1ST QUARTER 2007, VOLUME 9, NO. 1

www.comsoc.org/pubs/surveys

ON EPON SECURITY ISSUES

MAREK HAJDUCZENIA, SIEMENS NETWORKS S.A. AND UNIVERSIDADE DE COIMBRA
PEDRO R. M. INACIO, SIEMENS NETWORKS AND RUA MARQUES DE ÁVILA E BOLAMA
HENRIQUE J. A. DA SILVA, UNIVERSIDADE DE COIMBRA
MARIO M. FREIRE, RUA MARQUES DE ÁVILA E BOLAMA
PAULO P. MONTEIRO, SIEMENS NETWORKS AND UNIVERSIDADE DE AVEIRO

ABSTRACT

In this article we discuss in detail all major security-related issues inherently present in PON systems. Ethernet PON (EPON) type networks have very specific requirements for data- and system-level security, due to combining — for the first time using Ethernet links — residential and business customers with different security awareness levels and protection demands. Various types of potential network structure targeted attacks are elaborated, starting from simple passive monitoring, through flavors of denial of service (DoS), towards masquerading and theft of service (ToS), presenting a complete and detailed image of security threats in EPONs. Authentication and security mechanisms, as well as their shortcomings, are also briefly examined.

Ethernet Passive Optical Networks (EPONs) have very specific security requirements, due to the broadcast character of the transmission medium, providing services to a number of private/business customers, potentially transmitting security sensitive data (Fig. 1). The downstream broadcast channel is potentially available to any party interested in eavesdropping, since this is typically as simple as disabling the logical link identifier (LLID) filtering rules at the optical network unit (ONU) level and operating the module in a so-called promiscuous mode, with access to all downstream data flows. It is expected that service providers, using EPONs as a base for delivery of triple-play services, will assure sufficient levels of subscriber data privacy while keeping network access mechanisms as simple and user friendly as possible. It is therefore imperative to provide viable and efficient means of preventing eavesdropping (either global or local, on a per-neighboring station basis) and theft of service (ToS), where a malicious user impersonates another EPON subscriber and uses network resources (services, bandwidth, etc.) at his expense.

The remainder of the article is structured as follows. We present briefly the two major aspects of the EPON system operation, namely, the MPCP protocol and Dynamic Bandwidth Allocation (DBA) mechanisms, along with their impact on the system security. We present in detail security threats and prevention mechanisms for passive data mining and monitoring (eavesdropping), followed by a section devoted to the discussion of denial of service (DoS) attacks (at both system and data-plane levels). We elaborate ToS and masquerading attacks, which attempt to grant a malicious user unauthorized access to system resources and which may be prevented by the introduction of authentication mechanisms, also elaborated on briefly. Various flavors of security mechanisms proposed so far for application in EPON systems are discussed. We present the forecast developments in the field of EPON systems, with various forms of transmission channel capacity upgrades, ranging from WDM overlay, through raw data-rate increase and mixed scenarios, and ending with the OSP multiplication. The article ends with general security considerations and conclusions, followed by the references.

ISSN 1553-877X

EPON SYSTEM OPERATION

MPCP PROTOCOL

The Multi-Point Control Protocol (MPCP) was developed by the IEEE 802.3ah Task Force to resolve the problems related with point-to-point (P2P) Ethernet operation in the point-to-multipoint (P2M) environment of EPON systems. The said arbitration mechanism is used in the EPON system to dynamically allocate access to the transmission medium (fiber channel) to individual ONUs connected to the given PON structure, thus effectively assigning upstream transmission slots to all active slave devices. Provided that stable operation conditions are maintained in the network and no link suffers from catastrophic variations of the round-trip time (RTT), the allocated slots are always nonoverlapping, meaning that upon their arrival at the OLT’s receiver module, the data frames can be received properly, and delineated and decoded successfully, thus providing a data transmission path between a subscriber and the upper network layers (MAN/WAN), which the given EPON instance is connected to. The MPCP protocol therefore provides the complete signaling infrastructure (so-called control plane) for coordinating data transmissions originating from numerous active ONUs towards a single OLT receiver (thus P2M operation mode in the upstream direction).

The operation principle of the MPCP mechanism can be explained as follows: the whole available upstream channel bandwidth is divided into transmission units (typically termed slots) using the Time Division Multiplexing (TDM) technique, which can be assigned to the active ONUs (more specifically to the respective LLIDs) based on the DBA mechanism under operation in the OLT central packet scheduler. This packet scheduler assigns each LLID a certain fraction of the upstream transmission slot, which depends on the current bandwidth demand of the given entity (as indicated using the REPORT MPCP DU), available bandwidth, bandwidth demand of other LLIDs, number of LLIDs, employed service policy, and so forth. The ONU is then notified about the size and start of the transmission slot using the complementary GATE MPCP DU.

The MPCP transmission arbitration is based on two messages, namely, REPORT and GATE MPCP DUs, as indicated above. The REPORT MPCP DUs are transmitted by the ONU and are used to indicate the current bandwidth demand to the central OLT controller. The bandwidth demand is typically estimated based on the current queue occupancy (a single ONU can hold a number of packet queues storing Ethernet frames, mapped into a number of available LLID entities [1]), with the maximum number of queue reports included in a single REPORT MPCP DU limited to 13 due to the finite and pre-defined size of a MPCP DU. The IEEE 802.3ah standard additionally allows for the existence of so-called queue thresholds, providing the ONU with the ability to indicate several delineation boundaries per single queue, increasing the scheduling efficiency at the OLT side by providing additional information on the internal structure of each particular queue. The said mechanism was never elaborated in the aforementioned standard, and its implementation was left open for system developers. Once received at the OLT side, the REPORT MPCP DU is parsed and then passed to the DBA module, which is responsible for scheduling the size and start time of upstream transmission slots in such a manner that the resulting transmissions from various ONUs do not overlap at the OLT receiver. The size of each allocated slot depends on the actual bandwidth demand, selected service policy (whether static or dynamic bandwidth allocation is used), number of active LLIDs, amount of available bandwidth, polling protocol in use, and so on. The MPCP was designed in such a manner that it operates with any DBA mechanism, thus providing a common control plane for development of new bandwidth allocation protocols with arbitrary complexity.

Once the DBA module completes the slot size and time estimation process, a GATE MPCP DU is constructed, loaded with the respective DBA-estimated information, and delivered downstream at the first possible opportunity (please remember that Ethernet frames cannot be fragmented, and thus all MPCP DUs are transmitted with the highest priority, although they may be queued after a long frame under transmission). In accordance with the IEEE 802.3ah standard, a GATE MPCP DU allows the central OLT controller to schedule at most four transmission slots at once (so-called scheduling into the future), each with a size of up to 2^16 – 1 TQ (1 TQ = 2 B = 16 ns for an effective 1 Gb/s data rate), resulting in a single transmission slot limited to roughly 128 kB. Upon reception of such a MPCP DU, the ONU updates its local clock index using the time-stamp field carried in the message body, thus effectively maintaining global synchronization with the OLT clock without the need for a separate clock signal. The scheduling information is parsed and processed accordingly, resulting in the creation of transmission events, which are executed once the local clock value reaches the slot start value, as indicated in the previously processed GATE MPCP DU. During a transmission slot, the given ONU delivers backlogged Ethernet frames using its local intra-ONU scheduler, effectively attempting to fill in the allocated slot as much as possible. Since Ethernet frames cannot be fragmented and delineation bounds typically change between the REPORT MPCP DU transmission and reception of the respective GATE MPCP DU, unused slot remainders are created, leading to certain inefficiencies in the upstream channel transmission, examined in detail in [2]. The remaining frames, which do not fit the currently allocated slot, will be delayed until the next transmission opportunity is granted by the OLT scheduler.

Apart from the transmission scheduling, the MPCP protocol is also responsible for a number of other functions, vital for proper operation of the EPON system, namely auto-discovery, registration, and ranging (RTT computation) operations for newly added ONUs. The said operations constitute the so-called Discovery Process, during which the newly connected ONUs are allowed to register in the network structure and the OLT obtains information on their distance and capabilities (number of grants which can be queued, physical transmitter parameters, etc.). The Discovery Process itself is quite complex, featuring a time period named Discovery Window, during which all standard data transmission is withheld, allowing for unsynchronized delivery of REGISTER_REQ MPCP DUs, originating from newly connected ONUs, which have at least one unregistered LLID entity. The process is driven by the specific OLT agent, which periodically makes Discovery Windows available, by broadcasting GATE MPCP DUs with the Discovery flag enabled, containing the starting time and length of the discovery windows. The Discovery Window is the only period of time during which several ONUs can access the upstream channel simultaneously and in an unsynchronized manner, and thus the originating transmissions can overlap, leading to packet collisions and the need to re-attempt registration at the next opportunity. In order to reduce transmission overlaps, a contention algorithm is used by all ONUs in the form of a Random Delay mechanism, which defers transmission of the REGISTER_REQ MPCP DU in the allocated Discovery Window by a random number of time units, thus reducing the probability of packet collision. Therefore, the OLT may receive more than one valid register request during a single Discovery Window. A valid REGISTER_REQ MPCP DU contains the ONU’s MAC address and the maximum number of pending grants. Upon receipt of a valid REGISTER_REQ message, the OLT registers the ONU, allocating and assigning new port identities (LLIDs), and bonding the corresponding MAC addresses to the LLIDs.

After this is completed, the ONU needs to be notified of the successful reception of the register request, which is carried out by the use of a REGISTER MPCP DU containing the newly assigned LLID number and the OLT’s required synchronization time (physical layer parameter). Additionally, the OLT echoes the maximum number of pending grants, thus indicating that the information was received properly and that the scheduling process will be commenced. Next, a GATE MPCP DU is scheduled for the newly registered LLID, allowing the given ONU to transmit upstream the REGISTER_ACK MPCP DU, which completes the registration process. More details about the registration phase as well as RTT measurements can be found in the current version of the IEEE 802.3ah standard as well as in [3].

Figure 1. Standard EPON deployment with various scenarios of FTTx solution: FTTB, FTTC, FTTH, and mixed FTTH.

IEEE Communications Surveys & Tutorials • 1st Quarter 2007
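As an added illustration (not code from the paper or from the IEEE 802.3ah standard), the following Python models an OLT-side grant scheduler that applies the MPCP limits described above: 2-byte time quanta, the 2^16 – 1 TQ grant length cap, at most four grants per GATE, and RTT pre-compensation so that bursts arrive back-to-back at the OLT receiver. The guard band and the ranged RTT values are constructed, and the final function shows the overlap that a large RTT change on one link produces.

```python
"""Added example (not code from the paper or the IEEE 802.3ah standard): an
OLT-side grant scheduler that applies the MPCP limits described above and
checks that granted bursts do not overlap at the OLT receiver."""
from dataclasses import dataclass
from math import ceil

BYTES_PER_TQ = 2            # 1 TQ = 16 ns = 2 bytes at an effective 1 Gb/s
MAX_GRANT_TQ = 2 ** 16 - 1  # largest length one GATE grant can carry (~128 kB)
MAX_GRANTS_PER_GATE = 4     # "scheduling into the future" limit of one GATE
GUARD_TQ = 8                # assumed guard band between bursts (not from the text)


@dataclass(frozen=True)
class Grant:
    llid: int
    start_tq: int    # slot start in the ONU clock, which the GATE timestamp keeps
                     # aligned with the OLT clock as observed at the ONU
    length_tq: int


def grant_length_tq(requested_bytes: int) -> int:
    """Clamp a REPORTed demand to what one GATE length field can express."""
    return min(ceil(requested_bytes / BYTES_PER_TQ), MAX_GRANT_TQ)


class OLTScheduler:
    """Serialises upstream bursts at the receiver. rtt_tq holds the RTT measured
    for each LLID during ranging: a burst started at ONU time t arrives at the
    OLT at t + RTT, so the scheduler subtracts the RTT when it picks t."""

    def __init__(self, rtt_tq: dict, now_tq: int = 0):
        self.rtt_tq = rtt_tq
        # earliest arrival time every ONU can reach without a start in the past
        self.next_free_tq = now_tq + max(rtt_tq.values())

    def grant(self, llid: int, requested_bytes: int) -> Grant:
        length = grant_length_tq(requested_bytes)
        arrival = self.next_free_tq
        start = arrival - self.rtt_tq[llid]         # RTT pre-compensation
        self.next_free_tq = arrival + length + GUARD_TQ
        return Grant(llid, start, length)

    def build_gate(self, llid: int, requests) -> list:
        """One GATE MPCP DU carries at most four grants for the same LLID."""
        if len(requests) > MAX_GRANTS_PER_GATE:
            raise ValueError("a GATE can carry at most %d grants" % MAX_GRANTS_PER_GATE)
        return [self.grant(llid, r) for r in requests]


def receiver_overlaps(grants, actual_rtt_tq: dict) -> list:
    """Return (llid_a, llid_b) pairs whose bursts overlap at the OLT receiver,
    given the RTT each ONU actually experiences (the ranged RTT if nothing drifted)."""
    arrivals = sorted(
        (g.start_tq + actual_rtt_tq[g.llid],
         g.start_tq + actual_rtt_tq[g.llid] + g.length_tq, g.llid) for g in grants)
    return [(a[2], b[2]) for a, b in zip(arrivals, arrivals[1:]) if b[0] < a[1]]


# Constructed ranging results for three ONUs at different distances (in TQ)
RANGED_RTT = {1: 1250, 2: 1600, 3: 900}


def demo():
    """Grant three ONUs, then recheck the schedule after ONU 1's RTT grows by 2000 TQ."""
    sched = OLTScheduler(RANGED_RTT)
    grants = [sched.grant(1, 3000), sched.grant(2, 200_000), sched.grant(3, 1)]
    drifted = {**RANGED_RTT, 1: RANGED_RTT[1] + 2000}
    return grants, receiver_overlaps(grants, RANGED_RTT), receiver_overlaps(grants, drifted)


if __name__ == "__main__":
    gs, ok, bad = demo()
    for g in gs:
        print(g)
    print("overlaps with ranged RTT:", ok, "| after RTT drift on ONU 1:", bad)
```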

OVERVIEW OF DYNAMIC BANDWIDTH ALLOCATION MECHANISMS

So far, a number of DBA schemes have been proposed, increasing the upstream channel utilization and reducing the average packet delay along with the packet drop probability and expected length of packet queues. In general, EPON specific DBA algorithms may be classified into the following protocol groups:
• Statistical multiplexing algorithms (IPACT, IPACT extensions, and the like)
• QoS assurance algorithms (BGP and the like)
• Decentralized algorithms (CSMA/CD, DQDB)
Several DBA mechanisms are examined in detail in [4], namely Interleaved Polling with Adaptive Cycle Time (IPACT) [5], IPACT extensions [6–8], Bandwidth Guaranteed Polling (BGP) [9], and Deterministic Effective Bandwidth (DEB) [7]. Additionally, a few decentralized algorithms are available [10, 11], though they are not practically used due to serious PON infrastructure limitations imposed by the implementation of the CSMA/CD in the optical domain. Here, due to the scope of the article, we will examine only the impact of the DBA mechanism on the security in EPON systems.

DBA and Security Issues in EPONs — Operation of the DBA mechanism with a dynamic bandwidth assignment algorithm enabled (apart from the case of constant slot size allocation) has significant security impact on the whole EPON system. Since the bandwidth request originating from a single ONU cannot be forecasted precisely, let alone all the bandwidth requests from all active ONUs in the system, the sizes of the allocated upstream channel transmission slots can be assessed only statistically, thus imposing several security oriented repercussions:
• A malicious user can never know the size of the slot allocated to a given ONU in advance, unless static bandwidth allocation is used;
• The size of the allocated slot can only be assessed from the GATE MPCP DU transmitted from the OLT towards the given ONU, thus demanding constant observation and analysis of the data stream originating from the OLT. Due to the effective data rate of 1 Gb/s, such a task requires expert knowledge on the operation of the said system, as well as exploitation of very fast computational resources, capable of capturing and decoding Ethernet frame contents in real time at the full line rate.
In this way, the operation of the DBA mechanism has an advantageous effect on the overall system’s security, preventing simple network infiltrations based only on the polling order knowledge. In order to launch a successful attack, a malicious user has to have the ability to intercept the downstream MPCP DU stream, decode their contents and act accordingly, thus requiring expert knowledge on the operation of the EPON systems.

However, the DBA mechanism does not prevent network structure attacks and only makes them harder to concoct, since even the RTT times, known only by the OLT based on the RTT measurements carried out as part of the MPCP protocol, can be assessed indirectly, provided that upstream and downstream channels can be observed and decoded. However, this requires active interference into the upstream transmission channel, which is relatively secure due to its M2P character, which makes this kind of activity both illegal (since the PSC module is the property of the local service provider) and extremely difficult in practice (since the PSC modules are enclosed and need to be virtually destroyed to gain access to unused ports).

EAVESDROPPING IN EPONS

In Passive Optical Networks (PONs), eavesdropping is always possible in the downstream direction simply by operating one of the registered ONUs in the so-called promiscuous mode. Since each ONU in the network receives a copy of every single downstream packet transmitted by the Optical Line Terminal (OLT) (more correctly: broadcast by the OLT, since the downstream channel has P2M properties), no extensive modifications are required in the ONU hardware to enable its operation in a malicious mode. All that a network attacker has to do in this case is simply to disable LLID filtering rules and enjoy unrestricted access to all information transmitted in the downstream channel. What makes the situation worse, in this case, is that the employed eavesdropping method is completely passive, undetectable at the OLT level, and does not trigger any visible side-effects in the network structure/behavior. Therefore, it might go unnoticed and, what is even worse,

undisturbed 24 hours per day, seven days per week. This definitely violates all the provisions for data confidentiality and privacy.

In the upstream channel, subscriber data are more secure since, inherently, the network architecture prevents other subscribers from eavesdropping transmission contents from other stations, at the hardware level. As such, the upstream channel is considered secure, as far as passive monitoring is concerned. Only the OLT receives ONU transmissions and is aware of the activity periods of individual ONUs. It was argued [12] that the presence of a Passive Splitter/Combiner (PSC — Fig. 2) in the transmission path might introduce signal reflections sufficient (with enough amplification) to reconstruct upstream transmissions originating from other ONUs in the network. However, it has not been proven practically, until now, that such a mechanism is feasible [13] and that the existing signal reflections have sufficient power level to allow extraction of any useful signal above the noise floor in the network. It is therefore questionable whether this mechanism might be practically exploited, and further research (including practical signal strength measurements) is required to disprove/confirm this theory. Additionally, it is argued that such reflected upstream transmissions take place at a wavelength different from that used in the downstream, and thus ONUs [3] are typically not equipped with properly tuned receivers, though a malicious user might easily bypass this limitation by operating two ONUs with properly fine-tuned receivers. Additionally, it is also pointed out that the PSC unit itself constitutes a significant security threat, since this device is typically manufactured as a fully reciprocal device. Therefore, even though only one port of the device is connected to the trunk channel, many more ports are available but remain unconnected.

A custom-designed device might therefore be connected to such an unused port of the PSC, and deliver optical signal to a traffic analyzer, thereby providing access to subscriber and system sensitive data. However, progress in PSC packaging technology currently prevents this eavesdropping method, by applying so-called secure packaging, where only one trunk port and a pre-defined number of drop section ports are available, while others are hidden in a hermetic casing. Access to other ports is disabled and, typically, device destruction is required to open the casing, if attempting to gain unauthorized access to the upstream channel signal. Figure 2 presents an example of a modern PSC module in a secure casing, with one input and a pre-defined number of output ports.

Eavesdropping is typically one of the initial stages of the network attack, targeting the overall EPON network structure along with gaining unrestricted access to the transmission medium. It is therefore commonly considered as a preparation stage during which, by using simple and completely transparent data mining techniques, an attacker can obtain all types of sensitive information, beginning with subscriber data (confidential contents), subscriber activity periods (to be used later, when launching DoS or ToS attacks), system sensitive data (LLID and MAC addresses of individual ONUs in the system), and ending with polling protocol settings (which can be assessed based on GATE MPCP DUs and their contents). Having obtained all types of the aforementioned system and subscriber sensitive data, an attacker can go ahead with more visible and ultimately more destructive security breaches (namely, masquerading, DoS, ToS, etc.), as described in detail in the following sections.

Figure 2. a) Actual PSC unit with secure casing; and b) internal structure.

DENIAL-OF-SERVICE IN EPONS

DOWNSTREAM CHANNEL TRANSMISSION IN EPONS

In the downstream direction, Ethernet packets broadcast by the OLT pass through a 1 × N Passive Splitter Combiner (PSC) or a PSC cascade to reach the ONUs. Each ONU receives a copy of every downstream data packet. The number of connected ONUs can vary typically between 4 and 64, with 16 being a typical IEEE standard provisioned value (practical implementations generally include 32 units), limited by the available optical power budget. The downstream channel properties in this PON system make it a shared-medium network: packets broadcast by the OLT are selectively extracted by the destination ONU, which applies simple packet-filtering rules based on MAC and LLID addresses (see [1] for details). The downstream channel operation is best depicted in Fig. 3, where packets destined to different end subscribers are filtered out by the ONUs from the broadcast data flow.

UPSTREAM CHANNEL TRANSMISSION IN EPONS

In the upstream direction (Fig. 4), from the ONU towards the OLT, the EPON operates in the M2P mode, where numerous ONUs transmit their data packets to a single receiver module located in the OLT. Moreover, since individual ONUs are not aware of other ONUs’ transmissions (as the PSC is a directional device, an ONU cannot see the signal transmitted upstream by any other ONU), the resulting connectivity seems to be similar to the P2P architecture, where centrally managed access to the upstream channel allows for only a single ONU at a time to deliver pending packets. However, since all ONUs belong to a single collision domain, centrally managed channel access is required (typically via a DBA algorithm), and ONUs in their default state are not allowed to transmit any data unless granted specifically by the OLT. In this way, data collisions are avoided since, at any and every moment of time, the central OLT controller is aware of the scheduled transmissions from individual ONUs. The only exception from this centrally managed upstream channel access scheme is the so-called Discovery Process (as defined in [1]), where new, uninitialized ONUs are allowed to register in the EPON system.

A multiple access protocol is required in the upstream direction, since the EPON operates as a M2P network and every single ONU talks directly to the OLT. A contention-based media access mechanism (similar to CSMA/CD [1, 10]) is difficult to implement since, in the typical network deployment, ONUs cannot detect a collision at the OLT, and providing the architecture with a feedback loop leading to every single ONU is not economically feasible. Contention-based schemes have the drawback of providing a nondeterministic service, i.e., node throughput and channel utilization may be described as statistical averages, and hence there is no guarantee of an ONU getting access to the media in any small interval of time, which means that this type of access protocol is ill-suited for delay-sensitive transmissions, such as video conferencing or VoIP. In order to introduce determinism in the frame delivery, different noncontention schemes based on request/grant mechanisms have been proposed [5, 9, 14, 15].

UPSTREAM CHANNEL DENIAL OF SERVICE

A Denial-of-Service (DoS) attack causes loss of standard services observed by all registered and active subscribers and potential loss of network connectivity, if network equipment is under attack, or severe service quality deterioration, if only one local machine is subject to such an intrusion. Typically, the said attack is carried out by consuming a significant share of the available bandwidth and network resources in the targeted system, overloading any existing pieces of hardware with strenuous and in many cases infinite tasks, resulting in denial of service for legitimate subscribers and/or deterioration in quality of service (QoS), as observed from a user point of view. A standard DoS attack can be perpetrated in a number of ways, comprising three major types of security breaches:
• Consumption of computational resources, such as bandwidth, disk space, or CPU time
• Disruption of system sensitive configuration information, such as routing information, LLIDs, MAC addresses, VLAN tags, and so forth
• Disruption of network connectivity at the physical level, for example, by flooding the upstream channel with a strong laser signal, thereby preventing useful transmissions from any legitimate subscriber

The simplest type of DoS attack which can be perpetrated in PON networks, and more specifically in EPONs, is a simple network connectivity disruption, which in this particular case (since the EPON has a P2M architecture) is limited to turning on a strong laser signal source transmitting in the upstream channel at the proper wavelength (Fig. 5), coherent with the selected upstream transmission window. This might lead to a network lock-down in the upstream channel and, additionally, due to the operation of a keep-alive mechanism, will result in a system restart, thus facilitating resource hacking and bringing down the meticulously crafted security mechanisms. The system under such an attack can be protected only in two ways: either the whole PON system is brought down and the DoS source is detected (e.g., by using passive signal power measurement techniques) and dealt with, or the upstream transmission channel is shifted dynamically to avoid disrupting transmission. The former solution is feasible and might typically be employed in an EPON under DoS attack, while the latter is quite difficult to carry out, mainly due to fixed-wavelength laser sources mounted in ONUs, as well as lack of a proper signaling protocol. All in all, such a simple DoS attack can have a very serious and disruptive impact on the network structure, QoS, and data security.

Since EPONs feature a completely passive network structure, with no active signal routers between the ONUs and the OLT, all forms of DoS attacks relying on system-specific features (such as disrupting routing tables, etc.) cannot be inherently perpetrated in this case. Only disruption of system sensitive data, including MAC and LLID addresses, is possible, along with forging fake REPORT MPCP DUs with exaggerated bandwidth requests, causing a poorly designed DBA algorithm to assign a huge share of the available system resources to a malicious ONU, while starving the remaining, legitimate subscribers. Introduction of a single ONU with frequently changing MAC address might cause the central OLT controller to quickly exhaust the available number of MAC instances and deny registration for any newly connected legitimate ONU. The same situation can be forged at the LLID level. LLID addressing space is finite, and thus a malicious ONU running a modified registration policy might attempt registering several thousand LLIDs, until the central OLT controller again runs out of addressing space and starts denying services for legitimate subscribers. A possible countermeasure against such an attack (both MAC and LLID based) includes either subscriber sensitive data encryption (LLID/MAC fields transmitted in scrambled format) connected with authentication [16, 17], or utilization of time-out events. Time-outs were selected originally for IEEE 802.3ah standardization, causing automatic deregistration of a MAC/LLID instance which does not respond to a keep-alive mechanism [1] within a pre-defined period of time. This prevents less sophisticated forms of system level DoS, where a single malicious ONU is operated with frequently changing LLID/MAC data. However, the recent introduction of distributed DoS (DDoS) attacks, as well as a very simple modification of the DoS attack within a single network instance, might prove time-out events useless as far as system level security is concerned.

Figure 3. Downstream channel transmission in an EPON (P2M operation [broadcast] & LLID packet filtering).

Figure 4. Upstream channel transmission in an EPON (M2P operation) - standard TDM based channel sharing.

Figure 5. Upstream channel transmission in an EPON (M2P operation) - DoS from one ONU.

Provided that a malicious user operates an ONU in a promiscuous mode, with unrestricted access to the downstream data channel, and has the capability of tracking down all data flows between the target MACs/LLIDs and the OLT, it is fairly easy to assign the given modified ONU a series of LLIDs and MAC addresses, and track operation of the keep-alive mechanism in EPONs. When a keep-alive GATE MPCP DU is delivered to such a phantom ONU, an attacker would only need to spoof a “legitimate” REPORT MPCP DU with zero/maximum bandwidth request, depending on the targeted action. If MAC/LLID addressing space overflow is targeted, a zero size REPORT is transmitted, forcing the OLT to keep the given ONU instance in tracking, while a maximum size REPORT additionally requests bandwidth for such a phantom device, limiting the resource availability for legitimate subscribers. The interesting issue here is that other PON systems are also not immune to such an attack, since both GPON and older APON/BPON systems allow for such an attack to occur. It is also argued at this point that only a properly designed encryption and authentication mechanism, protecting system sensitive data (MAC and LLID addresses in case of EPONs), can limit the scope of such a malicious activity.

MASQUERADING AND THEFT-OF-SERVICE IN EPONS

A theft of service (ToS) attack occurs, in general, when one subscriber attempts to impersonate another legitimate network user (masquerading), by forging his digital signature and attempting to use network resources (bandwidth, access to specific premium services, etc.) that are not billed in the impersonator’s account or are not available to him in the first place. The initial masquerading attack upon the network structure is based on passive monitoring, during which the malicious user collects information about the target machine (ONU), including the number of LLIDs, its MAC address, RTT, and so on. The collected information is used to masquerade the malicious ONU, by manipulating the system sensitive data contained in each transmitted data frame (MAC and LLID addresses) as depicted in Fig. 6. The attacker substitutes the LLID, preamble CRC code as well as MAC address fields (not depicted in the said figure for clarity), generated automatically by the EPON hardware (ONU) in his possession, with the respective values from a targeted machine, thus making his frames look as if they originated from a different ONU. This way he can easily get away with transmitting a lot of upstream data and not being charged for it, since the generated traffic will be billed to another subscriber (subscriber group) using the targeted ONU, while the malicious subscriber will enjoy lower medium access costs.

It must be noted here that the OLT provides a digital identity watermark for each ONU, during its registration phase (LLID [1]), which is subsequently used during bilateral transmissions (upstream/downstream channel) and is inserted by both ONU and OLT in transmitted data frames. However, transmission of such vital and security sensitive data in plain-text format provides a perfect means for launching a masquerading attack, followed most typically by ToS, where the malicious subscriber simply forges his own LLID, substituting it with the legitimate LLID of another ONU, while transmitting upstream towards the OLT. Assuming that the subscriber in question has sufficient knowledge on EPON hardware, this step is not more difficult than disabling LLID filtering, required for passive traffic monitoring, as described earlier. Of course, faking the LLID and transmitting frames at a random moment of time is no good, since the upstream channel is slotted and access time is strictly supervised by the central OLT controller. Thus, such an impersonator must also have the capability of passively monitoring all downstream traffic, filtering the incoming data stream against LLIDs and, specifically, tracking and decoding GATE MPCP DUs, which carry information on scheduled transmission windows, specifically their times and sizes. ToS and masquerading attacks are typically hard to detect once under way, since a malicious user is perceived as a legitimate one, and the EPON system cannot properly identify a security breach in this case.

AUTHENTICATION AND DATA PRIVACY IN EPONS

Since EPONs are very open in terms of the network architecture and medium access, a new ONU (subscriber) is connected automatically during the Discovery Process as defined in [1], unless the predefined number of ONUs (LLIDs) is exhausted and no new devices may enter the system. However, such an open operation mode allows for an unauthorized user to gain access to system resources, simply by turning on his ONU and connecting it to a drop section which should be theoretically inactive (was left for example for future deployment or as a back-up line, or was not populated at deployment time). Subscriber authentication is therefore a necessary feature in such an open system structure. It is typically considered that ONUs must be authenticated, though it is necessary to consider that each ONU may possess a certain number of LLIDs, and subscribers actually sign a Service-Level Agreement (SLA) with the ISP defining clearly the number of LLIDs (and corresponding traffic classes) that will be used. The actual number of LLIDs assigned to a particular ONU is typically a compromise between the transmission overhead imposed by the increased number of logical entities [2] and the QoS/SLA requirements, with the single LLID per ONU scenario officially supported by the standard (IEEE 802.3 2005 — Clause 64.1.1), and multiple LLIDs per ONU scenarios provided by some chip vendors, extending the existing standard specifications and providing multiport ONU modules. In the case of the nonstandard compliant implementations with multiple logical entities per ONU unit, the actual number of LLIDs allocated ranges typically between 3 and 8, depending on the supported number of traffic classes, their mapping as well as QoS granularity which is provided to end subscribers. It is expected though that the future generation of EPON equipment might provide support for the LLID triplet for

Residential subscriber

n

IEEE Communications Surveys & Tutorials • 1st Quarter 2007

73

Before masquerading Target machine’s preamble

Malicious machine’s preamble

CRC CRC

CRC

LLID

CRC

0x55 0x55 0x55

CRC

0x55

SLD

0x55 0x55

0x55 0x55

SLD

0x55 0x55

CRC CRC

LLID

CRC

0x55 0x55 0x55

0x55

SLD

0x55 0x55

0x55 0x55

SLD

0x55 0x55

link level, since a huge share of existing higher-level protocols assume by default that the link layer provides a secure transmission channel, thus avoiding duplication of features at higher protocol stack levels. Masquerading under way Individual subscribers cannot be expect• ed to become security sensitive experts LLID LLID overnight, when switching from DSL lines b) to EPONs, and thus extra measures must be taken at the link level to assure a smooth LLID LLID transition for typical ISP customers, without privacy degradation. Huge company LANs (inherently secure • After masquerading due to P2P connectivity, internal security Target machine’s preamble Malicious machine’s preamble measures, application of firewalls, etc.) can be suddenly open to any types of security c) LLID LLID breaches, once linked to the WAN layer through insecure PON systems, and thus it is imperative to provide inherent data priFigure 6. Masquerading process based on passive monitoring and modificavacy, authentication, and payload security; tion of preamble in data frames originating from the malicious machine. otherwise, business customers might stick with existing leased lines. Additionally, since such customers are typically very well informed on security breaches, and are aware of the syseach connected subscriber, providing that the increased transtem sensitive information value, payload security suffimission overhead can be mitigated through availability of cient to meet residential customers needs might not higher channel bandwidth for data transactions, and/or by suffice in this case. Effective link-level intrusion prevenmodifications to overcome the MPCP inefficiencies. tion is also required. Exact scenarios may vary, since a single user might be Additionally, many opponents of link level security mechaassigned only an individual LLID, for example. 
In either case, nisms indicate that existing solutions, for example, Secure authentication data should be issued on a per LLID basis Socket Layer (SSL), are more than sufficient to handle data rather than for an ONU as a whole entity. This could prevent transaction security, though again certain issues need to be ONU misuse, where a single device is shared by legitimate emphasized at this point: and malicious subscribers, and service severance targeted at • Large servers using the SSL protocol and handling a the latter would also affect the former. growing amount of data traffic, at a certain point might Various forms of authentication protocols were proposed be simply saturated with the demand for encryption of all for EPONs [16–20], though typically they require far-reaching outgoing and decryption of all incoming data streams, modifications to standardized MPCP DU flow, especially durmaintaining huge key arrays on a per flow basis. This ing the Discovery Process, as well as optional utilization of type of scenario is not unrealistic, once we observe the third-party services (e.g., RADIUS) in the form of secure data traffic growth profile as well as the number of authentication servers. Such solutions, though providing highsecure connections required for banking, online shoplevel authentication, complicate the overall network structure ping, payments, and so on. and are incompatible with existing MPCP specifications. • A significant share of everyday use and rudimentary proWhile there is little hope for dramatic modifications to the tocols does not provide means for per-data transaction said standard in the near future, other forms of ONU/LLID protection. 
Global keys and security mechanisms are level authentication are required, using inherent EPON sysused which can be easily compromised in, for example, tem information, and new methods for data integrity verificaDNS data transfers, PPP authentication messages, and tion, as well as (most likely) strong payload encryption for all several instant messaging systems, leading to increasing MPCP messages and other mechanisms, still unidentified. unwillingness to use them in the first place. • It was also proposed to use higher-level security protocols in internal EPON data transactions (between ONU and PROPOSED SECURITY MECHANISMS FOR OLT), though such a proposal has obvious shortcomings: EPONS in order to assure full system interoperability, a single security mechanism would have to be selected and agreed Up to now, a number of security mechanisms were proposed upon for implementation; additionally, ONUs and OLTs for application in EPONs, ranging from simple and straightwould need to become inherently IP packet routers, forward subscriber payload protection, starting with the use of operating at protocol stack layer 3 and above, thus limitstate of the art AES encryption (with either 128 or 256 bit ing Ethernet versatility while not preventing such simple long keys), through GPON/APON originating solutions based forms of attacks as data mining, passive monitoring, and on periodic key churning [17, 20], and ending with proposals so forth, which can be avoided if a strict link-layer securito use complex authentication servers (RADIUS [16, 17]) and ty mechanism is employed. higher-level security mechanisms (IPSec, for example, see In order to avoid most common problems with server over[21]), though it is also argued that transport networks should load, transition problems, system interoperability, security provide protection at the link layer and not rely on any higher threats, and lack of data privacy, it is necessary to make layer implementations [22]. 
Link layer security should be proPONs, and EPONs specifically, immune to most common vided for a number of reasons, including the following most types of security breaches, including passive monitoring, data vital aspects: mining, masquerading, ToS, and certain variants of • Subscriber privacy and data security is expected at the a)

n

74

IEEE Communications Surveys & Tutorials • 1st Quarter 2007

DoS/DDoS. Hardware-level attacks cannot be avoided without introduction of a dynamic wavelength management system, which is both expensive and unwieldy.

PROTECTION OF SYSTEM SENSITIVE DATA IN EPON FRAME PREAMBLES

EPON systems modify the preamble of a standard Ethernet frame by replacing the standard contents shown in Fig. 7a, a sequence of seven 0x55 octets followed by the Start of Frame Delimiter (SFD), with the structure presented in Fig. 7b. These modifications are done at the bottom layer of the protocol stack, shortly before encoding the frame with the 8B/10B encoder and passing it to the output buffer for transmission. Upon reception, the extended EPON specific preamble is stripped and replaced with the standard Ethernet preamble. This process is transparent for higher protocol layers, which allowed for partial reutilization of the existing 1 Gb/s Ethernet MAC chipsets when designing dedicated ones for EPON equipment. However, the extended EPON specific frame preamble stores one system critical piece of information, which is the LLID address of the entity which was sending (upstream direction) or which is the recipient (downstream direction) of the given data stream. Based on the LLID value stored in the incoming frames, the ONUs perform packet filtering, discarding any frames with a mismatching or corrupt LLID value, while the OLT demultiplexes the received packets based on the LLID into the correct MAC ports; this information is later used for proper scheduling, processing, and all other internal mechanisms (e.g., keep-alive, registration, polling, etc.). Such system-sensitive information is transmitted in plain-text format in both downstream and upstream directions, allowing for easy extraction and then utilization of such information, mainly during the passive monitoring process (for data mining purposes, subscriber profiling, etc.), and then for masquerading and ToS attacks.
What is worse is that currently there is no mechanism all­owing for protection of this data field, since all encryption mechanisms employed in EPON chipsets are typically based on AES (Advanced Encryption Standard) encryption of the frame’s payload, leaving the preamble in plain-text format altogether.
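The preamble handling described above, as an added example (not code from the article or from any EPON chipset): build the Fig. 7b preamble for a given LLID, parse it back, and apply the ONU-side LLID filter. The SLD value 0xD5 and the CRC-8 generator x^8 + x^2 + x + 1 are the IEEE 802.3 Clause 65 values; the CRC initial value, the octets it covers and the broadcast LLID value are assumptions made for this example.

```python
"""EPON preamble: build, parse and filter (added example, see lead-in)."""
from dataclasses import dataclass

SLD = 0xD5               # Start of LLID Delimiter, IEEE 802.3 Clause 65 value
CRC8_POLY = 0x07         # x^8 + x^2 + x + 1, the Clause 65 CRC-8 generator
BROADCAST_LLID = 0x7FFF  # assumption: LLID value every ONU also accepts


def crc8(data: bytes, init: int = 0x00) -> int:
    """Bitwise CRC-8 over data (initial value 0x00 is an assumption)."""
    crc = init
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = ((crc << 1) ^ CRC8_POLY) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc


def build_preamble(llid: int) -> bytes:
    """EPON preamble of Fig. 7b: 0x55 0x55 SLD 0x55 0x55 LLID(2) CRC(1)."""
    body = bytes([SLD, 0x55, 0x55]) + llid.to_bytes(2, "big")  # octets 3..7
    return bytes([0x55, 0x55]) + body + bytes([crc8(body)])


@dataclass
class Preamble:
    llid: int
    crc_ok: bool


def parse_preamble(raw: bytes) -> Preamble:
    """Extract the LLID and check the CRC covering SLD through LLID."""
    if len(raw) != 8 or raw[2] != SLD:
        raise ValueError("not an EPON preamble")
    body = raw[2:7]
    return Preamble(llid=int.from_bytes(raw[5:7], "big"), crc_ok=crc8(body) == raw[7])


def onu_accepts(raw: bytes, own_llids: set) -> bool:
    """ONU-side LLID filter: drop corrupt preambles and frames for other LLIDs."""
    try:
        pre = parse_preamble(raw)
    except ValueError:
        return False
    return pre.crc_ok and (pre.llid in own_llids or pre.llid == BROADCAST_LLID)


def filter_report(own_llid: int, other_llid: int) -> dict:
    """What the filter does establish (integrity) and does not (origin)."""
    own, other = build_preamble(own_llid), build_preamble(other_llid)
    corrupt = bytearray(own)
    corrupt[6] ^= 0x01  # one flipped LLID bit, as a transmission error would cause
    return {
        "own_accepted": onu_accepts(own, {own_llid}),
        "corrupt_rejected": not onu_accepts(bytes(corrupt), {own_llid}),
        "foreign_crc_valid": parse_preamble(other).crc_ok,  # CRC says nothing about origin
        "foreign_rejected": not onu_accepts(other, {own_llid}),
    }
```

filter_report() shows the section's point in code: the CRC-8 catches a corrupted LLID, but a preamble carrying any other LLID verifies just as well, so the filter separates flows without authenticating who sent them.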

PROTECTION OF SYSTEM-SENSITIVE DATA IN EPON FRAME PAYLOAD

Ethernet frame payload security is typically considered as the only and sufficient security mechanism providing data privacy, confidentiality, and data origin authentication in the EPON network structure. Payload security mechanisms considered for implementation in EPON network structures are by default based on the AES-128 mechanism, due to its strong cryptographic properties and very long life cycle, as well as direct hardware implementation [23]. Although encryption of the Ethernet frame payload has already been proposed by other parties (and by some IEEE 802.3ah task force members) as a solution to the confidentiality problems, it is insufficient to eliminate all confidentiality and privacy problems. Initial proposals of the EPON system encryption mechanism left out the Frame Check Sequence (FCS), containing the CRC32 calculated over the payload of the packet, in plain text format, which can be used to facilitate a decryption attempt. However, more mature proposals presented at the IEEE 802.3 EFM Working Group (WG) (e.g., [17, 22]) already stress the need to encrypt this security sensitive information, thus effectively scrambling the whole payload of the Ethernet frame, starting from the source and destination addresses, through subscriber payload and ending with the FCS sequence. This is a de facto standard in terms of encryption mechanism for Ethernet PON systems.

The existing key exchange protocols, providing encryption keys for the AES mechanism, are designed to operate in a centralized mode, in which the OLT is responsible for generation and delivery of the security keys to all ONUs, although this takes place in an insecure downstream channel (though the keys are not delivered in a plain-text format but rather in specialized MPCP DU messages, encrypted in a manner consistent with the utilized security mechanism). Such protocol design makes sense from a logical point of view, since the best processing capabilities are located in the OLT (better and more powerful microprocessor), while the ONUs should remain simple and be equipped with relatively low priced electronics. There are however serious concerns about the broadcast nature of the downstream channel and the mechanisms provisioned to deliver encryption keys to ONUs in a “safe” manner, which can be compromised simply by disabling the LLID filtering rules (when keys are delivered in plain-text format), or by attempting decryption in the case of public key infrastructure mechanisms, which contain a number of well-known cryptographic weaknesses. Pure payload encryption does not prevent data monitoring and masquerading (DoS/ToS attacks), since a promiscuous ONU can be maliciously connected to the EPON system and store all downstream traffic for off-line and time-delayed analyses based on an LLID classification.
Certainly, the encryption mechanism makes such attempts impossible to concoct in a real-time manner, though we must emphasize here that monitoring and profiling activities are typically carried out in an off-line manner, over longer periods of time, which brings about the concerns about leaving important system information (namely, the LLID in the preamble) in plain-text format, available to any eavesdropper in the system. Data mining techniques can infer important information about users connected to the EPON structure. Payload encryption assures limited and indirect data origin authentication to the OLT only at the MPCP layer (only the ONU with the correct key can send correctly encrypted data payloads).

[Figure 7. Preamble formats: a) standard Ethernet preamble (seven 0x55 octets and the SFD) followed by the destination MAC address (6), source MAC address (6), data size (2), data (46-1500) and FCS (4); b) EPON specific preamble with LLID extensions (0x55 0x55 SLD 0x55 0x55 LLID CRC) followed by the same frame fields.]

PROPOSED DATA SECURITY MECHANISMS FOR EPON SYSTEMS

Data Encryption with Key Churning (US 2005/0201554 A1) — The proposed EPON encryption mechanism, which is based on the AES algorithm published by the National Institute of Standards and Technology (NIST) in the United States [24], allows for application of 128-, 192-, or 256-bit keys. This mechanism is quite similar to the one used in GPON systems based on ITU G984.3 specifications, although it contains the necessary modifications required to adapt its operation to the EPON environment. As indicated above, the Ethernet frame format, including the preamble and IPG, is not modified in order to remain compliant with IEEE standards and avoid potential issues from future extension of the IEEE 802.3 standard. In order to enable data privacy and origin authentication, the said method encrypts a complete Ethernet frame, including the Ethernet header and FCS field. The MPCP and OAM control messages are also encrypted, thus providing a complete and secure data transmission channel for both subscriber data and system-sensitive information.

Block Cipher Mode (CTR) for AES Encryption — Since Ethernet frames are larger than 128 bits, a block cipher mode of the AES mechanism must be used, where a long message is necessarily divided into a series of fixed size blocks and each one is encrypted separately, potentially with the same (non-counter mode) or changing (counter mode — CTR) keys [25]. In the CTR scheme, a block cipher generates a stream of 128-bit wide output blocks, which are the product of the cipher function applied to the input stream of counters and which are then XORed (bitwise exclusive-OR operation) with the input plain text to produce the cipher text (Fig. 8a). Since the last block in the plain-text message may be of a size different than the adopted key size (128 bits), it is XOR’d with the most significant portion of the last output block, thus avoiding padding and any encryption overhead which occurs in the case of a plain-text frame being padded to match the key delineation boundaries.

The decryption process is quite similar to the encryption data flow: the received frame is broken into 128-bit blocks (depending on the size of the adopted key, which was exchanged between the two communicating stations) and then each of the said blocks is XORed with the corresponding cipher output block to regenerate the plain text. In order to reproduce the transmitted data stream, the receiving station must use exactly the same stream of counters encrypted by the cipher, otherwise the resulting decoded message will be scrambled, producing a corrupt frame (Fig. 8b). One of the advantages of the proposed solution is the fact that both transmitting and receiving stations use the same cipher function, thus implementing only the encrypting (forward cipher) portion of the AES block cipher, lowering the implementation cost, and allowing for higher optimization of related hardware.

Input Values for the CTR Process — The CTR process requires an input stream of nonrepeating cipher inputs (also called counter values), where a single value is associated with the given 128-bit-wide text block. Additionally, it is vital that the cipher input values are tightly synchronized with the encrypted/decrypted message, meaning that it is always possible to delineate the text blocks (whether in plain-text or encrypted forms) in exactly the same manner, regardless of the data link station location. In EPON systems, operation of the MPCP protocol provides ONUs with the means to synchronize their local clocks with the central, high-quality OLT clock; thus, at least in the downstream direction, the cipher input values can be derived directly from the MPCP clock.

The CTR process has one requirement, however, which cannot be met directly by operation on the MPCP clock values alone. During the lifetime of the encryption keys, the cipher input values cannot be duplicated; otherwise, the encryption mechanism may suffer from a security weakness, providing a way for a malicious user to attempt decryption and compromise the system. The MPCP counters, which are by definition 32 bits long, provide sufficient space for approximately 70 s of operation (2^32 – 1 TQ = 68 719 476 735 ns ≈ 68.72 s), after which the counter values begin to repeat and wrap around. That in turn would impose a very short key life span, demanding frequent key exchanges and increasing the possibility of key interception and attack attempts. The MPCP counter resolution was thus extended to 48 bits, providing a life span of 2^48 – 1 TQ = 4 503 599 627 370 480 ns ≈ 52.125 days, which is more than sufficient for the said application. The aforementioned counter resolution extension was effected by adding block counters, which are elaborated in greater detail in the [26] patent, and the discussion of which is out of the scope of this article.

It is worth noting that due to the variability in propagation and processing delays at the OLT and an ONU, the MPCP counters may become slightly misaligned. This side effect was accounted for by concatenating the resulting cipher counter values, thus limiting slightly the possible key life cycle but providing a more robust system, which is not susceptible to fluctuations in the RTT times and processing delays, which are unavoidable in any electronic system.

Encryption/Decryption Key Life Time — As indicated above, the value of the cipher counter must not repeat during the lifetime of a session key, thus effectively defining the lifetime of the said keys. This way, the extended MPCP counter wraps around after 2^48 – 1 increments, thus effectively providing the AES key life span of 2^48 – 1 TQ = 4 503 599 627 370 480 ns ≈ 52.125 days. The frequency of the key exchange is obviously defined as 52 days at maximum, while few subscribers remain connected to the network structure for such a long period of time in an uninterrupted manner. Additionally, the network administration might impose a shorter key life cycle to provide higher data security measures, since a shorter key life span lowers the chances of the AES mechanism being compromised.

CTR Encryption for the Downstream Direction — In the downstream direction, the OLT-based transmitter requires only a single cipher counter, since all outgoing frames are encrypted with the same cipher, though using different AES keys on a per-LLID basis. A simple modification of the said mechanism might allow for the OLT to provide a separate cipher counter per LLID, although this measure does not increase the overall system security while increasing the complexity of the resulting OLT hardware and the amount of required memory storage space. The initial value of the OLT’s cipher counter is delivered to the given ONU (more specifically, LLID) during the initial key exchange process shortly after or even during the Discovery Process, while the selected key delivery method does not result in undesirable frame chaining in which a lost or corrupted frame would inhibit proper decryption of all subsequent frames, as would be the case when, for example, the cipher counter counts frames. Each data frame is independently encrypted and decrypted based on the frame’s departure and arrival times, which correspond to the time of transmission of the first octet of the frame (first octet of the destination address field).

CTR Encryption for the Upstream Direction — In the upstream transmission process, the situation with the cipher counters is slightly different, since they are not aligned (i.e., the OLT clock is not locally aligned to the transmitted local ONU clock values). For encrypting upstream frames, the ONU (and, more specifically, LLID) uses the value of its cipher counter corresponding to the grant start time, thus the first block of the first frame in a slot is associated with the cipher counter value corresponding to the start time of the given grant. Once the first text block is transmitted, the cipher counter starts operating in the standard manner, increasing every 16 ns (1 TQ = 16 ns = 2 B), while the complementary counter on the receiving (OLT) side will perform exactly the same process. Decryption of the received data frames at the OLT level is performed based on the stored grant arrival times; thus, effectively the first text block arriving within the previously stored grant window shall be decrypted using the cipher counter value associated with the stored future time. This requires the OLT to maintain a complete list of any grants issued to the given ONU (more specifically, LLID), allowing also for the granting into the future process, as described earlier. The AES decryption process is identical with the downstream AES encryption, thus allowing for replication and reutilization of the hardware modules.

[Figure 8. CTR mode implementation with the AES encryption mechanism in EPON systems: a) encryption and b) decryption process. Both panels show input blocks Ui and session key K entering the encrypter, producing output blocks Vi = E(Ui, K), which are XORed with plain text Pi to give cipher text Ci (and with Ci to recover Pi in the decryption panel).]

Key Exchange and Update Mechanisms — Since the upstream channel is relatively more secure when compared with that in the downstream direction, the new encryption keys are always generated on the ONU side and delivered to the OLT for acceptance. Such a provision allows for the network administrator to enable only the downstream encryption, if the given subscriber population does not require encryption of the upstream data. Therefore, in the case of unicast LLIDs, the key exchange is initiated by the ONU and the OLT is only informed on the allocated keys. However, in the case of multicast logical links, multiple ONUs must use the same key, so that the OLT initiates the key exchange process and generates the new key values, which are then only delivered in the downstream channel to individual LLIDs, utilizing already secure unicast connections. It must be noted here that multicast LLIDs were never officially defined by the IEEE 802.3 EFM WG, and as such have remained until now a proprietary solution of EPON equipment manufacturers and EPON chip vendors (e.g., [27–29]).
The elaborated system defines three new organization-specific messages (OAMPDUs), namely:
• KEY_REQUEST MPCP, which is made by the OLT to request a new key from an ONU. This message also provides the ONU with a future value of the cipher counter at which the new key is to be activated. It is important to note that in order to provide uninterrupted data flow, the new key must be activated on both sides of the transmission link simultaneously. Otherwise, the mismatching cipher counter values will produce a corrupted frame upon its decryption on the OLT side.
• KEY_ASSIGN MPCP, which is issued by the OLT to assign a new key to an ONU. The said MPCP DU conveys a new key as well as the time stamp of the key switch event, when the old encryption key is discarded and the new key is activated. Under the standard operation mode, the key is generated in the ONU and delivered to the OLT, though under certain circumstances, the OLT is forced to generate the new key set and provide it to the respective ONUs (operation of the multicast channel), since all of them must operate with the very same AES encryption key.
• KEY_RESPONSE MPCP, which is issued by an ONU to acknowledge the reception of the KEY_REQUEST MPCP or KEY_ASSIGN MPCP. This message allows the ONU to deliver the new key value to be used after the switch-over. Additionally, the ONU confirms the reception of the key switch-over counter value, thus allowing for the OLT to go ahead with the key exchange process.
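The CTR scheme of the preceding subsections, as an added example in Python (not the patented mechanism's code nor the article's): a forward-cipher-only AES-128, a counter block assembled from the LLID, the 48-bit MPCP counter of the frame's first octet (or the grant start time for upstream) and a per-frame block index, the partial last block XORed with the leading bytes of the last output block, frame independence when a frame is lost, and the 2^32 / 2^48 key lifetimes. The counter block layout, the session key and the frames are assumptions constructed for this example.

```python
"""AES-128 CTR driven by the MPCP time counter (added example, see lead-in)."""

TQ_NS = 16  # one time quantum: 16 ns, i.e. 2 bytes at 1 Gb/s (from the article)


def _build_sbox():
    """Generate the AES S-box (GF(2^8) inverse followed by the affine map)."""
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= q << 1                                           # q /= 3 in three steps
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)      # XOR of the 5 rotations
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()


def _xtime(b):
    return ((b << 1) ^ 0x1B) & 0xFF if b & 0x80 else b << 1  # multiply by x in GF(2^8)


def expand_key(key):
    """AES-128 key schedule: 11 round keys of 16 bytes each."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def aes_encrypt_block(round_keys, block):
    """Forward cipher only: the encrypting half of AES that both stations share."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                # SubBytes
        s = [s[(i + 4 * (i % 4)) % 16] for i in range(16)]      # ShiftRows
        if rnd != 10:                                           # MixColumns
            mixed = []
            for c in range(4):
                a = s[4 * c:4 * c + 4]
                t = a[0] ^ a[1] ^ a[2] ^ a[3]
                mixed += [a[i] ^ t ^ _xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]
            s = mixed
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]        # AddRoundKey
    return bytes(s)


def counter_block(llid, mpcp48, block_index):
    """Assumed input block U_i: LLID (2) | zero pad (4) | MPCP counter (6) | index (4)."""
    mpcp48 &= (1 << 48) - 1
    return (llid.to_bytes(2, "big") + bytes(4)
            + mpcp48.to_bytes(6, "big") + block_index.to_bytes(4, "big"))


def ctr_crypt(round_keys, llid, mpcp48, frame):
    """XOR the frame with V_i = E(U_i, K). A short last block uses only the
    leading bytes of V_i, so nothing is padded. The same call decrypts."""
    out = bytearray()
    for i in range(0, len(frame), 16):
        v = aes_encrypt_block(round_keys, counter_block(llid, mpcp48, i // 16))
        chunk = frame[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, v[:len(chunk)]))
    return bytes(out)


def key_lifetime_seconds(counter_bits):
    """Counter values must not repeat under one key: (2^n - 1) TQ of traffic."""
    return ((1 << counter_bits) - 1) * TQ_NS / 1e9


def demo():
    """Constructed downstream frames: encrypt at departure time, decrypt at arrival.
    For upstream the same code would take the grant start time as mpcp48."""
    rk = expand_key(bytes(range(16)))              # constructed session key K
    llid = 0x0102
    frames = [b"frame one, 27 bytes payload", b"frame two is a bit longer than 32"]
    departures = [1_000_000, 1_000_050]            # MPCP counter at the first octet
    wire = [ctr_crypt(rk, llid, t, f) for t, f in zip(departures, frames)]
    # frame one is lost on the way; frame two still decrypts, because its
    # counter comes from its own timestamp and not from the previous frame
    return ctr_crypt(rk, llid, departures[1], wire[1])
```

demo() returns the recovered second frame; key_lifetime_seconds(32) and key_lifetime_seconds(48) reproduce the 68.72 s and 52.125 day figures quoted above.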

Authentication in EPON Systems [30] — This particular solution targets provision of a RADIUS server [RFC 2869] authentication function in the OLT module, thus effectively allowing for the OLT to authenticate all ONUs and LLIDs based on the RADIUS server functionalities. A generic MD-5 algorithm, adapted to be used between the OLT and the RADIUS server, is significantly simplified so that it can be used in the EPON network architecture without imposing significant transmission overhead. First, the ONU sends towards the OLT-based RADIUS server a data frame notifying the OLT controller on the start of an authentication process, which is processed and initiates the RADIUS specific routines. Then, the OLT sends the “Identification Request” packet, requesting full ONU/user identification, comprising a preselected username — the complementary password is not exchanged at this stage. In response to the “Identification Request” packet, the ONU sends the username to the OLT, thus effectively delivering a packet named “Identification Response.” Based on the information gathered during the authentication mechanism start-up, the OLT identifies the characteristic value/identifier, describing the given ONU in a unique manner (“Username”). Providing that the previously transmitted “Username” is valid, the OLT transmits the “Authentication Success” packet, thus notifying the given ONU on successful identification and allowing it to access the network resources. Otherwise, the “Authentication Failure” packet is transmitted, thus notifying the ONU that its authentication attempt failed due to a corrupt frame and/or invalid “Username” value. Regardless of the result of the authentication process, the OLT notifies the ONU on the termination of the authentication stage by sending a specific data packet “Authentication Termination,” allowing for the given ONU to restart the process in the case of failure in the previous attempt.
Secure Data Delivery in EPON Systems (US 2005/0201554 A1) — This examined method provides a complete infrastructure for secure delivery of subscriber and MPCP protocol frames over an EPON system. A new format for the encrypted data frame is proposed, with the said frame consisting of a number of fields, namely, the preamble (PA) field, a destination address (DA) field, a source address (SA) field, a clear PON tag header field, a protected tag header field, a PDU field, a packet data unit (PAD) field, an integrity check value (ICV), and a frame check sequence (FCS) field, as depicted in Fig. 9a. Several of the aforementioned data fields are already present in current IEEE 802.3 compliant EPON systems (PA, DA, SA, and FCS), while the remaining ones are strictly related with the proposed security mechanism. The meaning and detailed description of the individual frame fields can be found in [31].

Gigabit Ethernet-based Passive Optical Network and Data Encryption Method [32, 33] — This particular proposal includes a complete security and authentication mechanism based on the public key infrastructure, where upon a power-up event an ONU transmits a registration request towards the OLT containing a public key, which will be used to deliver the secret encryption keys in the downstream channel. The encryption keys are then generated by the OLT only for the successfully registered ONUs and encrypted with the previously delivered public ONU key and, once ready, delivered downstream in a specialized instance of the MPCP DU. Upon reception of the aforementioned MPCP DU, the ONU decrypts the message with its public key, retrieves the stored secret encryption keys and confirms successful reception of the aforementioned keys with a “decryption completion successful” message, delivered towards the OLT. The OLT and ONU use the generated secret encryption keys in the bilateral data transmissions in both downstream and upstream channels, effectively creating a secure P2P connection between the central network node (OLT) and the subscriber module (ONU). The system defined in [32] is transparent to the employed encryption method based on the traded secret keys, with the RSA and AES standards named in the examined patent. It is obvious though that as long as the secret keys can be traded using specialized MPCP DUs between the OLT and one of the ONUs and both stations utilize the same encryption mechanism, virtually any scheme can be implemented on top of the proposed authentication system. Additionally, it is stated clearly that no data in the system is ever transmitted in plain text format (Ethernet frame payload, source and destination fields as well as the FCS sequence), excluding the preamble section, which is not subject to encryption and/or scrambling. The examined method is not directly compatible with the definitions of the IEEE 802.3 2005 specifications in a number of ways.
First of all, the public key infrastructure keys of the total length of 1024 bits must be exchanged between the ONUs and the OLT, thus requiring the REGISTER_REQ MPCP DU message to grow in size up to 288 bytes, which is significantly more than the standard provisioned 72 bytes (including preamble) for MPCP DUs. Other standard MPCP DU messages will also have to change their size, for example, the GATE MPCP DU which is delivered to the ONU after successful reception of the REGISTER_REQ MPCP DU (168 bytes, containing the secret AES encryption key and additional signaling). Secondly, the modification of the internal structure of the MPCP DU messages eliminates any claims in terms of backward compatibility of such a system, requiring both hardware and logical layer changes in the MPCP processing layer. Finally, the selected secret key sharing method (downstream channel) is not the best possible option, since the ONUs may generate the encryption keys and deliver them to the OLT, utilizing the more secure upstream channel.

MAC Security Mechanism (MACSec) for Ethernet Passive Optical Networks [34] — This examined security mechanism comprises a new encryption and/or authentication entity placed in between the MAC and MPCP layer, thus allowing for selective encryption/decryption of all types of frames transmitted in EPON systems, including subscriber datagrams, MPCP DUs and OAM frames. The selection of frames for security processing is based on a set of rules defined by the network administrator, thus effectively creating a number of MACSec policies and security management options. A detailed description of the operation of the MACSec mechanism can be found in [34] — here, we will only briefly outline the most important steps in the processing and encryption/decryption of the data frames.

The input frame classifier, part of the MACSec layer, verifies the type of the incoming data frame and cross-checks what type of processing is required as set forth in the security policy defined by the network administrator. Providing that the frame is not to be processed at all, it is relayed to a delay unit (termed bypass unit in the examined patent), the task of which is to provide the unprocessed packets with exactly the same delay the processed packets are subject to. This way the internal jitter and processing delay variations between security enabled and disabled frames are minimized, limiting synchronization and ranging precision issues between ONUs and the OLT. The applied delay time can be easily estimated as the total of the processing times of the individual stages of the security mechanism employed in the MACSec layer, as described in more detail in Clauses 0040 to 0043 of the examined patent. A data frame which was selected for security oriented processing is stripped of its FCS sequence prior to encryption and passed to the transmission frame encoder unit, which adds a SECTag along with the sequential packet number (PN) to the data frame with stripped FCS sequence. Next, several additional sequences are generated, namely, the IV sequence, encryption key, additional authentication data (ADD) and secure MAC service data unit (MSDU), and processed with the prepared data frame in the encryption module. The resulting structure is transferred to the output multiplexer and then delivered to the output buffer. Based on the information provided by the initial frame classifier, two types of encryption keys can be used, namely a session key or a master key. The selection of the proper key is based on the value of the LLID tag in the frame preamble and the security settings defined for the particular LLID by the network administration.
Providing that the given data frame is to be relayed to the Ethernet bridge residing on top of the MAC layer, a session key is used, since the target unit lies within the same administration domain. On the other hand, all outbound packets which are to be relayed to higher network layers are encrypted with either the master key (MPCP and OAM frames) or a session key, depending on the security requirements defined for the given LLID. The frame decryption process is complementary to the encryption data flow outlined above. The frames are first filtered based on the LLID value and lined up for further processing. The non-encrypted datagrams are relayed to the delay block, the functionality of which was briefly described before. Providing that the frame from the given LLID should be encrypted, as indicated by the security policies defined for the particular LLID entity, and the examined frame is actually in plain-text form, the system discards the frame as invalid. Such security mechanism testing is performed based on the value stored in the 16-bit-wide Ethernet security ID field, from which the MACSec mechanism can determine whether the frame is transmitted in a unicast or a broadcast security channel and whether any encryption was applied to it or not. The opposite situation is also true (i.e., encrypted frames with the LLID and security tag indicating the lack of any security mechanism will also be discarded as suspicious). This way any potential DoS frames circulating within the PON domain are restricted to a single connection only rather than affecting other subscribers in the network.
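The receive-side policy cross-check and the SECTag/PN, ICV and FCS handling described above, modelled in Python as an added example (this is not code from the paper or from patent [34]): the AES engine is replaced by an HMAC-SHA256 keystream and tag, and the security ID value 0x88E5, the tag layout, the key table and the per-LLID policy table are assumptions.

```python
"""MACSec-style per-LLID policy check, SECTag/PN, ICV and FCS handling as outlined
above. Added example, not code from the paper or patent [34]: the AES engine is an
HMAC-SHA256 keystream and tag; security ID, tag layout and policy table are assumed."""
import hashlib
import hmac
import struct
import zlib
from dataclasses import dataclass, field

SECURITY_ID = 0x88E5   # assumed 16-bit "Ethernet security ID" of a protected frame
SESSION_KEY, MASTER_KEY = 0, 1
SECTAG_FMT = ">HBBI"   # security ID, key type, reserved, packet number: 8 bytes
SECTAG_LEN = struct.calcsize(SECTAG_FMT)
ICV_LEN = 16           # 16-byte ICV, matching the paper's 24-byte overhead figure
HDR_LEN = 12           # DA + SA
# Per-LLID policy set by the administrator (constructed): True = must be protected.
POLICY = {0x0001: True, 0x0002: True, 0x00FF: False}

def fcs(body: bytes) -> bytes:
    """Standard Ethernet FCS: CRC-32 over DA..payload."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)

def make_frame(da: bytes, sa: bytes, payload: bytes) -> bytes:
    """Constructed plain frame: DA, SA, payload (EtherType + data), FCS."""
    body = da + sa + payload
    return body + fcs(body)

def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for the AES engine)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def protect(frame: bytes, key: bytes, key_type: int, pn: int) -> bytes:
    """Transmit side: strip FCS, add SECTag+PN, encrypt the MSDU, append the ICV
    and attach a security FCS. The frame grows by exactly 8 + 16 = 24 bytes."""
    body = frame[:-4]
    if fcs(body) != frame[-4:]:
        raise ValueError("bad FCS on ingress")
    hdr, msdu = body[:HDR_LEN], body[HDR_LEN:]
    sectag = struct.pack(SECTAG_FMT, SECURITY_ID, key_type, 0, pn)
    aad = hdr + sectag                                 # authenticated, sent in clear
    ct = xor(msdu, keystream(key, sectag, len(msdu)))   # IV taken from SECTag/PN
    icv = hmac.new(key, aad + ct, hashlib.sha256).digest()[:ICV_LEN]
    out = aad + ct + icv
    return out + fcs(out)

@dataclass
class Receiver:
    keys: dict                       # (llid, key type) -> key
    policy: dict                     # llid -> must frames be protected?
    last_pn: dict = field(default_factory=dict)

    def receive(self, llid: int, frame: bytes):
        """Receive side; llid comes from the preamble. Returns (verdict, frame)."""
        body = frame[:-4]
        if fcs(body) != frame[-4:]:
            return "discard: bad FCS", None
        tagged = (len(body) >= HDR_LEN + 2 and
                  struct.unpack(">H", body[HDR_LEN:HDR_LEN + 2])[0] == SECURITY_ID)
        must_protect = self.policy.get(llid, True)
        # Policy cross-check: plaintext on a protected LLID, or a security tag on an
        # LLID configured as clear, is dropped before any decryption work is done.
        if must_protect and not tagged:
            return "discard: plaintext on protected LLID", None
        if not must_protect and tagged:
            return "discard: unexpected security tag", None
        if not tagged:
            return "bypass", frame       # delay/bypass unit: relayed unchanged
        if len(body) < HDR_LEN + SECTAG_LEN + ICV_LEN:
            return "discard: truncated", None
        sectag = body[HDR_LEN:HDR_LEN + SECTAG_LEN]
        _, key_type, _, pn = struct.unpack(SECTAG_FMT, sectag)
        key = self.keys.get((llid, key_type))
        if key is None:
            return "discard: no key for LLID", None
        aad = body[:HDR_LEN + SECTAG_LEN]
        ct, icv = body[HDR_LEN + SECTAG_LEN:-ICV_LEN], body[-ICV_LEN:]
        expected = hmac.new(key, aad + ct, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return "discard: bad ICV", None
        if pn <= self.last_pn.get(llid, -1):      # strict PN increase: no replay
            return "discard: replayed PN", None
        self.last_pn[llid] = pn
        # Security FCS already stripped; decrypt and re-attach a standard FCS.
        plain = body[:HDR_LEN] + xor(ct, keystream(key, sectag, len(ct)))
        return "accept", plain + fcs(plain)

if __name__ == "__main__":
    k = bytes(range(32))                                   # constructed session key
    rx = Receiver(keys={(0x0001, SESSION_KEY): k}, policy=POLICY)
    f = make_frame(b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb", b"\x08\x00data")
    p = protect(f, k, SESSION_KEY, pn=1)
    print(len(p) - len(f), rx.receive(0x0001, p)[0], rx.receive(0x0001, p)[0])
```

Run as a script, it prints the 24-byte overhead, an accept verdict and the replay discard for the same frame delivered twice.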
Next, the frame which successfully passed through the DoS filtering stages is stripped of the security FCS sequence (attached by the MACSec layer on the transmitting side) and passed to the decryption unit, which descrambles the frame using the proper key (either master or session key, as discussed above) and calculates and attaches a standard FCS sequence at the end of the frame, thus preparing its structure for processing in the MAC layer. Detailed operation of the MACSec decoder module can be found in Clauses 0063 to

IEEE Communications Surveys & Tutorials • 1st Quarter 2007

Figure 9. a) Modified Ethernet frame contents; and b) contents of the Clear PON tag header. (Field labels recovered from the figure: a) PA, DA, SA, PDU, Clear PON tag header, PAD, Protected tag header, FCS, ICV; b) Designator, PAID, Optional g-bits, LLID, SID, VLAN ID.)

0069 of the examined patent. The MACSec layer additionally provides means for data origin authentication by using the values relayed in the AAD and MSDU fields, exchanged between the transmitting and receiving sides. Any frame with an unexpected authentication key is discarded as invalid and potentially malicious, thus effectively protecting the network against DoS and/or replay attacks. A detailed description of the authentication mode of the MACSec operation is included in Clauses 0070 to 0078 of the examined patent.
The proposed mechanism comes, however, with a price tag attached, since the encryption mechanism requires a significant transmission overhead with an 8-byte-wide SecTAG and a 16-byte-wide ICV field for authentication purposes. Therefore, any data frame which is transferred in the EPON network using this particular security mechanism needs to be expanded by 24 bytes, thus increasing the minimum frame size from 64 to 88 bytes and the maximum frame size from 1518 to 1542 bytes. With the average frame size around 500 bytes [2], 24 bytes of transmission overhead mean that approximately 4.8 percent of the useful bandwidth is lost for the transmission of security related information.

Authentication and Key Distribution Mechanism for Ethernet Passive Optical Networks [35] — The examined solution comprises a mutual authentication and key distribution mechanism for EPON systems, where public key infrastructure is used to deliver secret encryption keys generated by the OLT towards individual ONUs, upon first registration of the said subscriber units in the network structure. The process is described in detail in [35] and we will present only a brief outline of the proposed solution. First, the OLT generates a pair-wise master key (PMK) for each connected ONU, based on the initially exchanged random value (delivered to the OLT by the ONU during the Discovery Process) and the predistributed master key. The said operation is carried out using hash functions to assure lack of correlation between the initial key values and the output PMK value. The final PMK key is delivered to the target ONU using public key infrastructure. Next, the OLT generates a second random value, which is delivered to the target ONU, which generates a temporary security key based on the aforementioned random number, the OLT MAC address (which is known from the incoming data transmissions), its own ONU MAC address and the delivered PMK value. Again, hashing functions are used to derive the temporary security key to assure lack of correlation and a proper message digest. This way, the keys can be distributed over the EPON network structure without using any dedicated secure transmission channel.
The master key is predistributed to all machines connected to the given OLT using any of the available distribution methods, most likely again a public key infrastructure. An alternative approach could include hard-wiring a master key value into ONU module chipsets, though cross-compatibility issues might arise between machines from different vendors. Another drawback of the proposed mechanism is the delivery mode for the random key values. In accordance with the proposed solution, the initial random values are delivered in plain text in the downstream and/or upstream channel, depending on the selected mode of transport. The downstream channel with its broadcast nature would require initial encryption of the exchanged random values, which are used later on to derive session keys for AES frame encryption. The upstream channel, on the other hand, is considered secure in the patent, thus the question arises as to the purpose of the whole complex key derivation process. Providing that this transmission channel is secure, the exchanged random value, delivered from the ONU to the OLT, can already be used as an encryption key itself, since a potential attacker has no way to learn its value.

NEXT-GENERATION EPON SYSTEMS AND SECURITY CONSIDERATIONS

EPONs constitute a giant leap forward in the access systems’ environment when compared with DSL and cable modem technologies. With an effective data rate of 1 Gb/s (1.25 Gb/s line rate due to the 8-to-10 bit encoding performed at the PHY layer) and typically 16 to 64 subscribers served per single EPON system, each ONU will receive between 15 and 60 Mb/s of usable bandwidth, which is far more than any standard DSL solution can deliver in the foreseeable future (probably apart from VDSL with a very short reach from the CO of the ISP) while remaining cost-effective. Still, as more bandwidth-intensive services become available to users, this bandwidth capacity will get exhausted. It is therefore crucial for the success of EPON technology to provide a smooth path for future upgrades, regardless of the selected development scenario. It is quite difficult to envision the exact development path for EPON systems, since a lot depends on the actual success of field deployments and deployed unit volumes. Providing that all the aforementioned factors indicate future interest from ISPs and larger telecommunication companies, EPONs have at least three distinct system capacity upgrade paths, allowing for gradual transitions from current 1 Gb/s solutions into transmission systems with more raw transmission capacity (data-rate upgrade), an increased number of individual transmission channels (wavelength upgrade) or a mixture of both, allowing to increase the system capacity in a most radical way (spatial upgrade).

WAVELENGTH UPGRADE: SCENARIO AND SECURITY CONSIDERATIONS

Providing that Wavelength Division Multiplexing (WDM) technology reaches a significant level of maturity in the near future — sufficient to provide high volume component production capacities while slashing down costs — the number of individual wavelength channels in a single EPON instance might be gradually increased, adding a separate WDM overlay on top of existing burst mode operated systems. In this scheme, some of the already deployed and active ONUs would be assigned in a static manner into a distinct wavelength domain for both upstream and downstream transmission lanes, and while the effective data rate on each wavelength

will remain the same, there will simply be fewer ONUs to share that raw bandwidth capacity, thus increasing the bandwidth available to the subscriber. The wavelength upgrade into WDM EPON systems (with a wavelength channel pair assigned per subscriber) is considered to be the most QoS-oriented solution in existence (of course, the increase in the available channel bandwidth is also a target of the said system upgrade), since in the final stage of the examined PON system evolution each subscriber is assigned a separate and unique wavelength channel, thus effectively transmitting in a dedicated channel over a shared passive optical medium. However, as far as security is concerned, a future WDM EPON is not much more secure than an existing TDM system. The downstream transmission channel is dedicated to the given ONU, thus passive monitoring is as simple as tuning a malicious monitoring device to the correct wavelength and enjoying unrestricted access to the transmitted data. The situation is even worse, since the delivered data stream is not composed of multiplexed streams designated for several individual machines, but rather of a P2P Ethernet frame stream, which is far easier to monitor than the downstream traffic in existing IEEE-compliant EPON systems. In the upstream channel, the lack of TDM multiplexing facilitates any ToS attempts, since malicious packets may be inserted into the channel providing that proper timing can be maintained, which is technically feasible at the effective line rate of 1 Gb/s. DoS attacks on the network infrastructure in the case of WDM EPON systems would require a broadband light source, capable of delivering sufficient laser power to block transmissions originating from all the ONUs in the system.
Isolation attacks are more probable, with the malicious user preventing only one subscriber or a subscriber group from gaining channel access, though that again requires knowledge of the wavelength allocation, which in the case of dynamic wavelength assignment changes at random. However, WDM EPON system security can be extended by the application of a wavelength hopping scheme, where individual ONUs change their downstream and upstream transmission channels in a random manner, as directed by the central OLT controller, thus effectively making the passive monitoring process more complex and demanding real-time analysis of the control plane messages. Unfortunately, the wavelength hopping frequency would have to be relatively high (in the order of a few GHz) to make passive monitoring techniques unfeasible, since a malicious attacker would have to know not only the wavelength hopping pattern but also be able to tune the receiving devices in accordance with the changes of the wavelengths in the system. The other approach comprises recording all downstream data channels simultaneously and observing the wavelength hopping patterns in an off-line manner. ToS and masquerading attacks can be problematic to carry out, since the attacker needs to know both the assigned downstream and upstream wavelengths, have the proper equipment with a broadband tuneable laser and a tuneable, narrowband receiver, and be able to track the changes in the wavelength allocation in the system. Since passive monitoring is highly problematic in WDM systems with random wavelength hopping, ToS is deprived of its information source, thus effectively making it virtually impossible to conduct.

RAW DATA RATE UPGRADE: SCENARIO AND SECURITY CONSIDERATIONS

Migration to higher data rates by targeting an increase of the available bandwidth is the simplest way to increase the supported subscriber population or to provide more bandwidth-demanding services to an already existing customer base. The EPON roadmap for the following years includes migration to a target data rate of 10 Gb/s. The current kick-off and Call For Interest (CFI [36]) for 10 Gb/s EPON systems indicate that, at least for now, the system capacity upgrade under consideration is mainly linked with an increase in the raw transmission channel data rate. With 10 Gb/s Ethernet systems already standardized by the IEEE community and advanced research carried out for 40 and 100 Gb/s Ethernet solutions, a raw data rate upgrade while maintaining the same wavelength channel count seems an attractive solution. In order to allow for an incremental system capacity upgrade, only part of the subscriber base (e.g., premium customers) might be moved to the 10 Gb/s solution at first, and since 10 Gb/s and 1 Gb/s might share the same hardware resources, the already deployed fiber plant can be reused, providing that the assumed target reach does not introduce unfavorable conditions for 10 Gb/s Ethernet transmission. The raw data rate upgrade scenario is effectively limited to increasing the clock rate of the transmitted data stream, while the basic functionality and mechanisms for data delivery and security provisions remain the same. As such, this particular scenario does not improve overall EPON system security, apart from the fact that passive data mining at higher data rates requires prohibitively expensive equipment and increased processing power, which may not be available to malicious subscribers attempting to gain unauthorized access to the transmission media. It must be noted, though, that the very same forms of network structure attack described in detail in this article would also be possible in higher data rate EPON systems, thus indicating the need for effective and scalable security solutions.

MIXED UPGRADE: SCENARIO AND SECURITY CONSIDERATIONS

The most interesting system capacity upgrade scenarios include both a WDM overlay and a raw data rate upgrade, resulting in a significantly increased amount of subscriber-accessible bandwidth while making the best of both system capacity upgrade scenarios. Typically, two mixed upgrade scenarios are possible:
• A WDM scenario similar to the one employed in 10GBASE-LX4 systems, where four 2.5 Gb/s transmission channels are multiplexed into a single transmission fiber, carrying in total 10 Gb/s of subscriber data and delivering four data streams to each ONU. This particular scenario allows each ONU to keep using lower cost electronic circuitry, required to operate at 2.5 Gb/s rather than 10 Gb/s, though at the same time it multiplies (four times) the number of receivers and requires data stream recovery processing. Such a solution is therefore most attractive when deploying 10 Gb/s EPON systems over very low-grade OSP, though as previously discussed this might not be the case, as existing OSP is relatively new and features low dispersion fibers.
• The second upgrade scenario assumes that the ONU maintains its single transceiver module, tuned to receive one of four downstream wavelengths, thus providing a 2.5-fold capacity increase per ONU (from 1 to 2.5 Gb/s in the downstream direction). A number of ONUs can be supported per downstream wavelength, providing higher flexibility in future potential system extension, where only new downstream wavelengths are added, along with deploying properly tuned ONUs. The obvious drawback is that a single ONU does not have access to the full 10 Gb/s downstream channel; thus, the capacity upgrade in this case is achieved by reducing the number of ONUs serviced per single wavelength. Additionally, it is typically expected that such a mixed system capacity upgrade is related with maintaining the 1 Gb/s upstream transmission speed, since deploying multiple laser sources in ONU modules is still too expensive at the current development stage and does not allow for a cost-effective solution.
The mixed upgrade scenario suffers from all the disadvantages of the current EPON systems, since the TDMA channel sharing mechanism is not eliminated, while the introduction of WDMA provides increased intradomain security, as described above. Therefore, even though this scenario is the most attractive as far as the increased channel capacity is concerned, general data security is only slightly improved, mainly due to the limitation of the size of a single administration domain (fewer customers per wavelength) and the isolation of individual administration domains in the frequency spectrum.

SPATIAL UPGRADE: SCENARIO AND SECURITY CONSIDERATIONS

Providing that fiber prices diminish significantly in the future following an increased market demand, a simple spatial upgrade might be considered, where a subset of preselected ONUs is simply relocated into a new EPON instance. In this scenario, a new trunk fiber is deployed from the CO, spanning all the way to the PSC, and some branches are reattached to the new trunk fiber (and a new splitter). To avoid the cost of additional fiber deployment, this upgrade fiber can be predeployed at the time of the original deployment. The spatial upgrade scenario does not resolve any of the security problems characteristic of the PON shared medium, since the network structure remains virtually unchanged, except for the number of connected ONU modules. As such, this particular OSP upgrade path will suffer from the very same security issues as the current EPON systems:
• The decreased size of a single PON domain means that fewer customers are affected by a localized network attack, including DoS, where only one of the local EPON system branches can suffer at a time. A network attacker can thus directly influence only the network branch he is connected to, while other branches operate under normal conditions.
• Passive monitoring and ToS attacks become easier to identify and isolate due to the decreased number of subscribers in the given administration domain. A ToS exploit results in a significant alteration of the traffic pattern and activity characteristics of the target ONU/subscriber, and thus can be detected, providing that a number of traffic statistics are maintained for the given domain. In the case of an increased number of subscribers, such statistics are difficult to maintain and analyze, mainly due to the amount of data which has to be sifted through.

GENERAL CONSIDERATIONS AND CONCLUSIONS

When considering security mechanisms at the link layer for application in EPONs, several myths must be refuted. For many years it was commonly accepted that Ethernet as a transport layer did not need any security mechanisms, mainly due to its P2P nature and deployment in inherently safe environments, typically located within a single building, under strict supervision from IT staff. However, Ethernet migration to access networks, which by their nature have a more open architecture and can be subject to more dangerous security breaches, interconnecting residential and business customers with inherently different security management policies and awareness, requires flexible security mechanisms with the highest possible resilience to any system level attacks. Another commonly accepted misconception is that encryption is expensive and time consuming. This might hold true for a large corporate server, where all internal communications pass through such a gateway and only then are relayed to outside routers. However, in the case of EPON systems, all security features could be included in silicon (hardware level) rather than in software operating on top of a busy server, which would cause overall network performance degradation. Moreover, a silicon-based solution does not necessarily have to be expensive, especially in the era of programmable logic, multifunctional microprocessors, and very short development cycles for ASIC chips. An additional factor which is typically omitted in this context is the scale factor: once EPONs become a widely deployed type of access network (which is actually under way right now, at least in Japan [37], Korea and China [38–43], as well as in the United States [44, 45] and Europe [41, 46]), the cost of manufacturing and deploying a commonly adopted security mechanism on silicon will fall dramatically, adding at the same time to the marketing value and attractiveness of the overall solution. The last, but not least, myth about security in optical networks is related to their very nature: some believe that, since the transmission channel is passive and uses optical fiber instead of a standard copper line transmission medium, there is no electromagnetic interference and thus no way to eavesdrop on the data stream.
This particular idea probably stems from the comparison of optical and wireless networks with their broadcast transmissions and ease of eavesdropping in the latter. However, as indicated clearly in the section “Eavesdropping in EPONs” above, data mining (in particular, passive monitoring) is also possible in PON systems, and actually constitutes one of the first attacks to be attempted upon such networks.

ACKNOWLEDGMENTS

The authors would like to acknowledge Glen Kramer (Teknovus Inc., Petaluma, CA) and Nuno Borges (Siemens Networks S.A., Portugal) for being open to all questions related to EPONs. We would also like to thank the anonymous reviewers for their constructive criticism and insightful comments. The authors kindly acknowledge financial support from Fundação para a Ciência e a Tecnologia, Portugal, through the grant contract SFRH/BDE/15524/2004 and from Siemens S.A., Portugal.

REFERENCES

[1] IEEE, “802.3,” IEEE Standard, 2005.
[2] M. Hajduczenia, H. J. A. da Silva, and P. P. Monteiro, “EPON versus APON and GPON: a Detailed Performance Comparison,” OSA J. Opt. Net., vol. 5, 2006, pp. 298–319.
[3] G. Kramer, Ethernet Passive Optical Networks, 1st ed., New York: McGraw-Hill, 2005.
[4] M. P. McGarry, M. Maier, and M. Reisslein, “Ethernet PONs: A Survey of Dynamic Bandwidth Allocation (DBA) Algorithms,” IEEE Commun. Mag., vol. 42, 2004, pp. S8–S15.
[5] G. Kramer, B. Mukherjee, and G. Pesavento, “Interleaved Polling with Adaptive Cycle Time (IPACT): A Dynamic Bandwidth Distribution Scheme in an Optical Access Network,” Photonic Network Commun., vol. 4, 2002, pp. 89–107.
[6] H.-J. Byun, J.-M. Nho, and J.-T. Lim, “Dynamic Bandwidth Allocation Algorithm in Ethernet Passive Optical Networks,” IEEE Electron. Letters, vol. 39, 2003, pp. 1001–02.
[7] L. Zhang et al., “Dual DEB-GPS Scheduler for Delay-Constraint Applications in Ethernet Passive Optical Networks,” IEICE Trans. Commun., vol. E86-B, 2003, pp. 1575–84.
[8] S.-I. Choi and J.-D. Huh, “Dynamic Bandwidth Allocation Algorithm for Multimedia Services over Ethernet PONs,” ETRI Journal, vol. 24, 2002, pp. 465–68.
[9] M. Ma, Y. Zhu, and T. H. Cheng, “A Bandwidth Guaranteed Polling MAC Protocol for Ethernet Passive Optical Networks,” presented at IEEE INFOCOM 2003, San Francisco, CA, 2003.
[10] C. Chang-Joon, E. Wong, and R. S. Tucker, “Optical CSMA/CD Media Access Scheme for Ethernet Over Passive Optical Network,” IEEE Photonics Technology Letters, vol. 14, 2002, pp. 711–13.
[11] S. R. Sherif et al., “A Novel Decentralized Ethernet-Based PON Access Architecture for Provisioning Differentiated QoS,” IEEE J. Lightwave Tech., vol. 22, 2004, pp. 2483–97.
[12] G. Kramer, B. Mukherjee, and A. Maislos, Multiprotocol over DWDM: Building the Next Generation Optical Internet: Ethernet Passive Optical Networks, Hoboken, NJ: Wiley, 2003.
[13] O.-P. Pohjola and A. Tervonen, “Secure Upstream Transmission in Passive Optical Networks,” U.S. Patent Application US 2005/0074239 A1, 2005.
[14] G. Kramer, B. Mukherjee, and G. Pesavento, “IPACT: A Dynamic Protocol for an Ethernet PON (EPON),” IEEE Commun. Mag., vol. 40, 2002, pp. 74–80.
[15] G. Kramer et al., “Fair Queuing With Service Envelopes (FQSE): A Cousin-Fair Hierarchical Scheduler for Subscriber Access Networks,” IEEE JSAC, vol. 22, 2004, pp. 1497–513.
[16] K. Murakami, Y. Fujimoto, and O. Yoshihara, “Authentication and Encryption in EPON,” IEEE 802.3ah Ethernet in the First Mile (white paper), 2002.
[17] J. Kim, “Authentication and Privacy in EPON,” IEEE 802.3ah Ethernet in the First Mile (white paper), 2002.
[18] D. Romascanu and C. Ribeiro, “Security Aspects of the OAM Protocol for EFM,” IEEE 802.3ah Ethernet in the First Mile (white paper), 2002.
[19] A. Gummalla et al., “Security Threats and Mechanisms,” IEEE 802.3 EFM (white paper), 2001.
[20] O. Haran, “Ethernet PON, Security Considerations,” IEEE 802.3ah Ethernet in the First Mile (white paper), 2001.
[21] Y. L. Goff et al., “Encryption Layer Comparison,” IEEE 802.3ah Ethernet in the First Mile (white paper), 2002.
[22] O.-P. Hiironen, A. Pietiläinen, and A. Nylund, “Privacy in EPON,” IEEE 802.3ah Ethernet in the First Mile (white paper), 2002.
[23] S. J. Park, “Analysis of AES Hardware Implementations,” Department of Electrical & Computer Engineering, Oregon State University, Corvallis, OR (white paper), 2005, http://islab.oregonstate.edu/koc/ece679/project/2003/park.pdf
[24] “Federal Information Processing Standard 197, Advanced Encryption Standard,” National Institute of Standards and Technology, U.S. Department of Commerce, 2001.
[25] M. Dworkin, “Recommendation for Block Cipher Modes of Operation — Methods and Techniques,” National Institute of Standards and Technology, 2001.
[26] G. Kramer et al., “Method for data encryption in an Ethernet Passive Optical Network,” U.S. Patent Application US2005/0201554A1, 2005.
[27] L. D. Davis, “Method and Apparatus for Bandwidth-Efficient Multicast in Ethernet Passive Optical Networks,” U.S. Patent Application US2005/0100036A1, 2005.
[28] J.-Y. Song et al., “Method for Checking Multicast LLID Transmission in Ethernet Passive Optical Networks,” U.S. Patent Application US2004/0057431A1, 2004.
[29] J. S. Sung, T. I. Kim, and H. H. Lee, “Method for Supporting Multicast Service in Ethernet Passive Optical Network System,” U.S. Patent Application US2005/0135365A1, 2005.
[30] S.-H. Kim, Y.-S. Kim, and Y.-J. Oh, “Authentication Method and Apparatus in EPON,” U.S. Patent Application US2004/0179521A1, 2004.
[31] A.-J. Kim et al., “Method for Transmitting Security Data in Ethernet Passive Optical Network System,” U.S. Patent Application US2004/0028409A1, 2004.
[32] H.-P. Lee et al., “Gigabit Ethernet-based Passive Optical Network and Data Encryption Method,” U.S. Patent Application US2005/0047602A1, 2005.
[33] H.-P. Lee and W.-J. Sung, “Gigabit Ethernet Passive Optical Network for Securely Transferring Data Through Exchange of Encryption Key and Data Encryption Method Using the Same,” U.S. Patent Application US2005/0135609A1, 2005.
[34] K. S. Han, K. O. Kim, and T. W. Yoo, “MAC Security Entity for Link Security Entity and Transmitting and Receiving Method Thereof,” U.S. Patent Application US2006/0136715A1, 2006.
[35] J. S. Eun et al., “Authentication Method for Link Protection in Ethernet Passive Optical Network,” U.S. Patent Application US2006/0129814A1, 2006.
[36] IEEE 802.3, “Call For Interest: 10 Gb/s PHY for EPON,” online report, 2006, http://www.ieee802.org/3/cfi/0306_1/cfi_0306_1.pdf
[37] H. Shinohara, “Broadband Access in Japan: Rapidly Growing FTTH Market,” IEEE Commun. Mag., vol. 43, 2005, pp. 72–78.
[38] C. Mathas, “One Million bi-di FTTH Transceivers Shipped,” Network Systems Designline, 2006.
[39] N. Yoshimoto, “NTT’s Deployment of FTTH Services and Future Developments,” presented at FTTH Council Conf., Las Vegas, NV, 2005.
[40] E. Shraga, “GPON and EPON (GE-PON) Economical Comparison,” FlexLight Networks, June 2005.
[41] H. Tauber, “European FTTH: time for a last-minute equalizer?,” Fiber Systems Europe, vol. 11, 2005, pp. 16–18.
[42] G. Kramer and G. Pesavento, “EPON: Challenges in Building a Next Generation Access Network,” presented at 1st Int’l. Wksp. Community Networks and FTTH/P/x, Dallas, TX, 2003.
[43] O. Haran and M. Abrams, “The Case for Ethernet in FTTH,” presented at FTTH Council Conf., Las Vegas, NV, 2005.
[44] M. Abrams et al., “FTTP Deployments in the United States and Japan — Equipment Choices and Service Provider Imperatives,” IEEE J. Lightwave Tech., vol. 23, 2005, pp. 236–46.
[45] A. Maislos and M. Abrams, “Fiber Deployment in the United States: Let’s Learn from Japan!,” presented at FTTH Council Conf., Las Vegas, NV, 2005.
[46] G. Finnie, “Next-Generation Broadband in Europe: the Need for Speed,” Heavy Reading, vol. 3, 2005, p. 59.

BIOGRAPHIES

MAREK HAJDUCZENIA ([email protected]) received M.Sc. and Engineer diplomas in the field of electronics and telecommunication, with a specialization in optical transmission systems, from the Technical University in Bialystok, Poland, in June 2003 (with honors). In 2004 he was accepted for Ph.D. studies at the University of Coimbra, Portugal, at the Department of Electrical and Computer Engineering, where he is currently working toward a Ph.D. degree in electrical engineering. He is currently a research Ph.D. student working at Siemens Networks, S.A., Portugal, on projects connected with next-generation EPONs (dynamic bandwidth allocation schemes, network architectures). His main research interests include self-similar stochastic processes, the control and management layer of access networks, IPv4/IPv6 transition problems, and optical burst switching. His major interests are in the areas of computer simulation and modeling of high-speed telecommunication systems.

PEDRO R. M. INACIO ([email protected]) received a degree in Mathematics/Informatics from the University of Beira Interior in 2005. In the same year he was accepted for a Ph.D. course at the University of Beira Interior, Portugal. He is currently a research Ph.D. student working at Siemens Networks, S.A., Portugal, on projects related to network security, namely intrusion detection, cryptography, and key exchange mechanisms. His main research interests include analysis of the self-similarity of network traffic, security mechanisms for information networks, and cryptography.

HENRIQUE J. A. DA SILVA ([email protected]) received a Ph.D. degree in communication systems engineering from the University of Wales, United Kingdom, in 1988. Since then he has been with the Department of Electrical and Computer Engineering at the University of Coimbra, where he is now an associate professor. He has been the leader of the Optical Communications Group of Instituto de Telecomunicações at Coimbra, Portugal, since 1992. His research interests include optical and mobile communication systems, with emphasis on enabling technologies and transmission techniques. He is a member of the IEEE Communications Society and of the IEEE Lasers and Electro-Optics Society.

MARIO MARQUES FREIRE ([email protected]) received a five-year B.S. in electrical engineering and an M.Sc. degree in systems and automation in 1992 and 1994, respectively, from the University of Coimbra, Portugal. He received a Ph.D. degree in electrical engineering from the University of Beira Interior, Portugal, in 2000. Presently, he is an Associate Professor at the Department of Informatics of the University of Beira Interior, Covilhã, Portugal, where he is the Head of the Department and the Director of the M.Sc. course in Informatics Engineering. He is also the leader of the Network and Multimedia Computing Group. His main research interests include high-speed networks and Internet technologies. He has been the editor of two books and has authored or coauthored around 90 papers in international refereed journals and conferences. He has served as a technical program committee member for several dozen IEEE and IASTED conferences. He was the General Chair of IEEE HSNMC’2003 and a General Co-Chair of ECUMN’2004, and he is the TPC Chair of ICN’2005. He is also a member of the editorial review board of the International Journal of Business Data Communications and Networking. He is a licensed Professional Engineer by the Order of Engineers — Informatics College (Portugal), and he is a member of the IEEE Computer Society, the IEEE Communications Society, ACM SIGCOMM, ACM SIGSAC, and the Internet Society.

PAULO P. MONTEIRO ([email protected]) received diploma and doctoral degrees in electronics and telecommunications from the University of Aveiro and an M.Sc. (Eng) degree from the University of Wales, UK. He is in research management of Optical Networks at Siemens Networks, S.A. (Portugal) and an Associate Professor at the University of Aveiro, where he has been teaching courses in telecommunications and computer science. He is also a researcher at the Instituto de Telecomunicações. His main research interests include high-speed optical networks, protocols, and network management. He has acted as a reviewer for the IEEE Journal of Lightwave Technology, IEE Electronics Letters, and ETRI Journal. He has participated in the European projects RACE R1051 (Multi-Gigabit Transmission in the IBCN Subscriber Loop) and R2011 ((HD) TV Transport on Very High Bitrate Optical Links); in the ACTS projects ESTHER (Exploitation of Soliton Transmission Highways in the European Ring), UPGRADE (High Bitrate 1300 nm Upgrade of the European Standard Single-Mode Fibre Network), and SPEED (Superhighway by Photonically and Electronically Enhanced Digital transmission); in the IST projects ATLAS (All-optical Terabit per second Lambda-Shifted), MUFINS (Multi-Functional Integrated Arrays of Interferometric Switches), and TRIUMPH (Transparent Ring Interconnection Using Multi-wavelength Photonic Switches); and in the Eureka projects THE MOST (Highly Efficient Micro & millimetre-wave Optical Smart Transceivers) and OPTRONET (OPtimized Transponders for Robust Optical NETworks). He has authored/co-authored more than 150 papers in journals and conferences.
