MALICIOUS ATTACKS IN PONS
Anton R. Saltykov,
Assistant Professor, the Bonch-Bruevich Saint-Petersburg State University of Telecommunications, Russia, Saint-Petersburg, [email protected]
Keywords: optical fiber networks, passive optical networks, risk mitigation and alarming schemes.
Recently, optical fiber networks are being deployed to reach directly to the homes (FTTH), buildings, street cabinets or small office parks; where the optical fiber plant is now exposed to more possibilities for unauthorized access or it is put in a fragile security situation by being so widely deployed. Private and public optical fiber networks today do not incorporate methods for detecting optical taps in real-time, thus offering an intruder a relatively easy and unno-ticeable opportunity to extract data and traffic information. As optical fiber access links transport large volumes of data; for example a single home connection is expected soon to operate a 1 Gbit/s, all optical methods are preferred instead of electronic inspection that will lead to high complexity due to high speed and throughput considerations. Moreover, optical methods for tap detection have the potential of being less intrusive and offer better reliability at lower complexity and cost.
Fiber macrobend tapping is a simple yet unsolved security breach in passive optical networks. In this paper the possibility of such attacks has been proved.
A number of measures to assure security have being proposed for optical access networks such as encryption methods in time division multiplexing passive optical networks (PON) optical fiber monitoring systems using an optical time domain reflectometer (OTDR) technique, and round-trip-time logic in PON operation, administration, and maintenance (OAM) function. However, little work has been done in order to detect and physical (optical)-layer security attacks such as tapping of optical power. In this paper, it's demonstrated that in a conventional TDM-PON, 1 -2% of optical power tapped by a fiber macrobend is sufficient to retrieve the transmitted information, but at the same time low enough for the attack to remain undetected by the management system.
I propose a hybrid monitoring system and localization algorithm capable of at the same determining which branch of a PON is under attack and locating the point of attack on an OTDR trace. The operational principle of the proposed scheme is based on the fact that optical fiber macrobends correspond to unreflecting heterogeneities. In combination with network management and initialization information, this allows for successful localization of the malicious attack.
This paper focuses on the conception and assessment of novel methods for monitoring and detection of un-authorized access and optical tapping in optical fiber access networks. This paper also considers a comprehensive formulation on vulnerability and risk criteria for possible malicious tapping scenarios and the development of corresponding techniques for risk mitigation and alarming schemes.
Introduction
The rapid growing deployment of fiber to the home {FTTH) networks implies that millions of end users will have access to optical fiber links. In this era, thousands of optical fibers are accommodated in a central office (CO). Passive Optical Networks {PONs) provide the main FTTN service based on Gigabit Ethernet PON (GE-PON), where several customers' optical network units (ONUs) share an optical line terminal (OLT) and an optical fiber [ I -2].
Thus protecting any security vulnerability at the optical access segment of the network becomes crucial for guaranty the security of the Internet. In this paper I have carried out consequently optical fiber macrobends investigation to estimate the boundary tapping conditions for potential intruder. For our researches we have analyzed and compared several most popular optical fiber (G.652) manufactures. Simulating different PON configurations we demonstrated that in a conventional TDM-PON, 1-2% of optical power tapped by fiber macrobend is sufficient to retrieve the transmitted information while the management system does not detect it. and the users don't notice any service degradation.
For the next step potential threshold of sensitivity for the state-of-the-art photoreceivers has been evaluated. It was proved that we can choose the optimum solution for photo-receiver to detect a low optical power levels corresponding the outermost cases of malicious attacks by macrobends creating in PONs.
A number of vulnerability levels have been identified, and a number of measures to assure security have being proposed for optical access networks such as encryption methods in time division multiplexing PON [3-5] optical fiber monitoring systems using an optical time domain reflectome-ter (OTDR) technique [6-9], and round-trip-time logic in PON operation, administration, and maintenance (OAM) function [10]. However, no methods or measures have been developed to cope with simple security attacks such as tapping of optical power, or for the detection and localization of the place in the network where the malicious attack is taking place. In this paper, we propose a new hybrid monitoring system and localization algorithm that is able to determine which branch of the PON is affected by a malicious macrobend tapping together with its location on an OTDR trace. The operational principle of our proposed detection and localization algorithm is based on the fact, that optical fiber macrobends corresponds to unreflecting heterogeneities and in combination with network management and initialization information successfully allows for the localization of malicious optical tapping points. A macrobends identification criterion was formed to identify a concrete branch fiber where the malicious macrobend can take a place.
