FOT Lesson: XG-PON certification and security features

XG-PON’s security threat model introduction

When considering the security of XG-PON, you should pay attention to the following threat models:

  1. Since downstream data is broadcast to every ONU connected to the OLT, a malicious user can receive other users' downstream data by replacing or reprogramming an ONU.
  2. Since the upstream data received by the OLT can come from any ONU connected to the ODN, a malicious user can impersonate another user's ONU by replacing or reprogramming an ONU.
  3. An attacker can connect a malicious device to the fiber plant in a variety of ways to steal data or inject a counterfeit data stream. Depending on the location of the connection point, such a device can pose as an OLT or as an ONU.
  4. In any of the above scenarios, a malicious user can intercept and replay data exchanged on the line, or perform a bit-flipping attack on it.

XG-PON certification and security features

  Since the construction environment of the PON network is very diverse, in some cases, the installation of the ODN and the optical splitter or even the ONU must take into consideration the physical security and the security of the service data. However, from the economic point of view, the security features of XG-PON are optional.

XG-PON’s authentication

1) Authentication overview
  The XG-PON system can support the following three authentication methods.

  1. ONU authentication based on the registration ID: This authentication is performed during the activation of the ONU. The identity of the ONU device is authenticated, but the OLT device cannot be authenticated.
  2. Two-way authentication based on OMCI message interaction.
  3. Two-way authentication based on IEEE802.1X message interaction.

  The XG-PON system should be capable of supporting all three authentication methods at the same time, but whether the latter two are actually used depends entirely on the needs of the operator. In other words, the TC layer implementation should be able to support mutual authentication, but a given device does not necessarily implement these features.

  If the ONU device fails authentication, the OLT should take corrective measures, including repeating the authentication, blocking the ONU's upstream and downstream data streams, deactivating or disabling the ONU, and starting rogue-ONU diagnostic processing.

2) Authentication based on registration ID

  The authentication mechanism based on the registration ID applies only to authentication of the ONU device, and it is the mechanism that an XG-PON system must support. Authentication based on the registration ID has the following prerequisites:

  • Assign the registration ID to the user on the management side;
  • The registration ID is configured to the OLT and is provided to the field operator or directly to the user.

  The authentication method based on the registration ID requires some means of configuring the registration ID into the ONU; our engineers can be consulted for the specific method.
  During the ONU activation phase, the ONU responds to the ranging grant and reports its registration ID to the OLT through the PLOAM channel. The OLT authenticates the ONU based on the received registration ID.
  After that, the operator can decide whether to restart the authentication process according to his own requirements. The re-authentication process is: the OLT sends the “Request_Registration” PLOAM message, the ONU responds by reporting its registration ID in the “Registration” PLOAM message, and the OLT authenticates the ONU again based on the received registration ID.

  If the operator chooses not to provide the registration ID to the ONU, the ONU shall report the default registration ID value during the activation and registration response phase.
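The registration-ID procedure above, modelled from the OLT's point of view as an added example (not FOT's code or the standard's): the ONU reports its configured ID or the default in the Registration PLOAM, the OLT matches it against management-side provisioning, and repeated failures lead to deactivation. The 36-byte field length, the all-zero default ID and the MAX_FAILURES policy are assumptions of this example.

```python
"""OLT-side model of XG-PON registration-ID authentication (added example).
Assumed, not from the lesson: 36-byte ID field, all-zero default ID for an
unprovisioned ONU, MAX_FAILURES repeated attempts before deactivation."""
import hmac
from dataclasses import dataclass, field
from typing import Optional

REG_ID_LEN = 36                     # assumed registration-ID field length
DEFAULT_REG_ID = bytes(REG_ID_LEN)  # assumed default reported by an unconfigured ONU
MAX_FAILURES = 2                    # assumed operator policy


def pad_reg_id(reg_id: str) -> bytes:
    """Pad an operator-assigned ID to the fixed field length with 0x00."""
    raw = reg_id.encode()
    if not raw or len(raw) > REG_ID_LEN:
        raise ValueError("registration ID must be 1..%d bytes" % REG_ID_LEN)
    return raw.ljust(REG_ID_LEN, b"\x00")


def onu_registration_ploam(configured_id: Optional[str]) -> dict:
    """ONU side: the upstream Registration PLOAM carries the configured ID,
    or the default value when the operator provided none."""
    reg_id = pad_reg_id(configured_id) if configured_id else DEFAULT_REG_ID
    return {"ploam": "Registration", "reg_id": reg_id}


@dataclass
class OltAuthenticator:
    provisioned: dict            # subscriber -> registration ID, from the management side
    failures: dict = field(default_factory=dict)
    deactivated: set = field(default_factory=set)

    def request_registration(self, onu_serial: str) -> dict:
        """OLT side: downstream PLOAM that triggers (re-)authentication."""
        return {"ploam": "Request_Registration", "onu": onu_serial}

    def authenticate(self, onu_serial: str, ploam: dict) -> str:
        """Match the reported ID against provisioning; escalate on repeated failure."""
        if onu_serial in self.deactivated:
            return "DEACTIVATED"
        reported = ploam["reg_id"]
        # compare against every provisioned ID in constant time, no early exit
        matched = [s for s, e in self.provisioned.items() if hmac.compare_digest(reported, e)]
        if matched:
            self.failures[onu_serial] = 0
            return "AUTHENTICATED:" + matched[0]
        self.failures[onu_serial] = self.failures.get(onu_serial, 0) + 1
        if self.failures[onu_serial] >= MAX_FAILURES:
            self.deactivated.add(onu_serial)  # block traffic; hand off to rogue-ONU diagnostics
            return "DEACTIVATED"
        return "UNPROVISIONED_RETRY" if reported == DEFAULT_REG_ID else "MISMATCH_RETRY"
```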

3) Secure two-way authentication

  There are two optional two-way authentication methods: OMCI-based authentication and IEEE 802.1X-based authentication. Both not only authenticate the ONU to the OLT but also authenticate the OLT to the ONU, protecting the system at both the central office and the terminal.
  If the system supports mutual authentication and the operator chooses to enable it, the OLT can initiate two-way authentication after the ONU is activated and before user data is exchanged. Thereafter, the operator decides whether re-authentication is necessary.

Key generation during XG-PON system working

  Under the following conditions, the OLT and the ONU participate in the key generation process:

  • During activation, the ONU reports its registration ID to the OLT;
  • The ONU responds to the OLT’s “Request_Registration” PLOAM message and reports its registration ID;
  • Two-way authentication based on OMCI or on IEEE 802.1X is performed.

  The XG-PON system can adopt multiple encryption algorithms. Before the encryption algorithm is enabled, the OLT and the ONU should negotiate the encryption algorithm through the OMCI channel.
