home tags events about login
one honk maybe more

igloo honked 19 Jan 2025 19:35 -0800

Digging through some specs today led to some fun places.

On GPON networks, downstream flows are encrypted, but upstream flows are (by the spec) never encrypted[1]. On XGS-PON, upstream flows are optionally encrypted[2]. At least one large FTTH ISP in North America (and I'd imagine many others) doesn't seem to actually be enabling it[3].

Not that the built in encryption provides much protection. All keys chain back to a symmetric session key that can be derived by any party that witnesses the initial handshake[4].

While the logic of "we broadcast downstream and use timeslots for upstream" does make the need for downstream encryption feel more important, listening on all timeslots for a given loop to snatch data sent upstream feels like something we should have solved by 2025.

[1] ITU G.984.4 page 52 (pdf 58)
[2] ITU G.988 page 107 (pdf 113), Image 1
[3] Image 2
[4] ITU G.9807.1 page 216 (pdf 208)

QwxgvJ9pYf6nxlSG44.png ymWJ6g3wQZ5xPvYnbv.png

benjojo@benjojo.co.u.. honked back 20 Jan 2025 07:47 -0800
in reply to: https://tupek.org/u/igloo/h/5rcK27Zx3tTdjG1HF8

@igloo I guess on DOCSIS it matters a lot more to encrypt upstream traffic, as it's much more snoopable than a optical path

The encryption (and efforts relating to managing a KMS) hikes up the cost quite a lot so I'm not surprised, that being said GPON is also really quite old! XGS-PON seemingly came around the time when vendors managed to nail down fast-and-cheap L1 encryption (and exporting such tech was less awful)

igloo honked back 20 Jan 2025 08:48 -0800
in reply to: https://benjojo.co.uk/u/benjojo/h/8RHP7jDy39JC2jB6pK

@benjojo Both GPON an XGS-PON devices necessarily will have some sort of AES(-CTR and possibly -ECB) hardware support, though in GPON land the ONTs/ONUs might only have decryption support. While it might have been cost-prohibitive to put encryption support on an ONT/ONU in 2004 (the first GPON rev), by 2010 (the latest GPON rev) it was far more practical to have both - revisions to support it as an option could be made.

XGS-PON's first rev (2016) didn't do as much as one might expect with the underlying crypto. Camilla was added as an option, as were larger key sizes for AES, though the derivation mechanism and modes remained unchanged (AEADs weren't new news in 2016!).

I suspect the desire was solely to prevent nosy neighbors and not to prevent someone a little more dedicated - i.e. no mass market "spy on your neighbors" devices could practically be sold due crypto and upstream attenuation. Everything else was out of the threat model. While practical, it wouldn't have taken much (barring export controls / implementer will, which are probably limiting factors) to provide much stronger controls.