Part I. Macrobends investigation in PONs
Theoretically we can consider and calculate bend losses in optical fiber. Through analyzing of the different types of glass fibers (there is a difference between core/cladding and cladding/coating interfaces) we have used the Sellmeier expression which can be applied both for MMF and for SMF. The refraction index is estimated by the following expression:
A.-X2
(I)
M^-Xf}
where, A, and X,y{i=l, 2, 3) can be taken from the Sellmeier's
coefficient table. Let us assume that cladding is purely Si02. Then refraction index of core can be found as following expression:
I ndaük "fe"
cladding
A
(2)
Theoretically core radius can be calculated as result of the next equation:
2 v (3)
a - w—
In
2 xyNA
where, NA is fiber numerical aperture; h> is fiber mode field diameter;
In tab.! I have considered and compared the four most popular optical fiber (G.652) manufacturers:
Table I
Parameter
Mode field diameter, m km
L=l550nm
Parameter of Index profile, %_
Corning SMF-28, SMF-28e
9,2 ±0,4
10.4 ±0,8
0,36
OFS (SM-332)
9,2 ±0,4
10,5± 1,0
0,33
Samsung Electronics SF-SMF-x
9,2 ±0,4
I0,4±0.8
0,34
Fujtkura Future Guide-SM
9,2 ±0,4
I0,4±0,8
0,36
Bend loss coefficient can be evaluated using Marcuse and Snyder [6] formulas:
Tt"- f a ] V2-Wvl
-exp
Uw.J V \ 3 a-V
4 A
(4)
where, Q =a-(k:-n5 .-p")l,: ~ mode parameter of the fiber
core; (5)
W =a-($i-k2 ~ m°de parameter of the fiber
cladding; (6)
V = ~ n°rmalized fre~
quency; (7)
^ _ ZlE - wave number (for the vacuum); (8)
X
a ~ core radius; A14 —in2 ~n2 V " - fiber numerical
I t ore cladding J
aperture; (9)
[i - mode propagation constant; A - normalized difference between refraction index.
Using approximation it was developed the new engineering formula, where the approximation error was not more than 3.44%;
.71 a
aw =4.34-10 — -(2.113-F - 2.256) x
xexp
2a R,
3 a J
(10)
T-Comm #1-2015
(<V,=7J+I3.5 = 20.8 dB):
Configuration setup:
Splitters: 1/4 and 1/16
¿max = 20-!03[«n] - refer to 802.3ah standards; N of connectors {pair) - 4; N of fusions - 0; A a =3 [dB] is additional loss margin;^ =0.25 [dB/km] is optical fiber attenuation coefficient (SMF G.652).
Optical power level at the end of PON fiber line is calculated via the next formula [dB]:
-a. —a . -a . -A« A
(12)
P
1 PGS t,Ki
■10
■10 10 10 10 10
where, p
=10-«^-10
is transmitting optical power from OLT side
[mWl; a is summarized fusion losses [dB]; a is sum-
u fiaitm J Spikt
marized spiice losses [dB]; a is summarized planar light
circuit (PLC) splitter losses [dB]; Aa,iKi is additional loss
margin considering network degradation etc [dB],
Potential difference between optical power levels which can be used for malicious attack possibility is expressed as follow:
P =P -P (13)
1 iiij 1 PON mi ' amine v '
where, P0NUrei is receiving optical power at the ONU side [dBm].
Optical power both at the start and end points of the
macrobend ( p' and p'
1 ma! itart tr
P'. =IO-lg
mat _ i'itri ü
P
OLTir
нш! _L-mJ ■10 10
) can be written as in ( 14, 15):
¡0 10 10 18 >10 10 (14)
p' - p' -p
пм1 _ etui чы1 _ start Л/
(15)
where» / is variable fiber length in situ of potential mali* malicious о ■
cious attack.
