[Virtual Presenter] Good morning, everyone. Today we will be reviewing XG-PON security and exploring the various methods of authentication and protection this technology offers. We are going to take a deep look into how XG-PON can help protect against threats such as replacing or re-programming an ONU, connecting a malicious device at various points on the infrastructure, and recording/replaying packets. We will also cover optional registration-ID-based authentication, secure mutual authentication, and OMCI-based and IEEE 802.1X-based methods. Let's begin.
[Audio] XG-PON security is designed to protect against malicious users who are potentially capable of replacing or re-programming ONUs and receiving downstream data or forging packets. This slide will explore the different aspects of XG-PON security, and the following slides will go into more detail on the threats these features are designed to protect against.
[Audio] We will be looking at XG-PON security to protect against potential threats like malicious devices connected to the infrastructure. For instance, tampering with street cabinets, spare ports or fibre cables could lead to interception or generation of traffic and the possible impersonation of an OLT or ONU. Moreover, malicious users could record and replay packets over the PON or conduct bit-flipping attacks. To safeguard an economical approach, some XG-PON security features can be used as an optional measure. Let us now look into these security features further.
[Audio] This slide examines the security measures put in place for XG-PON technology. These include authenticating the optical line terminal (OLT) to the optical network unit (ONU) and vice versa, as well as the use of pre-shared keys, OMCI and IEEE 802.1X solutions. These all guarantee secure connections and restrict potential malicious activities.
[Audio] XG-PON networks use a registration-based authentication procedure to ensure secure communication between the OLT and the ONU. This involves deriving a master session key, or MSK, from the ONU registration ID. This MSK is a 128-bit value used to generate all the other secret keys for secure communication.
[Audio] The slide is centered on the security component of an XG-PON network. It explicitly shows registration-ID-based authentication and its benefits to generate session keys. This authentication process averts unauthorized access to the PON network. The session key is formed by combining the ONU serial number, PON-TAG and a hexadecimal representation of the ASCII string into an information message. This session key is employed for further key derivations. Securing the PON network in this fashion guarantees dependable connections and privacy of data.
[Audio] Slide 7 focuses on derived shared keys and more specifically on the OMCI integrity key, OMCI_IK. The OMCI_IK is used to generate and verify the integrity of OMCI messages. In order to do this, the OMCI_IK is derived from the SK, or shared key, by a specific formula. This formula uses the AES-CMAC function, which is 128 bits long and uses a specific hexadecimal representation of the ASCII string "OMCIIntegrityKey" in its information message parameter.
[Audio] In this slide we'll be discussing the second part of the derived shared keys, known as the PLOAM_IK. This is an integrity key used to generate and verify the integrity of XGTC-layer unicast PLOAM messages. The PLOAM_IK is derived from an SK via the AES-CMAC function, and the information message parameter of this function is 128 bits long. As for downstream broadcast PLOAM messages and for unicast PLOAM messages exchanged during ONU activation before the availability of the registration-based MSK, the default PLOAM_IK value is used.
[Audio] Slide 9 takes a look at derived shared keys. A key encryption key, also known as KEK, is used to encrypt and decrypt data encryption keys that are carried in the PLOAM channel. It is derived from a shared key by using the AES-CMAC function, which is an algorithm designed to encrypt and decrypt data keys. The information message parameter of the AES-CMAC function is 128 bits in size and consists of the hexadecimal representation of the ASCII string "KeyEncryptionKey".
[Audio] This slide provides an overview of the security features implemented in the XG-PON technology. XG-PON's two derived keys, PLOAM_IK and OMCI_IK, are used to authenticate and secure communication between both sides of the access network. PLOAM_IK is used to authenticate the ONT's access to the OLT and encrypt the data flows. OMCI_IK is used to secure the configuration and management of the ONU and its services. Together, these two keys ensure the security of the whole system and protect all the service-level communications.
