Next Generation Access Network (in)security

Similar documents
Gigabit-capable Passive Optical Networks (GPON): General characteristics

Passive Optical Networks: Recent Developments and Issues

Prospects and Problems GPON Technology over Ethernet Technology

Operator s Requirements for G-PON:

PON Technology A Shift in Building Network Infrastructure. Bob Matthews Technical Manager CommScope Canada

BT and The Developing Optical Access Network Malcolm Campbell BT Design

BroadbandSoHo. Verizon MDU FTTP Overview. Document Description:

Broadband Forum G-PON ONU Certification Program Update

Energy efficiency in TLC Networks: the Operator and the User perspective

Next Generation Access Glossary. 21CN: BT s upgrade of their core network (the backbone of the network).

GPON - EPON Comparison

Ethernet Passive Optical Networks EPON

Planning for Universal Broadband Solving for x

The battle for the residential customer

Alcatel 7342 Intelligent Service Access Manager (ISAM) Fiber to the User (FTTU)

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

FTTH Explained: Delivering efficient customer bandwidth and enhanced services Michael Kunigonis Product Line Manager Access Corning Cable Systems

FTTH Technology Developments and Trends. Stephen Hardy Editorial Director & Associate Publisher Lightwave

Objectives. Remote Connection Options. Teleworking. Connecting Teleworkers to the Corporate WAN. Providing Teleworker Services

Connect & Go with WDM PON Ea 1100 WDM PON

CommScope GPON. The End-to-End PON Solution. GPON Solution

Securing IP Networks with Implementation of IPv6

Analysis of the threshold between GPON and EP2P

Economic issues of (broadband) access networks. C. Courcoubetis

FTTH ARCHITECTURE WHITE PAPER SERIES

EPON Technology White Paper

Draft ITU-T Recommendation X.805 (Formerly X.css), Security architecture for systems providing end-to-end communications

Deep-fiber broadband access networks

Revisiting Access and Aggregation Network Architecture

Green Wireline Networks home networks sensors networks

CS5008: Internet Computing

Healthcare ICT Trends & Innovation: Passive Optical LAN (GPON) for the New Era

COSC 472 Network Security

GPON INNOVATION ABOUT PT INOVAÇÃO OPEN YOUR NETWORK TO THE FUTURE BEYOND PT INOVAÇÃO GPON IN-A-BOX

Security for 802 Access Networks: A Problem Statement

How Enterprises Are Solving Evolving Network Challenges with Optical LAN

GPON- Gigabit Passive Optical Network

FTTH solutions for providing broadband services to end-users

GIGABIT PASSIVE OPTICAL NETWORK

Genexis FTTH Network Architecture

GEPON & GPON Comparison. James Young, Technical Director, APAC

Advanced Topics in Distributed Systems. Dr. Ayman Abdel-Hamid Computer Science Department Virginia Tech

Security Requirements for Wireless Networking

Overview of the BBF access-network solution

Link Layer and Network Layer Security for Wireless Networks

TROUBLESHOOTING AT THE SPEED OF LIGHT EMBEDDED OTDR FOR OPERATIONAL EXCELLENCE IN PASSIVE OPTICAL NETWORKS

The Economics of Broadband Access Platform Evolution

TELECOMMUNICATIONS STANDARDS ADVISORY COMMITTEE WORKING GROUP ON COMMON CONNECTION STANDARDS (CCS)

OPTICAL NETWORKS. Optical Access Networks. A. Gençata İTÜ, Dept. Computer Engineering 2005

Chap. 1: Introduction

Deutsche Telekom Super FTTC. The Hague, June 2015

Construction of High-speed and High-reliability Optical Networks for Social Infrastructure

GPON in Mobile Backhaul

Making Communities Better with Broadband

White Paper: Broadband Access Technologies A White Paper by the Deployment & Operations Committee

The Infrastructure of Tomorrow, Available Today. Luca Rozzoni RCDD Business Line Manager TE Connectivity

Appendix C. Glossary of Broadband Terms

Cryptography and Network Security Overview & Chapter 1. Network Security. Chapter 0 Reader s s Guide. Standards Organizations.