The threshold optical power level [dBm] would be defined for any intruder as follows:
^mtit яtart ^mctl eitif ^ / I / 4
(16)
threshold
= 101g
10
-10
The value of optical power tapped by a half-round macrobend in single-mode fibers by the expression given in (17).
Рщ*-= 10-lg
Hillen Jf ' L t
1—10
■10
J
■10 so
■10
(17)
where, a is bend loss coefficient (depends from the radius
of curvature creating by illegal access device) [dB/m]; ^ ( is
illegal coupling coefficient (depends from the type of intruder's photodetector)
On OLT side we can use 2X10 SFF PON Transceiver which incorporates a high performance 1310 nm burst mode APD Receiver and 1490 nm CW mode DFB transmitter. Transceiver for the ONU incorporates a high performance 1310 nm, 64 nanosecond burst mode F-P transmitter and 1490 nm CW mode P-l-N receiver.
?ш1*=3-5 dBm
- typical
= -27 dBm ■ Comparing the values of Pn
value;
P,„t„„,„ - 2 dBm ;
ill. iff mm
=7 dBm; = -27 dBm
, and p it was found
Ihrcuhohl
that Pma{ < Plhreshou ■ Fig. 5 represents the results of the numerical simulation. The optimum radius of curvature depends on the basic wavelengths used in TDMA PON - 1310 nm, 1490 nm and 1550 nm respectively. From Fig. 5 it was found the minimum optical power level required by the malicious attacker is equal to -39.191 dBm, i.e. sufficient for error free detection using erbium doped fiber preamplified receiver. This means that the intruder can achieve a malicious attack after the second splitter.
Then we will decrease / from 20km to Okm etc us-
malicious
ing (18):
(L
a
moiiciota V malicioia
G -5 "10 -15 -30 -25 -30 -35 "40 "45 -50 -55 -60 4>5 -10 -75 -SO.
i) ^mal min Ки
(18)
Pihreshold = -27 063 dBm
V —
t I
r malicious = -jy.ivi dam
4
\
1310 um 1490 um IS SO um lb S0 tun
Netwoi"îi Threshold optical power level
Oprimim ш.dirions optical power level
IS 10 12 J 15 115 20 22 5 25 Eleiid radius [mm]
Fig. 5. Macrobend radius dependence for the malicious optical power (Corning SMF-28e)
Part 2. Malicious photoreceivers investigation
Calculation of equivalent optical illegal receiver power
The root mean-square value of noise-current is dependent from both the shot and avalanche noises [15-16]:
(19)
R, Mclntyre formula for excess noise factor:
(20)
F(M) = M
I — CI
-»fir)
where, k is the hole to electron impact ionization coefficients ratio.
Take into account that / < / when we have very
photo ' dark '
small signals. Therefore after changes:
<TUm*) = j2-e{M1-F(M)-Im+Imm)-Af = S-M-PJPD (21)
where, S is sensitivity of photo detector (the ratio of the output photocurrent to the incident optical radiation power); PApD is threshold optical power at the input of
photodetector
j2-e-(M2-F(M)-/„,+f,myAf
?лт ' S-M
С = 2-¿if is transmission rate
(22) (23)
T-Comm #1-2015
Let us assume that/j = Ю"'°. rj = 0.8, Л1 = 1310 nm, /12 = 1490nm, ЯЗ = 1550nm.
10 loo io" io" Transmission rare [Mbps]
Fig. 8. Bit rate dependence for threshold optical power at the input PD limited by the quantum noise of radiation source
Photon-counting techniques (PCT)
Average value of dark current electrons:
- V 11,, = -2—
(33)
where, t is measuring time.