[Audio] Slide 11 examines integrity protection and data origin verification for PLOAM, a significant security consideration for upstream and downstream transmissions. Each PLOAM message contains an 8-byte message integrity check (MIC) field utilized for sender identity validation and to prevent forgery. The MIC is calculated using the PLOAM integrity key and the 40-byte PLOAM message content. Additionally, the direction code is employed to differentiate between upstream and downstream messages. Realizing the importance of this security protocol allows us to guarantee our transmissions are secure.
[Audio] For secure data transmissions, integrity protection and data origin verification are applied to the Physical Link Operations Administration Management (PLOAM) messages. Slide 12 of this presentation focuses on these security measures, which involve the use of cryptographic algorithms to add an extra layer of protection to PLOAM transmissions, as depicted in the images on the slide. This helps to detect any unauthorized modification of the messages and any attempts to spoof them.
[Audio] XG-PON, the latest in optical access network technology, provides integrity protection and data origin verification for OMCI through a 4-byte message integrity check (MIC) field. The MIC is calculated by combining the OMCI integrity key and OMCI message content, dependent on the direction code, either downstream or upstream. This allows both the sender and receiver to calculate the MIC field to ensure secure communication.
[Audio] This slide will cover the security measures taken to protect the Optical Multi-Point Control Interface (OMCI), including unauthorized access prevention, data modification prevention and thwarting of malicious activities. We will also look at how XG-PON applies advanced encryption methods to ensure the data transmitted is not tampered with or intercepted.
[Audio] Today we will be discussing XG-PON security. XG-PON is an optical fibre technology that uses integrity and data origin verification key switching to ensure secure communication. This key is initially set as the default value of (0x55)₁₆ when the ONU activation starts. With successful communication, a basic MSK is established and all the derivative shared keys are obtained. The specified messages, such as the broadcast PLOAM messages, require a MIC that is generated with the default PLOAM integrity key. This ensures continued secure communication even if the OLT and ONU no longer agree on the keys.
[Audio] Authentication for XG-PON security is implemented as a three-step symmetric-key-based challenge-response procedure. The OLT writes the OLT random challenge table attribute, then refrains from sending any OMCI messages unrelated to the authentication. The ONU then generates a random challenge, calculates the response to the OLT challenge and initiates the secure MSK and derived shared key calculation procedure. After being computed, the secure keys are stored for later use.
[Audio] The XG-PON standard is continuously being developed to create a secure network impervious to external threats. An essential feature of this standard is a secure mutual authentication process. OMCI-based authentication can deliver this requirement. The OMCI protocol sets up a verifiable session to validate the access point and user before creating a connection. This grants a secure connection with access control and confidentiality for data.
[Audio] We will discuss the key switching process for secure mutual authentication in XG-PON networks, which is based on OMCI-based authentication. Upon receipt of an authentication request from the OLT, the ONU must verify the OLT's authentication status and commit the new OMCI_IK. This is done by transmitting an attribute value change on the ONU authentication state attribute, utilising the next available default Alloc-ID grant opportunity. The AVC message will be generated with the new OMCI_IK, which will then become active at the ONU.
[Audio] The OLT, in order to secure XG-PON networks, initiates a PLOAM handshake with the ONU. This handshake is intended to activate secure shared keys if authentication is successful, and to obtain registration-based MSK and derived shared keys if authentication fails. This handshake is safeguarded with the default PLOAM_IK. Upon sending the Request_Registration message, the OLT will commit the new PLOAM_IK as active on transmit.
[Audio] We have discussed key switching for OMCI-based secure mutual authentication in this slide. This involves the reception of a Request_Registration PLOAM message from the OLT; then an upstream Registration PLOAM message is generated from the ONU and protected with the default PLOAM_IK. When the message is transmitted, the ONU sets the new PLOAM_IK and KEK as active. Then, when the OLT receives the Registration message, it sets the PLOAM_IK and KEK as active, concluding the key switching procedure. That concludes our presentation. Thank you.