1. Field of the Invention
The invention relates to communication networks and optical transmission technology. Particularly, the invention relates to Ethernet passive optical networks and improving security therein using optical disturbing reflectors.
2. Description of the Related Art
In the last few years the requirements for consumer bandwidth have grown rapidly. To meet the demand for increased bandwidth new access network technologies have been developed. One such technology is based on the Institute of Electrical and Electronics Engineers (IEEE) 802.3ah standard. 802.3ah is a trademark of the IEEE Inc. The standard is also known as Ethernet in the First Mile (EFM). The aim of IEEE 802.3ah is to bring Ethernet to ordinary consumers, thereby becoming an alternative for modem dial up lines and DSL connections as the primary access between a consumer and her internet service provider. The IEEE 802.3ah standard also introduces the Ethernet Passive Optical Networks (EPON) concept. The EPON is a Point-to-Multipoint (P2MP) network topology. The topology is implemented with passive optical splitters and Media Access Control (MAC) and MAC Control sublayers and physical layers that support this topology.
Reference is now made to FIG. 1, which illustrates the architecture of a prior art EPON. The EPON comprises a HUB 100, to which an optical fiber 120 is connected. HUB 100 may be a passive physical layer signal repeater or a higher protocol layer equipment such as a bridge or a router. In some contexts a HUB is also referred to as an OLT (Optical Line Terminal). For the purpose of this invention a HUB such as HUB 100 is generally any kind of piece of network equipment that engages in communication with at least one optical network unit in the EPON or other equivalent medium. The optical fiber must be connected to Optical Network Units (ONU) 110, 112, 114 and 116. Typically, the ONUs are located in customer premises. HUB 100 connects the EPON to an Internet Service Provider (ISP) access router or similar equipment via an upstream connection 128. In order to accomplish the connecting of HUB 100 to each of the ONUs 110-116, an optical fiber 120 connects to an optical splitter 102, which connects to fibers 121 and 122. Fiber 121 connects to fibers 123 and 124 via an optical splitter 104. Finally, fiber 123 is connected to ONU 110, fiber 124 to ONU 112, a fiber 125 to ONU 114 and a fiber 126 to ONU 116. The direction from the ONUs 110-116 towards HUB 100 is referred to as upstream, whereas the opposite direction from HUB 100 towards the ONUs 110-116 is referred to as downstream. A signal 130, 131 transmitted from ONU 110 traverses towards HUB 100 via optical splitters 104 and 102. However, a part of signal 130 may be reflected, for instance, from splitter 104 making the signal perceivable at ONU 112. Upstream and downstream signal traverses in the same fiber using different wavelengths. Other option is to have separate fiber for up and downstream but this does not remove the security problem.
The drawback of the prior art IEEE 802.3ah is that the upstream traffic from any given ONU may be detectable from other ONU access points due to various unwanted signal reflections. The unwanted signal reflections may not be removed or even noticed from the network beforehand. The problem is further illustrated in FIG. 2. An ONU 202 transmits a signal 220 that is to be received exclusively by a HUB 230. Along the transmission path from ONU 202 to HUB 230, there is at least a first fiber 212, an optical splitter 200 and a second fiber 210. Fiber 210 connects to at least two fibers 212 and 214 by means of optical splitter 200. Associated with fiber 210 is also a reflecting element 206, which reflects part of signal 220 as a reflection 222, which is an unwanted reflection Reflection 222 is in turn split at optical splitter 200 and becomes perceivable at an ONU 204. Reflecting element 206 can be, for instance, a fiber connector, a fiber breaking point, an open fiber end or a second splitter along the fiber path between ONU 202 and HUB 230. Reflecting elements where discrete back reflections may occur cause privacy and confidentiality problems in EPONs. The most critical places in EPONs are on the upstream side of the splitter that is closest to the transmitting user.
In order to overcome these problems various solutions have been proposed in prior art. One such solution is to use encryption for the upstream data traffic, for instance, so that an encrypted point-to-point data link layer connection is formed between HUB 230 and transmitting ONU 202. The encryption may be based on a symmetric encryption method or an asymmetric encryption method. However, due to the point-to-multi point nature of EPONs, the downstream traffic from HUB 230 to a given ONU may be encrypted in order to prevent eavesdropping by other ONUs connected to the same EPON. The key exchange mechanisms to be used in the case where the upstream connection cannot be regarded as secure, are vastly more complicated compared to the case where the upstream connection can be regarded as reliable. By a secure connection in this case is meant a connection supporting privacy and confidentiality. More complicated mechanisms always leads to the consumption of processing capacity, for example, in ONUs 202, 204, and delays in transmission. Encryption is not a mandatory feature as such in EPON. In some implementations the system could be used without encryption.
An example of a key exchange mechanism to be used when the upstream connection is not reliable is the Diffie-Hellman protocol, which is disclosed, for example, in IETF RFC 2631. If the upstream connection is secure, the establishing of a secure downstream connection from, for example, HUB 230 to ONU 202, is rather easy. For example, it is sufficient to transmit a shared secret or encryption key from ONU 202 to HUB 230 prior to downstream signal transmission.
If separate fiber is used for up and downstream optical isolators can be used to overcome the security problems. This is a rather expensive solution.