[AusNOG] NBN - GPON encryption

Mark ZZZ Smith markzzzsmith at yahoo.com.au
Thu Jun 11 12:34:25 EST 2015 

      From: Julien Goodwin <ausnog at studio442.com.au>
 To: Radek Tkaczyk <radek at tkaczyk.id.au>; John Lindsay <johnslindsay at mac.com>; Aftab Siddiqui <aftab.siddiqui at gmail.com> 
Cc: AusNOG Mailing List <ausnog at ausnog.net> 
 Sent: Thursday, 11 June 2015, 0:26
 Subject: Re: [AusNOG] NBN - GPON encryption
   
On 10/06/15 14:33, Radek Tkaczyk wrote:
>  >> And all directional splitters have some back propagation.
>
> Exactly – that is the problem we are investigating.
>
> If there is no encryption on the upstream, then this can be intercepted.
>
> What’s worse – is that if the encryption keys are sent in the clear on
> the upstream, then an attacker could in theory get those encryption
> keys, and then decrypt the downstream traffic as well.
>
> I just hope I’m wrong about this….

Which is exactly why if you're deploying encryption you want to do it on 
endpoints under your total control.
/ So NBN(co) stick a box on your wall that isn't physically protected from you (i.e., inside a locked rack) that holds those keys and others. Since security is a weakest link problem, I wonder how strong the "link" stuck on your wall is. Temper evident/proof case? Signed and verified firmware images? Hardware security module/secure cryptoprocessor to hold the keys?
/ I'd think it more likely that people could discover the critical keys from cracking open the NTU than getting them off of the wire via an optical tap (and even then, those keys should only really be session keys that roll-over periodically).
/ Then again, going by the recent articles about widespread vulnerabilities, the device behind the NTU (the RG/CPE) is likely to be a far more attractive target for somebody to spend time on.
/ People need to do proper threat modelling before worrying about mitigating specific threats. If they don't, they might miss the vulnerability that the attacker is most likely to target (e.g., focus on buying the best possible locks for the front door, while overlooking the fact that the windows don't have any locks at all ...)

Even ignoring external threats all it would take is one mistake[1], 
bug[2], or malicious actor inside NBNco for they, or possibly others to 
have access to your traffic.

And that's without even trotting out intercept requests etc.

NBNco links, as with any other third party (electrically) multiplexed 
service, are best treated the same way you'd treat a random Internet path.


1: Meant to debug by sniffing traffic on link 13443, accidentally 
sniffed 14334.
2: I've seen bad route memory in routers do some horrible things. And 
without good monitoring you might not even notice if all it caused was a 
few extra hops.


_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog


  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ausnog.net/pipermail/ausnog/attachments/20150611/ff7783b1/attachment.html>

More information about the AusNOG mailing list