[AusNOG] NBN - GPON encryption

yaleman at ricetek.net yaleman at ricetek.net
Thu Jun 11 06:52:21 EST 2015


This. If you don't control it end to end, and you actually need it
secure, then you need to secure it with your own methods. 

James

On Thu, 11 Jun 2015, at 00:26, Julien Goodwin wrote:
> On 10/06/15 14:33, Radek Tkaczyk wrote:
> >  >> And all directional splitters have some back propagation.
> >
> > Exactly – that is the problem we are investigating.
> >
> > If there is no encryption on the upstream, then this can be intercepted.
> >
> > What’s worse – is that if the encryption keys are sent in the clear on
> > the upstream, then an attacker could in theory get those encryption
> > keys, and then decrypt the downstream traffic as well.
> >
> > I just hope I’m wrong about this….
> 
> Which is exactly why if you're deploying encryption you want to do it on 
> endpoints under your total control.
> 
> Even ignoring external threats all it would take is one mistake[1], 
> bug[2], or malicious actor inside NBNco for them, or possibly others, to 
> have access to your traffic.
> 
> And that's without even trotting out intercept requests etc.
> 
> NBNco links, as with any other third party (electrically) multiplexed 
> service, are best treated the same way you'd treat a random Internet
> path.
> 
> 
> 1: Meant to debug by sniffing traffic on link 13443, accidentally 
> sniffed 14334.
> 2: I've seen bad route memory in routers do some horrible things. And 
> without good monitoring you might not even notice if all it caused was a 
> few extra hops.