Then average of photons (consequently and electrons) is equally [17]:
>h h-v
(34)
which is defined only pulse stream dispersion for the APD dark current.
a ,,=
^--''"^б-Ю7: p ±1ДЫ0г» W.
where, Pm is Input optical power, v is light frequency;
From each photon {electron} the M-electronic pulse is generated in APD. When the multiplication gain coefficient is big enough (A/>100) this pulse suppresses thermal noise of the next amplifier cascade in APD that allows to register it. For in = ]o '"A, «„=6-10" per second. Thus an average
value of a time interval for occurrence of one pulse is approximately equally to 1,6-I0~7sec. If to use a time interval of registration with a triple margin r, =5-10 N sec (Clock frequency of 20 MHz), probability of occurrence on this interval more than one pulse it is very small. Thus PCT it is possible to realize at comparatively simple technical solutions. For example let's evaluate threshold optical power for X = 1490 nm and r = ]0sec. Then nB = 6- IO7 ±aD and
n - pt*"10 +rr . where a, and G , - electron stream
\ 33.10-" '
dispersions; at Poisson process = ani' a,-r
The next algorithm of calculation: in absence of light it is counted up the number of pulses jf on account of the
dark current on measuring time /. Then Jf D is remembered and subtracted from resulting number of pulses (n D+npll) on measuring time t. After subtraction there is a
number in registering device: nph ±a D±typh which is directly
proportionally of measured optical power.
At very small measured power levels it takes place that aD±crp)l • As result we can calculate threshold optical power
1.33-10 19
We can see that PCT is the best solution in the field of low optical power measurements such as in the first part of our investigations. But PCT lack is the narrow dynamic range. For example when input optical power =10 "W
our counting device must have clock frequency not less that 10 GHz to provide no more than one pulse for one clock interval.
Part 3. OTDR simulation model
In PON, the upstream data received in the OLT is based on the sum of alt the ONU transmitted data, so the OLT regulates the timing with which the data is sent from the ONUs based on the round-trip time between an OLT and an ONU.
Example of operational algorithm for power tapping detection system is shown on Fig. 9. At the onset of a fault, the first step is to isolate the category of fault occurring in the optical fiber line or on the customer's premises by monitoring the control signals on different wavelengths (Aland/12) from the ONU side. In according with this algorithm a time function for the changes in level of these control signals has been developed and thus define the reason for the macrobend - whether it is a malicious attack or due to other external factors. In accordance with the system operation algorithm we can find both the ONU unique identifier (UID) and branch fiber.
Simultaneous (fanamission of two control signals from OLT side [Л1, Л2)
Optical power lever measurement of control signals for each ONU and OUT reference _polnl_
Optical power level values transmission from ONUs to OUT side
Data recording in DB (time of measurement. ONU UID, optical роме! level values)
Calculation of delta attenuation for each control signal
Calculation of macrobend radius In aocord with the given delta attenuation
Application of macrobend s Identification criteria (Rbend1=Rbend2)
Fault location by means of OTDR application
\7
Fig. 9. Operation algorithm for detection of macrobends in PONs. Both optical power meters and OTDR for precise macrobend location are used here
The second step involves estimating the fiber length based on the OTDR measurements to determine the precise macrobend location. Fig. 10 shows the simulated macrobend losses on the OTDR trace caused by the malicious user {the same worst case scenario as in Fig.X). In principle, the evolu-
tion of the difference between the two traces (reference and current) indicates the position of the fault (in our case the macrobend). OTDR traces 2 and 3 show the acceptable ievel of macrobend identification. Here the macrobend ("step" on the OTDR trace) is a conspicuous object for the network operator. Traces I and 4 represent a complexity of identification due to the excessive spatial resolution (trace I) and the widened OTDR pulse width (trace 4). Note that OTDR, linearity (attenuation accuracy) has been selected as optimum for a good data acquisition. The measurement conditions were, a 10" (n=0, I, 2, 3) ns pulse width and an average of 2" measurements (number of OTDR sampling points).
The OTDR trace is built from the additive contributions of Rayleigh back scattering from different fibers (16 branches in this example). Therefore an OTDR with high dynamic range (near 40 dB for 1650 nm control wavelength) and spatial resolution (not less than 2 m) has been assumed. It is also assumed that the macrobend is a heterogeneity with a reflection index equal to zero. In the example analyzed here, the potential difference between the optical power levels which can be used for the malicious attack is evaluated as A«mv=2.1 dB. This means that any macrobend event on an OTDR trace can be located with a good accuracy.
Calculations:
OTDR Dynamic range:
D = V,
so
\P(rSM
/
NO
+ 7.S-lg\ —
ln
+ 2.5-/g(N) <35>
Oq-AJ-Î
/> = />-«,-G A/10 10 *
For /o<^i</u + A/
(36)
/f=i>0 10
"ri.;..,.
