dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
1710
share rss forum feed

sunday8pm

join:2010-05-24
Reviews:
·Bell Sympatico
·voip.ms

GPON security concerns vs cable

Hi,

I read more about GPON and it seems there is a potential security problem with this technology. This is due to the backhaul fibre being split between 16 to 128 homes and thus all the ONTs on the tree receive data that are intended for their neighbours. I understand there is some kind of encryption and that the ONT is set to drop frames that are not destined to it but I also read that it is feasible to eavesdrop on traffic regardless.
Now, I didn't find much details on how to do it in practice so I have no idea how far fetched or realistic is this concern.

What I was wondering though is how is this different from cable internet? As far as I understand, cable works the same way, there is a single fibre or coax reaching the neighbourhood box where the cables are then pulled to every house. Thus, data is also broadcast and the cable modem drops whatever is not destined to it.

AFAIK, nobody managed to eavesdrop on cable.

Am I right? Thoughts?


Qsig

join:2009-05-18
Kanata, ON
From what I understand of cable networks, because the modems are all authenticated, it becomes harder (not impossible) for someone to put a device to capture all info from the local segment. I'm sure there's also encapsulation on the cable as well with some encryption (I hope)

The GPON\ONT is a curious question because if you just had a media changer to go from SM fibre to cat5/6 and just plugged it into a computer, what could you get from a network capture.

Bell still uses PPPoE for profile and connection info over FTTH so you'll have some encapsulation there but still curious. I'll try this one day if I get my hands on a media changer.

Fraoch

join:2003-08-01
Cambridge, ON
kudos:2
Reviews:
·TekSavvy Cable
reply to sunday8pm
said by sunday8pm:

AFAIK, nobody managed to eavesdrop on cable.

Didn't prevent the Bell CSR telling me about this when I switched from DSL to cable. Now that was desperate, wonder how often that works?

But yeah, this doesn't seem to happen.
--
TekSavvy 28/1 cable - Technicolor DCM476 - Ubiquiti EdgeRouter Lite - Amer Networks SGD8 switch - ASUS RT-N66U (as WAP)


jmck
formerly 'shaded'

join:2010-10-02
Ottawa, ON
well before docsis you could sniff everything on your segment.

Fraoch

join:2003-08-01
Cambridge, ON
kudos:2
Reviews:
·TekSavvy Cable
said by jmck:

well before docsis you could sniff everything on your segment.

This was well into the DOCSIS 2 era, only 5 years ago. Smacked of desperation...always like to hear that from an incumbent actually.
--
TekSavvy 28/1 cable - Technicolor DCM476 - Ubiquiti EdgeRouter Lite - Amer Networks SGD8 switch - ASUS RT-N66U (as WAP)

sunday8pm

join:2010-05-24
Reviews:
·Bell Sympatico
·voip.ms
reply to Qsig
said by Qsig:

The GPON\ONT is a curious question because if you just had a media changer to go from SM fibre to cat5/6 and just plugged it into a computer, what could you get from a network capture.

From what I gather, the ONT is doing some kind of filtering. It gets all the frames but filters out everything not destined to this particular ONT.
I'd think that to eavesdrop in this particular context, it would take a rogue ONT that would not filter any frame out?

I don't want to try it myself, I'm curious and want to know more about the possibility and finding out how easy/hard it is to accomplish to better understand how serious of a security concern this could be.


TypeS

join:2012-12-17
London, ON
kudos:1
Reviews:
·TekSavvy Cable
I'm sure its about as much a security concern as its for someone getting onto your home network via WiFi if it's behind a proper WPA2 passkey: almost irrelevant.

I'm sure its completely doable with someone invested the time, funds and effort into attempting to eavesdrop on a HFC or GPON network. But how likely is that? Where's the motivation?

If the a government ministry or agency wanted your information, they'd just go to your ISP instead of snooping, if the ISP was willing.

Criminals? Yeah... they're gonna rather attack a target where there's some financial or substantial gain. There's easier ways for fishers or Nigerian "royalty" to get a hold of bank information too.

So unless you've pissed someone off that's really knowledge in networks, I don't think you have much, if any, to fear from someone eavesdropping on your connection if its HFC or GPON.

