[afnog] GPON FTTH networks (in)security

Loganaden Velvindron loganaden at gmail.com
Sun Nov 6 16:27:55 UTC 2016 

On Sun, Nov 6, 2016 at 4:06 PM, Mark Tinka <mark.tinka at seacom.mu> wrote:
>
>
> On 6/Nov/16 12:18, Loganaden Velvindron wrote:
>
> European ISPs have already invested in their FTTH infrastructure. By
> contrast we are still deploying the internet in our region. Instead of
> focusing so much resources on the core of the network, it makes
> economical sense to also invest in the edge of the network, by
> improving the security, instead of simply aiming for IPv6 deployment.
>
>
> I'm not sure what IPv6 has to do with it.
[speaking for myself only]

We talk a lot about IPv6 as a primary requirement that all CPE should
have, as IPv4 resources are depleting.

>
> FTTH is a Layer 2 service, so any insecurities would affect both IPv4 and
> IPv6.
>
> I will echo your sentiment that GPON, perhaps, was not built with the utmost
> security in mind. This is a problem that can be associated with several
> consumer technologies (the recent Dyn IoT issue being a clear example).
>
> The fact remains that GPON and Active-E are popular technologies in use to
> deliver FTTH services to consumers. So it is reasonable for clueful
> engineers such as Pierre Kim to bring these issues to the fore for both
> service providers and vendors to fix.
>

I see those as opportunities for us. The opportunity to learn from
others mistakes, and make the internet in Africa, competitive. I see
the FTTH, Mirai DDOS, and other recent problems as part of the same
set of issues that could have been addressed by investing at the edge
of the network. I would argue strongly that  "investing in the edge"
has very high return on investment for Afrinic members.

For example, assuming there's a remote vulnerability that affects all
FTTH CPE equipment in Mauritius. The market would react to this as:
"Hey ISP, I don't want your equipment, it's insecure. Fix it or I go
somewhere else". The ISP would then tell the equipment vendor to send
it an updated firmware that it would deploy. This is how things should
happen in a free market. The customers vote with their wallet.
However, in our region, we do not have the "triggers" that make the
market behave that way. We need those triggers to make ourselves
competitive, and improve the quality of the internet in our region.
Internet should be (relatively) cheap, reliable, secure & fast as far
as ISP customers are concerned.

Personally, I believe that it is financially feasible to make this a
reality. I've seen ISPs sitting on a lot of money, but not knowing
where to invest it. When you show them how they can improve the
services for their own customers, some of them listen. Ultimately,
having a good internet in Africa is just as important as having good
roads.

More information about the afnog mailing list