WO2013104987A1 - Method for authenticating identity of onu in gpon network - Google Patents


Info

Publication number
WO2013104987A1
Authority
WO
WIPO (PCT)
Prior art keywords
onu
olt
authentication
eap
identity
Prior art date
Application number
PCT/IB2013/000106
Other languages
French (fr)
Inventor
Yifeng Yao
Original Assignee
Alcatel Lucent
Priority date
Filing date
Publication date
Application filed by Alcatel Lucent
Publication of WO2013104987A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/162 Implementing security features at a particular protocol layer at the data link layer

Definitions

  • the present invention relates to the technical field of communication, and more particularly to a method for authenticating identity of an Optical Network Unit (ONU) in a Gigabit Passive Optical Network (GPON) system.
  • ONU Optical Network Unit
  • GPON Gigabit Passive Optical Network
  • the GPON technology is the latest generation of broadband passive optical integrated access technology based on the International Telecommunication Union ITU-T G.984.X standard, which has many advantages such as high bandwidth, high efficiency, large coverage, rich user interfaces, etc. and thus is regarded by most operators as an ideal technology for achieving the broadband and integration revolution of access network traffic.
  • DoS Denial of Service
  • a malicious ONU can make an attack at the data link layer, e.g. it may masquerade as a legal user to register, and use up resources of the OLT by frequent registration such that legal users may not register, etc.
  • the GPON initially uses a scrambling algorithm of low security, which now has been updated to an Advanced Encryption Standard (AES) of higher security, wherein the encryption key is regularly sent to the OLT by the ONU in a plaintext format.
  • AES Advanced Encryption Standard
  • such a security mechanism is established based on the directionality of PON optical communication (i.e. when an ONU sends an optical signal to an OLT, other ONUs may not receive the upstream optical signal sent by the ONU to the OLT).
  • actual deployment experience indicates that one ONU may also receive or detect optical signals sent by other ONUs due to the light splitter or construction quality, etc.
  • ITU-T G.987.3 Specification regulates several basic authentication manners that OLT can support identity authentication on ONU by a serial number, a serial number and a password, or a password only, as well as a plaintext based key exchange mechanism.
  • the ONU reports the serial number and password of the ONU to the OLT through Physical Layer Operation Management And Maintenance (PLOAM) messages, and thus the OLT may verify the legitimacy of the ONU according to these two pieces of information.
  • PLOAM Physical Layer Operation Management And Maintenance
  • the aforesaid several authentication manners merely provide the GPON with basic level of authentication mechanisms and are basic authentication functions forced to be implemented.
  • the XG-PON Specification further incorporates two new ONU identity authentication methods, called Strong Authentication manners, one of which is to implement identity authentication based on the Operation Management Control Interface (OMCI), and the other is to implement the identity authentication and key agreement based on 802.1X.
  • OMCI Operation Management Control Interface
  • the two identity authentication manners further have following weakness in common: before performing the two kinds of strong authentication, the ONU needs to pass a basic authentication.
  • the ONU has completed registration and activation and enters the normal operating state; and further, the OLT has allocated corresponding resources to the ONU: when Strong Authentication is performed for OMCI based identity authentication, the OLT has allocated an OMCI specific GPON Encapsulation Method (GEM) port to the ONU on which an identity authentication is to be performed; and when Strong Authentication is performed for 802.1X based identity authentication, the OLT not only has allocated the OMCI specific GEM port and a GEM port for 802.1X authentication, but also has allocated resources necessary for the 802.1X authentication.
  • GEM GPON Encapsulation Method
  • the present invention aims to provide a technical solution for authenticating identity of an ONU in a GPON network so that the identity authentication in the GPON network system has high scalability to enhance the security of the system.
  • a method for authenticating identity of an ONU in a GPON network system including an OLT and several ONUs connected thereto, including: firstly, agreeing on a PLOAM message type for identity authentication; then, performing an EAP (Extensible Authentication Protocol) based protocol message exchange for the identity authentication between the OLT and the ONU based on the PLOAM message type; and performing an authentication processing on the ONU by the OLT based on the protocol message exchange.
  • EAP Extensible Authentication Protocol
  • the OLT and the ONU may further carry out key mechanism agreement under the EAP based identity authentication protocol, wherein process of the key mechanism agreement is specified by an identity authentication method encapsulated in EAP.
  • the authentication processing in the aforesaid method may be configured before the ONU is activated, and the OLT determines whether to accept a registration of the ONU based on the result of the authentication processing.
  • a method for authenticating an ONU in an OLT of a GPON network system. Firstly, it determines a PLOAM message type for identity authentication; then, it carries out an EAP based protocol message exchange for identity authentication with the ONU through the PLOAM message type; and finally, it carries out an authentication processing on the ONU based on the protocol message exchange.
  • the OLT may further carry out key mechanism agreement with the ONU through the EAP message exchange, wherein process of the key mechanism agreement is specified by an identity authentication method encapsulated in EAP messages.
  • the authentication processing by the OLT on the ONU may be configured before the ONU is activated, and the OLT determines whether to accept registration of the ONU based on result of the authentication processing.
  • a method for authenticating identity in an ONU of a GPON network system comprising the ONU determining a PLOAM message type for identity authentication; performing an EAP based protocol message exchange for identity authentication with an OLT through the PLOAM message type; and receiving result of an identity authentication processing from the OLT.
  • the ONU may further carry out key mechanism agreement with the OLT through the EAP message exchange, wherein process of the key mechanism agreement is specified by an identity authentication method encapsulated in EAP.
  • the OLT and the ONU exchange EAP messages through a specific PLOAM message type to thereby support multiple types of identity authentication methods, and the identity authentication methods available to the system are flexible and highly scalable and can be backward compatible with the existing standard security solutions. Furthermore, according to the key mechanism agreement specified by the identity authentication method used in the EAP message, the OLT and the ONU may carry out encryption and decryption processing on upstream and downstream data flows based on agreed encryption and decryption algorithms and keys, and they do not exchange key information in a plaintext format, so that the key exchange may be more secure and the existing encryption and decryption functions can be reutilized.
  • before an ONU is successfully authenticated, the ONU does not enter the operating state and the system does not need to establish OMCI channels and GEM ports for the ONU, thereby protecting the OLT from DoS attacks on these resources, and eliminating the possibility for an illegal user to utilize these resources for communication or other uses, so as to make the system more secure.
  • FIG. 1 is a structure diagram of a protocol stack in the GPON system provided in the present invention.
  • FIG. 2 is a structure diagram of a specific PLOAM message type based EAP message provided in the present invention.
  • FIG. 3 is a diagram of an ONU activation flow in the GPON system provided in the present invention.
  • FIG. 4 is a flow diagram for authenticating identity of an ONU in the GPON system provided in the present invention.
  • FIG. 1 is a structure diagram of a protocol stack in the GPON system provided in the present invention, including a Physical Medium Dependent (PMD) layer, a GPON Transmission Convergence (GTC) layer, and a PLOAM module, an OMCI module, a GEM client.
  • PMD Physical Medium Dependent
  • GTC GPON Transmission Convergence
  • the PMD layer corresponds to an optical transmission interface between OLT and ONU.
  • the GTC layer is the core layer of GPON, comprising a GTC framing sublayer and a GTC adaptation sublayer.
  • the GTC framing sublayer has three functions of multiplexing and demultiplexing, frame head generating and decoding, and internal routing.
  • the GTC adaptation sublayer provides 2 TC adapters, i.e. a GEMTC adapter and an OMCI adapter.
  • the OMCI adapter receives related OMCI instructions from the OLT via a standard ONT management control interface so as to control the ONT, and the GEMTC adapter generates Protocol Data Units (PDUs) for respective GEM blocks from the GTC framing sublayer and maps these PDUs to corresponding blocks.
  • PDUs Protocol Data Units
  • the PLOAM module is used for operation, management and maintenance of the physical layer, and performs functions such as registration and ID allocation of the ONU, ranging, Port ID allocation, VPI/VCI allocation, data encryption management, state detection, and error rate monitoring, etc.
  • the OMCI module provides a general way to manage higher layers.
  • the OLT may establish and release the connection with the ONT, manage UNIs on the ONT, request configuration information and performance statistics, automatically report events such as link failure to the system administrator, etc.
  • the OLT allocates OMCI specific GEM resources to the ONU, and identity authentication and key agreement may be performed between the OLT and the ONU through the OMCI mechanism.
  • the OLT may initiate a bidirectional authentication procedure and the OLT and the ONU share one MSK, but this authentication manner is similar to the Challenge Handshake Authentication Protocol (CHAP) in its poor scalability, and it is necessary to extend OMCI messages one by one if a newly added identity authentication protocol is to be supported.
  • CHAP Challenge Handshake Authentication Protocol
  • the GEM client identifies its own traffic flow through the GEM port ID and uses the GPON for communication.
  • the OLT and the ONU may implement 802.1X based identity authentication and key agreement based on the GEM client.
  • the OLT not only has allocated the OMCI specific GEM port and the GEM port for 802.1X authentication, but also has allocated resources required for the 802.1X authentication.
  • when 802.1X is used for identity authentication, it is necessary to respectively control both Uncontrolled Ports and Controlled Ports according to the authentication procedure in accordance with the 802.1X model.
  • the structure of the protocol stack will further comprise an EAP (Extensible Authentication Protocol) module.
  • EAP messages for identity authentication will be exchanged based on the PLOAM module to implement the identity authentication of ONU.
  • the OLT and the ONU may bear EAP based protocol messages for identity authentication through specific PLOAM message type, and the OLT may perform a local authentication processing on the identity information provided by the ONU to further determine whether to accept registration of the ONU and allocate resources to the ONU.
  • the OLT may also perform EAP message forwarding between an authentication server and the ONU.
  • Various identity authentication methods encapsulated and used by the EAP messages are implemented by the authentication server, and the OLT only needs to care about the authentication result returned from the authentication server to further determine whether to accept registration of the ONU and allocate resources to the ONU.
  • some identity authentication protocols under the EAP manner may further support key mechanism agreement, and the OLT (or the authentication server) and the ONU may negotiate the key mechanism, including the encryption and decryption algorithms and key, etc. used by the OLT and the ONU so as to support the encryption and decryption processing on upstream and downstream data.
  • the system may use a stronger encryption algorithm to update the system to an advanced encryption standard with higher security, and the upstream data frames of the ONU may be sent in a non plain text format to the OLT according to the agreed encryption algorithm so as to ensure the security.
  • FIG. 2 is a structure diagram of a specific PLOAM message type based EAP message provided in the present invention.
  • One PLOAM message has a length of 13 bytes, including Message ID, ONU ID, Data, and CRC domains.
  • Message ID indicates the type of the PLOAM message.
  • the CRC domain is the check field of the message. If the CRC check fails, the message is discarded.
  • Data domain is used to indicate that the payload under the agreed PLOAM message type is an EAP data packet, and an EAP data packet includes Code, Identifier, Length, and Data fields.
  • the Code field includes 1 byte, indicating the type of the EAP data packet.
  • the EAP Type value of 1 represents the Identity method for inquiring the identity of the other party.
  • the EAP Type value of 4 represents the EAP-MD5 authentication method, which, similar to the PPP CHAP protocol, includes an inquiry message.
  • the EAP Type value of 13 indicates the EAP-TLS authentication method.
  • the Identifier field is used for matching Request messages.
  • the Length field indicates the length of the EAP packet including all of the Code, Identifier, Length and Data domains, which is determined by the type of Code field, in unit of byte.
  • one EAP message may be piecewise processed and encapsulated in multiple PLOAM messages at the sending end, and may be rebuilt at the receiving end.
  • neither the PLOAM message nor the EAP message has a message serial number; they are both request and response type protocols, and thus the fragments can be rebuilt.
  • FIG. 3 is a diagram of an ONU activation flow in the GPON system provided in the present invention.
  • the OLT and the ONU negotiate operating parameters, measure the logic distance between the OLT and the ONU, and establish upstream and downstream communication channels.
  • the ONU activation process is controlled by the OLT and approximately comprises three stages: ONU initialization, serial number acquisition, and ranging.
  • the OLT will perform identity authentication on the ONU before the ONU is activated. Only after being authenticated successfully will the ONU be activated and enter the operating state, and the OLT will allocate related resources to it. For ONUs that fail authentication, since the system does not need to establish related resources for the ONU such as OMCI channels and GEM ports, etc., unnecessary system resource overhead can be avoided, and the OLT can be protected from DoS attacks to some extent, thereby reducing the risk to the system.
  • the ONU activation flow includes the following steps.
  • Step S301 of ONU initialization the ONU receives operating parameters through an Upstream_Overhead message, and adjusts its own parameters (e.g. optical transmitting power) according to the received operating parameters.
  • Step S302 of serial number acquisition the OLT finds serial numbers of new ONUs via a Serial_Number_Acquisition flow, and allocates ONU_IDs to all the new ONUs.
  • the ONU performs identity authentication based on the acquired ONU ID.
  • the OLT and the ONU will perform EAP message exchange based on the agreed type of PLOAM message, and the ONU may learn whether the identity authentication is passed through the EAP-SUCCESS or EAP-FAILURE message it finally receives; the specific flow diagram may further refer to the following FIG. 4.
  • Step S304 of ranging after the ONU identity authentication is passed, the OLT measures the equalization delay of the ONU and communicates the measured equalization delay to the ONU, which in turn adjusts, based on the equalization delay, the start point for sending its upstream frames.
  • Step S305 the ONU is activated to enter the operating state, and by that time, the system central office OLT has allocated related resources to it.
  • after performing the identity authentication at Step S303, the ONU starts the ranging operation of Step S304. Since the ONU identity authentication is arranged before the ranging, the authentication communication between the ONU and the OLT uses a silent window. The features of the silent window mean that conflict may occur when multiple ONUs communicate with an OLT in the same silent window, which may result in resending messages and may reduce authentication efficiency. However, before the ONU is successfully authenticated, the system does not need to perform the ranging operation on it, which may save system resources to some extent.
  • the ONU may firstly perform the ranging operation of Step S304. After the ranging, respective ONUs may use respective authorized windows to communicate with the OLT, and then start the identity authentication of Step S303. During the authentication procedure, the OLT and the ONU will perform EAP message exchange based on the agreed PLOAM message type. Thus, the ONUs using respective specific channels to communicate with the OLT will not result in conflict between different ONUs, and the authentication efficiency may be higher.
  • FIG. 4 is a flow diagram for authenticating identity of an ONU in the GPON system provided in the present invention.
  • the ONU may initiate an identity authentication.
  • the OLT and the ONU will perform EAP based message exchange for identity authentication based on the agreed PLOAM message type.
  • the EAP-MD5 authentication method is employed as an example for explanation.
  • the ONU sends an EAP-Start to the OLT to request an access authentication and start the authentication procedure.
  • the OLT sends an EAP-REQUEST-Identity to the ONU to request to authenticate the identity of the ONU.
  • the ONU sends to the OLT an EAP-RESPONSE-Identity response, including user information of the ONU, and the user information may be ONU serial number, password, or other agreed information, thereby to improve the flexibility of authentication.
  • the OLT sends to the ONU an EAP-REQUEST-MD5-Challenge to request to authenticate the MD5 check value of the password.
  • the ONU sends to the OLT an EAP-RESPONSE-MD5-Challenge response.
  • the OLT performs the MD5 algorithm based on the user information and the provided MD5 check value, and may determine whether the ONU user is legal through local authentication processing. That is, the OLT terminates the received EAP messages, implements the identity authentication on the ONU based on the local ONU authentication database, and then sends an EAP-Success or EAP-Failure message to the ONU. If the authentication is successful, the OLT accepts registration of the ONU, and it may carry the negotiation parameters and relevant traffic attributes of the ONU user to the user in the aforesaid EAP-Success message.
  • the OLT may determine whether the ONU user is legal through remote authentication processing. That is, the OLT does not terminate the received EAP messages but performs EAP messages forwarding between the authentication server and the ONU. Specifically, the OLT extracts the EAP message from the PLOAM message of the ONU and encapsulates it in a RADIUS (Remote Authentication Dial-In User Service) protocol message or a DIAMETER protocol message to transfer to a remote authentication server.
  • RADIUS Remote Authentication Dial-In User Service
  • the OLT encapsulates EAP-RESPONSE messages (EAP-RESPONSE/Identity, EAP-Response-MD5-Challenge) from the ONU in the aforesaid Steps S403 and S405 into a RADIUS Access-Request message to send to the remote authentication server, or encapsulates the EAP message in the RADIUS message or DIAMETER message from the authentication server into the specific type of PLOAM message to transfer to the ONU.
  • it is the authentication server that actually implements the various authentication methods, while the OLT only needs to be concerned with the authentication result to further determine whether to accept registration of the ONU and allocate resources to the ONU.
  • EAP is an authentication framework protocol, rather than a special authentication mechanism.
  • EAP provides some public functions and allows both parties involved in the authentication to negotiate desired EAP authentication method.
  • the methods defined in RFC of IETF comprise EAP-MD5, EAP-OTP, EAP-GTC, EAP-TLS, EAP-SIM and EAP-AKA.
  • the EAP-MD5 authentication method illustrated in the aforesaid embodiments is an IETF open standard and provides the least security.
  • the OLT and the ONU may further implement key mechanism agreement based on the aforesaid EAP messages, and the key mechanism agreement may be completed in two ways.
  • the first one is to implement the key mechanism agreement by key exchanging as specified by a specific identity authentication method such as Transport Layer Security Protocol (EAP-TLS) identity authentication method, which has supported mutual authentication before data exchange during the identity authentication process, and negotiates the encryption algorithm and the key.
  • EAP-TLS Transport Layer Security Protocol
  • the key of the negotiation result may be used as a MK (Master Key).
  • the MK may be used as a data encryption key after being transformed in some manner (e.g. using MD5 and some random information exchanged with other parties involved in the authentication for processing).
  • the MK or the aforesaid transformed key may be used as a Key Encryption Key, which is used to encrypt the Data Encryption Key and then encapsulate it in the EAP message for exchanging between both parties involved in the authentication (exchanging in a ciphertext format).
  • the second one is to define extended key exchange protocol based on the identity authentication protocol, and use extended EAP message to exchange key information, which is not detailed here.
  • the OLT and the ONU may negotiate the key mechanism between themselves to support encryption of both upstream and downstream data, and thus existing encryption and decryption functions of the OLT and the ONU may be reutilized.
  • the OLT and the ONU may further negotiate, via key mechanism agreement, mutually supported upstream and downstream encryption and decryption algorithms and key parameters.
  • the system may use a stronger encryption algorithm to update the system to an advanced encryption standard with higher security.
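The following is an added example, not the patent's own code, that works through the FIG. 2 encapsulation (one EAP packet split across 13-byte PLOAM messages and rebuilt at the receiver, with a CRC-failed message discarded) and drives it with the FIG. 4 EAP-MD5 exchange in the local-authentication case (Steps S401 to S406). The agreed PLOAM message ID 0xEA, the 1 + 9 byte layout of the Data domain, the CRC-8 polynomial and the ONU database contents are assumptions, not values from the page.

```python
import hashlib
import hmac
import os
import struct

# EAP Code values (RFC 3748) and the two EAP Type values the page uses.
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4
# Assumed placeholders: the page only says the OLT and ONU "agree on" a PLOAM type for EAP.
PLOAM_MSG_ID_EAP = 0xEA
EAP_CHUNK = 9  # Data(10) = 1 byte "fragments remaining" + 9 bytes of the EAP packet


def crc8(data: bytes) -> int:  # CRC-8, polynomial 0x07 (assumed; the page names none)
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc

def eap_pack(code: int, ident: int, data: bytes = b"") -> bytes:
    """Code(1) | Identifier(1) | Length(2, counts the whole packet) | Data."""
    return struct.pack("!BBH", code, ident, 4 + len(data)) + data

def eap_unpack(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP Length field does not match packet size")
    return code, ident, pkt[4:]

def ploam_fragment(onu_id: int, eap_pkt: bytes) -> list:
    """Split one EAP packet into 13-byte PLOAM messages (the FIG. 2 encapsulation)."""
    chunks = [eap_pkt[i:i + EAP_CHUNK] for i in range(0, len(eap_pkt), EAP_CHUNK)]
    msgs = []
    for n, chunk in enumerate(chunks):
        body = bytes([onu_id, PLOAM_MSG_ID_EAP, len(chunks) - 1 - n]) + chunk.ljust(EAP_CHUNK, b"\0")
        msgs.append(body + bytes([crc8(body)]))
    return msgs

def ploam_reassemble(msgs: list) -> bytes:
    """Rebuild the EAP packet; a bad CRC discards the message and the EAP Length trims padding."""
    buf = b""
    for m in msgs:
        if len(m) != 13 or m[1] != PLOAM_MSG_ID_EAP or crc8(m[:12]) != m[12]:
            raise ValueError("wrong length, wrong PLOAM type or CRC error: message discarded")
        buf += m[3:12]
    return buf[:struct.unpack("!H", buf[2:4])[0]]

def md5_response(ident: int, password: str, challenge: bytes) -> bytes:
    """EAP-MD5 value, computed as in PPP CHAP: MD5(Identifier | secret | challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()

class OLT:
    def __init__(self, onu_db: dict):
        self.onu_db = onu_db      # serial number -> password; constructed sample data
        self.registered = set()   # ONU-IDs accepted for registration; only these get resources
        self.pending = {}         # onu_id -> (claimed serial, challenge, expected identifier)
    def on_eap_response(self, onu_id: int, msgs: list) -> list:
        code, ident, data = eap_unpack(ploam_reassemble(msgs))
        if code != EAP_RESPONSE or len(data) < 2:
            raise ValueError("unexpected EAP packet from ONU")
        if data[0] == EAP_TYPE_IDENTITY:
            # S403/S404: record the claimed identity, then send EAP-REQUEST/MD5-Challenge.
            challenge = os.urandom(16)
            self.pending[onu_id] = (data[1:].decode(), challenge, ident + 1)
            req = bytes([EAP_TYPE_MD5, len(challenge)]) + challenge + b"OLT"
            return ploam_fragment(onu_id, eap_pack(EAP_REQUEST, ident + 1, req))
        # S405/S406: verify the MD5 value against the local ONU database; anything else fails.
        serial, challenge, expected = self.pending.pop(onu_id, (None, b"", -1))
        password = self.onu_db.get(serial)
        ok = (data[0] == EAP_TYPE_MD5 and password is not None and ident == expected
              and hmac.compare_digest(data[2:2 + data[1]], md5_response(ident, password, challenge)))
        if ok:
            self.registered.add(onu_id)   # only now may registration and GEM/OMCI resources follow
        return ploam_fragment(onu_id, eap_pack(EAP_SUCCESS if ok else EAP_FAILURE, ident))

class ONU:
    def __init__(self, onu_id: int, serial: str, password: str):
        self.onu_id, self.serial, self.password = onu_id, serial, password
    def on_ploam(self, msgs: list):  # returns PLOAM messages to send, or the final EAP code
        code, ident, data = eap_unpack(ploam_reassemble(msgs))
        if code in (EAP_SUCCESS, EAP_FAILURE):
            return code
        if data[0] == EAP_TYPE_IDENTITY:
            resp = bytes([EAP_TYPE_IDENTITY]) + self.serial.encode()
        else:
            value = md5_response(ident, self.password, data[2:2 + data[1]])
            resp = bytes([EAP_TYPE_MD5, len(value)]) + value + self.serial.encode()
        return ploam_fragment(self.onu_id, eap_pack(EAP_RESPONSE, ident, resp))

def authenticate(olt: OLT, onu: ONU) -> int:
    """Run the FIG. 4 exchange; S401/S402: the ONU's EAP-Start is answered with Request/Identity."""
    to_onu = ploam_fragment(onu.onu_id, eap_pack(EAP_REQUEST, 1, bytes([EAP_TYPE_IDENTITY])))
    while True:
        reply = onu.on_ploam(to_onu)
        if isinstance(reply, int):
            return reply
        to_onu = olt.on_eap_response(onu.onu_id, reply)
```

Only an ONU whose MD5-Challenge response verifies ends up in olt.registered, which is the point at which the page has the OLT accept registration and allocate OMCI and GEM resources; the 25-byte MD5-Challenge request shows the multi-PLOAM fragmentation.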

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Small-Scale Networks (AREA)

Abstract

The present invention provides a method for authenticating identity of an ONU in a GPON network system including an OLT and several ONUs connected thereto, wherein the OLT and the ONU agree on a PLOAM message type for identity authentication, perform an EAP based protocol message exchange for identity authentication based on the PLOAM message type; and the OLT performs an authentication processing on the ONU based on the protocol message exchange. The authentication processing may be configured before the ONU is activated, and the OLT determines whether to accept registration of the ONU based on result of the authentication processing. The GPON system under the technical solution of the present invention supports multiple types of identity authentication methods, has high scalability and can further negotiate encryption and decryption algorithms and keys based on the key mechanism agreement specified by the used identity authentication methods so as to encrypt the upstream and downstream data flow. Before the ONU is successfully authenticated, the system does not need to establish relevant resources for the ONU and thus the system is more secure.

Description

METHOD FOR AUTHENTICATING IDENTITY OF ONU IN GPON
NETWORK
FIELD OF THE INVENTION
[0001] The present invention relates to the technical field of communication, and more particularly to a method for authenticating identity of an Optical Network Unit (ONU) in a Gigabit Passive Optical Network (GPON) system.
BACKGROUND OF THE INVENTION
[0002] The GPON technology is the latest generation of broadband passive optical integrated access technology based on the International Telecommunication Union ITU-T G.984.X standard, which has many advantages such as high bandwidth, high efficiency, large coverage, rich user interfaces, etc. and thus is regarded by most operators as an ideal technology for achieving the broadband and integration revolution of access network traffic.
[0003] However, there are many problems in terms of security of GPON network, including but not limited to:
[0004] 1) Denial of Service (DoS) attack: this kind of attack is of great variety and may be implemented at different levels. A malicious ONU can make an attack at the data link layer, e.g. it may masquerade as a legal user to register, and use up resources of the OLT by frequent registration such that legal users may not register, etc.
[0005] 2) Tapping: due to the point-to-multipoint nature of a PON (Passive Optical Network) system, the downstream transmission of the PON system is in a manner of broadcasting. An ONU may physically receive information sent from an Optical Line Terminal (OLT) to other ONUs, and thus it is possible for a malicious user to tap information of a downstream frame at a certain downstream point. However, in order to ensure the security of downstream information, the GPON introduces a security encryption mechanism at the transmission convergence layer, and the OLT encrypts the downstream traffic by using the key provided by the ONU. In this aspect, the GPON initially uses a scrambling algorithm of low security, which now has been updated to an Advanced Encryption Standard (AES) of higher security, wherein the encryption key is regularly sent to the OLT by the ONU in a plaintext format. However, such a security mechanism is established based on the directionality of PON optical communication (i.e. when an ONU sends an optical signal to an OLT, other ONUs may not receive the upstream optical signal sent by the ONU to the OLT). Actual deployment experience indicates that one ONU may also receive or detect optical signals sent by other ONUs due to the light splitter or construction quality, etc.
[0006] It can be seen from above that defects exist in the current security mechanism. The key agreement mechanism between OLT and ONU is not scalable and is of poor security. In addition, the security of upstream is also worth considering since the upstream frame of an ONU is sent to an OLT in a plaintext (including the key) and a malicious user can thereby obtain keys or other information of other ONUs.
[0007] In view of the above, the ITU-T G.987.3 Specification regulates several basic authentication manners whereby the OLT can support identity authentication of an ONU by a serial number, a serial number and a password, or a password only, as well as a plaintext based key exchange mechanism. For example, during the activation process, the ONU reports the serial number and password of the ONU to the OLT through Physical Layer Operation Management And Maintenance (PLOAM) messages, and thus the OLT may verify the legitimacy of the ONU according to these two pieces of information. However, the aforesaid several authentication manners merely provide the GPON with a basic level of authentication mechanisms and are basic authentication functions that are mandatory to implement.
[0008] As an extension of GPON, the XG-PON Specification further incorporates two new ONU identity authentication methods, called Strong Authentication manners, one of which is to implement identity authentication based on the Operation Management Control Interface (OMCI), and the other is to implement the identity authentication and key agreement based on 802.1X. However, the two identity authentication manners further have the following weakness in common: before performing the two kinds of strong authentication, the ONU needs to pass a basic authentication. At this time, in general sense, the ONU has completed registration and activation and enters the normal operating state; and further, the OLT has allocated corresponding resources to the ONU: when Strong Authentication is performed for OMCI based identity authentication, the OLT has allocated an OMCI specific GPON Encapsulation Method (GEM) port to the ONU on which an identity authentication is to be performed; and when Strong Authentication is performed for 802.1X based identity authentication, the OLT not only has allocated the OMCI specific GEM port and a GEM port for 802.1X authentication, but also has allocated resources necessary for the 802.1X authentication. In short, in the above two identity authentication manners, registration of the ONU has been accepted in substance and resources have been allocated to it before performing the Strong Authentication, and thus security problems exist, for example, DoS attacks may be made on OLT resources and the GEM port that has been allocated by the OLT may be used to exchange other information, etc.
SUMMARY OF THE INVENTION
[0009] The present invention aims to provide a technical solution for authenticating identity of an ONU in a GPON network so that the identity authentication in the GPON network system has high scalability to enhance the security of the system.
[0010] According to one aspect of the present invention, there is provided a method for authenticating identity of an ONU in a GPON network system including an OLT and several ONUs connected thereto, including: firstly, agreeing on a PLOAM message type for identity authentication; then, performing an EAP (Extensible Authentication Protocol) based protocol message exchange for the identity authentication between the OLT and the ONU based on the PLOAM message type; and performing an authentication processing on the ONU by the OLT based on the protocol message exchange.
[0011] Preferably, in the aforesaid method, the OLT and the ONU may further carry out key mechanism agreement under the EAP based identity authentication protocol, wherein the process of the key mechanism agreement is specified by the identity authentication method encapsulated in EAP.
[0012] Preferably, the authentication processing in the aforesaid method may be configured before the ONU is activated, and the OLT determines whether to accept registration of the ONU based on the result of the authentication processing.
[0013] According to another aspect of the present invention, there is provided a method for authenticating an ONU in an OLT of a GPON network system. Firstly, the OLT determines a PLOAM message type for identity authentication; then, it carries out an EAP based protocol message exchange for identity authentication with the ONU through the PLOAM message type; and finally, it carries out an authentication processing on the ONU based on the protocol message exchange.
[0014] Preferably, in the aforesaid method, the OLT may further carry out key mechanism agreement with the ONU through the EAP message exchange, wherein the process of the key mechanism agreement is specified by the identity authentication method encapsulated in the EAP messages.
[0015] Preferably, in the aforesaid method, the authentication processing by the OLT on the ONU may be configured before the ONU is activated, and the OLT determines whether to accept registration of the ONU based on the result of the authentication processing.
[0016] According to another aspect of the present invention, there is provided a method for authenticating identity in an ONU of a GPON network system, comprising: the ONU determining a PLOAM message type for identity authentication; performing an EAP based protocol message exchange for identity authentication with an OLT through the PLOAM message type; and receiving the result of an identity authentication processing from the OLT.
[0017] Preferably, in the aforesaid method, the ONU may further carry out key mechanism agreement with the OLT through the EAP message exchange, wherein the process of the key mechanism agreement is specified by the identity authentication method encapsulated in EAP.
[0018] Technical advantages of the present invention:
[0019] With the embodiments provided in the present invention, the OLT and the ONU exchange EAP messages through a specific PLOAM message type and thereby support multiple types of identity authentication methods; the identity authentication methods available to the system are flexible and highly scalable and can be backward compatible with the existing standard security solutions. Furthermore, according to the key mechanism agreement specified by the identity authentication method used in the EAP messages, the OLT and the ONU may carry out encryption and decryption processing on upstream and downstream data flows based on the agreed encryption and decryption algorithms and keys, and they do not exchange key information in plaintext, so that the key exchange is more secure and the existing encryption and decryption functions can be reused.
[0020] With the embodiments provided by the present invention, before an ONU is successfully authenticated, the ONU does not enter operating state and the system does not need to establish OMCI channels and GEM ports for the ONU, thereby protecting the OLT from DoS attacks on these resources, and eliminating the possibility for an illegal user to utilize these resources for communication or other uses, so as to make the system more secure.
BRIEF DESCRIPTION OF THE DRAWINGS
[0021] The features, properties and advantages of the present invention will become more obvious by making references to the following detailed description in conjunction with the accompanying drawings, the same elements in the accompanying drawings having the same sign, in which:
[0022] FIG. 1 is a structure diagram of a protocol stack in the GPON system provided in the present invention;
[0023] FIG. 2 is a structure diagram of a specific PLOAM message type based EAP message provided in the present invention;
[0024] FIG. 3 is a diagram of an ONU activation flow in the GPON system provided in the present invention; and
[0025] FIG. 4 is a flow diagram for authenticating identity of an ONU in the GPON system provided in the present invention.
DETAILED DESCRIPTION OF EMBODIMENTS
[0026] Preferred embodiments of the present invention will be described below in detail by making references to the accompanying drawings.
[0027] FIG. 1 is a structure diagram of a protocol stack in the GPON system provided in the present invention, including a Physical Medium Dependent (PMD) layer, a GPON Transmission Convergence (GTC) layer, a PLOAM module, an OMCI module and a GEM client.
[0028] The PMD layer corresponds to an optical transmission interface between OLT and ONU.
[0029] The GTC layer is the core layer of GPON, comprising a GTC framing sublayer and a GTC adaptation sublayer. The GTC framing sublayer has three functions: multiplexing and demultiplexing, frame header generation and decoding, and internal routing. The GTC adaptation sublayer provides two TC adapters, i.e. a GEM TC adapter and an OMCI adapter. The OMCI adapter receives related OMCI instructions from the OLT via the standard ONT management control interface so as to control the ONT, and the GEM TC adapter generates Protocol Data Units (PDUs) for the respective GEM blocks from the GTC framing sublayer and maps these PDUs to the corresponding blocks.
[0030] The PLOAM module is used for operation, management and maintenance of the physical layer, and performs functions such as registration and ID allocation of the ONU, ranging, Port ID allocation, VPI/VCI allocation, data encryption management, state detection, and error rate monitoring.
[0031] The OMCI module provides a general way to manage higher layers. With the OMCI module, the OLT may establish and release the connection with the ONT, manage UNIs on the ONT, request configuration information and performance statistics, automatically report events such as link failure to the system administrator, etc. As described above, after accepting registration of the ONU, the OLT allocates OMCI specific GEM resources to the ONU, and identity authentication and key agreement may be performed between the OLT and the ONU through the OMCI mechanism. The OLT may initiate a bidirectional authentication procedure in which the OLT and the ONU share one MSK, but this authentication manner has poor scalability similar to the Challenge Handshake Authentication Protocol (CHAP): if a newly added identity authentication protocol is to be supported, the OMCI messages must be extended one by one.
[0032] The GEM client identifies its own traffic flow through the GEM port ID and uses the GPON for communication. As described above, after the OLT accepts registration of the ONU, the OLT and the ONU may implement 802.1X based identity authentication and key agreement based on the GEM client. When implementing strong identity authentication in this manner, the OLT has allocated not only the OMCI specific GEM port and the GEM port for 802.1X authentication, but also the resources required for the 802.1X authentication. Furthermore, when using 802.1X for identity authentication, it is necessary to control both Uncontrolled Ports and Controlled Ports respectively according to the authentication procedure in accordance with the 802.1X model.
[0033] In the embodiments provided by the present invention, the structure of the protocol stack will further comprise an EAP (Extensible Authentication Protocol) module. EAP messages for identity authentication will be exchanged based on the PLOAM module to implement the identity authentication of ONU. The OLT and the ONU may bear EAP based protocol messages for identity authentication through specific PLOAM message type, and the OLT may perform a local authentication processing on the identity information provided by the ONU to further determine whether to accept registration of the ONU and allocate resources to the ONU.
[0034] When performing the authentication processing, the OLT may also perform EAP message forwarding between an authentication server and the ONU. Various identity authentication methods encapsulated and used by the EAP messages are implemented by the authentication server, and the OLT only needs to care about the authentication result returned from the authentication server to further determine whether to accept registration of the ONU and allocate resources to the ONU.
[0035] With different identity authentication methods encapsulated and used by EAP, some identity authentication protocols under EAP may further support key mechanism agreement, and the OLT (or the authentication server) and the ONU may negotiate the key mechanism, including the encryption and decryption algorithms and keys used by the OLT and the ONU, so as to support encryption and decryption processing of upstream and downstream data. Thus, if the existing AES encryption algorithm is cracked, the system may switch to a stronger encryption algorithm and upgrade to an advanced encryption standard with higher security, and the upstream data frames of the ONU may be sent to the OLT in a non-plaintext format according to the agreed encryption algorithm so as to ensure security.
[0036] Seen from the aforesaid structure diagram of the protocol stack, since the system only accepts specific types of PLOAM messages before the ONU is successfully authenticated, the implementation is much simpler in that it is unnecessary for the system to establish OMCI channels and GEM ports before the ONU is successfully authenticated, thereby protecting the OLT from DoS attacks on these resources and eliminating the possibility of utilizing these channels for communication or other uses, so that the system is more secure.
[0037] FIG. 2 is a structure diagram of a specific PLOAM message type based EAP message provided in the present invention. One PLOAM message has a length of 13 bytes, including the Message ID, ONU ID, Data, and CRC domains.
[0038] Here, the Message ID indicates the type of the PLOAM message. The G.984.3 protocol specification defines 19 types of downstream PLOAM messages and 9 types of upstream PLOAM messages, by which functions such as registration and ID allocation of the ONU, ranging, state detection, and error rate monitoring may be implemented. Here, specific types of upstream and downstream PLOAM messages may be agreed on between the OLT and the ONU to implement the EAP message exchange.
[0039] The ONU ID indicates the target ONU to which the PLOAM message is directed, and ONU_ID = 11111111 indicates broadcast information.
[0040] The CRC is the check field of the domain. If an error occurs in the CRC check, the message will be discarded.
[0041] According to the embodiments provided by the present invention, the Data domain is used to indicate that the payload under the agreed PLOAM message type is an EAP data packet, and an EAP data packet includes Code, Identifier, Length, and Data fields.
[0042] The Code field is 1 byte, indicating the type of the EAP data packet. There are 4 types of EAP data packet: Request, Response, Success and Failure. The Success and Failure types of EAP data packet do not have a Data domain, and the value of their Length domain is 4; the Data domain of the Request and Response types of EAP data packet further includes an EAP Type indicating the type of identity authentication method for the EAP, and Type Data whose content is determined by that identity authentication method. For example, an EAP Type value of 1 represents the Identity method for inquiring the identity of the other party; an EAP Type value of 4 represents the EAP-MD5 authentication method, which, similar to the PPP CHAP protocol, includes a challenge message; and an EAP Type value of 13 indicates the EAP-TLS authentication method.
[0043] The Identifier field is used for matching a Request message and its Response message.
[0044] The Length field indicates the length of the EAP packet including all of the Code, Identifier, Length and Data domains, which is determined by the type of Code field, in unit of byte.
[0045] It should be pointed out that in view of the PLOAM message length limit, one EAP message may be piecewise processed and encapsulated in multiple PLOAM messages at the sending end, and may be rebuilt at the receiving end. Although neither the PLOAM message nor the EAP message has a message serial number, they are both request and response type protocols, and thus can be rebuilt.
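The following Python is an added example, not code from the patent, that serialises an EAP packet with the fields described above, splits it into 13-byte PLOAM messages and reassembles it at the receiver using the EAP Length field, since neither protocol carries a sequence number. The agreed Message ID value (0xE0), the CRC-8 polynomial (0x07) and the field order (ONU ID, Message ID, 10 data bytes, CRC, following G.984.3) are assumptions for this example.

```python
import struct
from typing import List, Optional

# Assumed values for this example: the Message ID agreed for EAP-carrying
# PLOAM messages and the CRC-8 generator polynomial x^8 + x^2 + x + 1.
EAP_PLOAM_MSG_ID = 0xE0
PLOAM_LEN = 13        # ONU ID (1) + Message ID (1) + Data (10) + CRC (1)
PLOAM_DATA_LEN = 10

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5, EAP_TYPE_TLS = 1, 4, 13


def crc8(data: bytes) -> int:
    """CRC-8 (polynomial 0x07, assumed) over the first 12 bytes of a PLOAM message."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            if crc & 0x80:
                crc = ((crc << 1) ^ 0x07) & 0xFF
            else:
                crc = (crc << 1) & 0xFF
    return crc


def build_eap(code: int, identifier: int, eap_type: Optional[int] = None,
              type_data: bytes = b"") -> bytes:
    """Serialise an EAP packet: Code (1), Identifier (1), Length (2), then
    Type (1) and Type-Data for Request/Response; Success/Failure have Length 4."""
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return struct.pack("!BBH", code, identifier, 4)
    body = bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(packet: bytes) -> dict:
    """Decode an EAP packet, checking that Length matches the bytes received."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("EAP Length field does not match packet size")
    fields = {"code": code, "identifier": identifier, "length": length}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        fields["type"] = packet[4]
        fields["type_data"] = packet[5:]
    return fields


def eap_to_ploam(onu_id: int, eap_packet: bytes) -> List[bytes]:
    """Fragment one EAP packet into as many 13-byte PLOAM messages as needed,
    zero-padding the Data field of the last one."""
    frames = []
    for offset in range(0, len(eap_packet), PLOAM_DATA_LEN):
        chunk = eap_packet[offset:offset + PLOAM_DATA_LEN].ljust(PLOAM_DATA_LEN, b"\x00")
        head = bytes([onu_id, EAP_PLOAM_MSG_ID]) + chunk
        frames.append(head + bytes([crc8(head)]))
    return frames


class EapReassembler:
    """Rebuild an EAP packet from PLOAM fragments that carry no sequence number:
    the Length field in the first fragment says how many bytes to expect."""

    def __init__(self) -> None:
        self.buffer = b""

    def feed(self, frame: bytes) -> Optional[bytes]:
        # A CRC error means the PLOAM message is discarded, as the text requires.
        if len(frame) != PLOAM_LEN or crc8(frame[:12]) != frame[12]:
            return None
        if frame[1] != EAP_PLOAM_MSG_ID:
            return None  # not the agreed EAP-carrying message type
        self.buffer += frame[2:12]
        if len(self.buffer) < 4:
            return None
        expected = struct.unpack("!H", self.buffer[2:4])[0]
        if len(self.buffer) < expected:
            return None  # more fragments still to come
        packet, self.buffer = self.buffer[:expected], b""
        return packet
```

Because fragments carry no sequence number, a discarded fragment can only be recovered by the request/response retransmission the text relies on, so a real implementation should also reset the buffer on a timeout.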
[0046] Seen from the aforesaid structure diagram, implementing identity authentication through a specific PLOAM message type results in flexibility and good scalability. If the system is to support a newly added identity authentication protocol, it is unnecessary to extend the PLOAM message; the OLT and the ONU can negotiate and specify the authentication method, and even the key mechanism supported by both parties, based on the aforesaid EAP message structure.
[0047] FIG. 3 is a diagram of an ONU activation flow in the GPON system provided in the present invention. In GPON related specifications, the OLT and the ONU negotiate operating parameters, measure the logic distance between the OLT and the ONU, and establish upstream and downstream communication channels. The ONU activation process is controlled by the OLT and approximately comprises three stages: ONU initialization, serial number acquisition, and ranging.
[0048] According to the embodiments provided by the present invention, the OLT will perform identity authentication on the ONU before the ONU is activated. Only after being authenticated successfully will the ONU be activated and enter the operating state, and the OLT will then allocate related resources to it. For ONUs that fail authentication, since the system does not need to establish related resources such as OMCI channels and GEM ports for the ONU, unnecessary system resource overhead can be avoided, and the OLT can be protected from DoS attacks to some extent, thereby reducing the risk to the system. With reference to the diagram, the ONU activation flow includes the following steps.
[0049] At Step S301 of ONU initialization, the ONU receives operating parameters through an Upstream_Overhead message, and adjusts its own parameters (e.g. optical transmitting power) according to the received operating parameters.
[0050] At Step S302 of serial number acquisition, the OLT finds serial numbers of new ONUs via a Serial_Number_Acquisition flow, and allocates ONU_IDs to all the new ONUs.
[0051] At Step S303, the ONU performs identity authentication based on the acquired ONU ID. During the authentication procedure, the OLT and the ONU will perform the EAP message exchange based on the agreed type of PLOAM message, and the ONU may learn whether the identity authentication has passed from the EAP-SUCCESS or EAP-FAILURE message it finally receives; the specific flow is further described with reference to FIG. 4 below.
[0052] At Step S304 of ranging, after the ONU identity authentication is passed, the OLT measures the equalization delay of the ONU and communicates the measured equalization delay to the ONU, which in turn adjusts, based on the equalization delay, the start point for sending its upstream frames.
[0053] At Step S305, the ONU is activated to enter the operating state, and by that time, the system central office OLT has allocated related resources to it.
[0054] The above activation process is implemented by exchanging upstream and downstream flags and PLOAM messages.
[0055] In the aforesaid embodiments, after performing the identity authentication at Step S303, the ONU starts the ranging operation of Step S304. Since the ONU identity authentication is arranged before ranging, the authentication communication between the ONU and the OLT uses a silent window. The nature of the silent window means that a conflict may occur when multiple ONUs communicate with an OLT in the same silent window, which may result in resending messages and reduced authentication efficiency. However, before the ONU is successfully authenticated, the system does not need to perform the ranging operation on it, which may save system resources to some extent.
[0056] According to another embodiment provided by the present invention, during the aforesaid ONU activation process, after acquiring a new ONU_ID, the ONU may first perform the ranging operation of Step S304. After ranging, the respective ONUs may use their respective authorized windows to communicate with the OLT, and then start the identity authentication of Step S303. During the authentication procedure, the OLT and the ONU will perform the EAP message exchange based on the agreed PLOAM message type. Thus, since the ONUs use their respective specific channels to communicate with the OLT, no conflict arises between different ONUs, and the authentication efficiency may be higher.
[0057] FIG. 4 is a flow diagram for authenticating identity of an ONU in the GPON system provided in the present invention. With reference to the ONU activation process in FIG. 3, after acquiring its own ONU ID, the ONU may initiate an identity authentication. During the authentication procedure, the OLT and the ONU will perform EAP based message exchange for identity authentication based on the agreed PLOAM message type. In this embodiment, the EAP-MD5 authentication method is employed as an example for explanation.
[0058] At S401, the ONU sends an EAP-Start to the OLT to request an access authentication and start the authentication procedure.
[0059] At S402, the OLT sends an EAP-REQUEST-Identity to the ONU to request authentication of the identity of the ONU.
[0060] At S403, the ONU sends to the OLT an EAP-RESPONSE-Identity response, including user information of the ONU, and the user information may be ONU serial number, password, or other agreed information, thereby to improve the flexibility of authentication.
[0061] At S404, the OLT sends to the ONU an EAP-REQUEST-MD5-Challenge to request to authenticate the MD5 check value of the password.
[0062] At S405, the ONU sends to the OLT an EAP-RESPONSE-MD5-Challenge response.
[0063] At S406, the OLT runs the MD5 algorithm over the user information and compares the result with the provided MD5 check value, and may thus determine whether the ONU user is legal through local authentication processing. That is, the OLT terminates the received EAP messages, implements the identity authentication of the ONU based on the local ONU authentication database, and then sends an EAP-Success or EAP-Failure message to the ONU. If the authentication is successful, the OLT accepts registration of the ONU, and it may carry the negotiation parameters and relevant traffic attributes of the ONU user to the user in the aforesaid EAP-Success message. If the authentication fails, the OLT refuses registration of the ONU, and it may inform the ONU through the aforesaid EAP-Failure message.
[0064] In the aforesaid embodiments, the OLT may alternatively determine whether the ONU user is legal through remote authentication processing. That is, the OLT does not terminate the received EAP messages but forwards EAP messages between the authentication server and the ONU. Specifically, the OLT extracts the EAP message from the PLOAM message of the ONU and encapsulates it in a RADIUS (Remote Authentication Dial-In User Service) protocol message or a DIAMETER protocol message for transfer to a remote authentication server. In other words, the OLT encapsulates the EAP-RESPONSE messages (EAP-RESPONSE/Identity, EAP-RESPONSE/MD5-Challenge) from the ONU in the aforesaid Steps S403 and S405 into a RADIUS Access-Request message to send to the remote authentication server, and, conversely, encapsulates the EAP message in the RADIUS message or DIAMETER message from the authentication server into the specific type of PLOAM message to transfer to the ONU. In this manner, it is the authentication server that actually implements the various authentication methods, while the OLT only needs to care about the authentication result to further determine whether to accept registration of the ONU and allocate resources to the ONU.
[0065] It should be pointed out that EAP is an authentication framework protocol, rather than a specific authentication mechanism. EAP provides some common functions and allows both parties involved in the authentication to negotiate the desired EAP authentication method. There are now about 40 different authentication methods. The methods defined in IETF (Internet Engineering Task Force) RFCs include EAP-MD5, EAP-OTP, EAP-GTC, EAP-TLS, EAP-SIM and EAP-AKA. The EAP-MD5 authentication method illustrated in the aforesaid embodiments is an IETF open standard and provides the least security.
[0066] The OLT and the ONU may further implement key mechanism agreement based on the aforesaid EAP messages, and the key mechanism agreement may be completed in two ways. The first is to implement the key mechanism agreement by the key exchange specified by a specific identity authentication method, such as the Transport Layer Security (EAP-TLS) identity authentication method, which supports mutual authentication before data exchange during the identity authentication process and negotiates the encryption algorithm and the key. The key resulting from the negotiation may be used as a MK (Master Key). The MK may be used as a data encryption key after being transformed in some manner (e.g. processed with MD5 together with some random information exchanged with the other party involved in the authentication). Alternatively, the MK or the aforesaid transformed key may be used as a Key Encryption Key, which encrypts the Data Encryption Key; the encrypted key is then encapsulated in an EAP message for exchange between both parties involved in the authentication (exchanged in ciphertext format). The second is to define an extended key exchange protocol based on the identity authentication protocol and use extended EAP messages to exchange key information, which is not detailed here.
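Steps S402 to S406 with local authentication processing, as an added Python example that is not the patent's own code; the ONU serial number, password and 16-byte challenge size are constructed for the example, and the check value is computed as MD5(Identifier || password || challenge) as in the EAP-MD5 method. The constant-time comparison and the rejection of unknown identities are defensive details added here that the text does not spell out.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Optional, Set, Tuple

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4
CHALLENGE_LEN = 16  # constructed for the example


def eap(code: int, identifier: int, eap_type: Optional[int] = None,
        type_data: bytes = b"") -> bytes:
    """Minimal EAP encoder: Code, Identifier, Length, then Type and Type-Data."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """EAP-MD5 check value, computed as in CHAP: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class Onu:
    """Supplicant side of the exchange (constructed credentials)."""

    def __init__(self, serial: bytes, password: bytes) -> None:
        self.serial, self.password = serial, password

    def handle(self, request: bytes) -> bytes:
        identifier, eap_type = request[1], request[4]
        if eap_type == EAP_TYPE_IDENTITY:  # S402 -> S403: report identity
            return eap(EAP_RESPONSE, identifier, EAP_TYPE_IDENTITY, self.serial)
        if eap_type == EAP_TYPE_MD5:       # S404 -> S405: answer the challenge
            value_size = request[5]
            challenge = request[6:6 + value_size]
            digest = md5_response(identifier, self.password, challenge)
            return eap(EAP_RESPONSE, identifier, EAP_TYPE_MD5,
                       bytes([len(digest)]) + digest)
        raise ValueError("unsupported EAP type")


class Olt:
    """Authenticator with a local ONU database; registration is only
    accepted after EAP-Success, so no OMCI/GEM resources exist before that."""

    def __init__(self, database: Dict[bytes, bytes]) -> None:
        self.database = database      # serial -> password
        self.registered: Set[bytes] = set()

    def authenticate(self, onu: Onu) -> Tuple[bool, List[bytes]]:
        transcript: List[bytes] = []
        identifier = 1
        req = eap(EAP_REQUEST, identifier, EAP_TYPE_IDENTITY)      # S402
        resp = onu.handle(req)                                     # S403
        transcript += [req, resp]
        identity = resp[5:]

        identifier += 1
        challenge = os.urandom(CHALLENGE_LEN)
        req = eap(EAP_REQUEST, identifier, EAP_TYPE_MD5,
                  bytes([CHALLENGE_LEN]) + challenge)              # S404
        resp = onu.handle(req)                                     # S405
        transcript += [req, resp]

        # S406: local authentication processing. Unknown identities are
        # rejected and the digest comparison is constant-time.
        ok = False
        if resp[1] == identifier and identity in self.database:
            expected = md5_response(identifier, self.database[identity], challenge)
            ok = hmac.compare_digest(expected, resp[6:6 + resp[5]])
        if ok:
            self.registered.add(identity)
            transcript.append(eap(EAP_SUCCESS, identifier))
        else:
            transcript.append(eap(EAP_FAILURE, identifier))
        return ok, transcript
```

EAP-MD5 neither authenticates the OLT to the ONU nor derives keys, which is why the text rates it lowest and points to EAP-TLS for key mechanism agreement.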
[0067] Thus, if the OLT and the ONU use existing algorithms for data encryption and decryption, they may negotiate the key mechanism between themselves to support encryption of both upstream and downstream data, and thus existing encryption and decryption functions of the OLT and the ONU may be reutilized. In addition, the OLT and the ONU may further negotiate, via key mechanism agreement, mutually supported upstream and downstream encryption and decryption algorithms and key parameters. The system may use a stronger encryption algorithm to update the system to an advanced encryption standard with higher security.
[0068] Although the above description provides some embodiments of the present invention, they are not intended to limit the protection scope of the present invention, and those skilled in the art will further understand that the various illustrative logic modules or steps described in combination with the embodiments disclosed herein may be implemented as electronic hardware, computer software or a combination thereof. In order to clearly explain the interchangeability of hardware and software, the various illustrative logic modules or steps are generally described according to their functions. Whether the functions are implemented as hardware or software depends on the specific application and the design employed by the entire system. Those skilled in the art will recognize the interaction between hardware and software in these circumstances, and how best to implement the functions of each specific application. Those skilled in the art may implement the functions in a different way for each specific application, but such implementation should not be construed as a departure from the scope of the present invention.

Claims

WHAT IS CLAIMED IS:
1. A method for authenticating identity of an ONU (Optical Network Unit) in a GPON (Gigabit Passive Optical Network) system including an OLT (Optical Line Terminal) and several ONUs connected thereto, characterized by comprising steps of:
a. agreeing on a PLOAM (Physical Layer Operation Management and Maintenance) message type for identity authentication;
b. performing an EAP (Extensible Authentication Protocol) based protocol message exchange for the identity authentication between the OLT and the ONU based on the PLOAM message type; and
c. performing an authentication processing on the ONU by the OLT based on the protocol message exchange.
2. The method according to Claim 1, characterized in that: in the step c, the authentication processing is configured before the ONU is activated, and the OLT determines whether to accept registration of the ONU based on result of the authentication processing.
3. The method according to claim 1, characterized in that: in the step c, when performing the authentication processing, the OLT carries out EAP message forwarding between an authentication server and the ONU, and determines whether to accept registration of the ONU based on result of the authentication processing by the authentication server.
4. The method according to any of claims 1 to 3, characterized in that: in the step b, the OLT and the ONU further carry out key mechanism agreement under the EAP based identity authentication protocol, wherein process of the key mechanism agreement is specified by an identity authentication method encapsulated in EAP messages.
5. A method for authenticating identity of an ONU in an OLT of a GPON network system, characterized by comprising steps of:
a1. determining a PLOAM message type for identity authentication;
b1. performing an EAP based protocol message exchange for identity authentication with the ONU by the PLOAM message type; and
c1. performing an authentication processing on the ONU based on the protocol message exchange.
6. The method according to claim 5, characterized in that: in the step c1, the authentication processing is configured before the ONU is activated, and the OLT determines whether to accept registration of the ONU based on result of the authentication processing.
7. The method according to claim 5, characterized in that: in the step c1, when performing the authentication processing, the OLT carries out EAP message forwarding between an authentication server and the ONU, and determines whether to accept registration of the ONU based on result of the authentication processing by the authentication server.
8. The method according to any of claims 5 to 7, characterized in that: in the step b1, the OLT further carries out key mechanism agreement with the ONU through the EAP message exchange, wherein process of the key mechanism agreement is specified by an identity authentication method encapsulated in EAP messages.
9. The method according to any of claims 5 to 7, characterized in that: the authentication processing is configured to be performed before ranging to the ONU, and the PLOAM message for identity authentication between the ONU and the OLT uses a silent window format.
10. The method according to any of claims 5 to 7, characterized in that: the authentication processing is configured to be performed after ranging to the ONU.
11. A method for authenticating identity in an ONU of a GPON network system, characterized by comprising steps of:
a2. determining a PLOAM message type for identity authentication;
b2. performing an EAP based protocol message exchange for identity authentication with an OLT through the PLOAM message type; and
c2. receiving result of an authentication processing from the OLT.
12. The method according to claim 10, characterized in that: in the step b2, the ONU further carries out key mechanism agreement with the OLT through the EAP message exchange, wherein process of the key mechanism agreement is specified by an identity authentication method encapsulated in EAP.
PCT/IB2013/000106 2012-01-10 2013-01-10 Method for authenticating identity of onu in gpon network WO2013104987A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN2012100064790A CN103200161A (en) 2012-01-10 2012-01-10 Optical network unit (ONU) identity authentication method in gigabit passive optical network (GPON)
CN201210006479.0 2012-01-10

Publications (1)

Publication Number Publication Date
WO2013104987A1 true WO2013104987A1 (en) 2013-07-18

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
DRAFT RECOMMENDATION ITU-T G.987.3: "10-Gigabit-capable passive optical networks (XG-PON): Transmission convergence (TC) specifications", ITU-T DRAFT ; STUDY PERIOD 2009-2012, INTERNATIONAL TELECOMMUNICATION UNION, GENEVA ; CH, vol. Study Group 15, 28 August 2010 (2010-08-28), pages 1 - 154, XP017448108 *

Also Published As

Publication number Publication date
CN103200161A (en) 2013-07-10

Similar Documents

Publication Publication Date Title
WO2013104987A1 (en) Method for authenticating identity of onu in gpon network
JP3844762B2 (en) Authentication method and authentication apparatus in EPON
US7865727B2 (en) Authentication for devices located in cable networks
US7730305B2 (en) Authentication method for link protection in Ethernet passive optical network
JP5366108B2 (en) Passive optical network security enhancement based on optical network terminator management control interface
US7797745B2 (en) MAC security entity for link security entity and transmitting and receiving method therefor
US8490159B2 (en) Method for increasing security in a passive optical network
KR100594153B1 (en) Formation of Logical Link and Its Secure Communication Method in Network of Point-to-Manage Topology
US6839320B2 (en) Performing authentication over label distribution protocol (LDP) signaling channels
US7305551B2 (en) Method of transmitting security data in an ethernet passive optical network system
US20050008158A1 (en) Key management device and method for providing security service in ethernet-based passive optical network
US8948401B2 (en) Method for filtering of abnormal ONT with same serial number in a GPON system
CN101577620A (en) Authentication method of Ethernet passive optical network (EPON) system
EP1830517A1 (en) A method, communication system, central and peripheral communication unit for packet oriented transfer of information
KR100594023B1 (en) Method of encryption for gigabit ethernet passive optical network
Roh et al. Security model and authentication protocol in EPON-based optical access network
CN114614984B (en) Time-sensitive network secure communication method based on cryptographic algorithm
KR100608906B1 (en) Method for discovering a security module for a link protection in EPON
Roh et al. Design of authentication and key exchange protocol in Ethernet passive optical networks
JP2004180183A (en) Office device, subscriber device, and system and method for point/multipoint communication
Chen et al. Encryption and authentication mechanism of 10G EPON systems based on GCM
Jun-Suo A security communication scheme for Real-Time EPON
Jin et al. Analysis of security vulnerabilities and countermeasures of ethernet passive optical network (EPON)

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
Ref document number: 13713488; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
Ref country code: DE
122 Ep: pct application non-entry in european phase
Ref document number: 13713488; Country of ref document: EP; Kind code of ref document: A1