Securing VoIP Networks using graded Protection Levels

TWDM PON Is on the Horizon. Facilitating fast FTTx network monetization

Virtual Privacy vs. Real Security

TR-156 Using GPON Access in the context of TR-101

Chapter 6: Fundamental Cloud Security

PN8600 Serials. Product Specification. Topvision Technology Co., Ltd

Telecom Italia technology enablers for new markets

Cryptography and Network Security Chapter 1

HST-3000 Handheld Services Tester. Platform Overview

VoIP Security regarding the Open Source Software Asterisk

Bandwidth Allocation DBA (BA-DBA) Algorithm for xpon Networks

Progress on Super Fast Fibre Access

NOWADAYS one can observe increasing demand for. How to build a flexible and cost-effective high-speed access network based on FTTB+LAN architecture

Performance Evaluation of Dynamic Bandwidth Allocation Algorithm for XG-PON Using Traffic Monitoring and Intra- Scheduling

HughesNet Broadband VPN End-to-End Security Using the Cisco 87x

MR-229 Leveraging Standards for Next Generation Wholesale Access

1550 Video Overlay for FTTH

How GPON Deployment Drives the Evolution of the Packet-Based Network

Cryptography and Network Security

FTTH Deployment Options for Telecom Operators

4G: Fourth generation mobile phone standards and technology. Provides faster mobile data speeds than the 3G standards that it succeeds.

National Broadband Infrastructure Plan for Next Generation Access

Fiber to the Home. Definition. Overview. Topics

WDM-PON: A VIABLE ALTERNATIVE FOR NEXT GENERATION FTTP

Joint ITU-T/IEEE Workshop on Next Generation Optical Access Systems. Verizon FiOS FTTP Deployment and NG PON Perspectives

Cincinnati Bell Wireline Broadband Network Policies November 20, 2011

White Paper Testing Ethernet Passive Optical Networks

Security Considerations for Intrinsic Monitoring within IPv6 Networks: Work in Progress

SCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005

INTERNATIONAL TELECOMMUNICATION UNION SERIES L: CONSTRUCTION, INSTALLATION AND PROTECTION OF CABLES AND OTHER ELEMENTS OF OUTSIDE PLANT

Strategic White Paper

Tutor: Orawan Tipmongkolsilp

GPON Section Reporter: 王 依 盈

PMD Burst Mode Dynamic Performance Requirement

Power Saving Modes for GPON and VDSL2

Towards networks of the future: SDN paradigm introduction to PON networking for business applications

Transcription:

P0 Next Generation Access Network (in)security Security proposal for NGN standardization 4 th ETSI Security Workshop Sophia Antipolis, France 13-14 January 2009 Paolo DE LUTIIS, Roberta D AMICO, Luciana COSTA Telecom Italia SpA Via Reiss Romoli 274, Turin Italy 0

P1 Next Generation Access Network (in)security Summary: Background: GPON-based NGA Networks (ITU-T G.984.x) GPON-based NGA main security threats Profiling a complete security mechanism for GPON Conclusions 1

P2 Background: ITU-T G.984.x Passive Optical Network (PON) In order to fully deploy the potentiality of the NGN and related services (e.g. Video-On- Demand, interactive gaming, video conferencing), telco Operators are migrating their broadband access network (copper based) to the ultrabroadband fiber-based access networks. Passive Optical Networks (PON) appear to be the best candidate for the Next Generation Access (NGA) network. GPON is an International Telecommunication Union (ITU)-backed standard, supported by the Full Service Access Network (FSAN) group, a forum comprising mostly carriers. GPON can support to 2.5 Gbps downstream and 1.25 Gbps upstream data transmissions Like all PON standards, GPON uses a point-to-multipoint access architecture downstream (to the user) and a point-to-point architecture upstream. 2

P3 Background: (G)PON deployment scenarios FTTCab cabinet CO Cabinet ONU DSL OLT S Underground FTTB FTTH Street Aerial CPE CPE ONT ONT CPE ONT ONU DSL S 3

P4 Background: currently defined ITU.T G.984.3 security mechanisms Currently G.984.3 defines two identification/activation mechanisms Method A: pre-provision of ONU/ONT serial number to an OLT Method B: the serial number is not known in advance and the OLT activates the ONT/ONU on the fly There are currently 2 security mechanisms, both specified as optional: Authentication of the ONU/ONT by means of (PLOAM) password; Encryption of the downstream traffic only (from the CO to the customer side) by means of AES (128 bit) The upstream traffic is not considered at risk because the high directionality of the PON components (it is assumed that the traffic sent from one ONT to the OLT cannot be sniffed by other ONTs). 4

