[AusNOG] NBN - GPON encryption
Julien Goodwin
ausnog at studio442.com.au
Thu Jun 11 00:26:14 EST 2015
On 10/06/15 14:33, Radek Tkaczyk wrote:
> >> And all directional splitters have some back propagation.
>
> Exactly – that is the problem we are investigating.
>
> If there is no encryption on the upstream, then this can be intercepted.
>
> What’s worse – is that if the encryption keys are sent in the clear on
> the upstream, then an attacker could in theory get those encryption
> keys, and then decrypt the downstream traffic as well.
>
> I just hope I’m wrong about this….
Which is exactly why if you're deploying encryption you want to do it on
endpoints under your total control.
Even ignoring external threats all it would take is one mistake[1],
bug[2], or malicious actor inside NBNco for them, or possibly others, to
have access to your traffic.
And that's without even trotting out intercept requests etc.
NBNco links, as with any other third party (electrically) multiplexed
service, are best treated the same way you'd treat a random Internet path.
1: Meant to debug by sniffing traffic on link 13443, accidentally
sniffed 14334.
2: I've seen bad route memory in routers do some horrible things. And
without good monitoring you might not even notice if all it caused was a
few extra hops.
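The point of the exchange above is that a link-layer key announced in the clear on the upstream protects nothing against anyone who can see both directions, whereas encryption done on endpoints you control, under a key that never crosses the shared medium, still holds. The following is an added example, not code from the thread or from NBN/GPON: a constructed model of an access link where the customer-side device announces its link key upstream in the clear (the scenario Radek describes, not a claim about the real NBN key exchange), a passive observer holding the capture, and an optional endpoint layer keyed by a pre-shared key assumed to have been provisioned out of band. The authenticated stream cipher is a toy built from HMAC-SHA256 so the script runs on the standard library alone; a real deployment would use IPsec, WireGuard or TLS instead.

```python
"""Constructed model: link-layer key exposed upstream vs. endpoint encryption.

Added example, not part of the AusNOG thread. The cipher below is a toy
encrypt-then-MAC construction (HMAC-SHA256 keystream + HMAC tag) used only so
the demonstration runs without third-party packages.
"""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple


def _subkey(key: bytes, label: bytes) -> bytes:
    # Derive independent encryption and MAC keys from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks.
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    ek, mk = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(ek, nonce, len(plaintext))))
    tag = hmac.new(mk, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time, then decrypt; raises on a bad key/tag."""
    ek, mk = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(mk, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(ek, nonce, len(ct))))


# Constructed link model. The customer-side device announces its link key
# upstream in the clear; back-propagation through the splitter is assumed to
# let a passive observer see that upstream frame as well as the downstream.
KEY_FRAME = b"LINKKEY:"


def run_session(downstream_payload: bytes,
                endpoint_key: Optional[bytes]) -> List[Tuple[str, bytes]]:
    """Return the (direction, frame) pairs a passive observer would capture."""
    link_key = os.urandom(32)
    capture = [("up", KEY_FRAME + link_key)]
    # With endpoint encryption the payload is sealed under a key that never
    # crosses the shared medium, before the link layer ever sees it.
    inner = seal(endpoint_key, downstream_payload) if endpoint_key else downstream_payload
    capture.append(("down", seal(link_key, inner)))
    return capture


def observer_view(capture: List[Tuple[str, bytes]]) -> bytes:
    """What someone holding only the capture can read of the downstream data."""
    link_key = next(f[len(KEY_FRAME):] for d, f in capture
                    if d == "up" and f.startswith(KEY_FRAME))
    downstream = next(f for d, f in capture if d == "down")
    return unseal(link_key, downstream)


if __name__ == "__main__":
    payload = b"constructed customer data"          # constructed sample
    print("link-only:", observer_view(run_session(payload, None)))
    psk = os.urandom(32)                              # assumed provisioned out of band
    print("endpoint :", observer_view(run_session(payload, psk))[:16].hex(), "...")
```

With link encryption alone, `observer_view` returns the customer payload because the capture contains the key needed to strip the link layer; with the endpoint layer, the same observer is left with an opaque blob that `unseal` rejects under any key but the pre-shared one. The design point is not the cipher but where the key lives: the only secret the observer never sees is the one that was never transmitted over the link.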