In any case, my thinking has always been, if someone is really concerned about privacy, they shouldn't have a home internet connection and not sign up social media networks, email services, etc. Expecting absolute privacy and security of privacy on the internet is a pipe dream.

sibisties

join:2012-06-04
Canada
kudos:8
reply to sunday8pm
Downstream data is AES encrypted on a GPON network, I would not be worried at all.

sunday8pm

join:2010-05-24
reply to sunday8pm
Good to know it's not a major concern. Thanks for your answers

InvalidError

join:2008-02-03
kudos:5
reply to sunday8pm
GPON borrows a lot from DOCSIS due to being TDM shared-media (why re-invent stuff like the ranging process to calculate upstream timings when DOCSIS has already solved that specific problem?) and one of those many things is indeed upstream/downstream encryption. So properly deployed GPON should be as secure as DOCSIS.


skuv

@juniper.net
reply to Qsig
said by Qsig:

The GPON\ONT is a curious question because if you just had a media changer to go from SM fibre to cat5/6 and just plugged it into a computer, what could you get from a network capture.

Since the signal from a GPON is not Ethernet, you're not going to get anything from a media convertor. A media convertor is to convert the media (fiber) to another media (copper.) It is not a protocol convertor.


Gone
Premium
join:2011-01-24
Fort Erie, ON
kudos:4
said by skuv :

Since the signal from a GPON is not Ethernet, you're not going to get anything from a media convertor. A media convertor is to convert the media (fiber) to another media (copper.) It is not a protocol convertor.

I'm pretty sure Bell is using EPON, with Internet on VLAN 35, TV on VLAN 36 and telephone on (if I remember...) VLAN 34.

Unless they're encapsulating over ATM, which would be odd...

InvalidError

join:2008-02-03
kudos:5
said by Gone:

Unless they're encapsulating over ATM, which would be odd...

GPON uses GPON Encapsulation Method (GEM) to carry whatever other L2/L3 protocol goes on top so there is nothing strange about Bell using Ethernet-over-GEM which appears to be the standard application.

Almost exactly the same happens on cable where Ethernet gets framed over DOCSIS.


Gone
Premium
join:2011-01-24
Fort Erie, ON
kudos:4
Gotcha.

kovy7

join:2009-03-26
kudos:8
reply to Gone
said by Gone:

said by skuv :

Since the signal from a GPON is not Ethernet, you're not going to get anything from a media convertor. A media convertor is to convert the media (fiber) to another media (copper.) It is not a protocol convertor.

I'm pretty sure Bell is using EPON, with Internet on VLAN 35, TV on VLAN 36 and telephone on (if I remember...) VLAN 34.

Unless they're encapsulating over ATM, which would be odd...

Bell is GPON.

prairiesky

join:2008-12-08
canada
kudos:2
reply to sunday8pm
fiber can be snooped. a friend of mine is working with a government to monitor the movement of fiber optic cables. With fiber you can break out enough light to be able to record the patterns. It of course means decoding those pulses which is a completely different matter. But technically it's really really easy to snoop fiber.

The tech they've developed can tell if you move the cable on the floor or if it's been touched, or tapped. really cool stuff

InvalidError

join:2008-02-03
kudos:5
said by prairiesky:

But technically it's really really easy to snoop fiber.

To tap fiber, you need to know which fiber you actually need to tap into, which is easier said than done when cables may have over 1000 strands with 4-16 GPON subscribers each.

To make matters worse, GPON traffic is encrypted with AES128 so your chances of finding the subscriber you are looking for are slim to none without the incumbent's assistance... and doing so is pointless without the decryption keys anyway.

But if you are going to request the incumbent's assistance to locate fiber and acquire session decryption keys, you will likely need a court order and at this point, you would likely get told to get a wiretap warrant. This renders your neat equipment moot since the wiretap, if granted, will spare you the trouble of accessing the fiber plant, intercepting optical traffic, isolating a specific subscriber's flows and decrypting the traffic by giving you access to pre-filtered unencrypted subscriber traffic forwarded directly from the OLT.

While you can bend fiber just enough to make it leak enough light to read traffic from it, the ability is pointless if there is reasonably strong L2 encryption on it as is the case with GPON.