[AusNOG] NBN - GPON encryption

Julien Goodwin ausnog at studio442.com.au
Thu Jun 11 00:26:14 EST 2015


On 10/06/15 14:33, Radek Tkaczyk wrote:
>  >> And all directional splitters have some back propagation.
>
> Exactly – that is the problem we are investigating.
>
> If there is no encryption on the upstream, then this can be intercepted.
>
> What’s worse – is that if the encryption keys are sent in the clear on
> the upstream, then an attacker could in theory get those encryption
> keys, and then decrypt the downstream traffic as well.
>
> I just hope I’m wrong about this….

Which is exactly why if you're deploying encryption you want to do it on 
endpoints under your total control.

Even ignoring external threats, all it would take is one mistake[1], 
bug[2], or malicious actor inside NBNco for them, or possibly others, to 
have access to your traffic.

And that's without even trotting out intercept requests etc.

NBNco links, as with any other third party (electrically) multiplexed 
service, are best treated the same way you'd treat a random Internet path.


1: Meant to debug by sniffing traffic on link 13443, accidentally 
sniffed 14334.
2: I've seen bad route memory in routers do some horrible things. And 
without good monitoring you might not even notice if all it caused was a 
few extra hops.