P5 Background: currently defined ITU.T G.984.3 security mechanisms (optional) OLT Splitter ONT/ONU RANGING Request_Password Password Cleartext Request_Key Encryption_Key AES (128bit) encrypted communication (downstream only) 5

P6 GPON main security threats The security mechanisms already defined are based on the assumption that all the GPON elements will be strongly physically protected. GPON communication are vulnerable to severe security issues, such as: Fake/Forged OLT: currently no OLT identification and authentication mechanisms have been specified Man In The Middle (MITM) attacks Passive attacks: password and keys sent as cleartext Active attack: sensitive PLOAM messages are not authenticated (e.g. PASSWORD, encryption KEY) Several kind of DOS (Denial of Service) at GPON level e.g. during the activation phases. 6

P7 Main Security Threats: Fake OLT scenario (1/3) The ONT/ONU have no means to detect the fake OLT OLT Fake OLT ONT/ONU RANGING PROCEDURE Request_Password Password Request_Key Encryption_Key AES encrypted communication 7

P8 Main Security Threats: Passive MITM (2/3) The attacker can intercept data traffic and sensitive (unencrypted) information: authentication passwords and encryption keys (to be used later for e.g. unlawful interception) OLT ONT/ONU attacker Request_Password Password Request_Key Encryption_Key 8

P9 Main Security Threats: Active MITM (3/3) The attacker can modify sensitive (unencrypted) information: authentication passwords and encryption keys (in order to cause e.g. denial of service) OLT ONT/ONU attacker Request_Password Modified Password Request_Password Password Request_Key Modified Encryption_Key Request_Key Encryption_Key 9

P10 Main Security Threats: A robust security mechanism is missing Although some of these security threats could be addressed with security mechanisms implemented at the physical layer or at higher layer (e.g. IPSec), the GPON-based NGA remains vulnerable to several security attacks. It is important that the GPON infrastructure provides the missing security mechanisms in order to follow the layered security principle and to minimize OPEX and CAPEX of the Operators All the currently defined mechanisms cannot provide an adequate security level to the Operator needs. Moreover the described security gap in the standard could cause the definition of proprietary solutions. 10

P11 Profiling a complete security mechanism for GPON In order to face the listed security threats it is needed to add a new, complete, security mechanism. Such a mechanism should provide the following features: Strong authentication: the password used for the authentication should not be sent as cleartext (to avoid a passive MITM attacks) Mutual authentication: also the OLT should be authenticated by the ONT/ONU (to prevent fake OLT) Message authentication: the most sensitive messages should be authenticated (to prevent packet injection during active MITM attacks). Key management: the keys used for the encryption of the downstream traffic should be generated and exchanged in a secure way (to avoid privacy violations). 11

P12 How to enhance the current security mechanism: a proposal The enhanced security mechanism could be based on the following: The mutual authentication could be based on a challenge and response mechanisms (e.g. RFC2617) and a pre-shared secret provisioned on both, the OLT and the ONT, never sent as clear text. For example the current GPON Request_Password and Password messages can be used to convey the challenge and response values instead of the actual password The AES encryption keys could be generated independently by the OLT and the ONT/ONU. For example the current Request_key and Encryption_key messages can be used to convey parameters to be used in conjunction with the shared secret for the generation of the encryption keys, without the need to send any sensitive information as clear text. The preshared secret permits also the authentication of the exchanged messages in order to protect them from security attacks (messages forging). 12

P13 Conclusions The current specification cannot address properly several severe security issues: Fake/Forged OLT, passive and active MITM, DOS during GPON activation procedures At present, in order to cope with these security threats, the operator should adopt additional security mechanisms (e.g. at physical layer) and then increase its OPEX and CAPEX There is a need to increase the security of the current GPON systems, by means of a new security mechanism. Such a mechanism should fill in the security gap by adding the following features: Mutual and strong authentication between the OLT and ONT/ONU Secure key management for the generation and exchange of the (AES) encryption keys Low impact on the current GPON technology and Standards 13

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information