(m
a-G M-10
i mfidaui _
AI
JäsL 1+10 5
For
A/-/
> malicious + ^
(37)
P{ G-AI'10
aH^matkioUf
5
y
•10 5 -10 5 (38) where, = m _ 5 is excess coefficient, a is backscat-
tering coefficient, G is backscattering factor, P0 is power of OTDR ranging signal.
OTDR threshold optical power can be expressed as follow:
.ST
PN —Pnq
(39)
The number of measured points along OTDR trace:
CT
(40)
After calculation with logarithms:
I)
where, p is OTDR photoreceiver's noise, P1 is fiducially
value (I mW).
Instantaneous noise amplitude:
<42>
\n j,,
where, n is the quantity of random values distributed evenly (n=50).
Tncc 1
9 -«I-
c -10 to
I -43.1Î •3
I -m
•a
I -51,25
'19995
-38
-35
-40
Truer 2
ï-l0D«r
20
20 005
2001 19 55
20
20D5
20
where, Ys„ is power level of backscattered signal from near point of the fiber (yjfl = -40.5 dB); r is OTDR pulse width; M is avalanche multiplication factor; S is APD sensitivity; IN0 is effective noise current r(l - 1 is normalized pulse width value [ns].
Discrete backscattered power from macrobend can be written as follow expression: for a/ ' 1 follows:
t 'malicious
Tnre 3
-33 -33.75 -343 "35.25
Fibsr optic length [Van] t=\{№ Tnrc4
-36.
\
L
"26
-3Ï -30 -32
r = 10 ßs
19 5
20
20.5
21
Fibtr optic length [km]
20
20.5
Fig. 10. Computer simulation results for macrobend losses after the second splitter inclusive of four various OTDR pulse width. OTDR traces 2 and 3 show the acceptable level of macrobend identification. Traces I and 4 represent a complexity of macrobend identification
In global analysis monitoring, system spatial resolution has a huge importance for two cases: firstly, when the distances between subscribers are small, hence discrimination between two end reflection peaks is difficult. And secondly, if there is a high Fresnel reflection in the field which creates dead zones masking the faults.
For the first case where the reflection peaks coming from close users superimpose, a supplementary software analysis using neural network was claimed to improve the spatial resolution [18], Another software analysis method was proposed for the second problematic case. This is called dead-zone-free signal analysis and is based on the utilization of a secondary OTDR 'ghost' signal to obtain a virtual bidirectional OTDR trace analysis.
Applications of low bend loss optical fibers
One of the most simple, preclusive and cost-effective detecting methods under PON network construction is to use the low bend fiber compatible with G.657 [19]. This standard describes two categories of SMF suitable for use in the access networks: category A and category B. In according with our findings we can partially limit its application reposing on:
• Mostly the G.657 compliance fiber is installed directly near ONU and limited by length not more than 80 m (maximum length for standard SMF patch cord). In that case the malicious user can realize the attempt of attack before SMF G.657 distribution,
• Minimum specified bend radius is limited by 10 mm (category A) and 7.5 mm (category B). In the first part it has been calculated that in some cases we can create macrobend whose radius of curvature will less than 7.5 mm.
Conclusions
1. Optical fiber Macrobend model has been investigated to get all necessary expressions including new engineering formula for bend loss coefficient with very small approximation error.
2. It was proved theoretically that malicious attack by means of simple macrobending can happen in PON in a way that none can even suspect. Usually PON operator is oriented on stable optical loss budget taking into account at most the additional loss margin because of network degradation in future. Our model of malicious attack assumes the most critical cases in PONs after last passive splitter (64 subscribers per each OLT PON port) with a very small value of the leaked light. And we have proved that can extract enough of optical power there to convert and reshape it without any network crash.
3. Malicious attack by means of simple macrobending is possible in the case for several very common PON standards. In this paper we have focused on TDMA PON. In generally it can be expanded on WDM PON because the nature of macrobends is universal and doesn't depend from the multiplex mode.
