Various methods and systems for securing data transport in communication networks, and in particular for securing data transport in an Ethernet Passive Optical Network (EPON), are possible. These methods and systems may improve on existing security standards, for example the MACsec (Medium Access Control security) standards set out in IEEE 802.1AE and 802.1af, published in 2006 by The Institute of Electrical and Electronics Engineers, Inc., 3 Park Avenue, New York, N.Y. 10016-5997, USA.
Illustrated in FIG. 1 is an example of an EPON 10. EPON 10 includes an Optical Line Terminal (OLT 12), which coordinates communication in EPON 10 over a single, shared optical trunk fiber 15. Inexpensive optical splitters 18a and 18b divide trunk fiber 15 into separate strands (branch fibers 16a, 16b, 16c, 16d, 16e, 16f and 16g) which feed N=6 individual Optical Network Units (ONUs) 14a, 14b, 14c, 14d, 14e and 14f, the subscribers to the network. EPON 10 is called “passive” because the active components of the network are located at the end points (OLT 12 and ONUs 14a-f); EPON 10 does not require active electronics within the access network.
EPON 10 uses N+1 optical transceivers (OT) 22a, 22b, 22c, 22d, 22e, 22f, 22g. EPON 10 requires no electrical power in the field. The drop throughput can be up to the line rate on the trunk link. EPON 10 can support downstream (from OLT 12 to multiple ONUs 14a-f) broadcast such as video.
EPON 10 is based on the Ethernet standard. Ethernet standards enable economies of scale and provide simple, easy-to-manage connectivity to Ethernet-based equipment, both at the customer premises and at the central office. As with other Gigabit Ethernet and 10 Gigabit Ethernet media, EPON is well suited to carry packetized traffic, which is dominant at the access layer, as well as time-sensitive voice and video traffic.
EPON 10 is configured in full duplex mode (since all communication is coordinated by the OLT, there is no need for collision detection and arbitration, i.e. CSMA/CD) in a single-fiber point-to-multipoint (P2MP) topology. All subscribers (ONUs 14a-f) see all downstream (DS) traffic from OLT 12. Upstream (US) traffic (for example from ONU 14a) to OLT 12 is not to be seen by other subscribers (in the example, ONUs 14b-f), and peer-to-peer communication is done through OLT 12. OLT 12 allows only one subscriber at a time to transmit, using a Time Division Multiple Access (TDMA) protocol. Upstream and downstream traffic are transmitted at the same time using Wavelength Division Multiplexing (WDM).
EPON 10 introduces a security challenge because DS data is broadcast and exposed to all ONUs (14a-f). This creates a possibility of data snooping. Also, in the upstream (US) direction a hostile body (for example a rogue ONU) can forge packets and masquerade as a different ONU. Upstream data may also be considered not confidential, as there is a low level of reflected light power coming back from optical splitters 18a and 18b which might be snooped with the right equipment. Therefore a security scheme for EPON which is based on encryption of the data and authentication of the data is important. IEEE 802.1 defined a layer 2 (L2) security model and authentication mechanism in two specifications, 802.1ae and 802.1af.
The IEEE 802.3ah specification for Gigabit EPON and the IEEE 802.3av specification for 10 Gigabit EPON define a Multi-Point Control Protocol (MPCP) and a Point-to-Point Emulation (P2PE) necessary to build an EPON system. Industry standard protocols are reviewed by security experts and enable worldwide interoperability. IEEE 802.1ae and 802.1af are standardized security solutions for L2, meaning they provide security to the data transported in an L2 EPON by the following means: packet content is encrypted starting from the Ethernet header, and a message digest is appended. An AES-GCM encryption and authentication algorithm is used to encrypt and to authenticate the payload. A 128-bit key is used for the encryption. Key negotiation between the ONU and OLT is done through the 802.1af key exchange protocol. The security scheme allows both downstream and upstream encryption. The security standard allows handling of multicast traffic in a separate encrypted manner, by separating the groups under different keys and by allowing the specific single copy broadcast (SCB) traffic of the EPON to be handled under a separate key. The security standard also allows a few security offsets that expose the desired leading portion of the packet. The standard allows use of predefined offset values only. The smallest offset other than zero (which encrypts the entire packet) is 30 bytes, which exposes all data of the Ethernet header.
The current standards, as described above and in the IEEE 802.1ae and 802.1af specifications, lack security features that are desirable in an EPON environment. For example, according to current security protocols, MPCP messages cannot be encrypted. This leads to possible security breaches: for example, a hostile body can intercept the gate packets destined for a particular ONU and jam upstream traffic from that ONU. Another source of security breaches in the current standards is the limitation of offset values, which does not allow encryption of the standard Ethernet header and MAC addresses when an offset is in use. Thus, it is possible for a hostile body to identify a user by his MAC address, monitor the header information of the packet data and perform traffic analysis. A further source of security breaches under the current standards is that auto-discovery gate packets, registration requests and register packet messages are not encrypted, and therefore a hostile body can jam an ONU through false registration/deregistration requests. Another disadvantage of the current MACsec standards is that an encrypted packet must carry the full MACsec header, requiring increased bandwidth for all traffic inside the EPON.
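To make the offset mechanism of the two preceding paragraphs concrete, the following is an added Go example (not code from the page or from any standard's implementation) modelling a MACsec-style confidentiality offset over AES-GCM: the bytes before the offset travel in clear but are still covered by the ICV, so the exposure criticised above is a confidentiality gap rather than an integrity one. The frame layout is simplified, and the SecTAG stand-in, key, nonce and 30-byte header are constructed values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed model of a MACsec confidentiality offset (not a full 802.1AE
// frame): secTag and the first `offset` frame bytes are GCM AAD, i.e. sent in
// clear but covered by the ICV; everything after the offset is AES-GCM encrypted.
func NewOffsetAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128, as on the page
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealWithOffset returns exposed || ciphertext || 16-byte ICV.
func SealWithOffset(gcm cipher.AEAD, nonce, secTag, frame []byte, offset int) ([]byte, error) {
	if offset < 0 || offset > len(frame) {
		return nil, fmt.Errorf("offset %d outside %d-byte frame", offset, len(frame))
	}
	aad := append(append([]byte{}, secTag...), frame[:offset]...)
	return gcm.Seal(append([]byte{}, frame[:offset]...), nonce, frame[offset:], aad), nil
}

// OpenWithOffset verifies the ICV (exposed bytes included) and restores the frame.
func OpenWithOffset(gcm cipher.AEAD, nonce, secTag, wire []byte, offset int) ([]byte, error) {
	if offset < 0 || offset+gcm.Overhead() > len(wire) {
		return nil, fmt.Errorf("offset %d outside protected frame", offset)
	}
	aad := append(append([]byte{}, secTag...), wire[:offset]...)
	pt, err := gcm.Open(nil, nonce, wire[offset:], aad)
	if err != nil {
		return nil, err // any change, exposed header included, fails the ICV check
	}
	return append(append([]byte{}, wire[:offset]...), pt...), nil
}

func main() {
	gcm, _ := NewOffsetAEAD([]byte("0123456789abcdef")) // constructed key; cannot fail at 16 bytes
	nonce := []byte("unique-nonce")                     // constructed; a GCM nonce must never repeat under one key
	frame := append([]byte("DA=aa:bb:cc:dd:ee:ff SA=11:22:"), []byte("payload")...) // 30-byte header stand-in
	wire, _ := SealWithOffset(gcm, nonce, []byte("SecTAG"), frame, 30)
	fmt.Printf("readable on the wire with offset 30: %q\n", wire[:30])
}
```

With offset 0 the whole frame, header included, is encrypted; with offset 30 the header is readable by every ONU on the shared fiber, which is exactly the traffic-analysis exposure the text describes.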
There is thus a widely recognized need for, and it would be highly advantageous to have, improved security measures for securing data on an EPON network, and particularly for protecting upstream and downstream data, for preventing hostile identification and jamming of particular ONUs, and for reducing the bandwidth consumed by encrypted messages.