[afnog] GPON FTTH networks (in)security

Mark Tinka mark.tinka at seacom.mu
Mon Nov 7 07:05:31 UTC 2016

On 6/Nov/16 18:27, Loganaden Velvindron wrote:

> [speaking for myself only]
> We talk a lot about IPv6 as a primary requirement that all CPE should
> have, as IPv4 resources are depleting.

Right, but what does that have to do with the original subject of this

The insecurities identified in these GPON deployments would affect both
IPv4 and IPv6. So having a secure IPv6 on your CPE won't save you from the
issues that would affect IPv4.

This research is about the fundamental GPON technology and its
implementation with the various vendors in question.

> I see those as opportunities for us. The opportunity to learn from
> others' mistakes, and make the internet in Africa competitive. I see
> the FTTH, Mirai DDOS, and other recent problems as part of the same
> set of issues that could have been addressed by investing at the edge
> of the network. I would argue strongly that "investing in the edge"
> has very high return on investment for Afrinic members.

Well, the GPON tech. being run in France is not that dissimilar from
what is running in Africa. So not sure what you mean by "investing in
the edge", but in the context of this thread, perhaps you mean investing
in the time and energy to discover these issues and bring them to the
attention of both the operators and vendors.

Building a network is easy. Building a secure network (particularly a
consumer network); now that's a whole other discussion.

> For example, assuming there's a remote vulnerability that affects all
> FTTH CPE equipment in Mauritius. The market would react to this as:
> "Hey ISP, I don't want your equipment, it's insecure. Fix it or I go
> somewhere else". The ISP would then tell the equipment vendor to send
> it an updated firmware that it would deploy. This is how things should
> happen in a free market. The customers vote with their wallet.
> However, in our region, we do not have the "triggers" that make the
> market behave that way. We need those triggers to make ourselves
> competitive, and improve the quality of the internet in our region.
> Internet should be (relatively) cheap, reliable, secure & fast as far
> as ISP customers are concerned.

Vendors are strange things.

If you've had to deal with them for any extended period of time, you'd
realize it's not always that straightforward. I wish it were.

If you look at Pierre Kim's logs on his reporting timeline to
Orange, he submitted his findings to Orange on 11th May. He only makes
meaningful headway 5 months later. Granted, Orange aren't a vendor, but
you get the scale of the issue.

> Personally, I believe that it is financially feasible to make this a
> reality. I've seen ISPs sitting on a lot of money, but not knowing
> where to invest it. When you show them how they can improve the
> services for their own customers, some of them listen. Ultimately,
> having a good internet in Africa is just as important as having good
> roads.

DM me the names of those cash-laden ISPs. It's time for a consulting
gig :-)...