4. This type of malicious attack can happen for several common used fiber types, especially for G.652 SMF which is widely used in PON and whose manufactures were considered in this paper. Also it can be expanded on G.655/G.656 NZDSF etc.
5. Both shot and avalanche noise influence was considered taking into account optimal SNR for malicious photore-ceiver.
6. It was proved that we can choose the optimum solution for photorecelver to detect a low optical power levels corresponding the outermost cases of malicious attacks by macrobends creating in PONs,
7. Detection hybrid system including both OTDR and power a meter was proposed with workable operation algorithm.
8. OTDR possibilities for macrobend detection were considered both for primary trunk fiber before second splitter and for all PON monitoring. We have proven that on the boundary conditions we have a good probability to identify macrobend losses even after second splitter.
9. Application of low bend loss optical fibers has been analyzed.
1. ITU-T Recommendation G.984.3, Transmission Convergence Layer for Gigabit Passive Optical Networks, October, 2003,
2. G. Kramer, Ethernet Passive Optical Networks, McGraw-Hill Professional, ISBN: 0071445625, Publication date: March 2005.
3. LG. Kazovsky et a!., "TDM-PON Security Issues: Upstream Encryption is Needed", Proceedings of IEEE/OSA OfC 2007, Mar. 2007.
4. Y. Horiuchi, N. Edagawa, "ONU Authentication Technique Using Loopback Modulation within a PON Disturbance Environment", Proceedings of OFC 2005, OFI3.
5. S. Wong, W.-T. Shaw, S. Dos, LG. Kazovsky, "Enabling Security Countermeasure and Service Restoration in Passive Optical Networks", Proceedings of IEEE Globecom 2006.
6. T. Hasegawa et al„ Proceedings of OFC 2009, NWA5, (2009).
7. Y. Enomoto. et a/., "Over 31.5 dB Dynamic Range Optical Fiber Testing System with Optical Fiber Fault Isolation Function for 32-Branched PON", Proc. of Optical Fiber Communications Conference, OFC'03, Atlanta, ThAA3 (2003).
8. K. Yuksel. et al„ "OTDR-Based Fault Surveillance Method for Passive Tree-Structured Networks", Proc. of the ISth International Symposium on Services and Local Access (ISSLS 2004), Edinburg, (2004).
9. K. Yukse/, et al„ "Centralised Optical Monitoring of Tree-structured Passive Optical Networks using a Raman-assisted OTDR", International Conference on Transparent Optical Networks (ICTON). pp. 175-177, Rome (I), 01/07-05/07, 2007 (2007/07/01).
10. Nazuki Honda, et aL Proc. of ECOC. 2010, Torino, Italy, Paper Mo.2.B,6,
I I. AW. Snyder, J. D. Love, Optical Waveguide Theory, London: Chapman and Hall, 1983.
12, W.A. Gambling, H. Matsumura, CM. Ragdale, R.A. Sammit, "Measurement of Radiation Loss in Curved Single Mode Fibers", Microwaves. Optics and Acoustics, vol. 2. no, 4. July, 1978.
I 3. D. Marcuse, "Bend Loss of Slab and Fiber Modes Computed with Diffraction Theory", IEEE journal Quantum Electron, vol.29, December. 1993, pp. 2957-2961.
14. IEEE Std 802.3ah (2004).
15. A. Spinelli, A. L. Lacaita, "Physics and Numerical Simulation of Single Photon Avalanche Diodes", IEEE Transaction of Electronic Devices, vol. 44, no. 11, November, 1997.
16. Suemotsu J., Kataoka C., Kisino K., The Fundamentals of Optoelectronics: textbook - M„ 1988.
17. B. Huttner, J. Brendel, "Photon-Counting Techniques for Fiber Measurements", Journal of Lightwave Technology. August, 2000.
18. N. Araki, Y. Enomoto, and N. Tomita, "Improvement of Fault Identification Performance Using Neural Networks in Passive Double Star Optical Networks," in Optical Fiber Communication Conference, Vol. 2 of 1998 OSA Technical Digest Series (Optical Society of America. 1998), paper WM38.
19. ITU-T Recommendation G.657, Characteristics of a Bending Loss Insensitive Single Mode Optical Fiber and Cable for the Access Network. October. 2009.
References