
Re: [LinkSec] EPON security
Marcus,

FSAN is in the process of upgrading the security system of APON as they
define the mechanism for the GPON specification. They do recognize that it is a
weak system. It was designed in 1995 with the intention of avoiding just
casual (non-sophisticated) intruders. And it relies on higher layer security
for strong protection. Also, the assumption was to consider the upstream a
secure channel. Therefore it only encrypts downstream but not upstream.

And going back to your question, it only supports point-to-point encryption.
Therefore, they do not support group keys.

We have members of FSAN on this list and they may be able to give you a more
recent summary of this activity. If you are interested in reading the APON spec,
FSAN made it available to the 802.3ah participants. So it is available in
the private area of 802.3ah.

We talked a little in the Vancouver meeting about the need for multicast and
group keys at layer two. We decided that more discussion was needed to
decide whether it was needed or not. So let me turn it around to you and ask
for your opinion, and others', on the subject.

The issue was: Most multicast traffic is encrypted at a higher layer
because it is an actual service such as movies. Therefore, can we always
rely on higher layer encryption when there are multiple destinations of a
traffic stream? Opinions?

My personal feeling is that we cannot. However, I have not been able to find
an example yet. But, even if all applications today encrypt at a higher layer,
the usage of these systems may evolve with new applications that do not.

There may also be an issue of demarcation, or provider responsibility. Do
the providers have the ability to say to their customers that they
provide secure point-to-point communication but the security of multicast
service is the customers' responsibility?

What is your opinion? Are there other factors to consider?

Dolors

----- Original Message -----
From: "Marcus Leech" <mleech@nortelnetworks.com>
To: <stds-802-linksec@ieee.org>
Sent: Tuesday, January 21, 2003 12:47 PM
Subject: [LinkSec] EPON security

>
> In both Antti's presentation in Vancouver, and in a paper by Liu, Valencia, and
>   Kabaya, encryption of the downstream link (OLT to ONU) is referred to frequently,
>   along with "key churn technology" (in the Liu, et al, paper).
>
> Does this imply a SHARED KEY in the downstream direction?  Inquiring minds want
>   to know...
>
> --
> ----------------------------------------------------------------------
> Marcus Leech                             Mail:   Dept 8M70, MS 012, FITZ
> Advisor                                  Phone: (ESN) 393-9145  +1 613 763 9145
> Security Architecture and Planning       Fax:   (ESN) 393-9435  +1 613 763 9435
> Nortel Networks                          mleech@nortelnetworks.com
> -----------------Expressed opinions are my own, not my employer's------
>