the benchmark. With the increase of URLLC slice number, the wavelength reduction in MR brought by URLLC slices will surpass the wavelength increment caused  by eMBB slices. That is why SCA-RA algorithm can reduce the number of wavelengths used on MLL in MR. Figure 9 and 10 show the usage of servers and TPs in different ratios of eMBB to URLLC slices. In Fig. 9, for a given ratio, we can see that SCA-RA algorithm hardly affects the server usage in MNs. In contrast, the server usage in AEs can be greatly reduced due to a large number of AEs. For instance, when the ratio is 1:1.5, the server usage in AEs can be reduced by ∼49%. Therefore, SCA-RA algorithm can effectively reduce the server usage by optimizing resource allocation for slices. Besides, when the number of URLLC slices increases, more servers are required to provide IT resources for slices. The usage of TPs in MNs and AEs are shown in Fig. 10. Similar with the server usage in MNs, SCA-RA algorithm makes little difference on the TP usage in MNs. However, the TP usage in AE can be reduced by ∼24% with SCA-RA algorithm. This is because SCA-RA algorithm VOLUME 8, 2020 can aggregate F1 flows from local AE as well as neighbor AEs.
According to the above two cases, compared with the benchmark, the proposed SCA-RA algorithm can make more slices accommodated in 5G RAN by optimizing the allocation of heterogenous resources. Meanwhile, the proposed SCA-RA algorithm can bring savings in terms of server and TP usage, with the cost of slightly higher wavelength usage. It is worth noting that the server usage in AEs is significantly reduced by SCA-RA algorithm.

VI. CONCLUSION
With the constraint of avoiding SCA, this paper investigates how to optimize the resource allocation for eMBB and URLLC slices in 5G RAN. A SCA-RA heuristic algorithm is proposed to address this problem, with the objective of maximizing the number of slices accommodated in 5G RAN. Simulation is carried out to evaluate the performance of the proposed SCA-RA algorithm and two different network scenarios are considered. Simulation results show that the proposed SCA-RA algorithm can effectively reduce the blocking ratios of slice requests, compared with the benchmark. In addition, the usage of IT and transport resources is also reduced by optimizing the allocation of heterogeneous resources for slices. In future work, we plan to utilize artificial intelligence algorithms to improve the security of network slicing in 5G RAN [32]. His research interests include software-defined optical networks, edge computing, and 5G optical transport networks.