WO2023094016A1 - Optical network security - Google Patents


Info

Publication number
WO2023094016A1
Authority
WO
WIPO (PCT)
Prior art keywords
optical
signal
node
communications signal
network
Application number
PCT/EP2021/083431
Other languages
French (fr)
Inventor
Riccardo Ceccatelli
Roberto Magri
Francesco CISAMOLO
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)
Application filed by Telefonaktiebolaget Lm Ericsson (Publ)
Priority to PCT/EP2021/083431
Publication of WO2023094016A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04B TRANSMISSION
    • H04B10/00 Transmission systems employing electromagnetic waves other than radio-waves, e.g. infrared, visible or ultraviolet light, or employing corpuscular radiation, e.g. quantum communication
    • H04B10/80 Optical aspects relating to the use of optical transmission for specific applications, not provided for in groups H04B10/03 - H04B10/70, e.g. optical power feeding or optical transmission through water
    • H04B10/85 Protection from unauthorised access, e.g. eavesdrop protection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04B TRANSMISSION
    • H04B10/00 Transmission systems employing electromagnetic waves other than radio-waves, e.g. infrared, visible or ultraviolet light, or employing corpuscular radiation, e.g. quantum communication
    • H04B10/27 Arrangements for networking
    • H04B10/272 Star-type networks or tree-type networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04B TRANSMISSION
    • H04B10/00 Transmission systems employing electromagnetic waves other than radio-waves, e.g. infrared, visible or ultraviolet light, or employing corpuscular radiation, e.g. quantum communication
    • H04B10/80 Optical aspects relating to the use of optical transmission for specific applications, not provided for in groups H04B10/03 - H04B10/70, e.g. optical power feeding or optical transmission through water
    • H04B10/806 Arrangements for feeding power
    • H04B10/807 Optical power feeding, i.e. transmitting power using an optical signal

Definitions

  • Embodiments disclosed herein relate to an optical network, a method of controlling an optical communications signal in an optical network, a device for use in an optical node, a method of coupling an optical communications signal to or from an optical node, a device for use in an optical unit, and a method of controlling the coupling of an optical communications signal between an optical node and an optical unit.
  • Passive optical networks are good candidates for many communications applications including the fronthaul for Radio Access Network (RAN) which require low cost transport solutions.
  • passive splitters and/or other intermediate components are used to connect a Main Site to different remote Radio sites.
  • Splitters broadcast all the downstream signal to all ports (and combine upstream signals), which represents a security weakness. For example, unused ports may be accessed by malicious eavesdroppers via handhole or manhole access in remote unmanaged locations. Because of the passive nature of these splitters, no access control or monitoring is typically available.
  • Physical layer traffic isolation may be employed, for example WDM isolation where only one wavelength is transmitted per fiber.
  • WDM Wideband Division Multiple Access
  • ODN optical Distribution Network
  • an optical communications network which comprises an optical node and an optical unit coupled using an optical fiber and arranged to communicate using an optical communication signal.
  • the optical node comprises an optical switch to couple the optical communications signal between an optical fiber and the optical node, a receiver arranged to receive a secondary optical signal having a wavelength different from the optical communications signal, and control circuitry arranged to control the optical switch dependent on a message received on the secondary optical signal matching a predetermined code stored on the optical node.
  • the optical unit comprises an optical transmitter arranged to communicate with the optical node using the optical communications signal and which is arranged to transmit the secondary optical signal having a wavelength different from the optical communications signal.
  • Certain embodiments provide low cost and effective physical layer security suitable for passive optical network applications, whilst maintaining network flexibility.
  • a device for use in an optical node and for coupling an optical communications signal to or from the optical node.
  • the device comprises an optical switch to couple the optical communications signal between an optical fiber and the optical node, a receiver arranged to receive a secondary optical signal having a wavelength different from the optical communications signal, and control circuitry arranged to control the optical switch dependent on a message received on the secondary optical signal matching a predetermined code locally stored on the device.
  • the device comprises an optical transmitter for coupling with an optical unit arranged to communicate with the optical node using the optical communications signal, the optical transmitter arranged to transmit a secondary optical signal having a wavelength different from the optical communications signal, and a controller arranged to control the optical transmitter to transmit the secondary optical signal at an ON level for a predetermined time and then to generate a signaling sequence on the secondary optical signal that corresponds with a predetermined code associated with the optical node.
  • a method of controlling an optical communications signal in an optical network having an optical node and an optical unit comprises the optical node coupling an optical fiber carrying the optical communications signal using an optical switch, and the optical node controlling the optical switch dependent on a message received on a secondary optical signal matching a predetermined code stored on the optical node, wherein the secondary optical signal is transmitted from the optical unit to the optical node and having a wavelength different from the optical communications signal.
  • a method of coupling an optical communications signal to or from an optical node comprises receiving at the optical node a secondary optical signal having a wavelength different from the optical communications signal and determining if the secondary optical signal is carrying a message matching a predetermined code stored on the optical node. In response, coupling the optical communications signal between an optical fiber and the optical node.
  • a method of controlling the coupling of an optical communications signal between an optical node and an optical unit comprises transmitting a secondary optical signal having a wavelength different from the optical communications signal from the optical unit, controlling the secondary optical signal to be switched to an ON level for a predetermined time, and controlling the secondary optical signal to generate a signaling sequence that corresponds with a predetermined code associated with the optical node.
  • Figure 1 is a schematic diagram illustrating a passive optical network according to some embodiments
  • Figure 2 is a schematic diagram illustrating an optical unit according to some embodiments
  • Figure 3 is a schematic diagram illustrating an optical node according to some embodiments.
  • Figure 4 is a state diagram illustrating different states associated with an optical node according to some embodiments.
  • FIG. 5 illustrates optical signals and signaling sequences according to some embodiments
  • Figure 6 is a flow diagram illustrating a method of operating a device used in an optical node according to some embodiments
  • Figure 7 is a flow diagram illustrating a method of operating a device used in an optical unit according to some embodiments.
  • Figure 8 is a schematic diagram illustrating the architecture of a device for use with an optical node or an optical unit according to some embodiments.
  • Figure 9 is a schematic diagram illustrating an optical unit according to some embodiments.
  • Hardware implementation may include or encompass, without limitation, digital signal processor (DSP) hardware, a reduced instruction set processor, hardware (e.g., digital or analogue) circuitry including but not limited to application specific integrated circuit(s) (ASIC) and/or field programmable gate array(s) (FPGA(s)), and (where appropriate) state machines capable of performing such functions.
  • DSP digital signal processor
  • ASIC application specific integrated circuit
  • FPGA field programmable gate array
  • Memory may be employed for storing temporary variables, holding and transfer of data between processes, non-volatile configuration settings, standard messaging formats and the like. Any suitable form of volatile memory and nonvolatile storage may be employed including Random Access Memory (RAM) implemented as Metal Oxide Semiconductors (MOS) or Integrated Circuits (IC), and storage implemented as hard disk drives and flash memory.
  • Photonic integration may include photonics circuits or modules utilizing, without limitation, Silicon on Insulator (SOI) and/or Silicon Nitride (SiN) platforms.
  • SOI Silicon on Insulator
  • Some embodiments described herein relate to controlling an optical switch at an optical node in order to isolate the node from a port on the optical node.
  • the port may be coupled to an optical fiber carrying optical communications signals to and from an optical unit, but may also be used by malicious parties to try to eavesdrop or otherwise interfere with traffic on the network.
  • Security may be implemented using a secondary optical signal transmitted from the optical unit to the optical node, the secondary optical signal at a different wavelength from the optical communications signals. If the received optical secondary signal meets predetermined criteria, then the optical node is coupled with the optical fiber in order to allow optical communications signals to pass between the optical node and optical unit. If these criteria are no longer met, then the optical node is isolated from the port in order to prevent the communications signals passing between the optical node and the port.
  • the predetermined criteria may be that the secondary optical signal is received at the optical node, and/or that this comprises a predetermined code matching a code stored on the optical node. Different arrangements are possible in other embodiments.
  • FIG. 1 illustrates a passive optical network (PON) according to an embodiment.
  • the PON 100 couples a main site 105M to remote sites 105D, 105RU, 105W, 105S via a passive splitter 110, using optical fiber 115.
  • the optical fiber 115 is coupled between the main site 105M and the splitter 110, and between the splitter 110 and each of the remote sites.
  • the remote sites may be associated with any one or a combination of the following: a radio dot network 105D; a radio unit 105RU; a WiFi access point 105W; an end user subscriber or customer 105S.
  • the main site 105M is a secure facility and comprises an optical line terminal 150 which converts between optical and electric signals for each wavelength.
  • the optical signals are combined using an optical add drop (OAD) filter 155 to generate a (dense) wavelength division multiplexed (WDM) optical communications signal.
  • This signal is transmitted to the remote sites using the PON.
  • the OAD filter 155 also receives a WDM signal from the remote sites, and uses the OAD filter to split these into separate wavelengths for respective ports of the OLT 150.
  • the main site 105M in this example also comprises an active or passive fronthaul 160 and a number of baseband units 165.
  • the optical splitter 110 is an optical node typically sited at a remote intermediate location which is not secured and may be accessible to unauthorized persons via a handhole or manhole for example.
  • the splitter 105 splits or copies the WDM optical communications signal transmitted from the main site into WDM signals which are coupled to optical fiber 115 connecting to respective downstream remote sites.
  • each downstream site receives all or some of the wavelengths of the WDM signal transmitted by the main site.
  • the splitter also combines upstream WDM signals from the remote sites to the main site. This approach enables flexibility in the PON network, for example to enable a remote site to retune to a different wavelength.
  • the splitter may split the WDM signal into separate wavelengths (or groups of wavelengths) for each remote site.
  • the remote sites comprise an optical unit to interface between the rest of the PON and other equipment at the remote site.
  • the optical unit may comprise an optical add drop (OAD) filter 170 and an optical network terminal 175 at a subscriber remote site 105S, although other arrangements are possible for different site types.
  • OAD optical add drop
  • FIG. 2 illustrates an optical unit according to an embodiment.
  • the optical unit 200 comprises an OAD filter 280 and a protection enabling device 220, also referred to herein as a primary port protection circuit (PPP).
  • PPP primary port protection circuit
  • the OAD filter 280 demultiplexes a received WDM signal into one or more separate wavelengths for conversion into the electrical domain, and also multiplexes separate wavelengths for transmitting a WDM signal.
  • An optical unit may be installed at both the main and remote sites and enables port isolation at the optical node or splitter 110.
  • the protection enabling device or PPP 230 comprises an optical transmitter 225 such as a laser and which is controlled by a controller 230.
  • the optical transmitter 225 is arranged to transmit a secondary optical signal at a wavelength which is different from the wavelengths of the WDM optical communications signal.
  • the secondary optical signal may be at a 1310nm wavelength.
  • the secondary optical signal may be coupled with the outgoing WDM signal at the OAD filter 280, for example using the EXP port and so not requiring any additional components.
  • the controller 230 controls the secondary optical signal which is transmitted with the outgoing WDM signal to the splitter or optical node 110 in order to help control communication between the optical node 110 and the optical unit 200.
  • Each remote site and the main site may comprise a respective PPP 220 in order to help control communication between the optical node 110 and the respective site 105.
  • Each PPP 220 is associated with a respective predetermined code stored on the optical node 110 and this is transmitted on the secondary optical signal towards the optical node.
  • the wavelength of the secondary optical signal transmitted by each PPP may be the same or different.
  • the controller 230 controls the optical transmitter to signal the predetermined code to the optical node. This may be implemented using a signaling sequence in which the secondary signal is switched ON and OFF in a simple low-rate scheme, although other messaging approaches using the secondary optical signal to transmit the predetermined code may be employed.
  • Figure 5 illustrates the signaling sequence approach in which a particular sequence of ON, OFF states are imposed on the secondary optical signal 520.
  • the secondary optical signal 520 is at a different wavelength or frequency f compared with wavelengths 510 associated with the optical communications signal 515 as shown.
  • the secondary optical signal 520 may be switched ON for a predetermined period T1, which is followed by a signaling sequence SS corresponding to the predetermined code. This may be followed by another period T2 in which the signal is ON then the signaling sequence is repeated. In this way, the signaling sequence SS is repeated periodically.
  • the initial (and subsequent) ON period may be used by a passive optical node to accumulate power for subsequently detecting the signaling sequence. These ON periods may be omitted when the optical node has independent access to power. This particular signaling approach may be implemented cheaply and may also provide power for a passive optical node.
  • the PPP 220 may be an additional component integrated into the OAD filter 280, a separate unit, or integrated with transponder units (not shown).
  • the PPP functionality may advantageously be integrated with the D-OTDR itself. This is illustrated in Figure 9 and requires no new components for implementing the PPP.
  • the optical unit 900 of Figure 9 comprises an optical add drop filter 980 coupled to optical fiber 915 and the D-OTDR 920 which comprises a Linear SFP (small form pluggable) transceiver 925 controlled by a controller 930.
  • An optical circulator 990 couples the Tx and Rx ports of transceiver 925 with the EXP port of the OAD filter 980.
  • the D-OTDR can also be used to detect the point of disconnect or intrusion on the optical link between optical unit and optical node following any loss of signal (LOS).
  • FIG. 3 illustrates an optical node 300 according to some embodiments.
  • the optical node may correspond to the passive optical splitter 110 of Figure 1 and comprises a number of protection implementing devices 320, also referred to herein as Secondary Port Protector circuits (SPP).
  • SPP Secondary Port Protector circuits
  • the optical node 300 comprises optical components and/or circuitry arranged to split an incoming WDM signal from the main site 105M at a main port 340-Main into copies of those WDM signals to be output from each of a number of sub-link ports 340-1 to 340-n.
  • the main port 340-Main may be coupled to the main site via optical fiber and the sub-link ports 340-1 to 340-n may be coupled via optical fiber to respective downstream remote sites 105D, 105RU, 105W, 105S.
  • the splitter 300 also combines upstream WDM signals from the remote sites towards the main site. Whilst this example includes a passive splitter as the optical node, alternative components include a Banded Filter which has one (downstream) input and a number of outputs but each output may only include a portion of the downstream spectrum.
  • Each port 340-1 to 340-n and 340-Main may each be associated with a respective SPP 320 - labelled SPP1 - SPPn and SPPMain respectively.
  • Each SPP 320 is coupled between the internal optical circuitry of the optical node and a respective input/output port.
  • Each SPP 320 controls whether the optical communications of WDM signal can pass through its associated port, or whether the optical node is isolated from the WDM signal at that port. This functionality can be used to increase the security of the PON.
  • A detail of one protection implementing device or SPP 320n is shown for SPPn associated with port 340-n and is representative of the internal architecture of the other SPP in the optical node 300.
  • Each SPP 320-n comprises an optical switch 330 coupled between its associated port 340-n and the internal optical circuitry of the optical node 300.
  • the optical switch 330 is bistable and when closed couples an optical communications signal between the port 340-n and the internal optical circuitry of the optical node. When the optical switch 330 is open, an optical communications signal at the output port is isolated from the internal optical circuitry of the optical node, and vice versa.
  • the optical communications signal may be a WDM signal 515 comprising a range of wavelengths divided into channels as illustrated in Figure 5 and for communicating between the main site and respective remote sites.
  • the SPP 320n comprises an optical filter 325 between the port 340-n and the optical switch 330.
  • the optical filter 325 is arranged to drop a secondary optical signal or pump tone received at the port 340-n to an optical-to-electrical converter 335.
  • the wavelength of the secondary optical signal 520 is outside the range of the optical communications or WDM signal as illustrated in Figure 5, with the optical filter 325 being configured for that wavelength.
  • the optical-to-electrical converter 335 may be a photodiode and is coupled to a detector circuit 340 and a power accumulator 345.
  • Each SPP may comprise its own power accumulator 345 or may be coupled to a common power accumulator shared by all SPP.
  • the power accumulator 345 is charged by electrical current generated by the photodetector 335 when the photodetector receives the pump-tone or secondary optical signal 520.
  • the power accumulator 345 is used to power operation of the optical switch 330n and the detector circuit 340n.
  • a capacitor may be employed as a power accumulator although any suitable arrangement may be used.
  • an external power supply or battery may be implemented to avoid the need for an accumulator.
  • the battery may be charged using solar panels or other renewable sources.
  • the detector circuit 340n is arranged to detect a signaling sequence SS impressed on the electrical correspondent of the secondary optical signal or pump tone, and to determine whether this matches a predetermined code 345n stored on the optical node 300 and associated with the SPP 320n. In order to further enhance security, each SPP 320 may be associated with its own respective predetermined code.
  • the detector circuit 340n is arranged to control operation of the optical switch 330n depending on whether a signaling sequence SS on the optical secondary signal matches the predetermined code 345n.
  • a low-rate signaling sequence on a secondary optical signal together with a locally stored predetermined code for matching with the signaling sequence is a low cost and low power consumption implementation well suited to a passive optical node environment where there may be no access to reliable power supply infrastructure.
  • the predetermined code may correspond to a simple binary sequence which can be matched with a corresponding binary sequence of ON OFF states of the pump tone.
  • the additional losses due to the additional filter 325n and to the optical switch 330n can be contained within 1 dB so with a minimum impact on the overall optical budget.
  • Other implementations are possible, such as modulating the secondary optical signal with a digital signal for forwarding a message which may be decoded and compared with the predetermined code 345n, however this will require more circuit complexity and power consumption.
  • When the signaling sequence SS matches the predetermined code of the port 320n (referred to herein as an unlock code), the optical switch 330n is closed so that an optical communications signal, the WDM signal, is allowed to pass between the port 340-n and the internal circuitry of the optical node 300.
  • When the signaling sequence SS does not match the predetermined code 345n, the optical switch 330n is opened which isolates any optical communications signal at the port 340-n from the internal optical circuitry of the optical node 300.
  • If an unlock code is not received, or not received when expected, the optical switch 330n is opened.
  • When there is a loss of signal (LOS) of the secondary optical signal, the optical switch is opened.
  • LOS loss of signal
  • This arrangement ensures that the port 340-n only remains coupled with the rest of the optical node 300 for an optical communications signal when a suitable secondary optical signal (with an unlock code matching that stored locally for the port) is also present at the port.
  • This arrangement can be used to improve the security of the port 340-n, only closing the optical switch when the port is coupled to a remote node which is generating an appropriate secondary optical signal, for example using a suitably configured PPP as previously described.
  • This prevents unconnected ports from being accessed by a malicious party as the lack of an appropriate secondary optical signal will isolate the port from the rest of the optical node 300.
  • the port will become isolated due to a LOS condition and/or the loss of the optical secondary signal.
  • the signaling or unlock sequence SS for each port of the optical node 300 can be factory determined and stored in an EEPROM (hard coded), or also changed by an operator before installation using a control interface. If a control interface is provided to the SPP, to ensure security, such interface can be implemented so that, when accessed (e.g. via USB port) it is automatically powered and configured to close all the optical ports of the node 300 so that any malicious intrusion can be easily and immediately detected as a traffic disruption of the whole node.
  • each respective sequence is known by a paired PPP at the remote or main site.
  • the corresponding PPP can be configured through a suitable control interface.
  • NMS Network Management System
  • the configuration can be done through that system using a control channel.
  • the PPP control interface if not under NMS control or if in a site out of control
  • the Key or predetermined code assignment and definition operations may be done only during installation, and maintenance is controlled such that any possible intrusion to the control interfaces is immediately detected.
  • the paired PPP 220 at a Main or Remote site, at any connection or reconnection sends repeatedly a pump tone or signal (secondary optical signal) modulated with a low frequency unlock key sequence correspondent to that stored in the paired port of the SPP at an intermediate site.
  • the duration and the repetition rate of the unlock sequence can be configured according to implementation specific considerations as discussed in more detail below.
  • the PPP 220 continues to transmit the feeder pump signal. If the SPP 320n detects a LOS of the feeder pump (e.g. connector is unplugged or in case of a fiber cut), the SPP 320n will immediately reopen the optical switch 330n and the WDM signal will automatically be prevented from flowing through that port 340n. This avoids eavesdropping or the malicious injection of disturbance into the optical signals from that port, as the port is isolated from the rest of the optical node. Once a legitimate connection is re-established, the SPP 320n again receives the power feeder or pump tone signal (secondary optical signal). However, to close the optical switch 330n again, the SPP 320n needs to detect a valid unlock sequence. This may be the same or a different unlock sequence depending on implementation. Through this mechanism the following use cases are addressed:
  • Man-in-the-middle intrusion/eavesdropping: In this situation an intruder tries to insert into the middle of the connection by inserting a tap. However, to perform this operation the link must be disconnected, and the LOS of the pump tone causes the SPP to automatically open the relevant optical port. The malicious intruder could attempt to rapidly insert a tap, but at this point the circuit is open and the system alarmed.
  • Various reconnection protocols may then be employed including the following options. Manual mode: after a misconnection the system can be restored only with a manual intervention and inspection providing full control to the network operator.
  • Automatic mode: after a fixed time the SPP resends the sequence and restarts. The operators, in light of the alarm that occurred on that line, may then check (or switch off remotely) the whole link based on an assessment of the alarm context, for example knowing that no maintenance operations have been performed on that link.
  • the protection mechanism of some embodiments is well suited for adoption in passive optical components, like splitters or filters, and equipped in intermediate locations of an optical network where powering is not generally available.
  • the mechanism to provide power uses the optical feeder or pump tone (secondary optical signal). For example, to provide a feeder pump signal at the PPP of 0 dBm and spanning 15 km, the span and coupling filters losses, in a very worst case may be around -10 dB (i.e. 0.1 mW of optical power) at the SPP photodetector. Assuming a conversion efficiency of 50%, this will provide 0.05 mW of electrical power.
  • This energy may be continuously provided by the PPP feeder pump signal and can be stored in a capacitor (energy accumulator) which, at this rate, can accumulate an energy of 10 mJ in 200 seconds (i.e. about 3 minutes). The energy of 10 mJ may then be used to switch on a circuit of 100 mW for 100 ms.
  • This information may be used to dimension the unlock sequence duration and repetition rate.
  • the PPP may be configured to stop sending the unlock sequence and the SPP may then be configured to operate in an LOS detection mode only (and for this the energy required is very low).
  • the above considerations assume a worst case condition on the feeder pump tone and span length attenuation.
  • a more powerful PPP LASER and a shorter span would provide more optical power to the photodetector 335n and therefore less time for recharging (e.g. with 4 dBm from the LASER and 4 dB of span/filter attenuation, we could have 0.5 mW of power converted into the electrical domain, resulting in a charge time of the capacitor to 10 mJ reduced to 20 sec instead of 200).
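
    The power budget above, carried through as an added example (not part of the patent text): it reproduces the 200 s and 20 s charge times and derives how long the initial ON period must last and how many code bits fit in one powered detection window. The 10 ms bit period, the reading of the charge time as a lower bound on T1, and all function names are assumptions of this example.

```python
import math


def dbm_to_mw(p_dbm):
    """Convert optical power from dBm to mW."""
    return 10 ** (p_dbm / 10)


def harvested_mw(launch_dbm, loss_db, efficiency):
    """Electrical power (mW) out of the SPP photodetector.

    launch_dbm: pump tone power at the PPP laser
    loss_db:    span plus coupling/filter loss, as a positive number
    efficiency: optical-to-electrical conversion efficiency (0..1]
    """
    if loss_db < 0 or not 0 < efficiency <= 1:
        raise ValueError("loss must be >= 0 dB and efficiency in (0, 1]")
    return dbm_to_mw(launch_dbm - loss_db) * efficiency


def dimension(launch_dbm, loss_db, efficiency=0.5, energy_mj=10.0,
              load_mw=100.0, bit_period_s=0.010):
    """Dimension the unlock sequence for a passive (capacitor-powered) SPP.

    Defaults are the page's figures: 50 % efficiency, 10 mJ stored,
    100 mW detector load. bit_period_s is an assumed low-rate bit time.
    Energy harvested while the detector is running is ignored.
    """
    p_mw = harvested_mw(launch_dbm, loss_db, efficiency)
    charge_s = energy_mj / p_mw           # mJ / mW = s, charging from empty
    window_s = energy_mj / load_mw        # time the detector can stay on
    max_bits = math.floor(window_s / bit_period_s + 1e-9)
    return {
        "harvested_mw": p_mw,
        "min_t1_s": charge_s,             # ON period needed before the sequence
        "active_window_s": window_s,
        "max_code_bits": max_bits,
        "duty_cycle": window_s / (charge_s + window_s),
    }


# The two cases worked in the text.
WORST_CASE = dimension(launch_dbm=0, loss_db=10)   # 0 dBm laser, 10 dB loss
SHORT_SPAN = dimension(launch_dbm=4, loss_db=4)    # 4 dBm laser, 4 dB loss

if __name__ == "__main__":
    for name, d in (("worst case", WORST_CASE), ("short span", SHORT_SPAN)):
        print(f"{name}: harvest {d['harvested_mw']:.2f} mW, "
              f"T1 >= {d['min_t1_s']:.0f} s, "
              f"window {d['active_window_s'] * 1000:.0f} ms, "
              f"<= {d['max_code_bits']} bits per window")
```
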
  • FIG. 4 illustrates a state diagram for an SPP according to some embodiments.
  • the protection implementing device or SPP 320 at switch on (SW ON) is in OPEN status, that is the optical switch is open and it does not allow the WDM signal to flow through the associated port 340.
  • the SPP changes its status to CLOSED, that is the optical switch is closed which allows the WDM signal to flow through the associated port.
  • the SPP will remain in CLOSED status until a LOS is detected, in response to which the SPP moves back to the OPEN status.
  • the SPP then remains in the OPEN state until it receives again the correct sequence from its paired PPP.
  • Figure 6 illustrates a method according to some embodiments.
  • the method 600 may be implemented on the protection implementing devices or SPP 320 of Figure 3 or using different hardware.
  • the hardware may include discrete optical and electrical components or circuits, or may be implemented using integrated photonics.
  • the method opens the optical switch. This prevents an optical communications signal such as a WDM signal from flowing between the port of an optical node and the internal circuitry of the node. This essentially isolates the optical node 110, 300 from any main or remote site to which the port is coupled, for example using optical fiber.
  • the method checks for a secondary optical signal such as an optical pump feeder signal.
  • the secondary optical signal should be at a wavelength corresponding to the tuning of a drop filter 325n and should be received for a minimum time period T1. If this is not the case, the method returns to step 605 so that the SPP remains open. If this condition is met, the method moves to step 615.
  • the method determines whether the secondary optical signal comprises a signaling sequence which matches a predetermined code stored on the optical node.
  • a respective predetermined code may correspond to each SPP at the optical node. This may be achieved using a simple ON/OFF sequence of the pump feeder signal which is filtered by a filter 325n and provided to a photodetector 335n for checking by a detection circuit 340n. If this is not the case, the method returns to step 605 where the SPP remains open. If the signaling sequence of the secondary optical signal matches the predetermined code, the method moves to step 620.
  • the method closes the optical switch 330n. This allows an optical communications signal such as a WDM signal to flow between the port 340n of the optical node and the internal circuitry of the node. This essentially couples the optical node 110, 300 with any main or remote site to which the port is coupled, for example using optical fiber.
  • the method monitors for a LOS condition. If this does not occur, the optical switch remains closed, allowing WDM signals to continue flowing. If a LOS condition occurs, the method returns to step 605 where the optical switch is opened, and the port is again isolated. Where this step is not used, the method may move from step 620 to step 610 or 615 depending on implementation.
  • Figure 7 illustrates a method according to some embodiments.
  • the method 700 may be implemented on the protection enabling devices or PPP 220 of Figure 2 or using different hardware.
  • the hardware may include discrete optical and electrical components or circuits, or may be implemented using integrated photonics.
  • the method transmits a secondary optical signal towards a paired SPP.
  • a secondary optical signal may be implemented using a LASER at a predetermined wavelength outside the wavelength band of the optical communications signal and where a predetermined signaling sequence is imposed which corresponds to a predetermined code associated with the paired SPP.
  • the PPP may also be configured to perform as a pump feeder signal, remaining ON between signaling sequences in order to provide power to the SPP.
  • the signaling sequence used may be set by an operator of the network, depending on the connection between an optical unit or site and the particular port used at the optical node such as an intermediate passive splitter.
  • the method monitors for expiration of timer T1. This is used to ensure that the secondary optical signal remains ON, acting as a pump feeder signal to power up the SPP at the passive optical node (where there is no external power available for the optical node).
  • the time period T1 will be implementation specific, but an example has previously been described.
  • the method modulates the secondary optical signal using a signaling sequence.
  • This signaling sequence is the previously described unlock sequence which matches a predetermined code stored on the optical node and associated with the port of the optical node to which the PPP is coupled.
  • the PPP may send the unlock sequence repeatedly. As previously described, when the paired SPP determines that the unlock sequence matches its stored predetermined code (or the SPP receives for example N consecutive matching unlock sequences), it closes the optical switch allowing the WDM traffic to flow through the corresponding port.
  • the method may determine whether the PPP is operating in an AUTO or CONTROL mode.
  • the AUTO mode may be employed when the PPP cannot be remotely controlled and/or where physical access to it is inconvenient.
  • the PPP automatically repeats the unlock sequence after a configurable T2 timer by moving to step 730. The method then returns to step 715 where the signaling sequence is sent again.
  • the Control Mode may be used when the PPP is remotely controlled via an NMS.
  • the unlock sequence is only resent upon a specific NMS command once it has been determined if a real intrusion occurred or if the misconnection was accidental (such verification could be manual or also automatic in case an OTDR is present).
  • in CONTROL mode the method moves to step 725 to await an NMS command, and then returns to step 715 where the signaling sequence is sent again.
  • FIG 8 illustrates a controller which may be implemented as the controller 230 of the PPP of Figure 2 or the detection circuit of the SPP of Figure 3.
  • the controller 800 comprises a processor 803 and memory 808 containing executable instructions 812.
  • the memory may also comprise an unlock sequence or predetermined code 817 which will be associated with a particular SPP.
  • the executable instructions 812 may be in the form of a computer program and may include instructions for executing one or more protocol steps.
  • the processor or processing circuitry 803 may include one or more microprocessors or microcontrollers, as well as other digital hardware, which may include digital signal processors (DSPs), special-purpose digital logic, etc.
  • the processor or processing circuitry may be implemented by any type of integrated circuit, such as an Application Specific Integrated Circuit (ASIC), Field Programmable Gate Array (FPGA) etc.
  • the memory 808 may include one or several types of memory suitable for the processor, such as read-only memory (ROM), random-access memory, cache memory, flash memory devices, optical storage devices, solid state disk, hard disk drive etc.
  • the executable instructions 812 may be used to cause the processor 803 to operate a protection enabling device or PPP according to the method 700 (instructions 823 - 833) or to operate a protection implementing device or SPP according to the method 600 (instructions 853 to 863).
  • a secondary optical signal is received which has a wavelength different from the optical communications signal. This may be received in the electrical domain using an optical filter and photodetector as previously described, although other arrangements are possible.
  • the secondary optical signal is carrying a message matching a predetermined code stored on the local node.
  • the message may be carried by a signaling sequence imposed on the secondary optical signal.
  • an optical fiber carrying the optical communications signal is coupled to the node using an optical switch, in response to determining that the message does match the predetermined code.
  • a secondary optical signal having a wavelength different from the optical communications signals is transmitted. This may be implemented by controlling a LASER in the PPP.
  • the secondary optical signal is controlled to be switched ON for a predetermined time. This enables charging up of a connected SPP.
  • the secondary optical signal is controlled to generate a signaling sequence that corresponds with a predetermined code associated with the optical node, and in particular the port of the optical node to which the PPP is connected.

Abstract

Embodiments described herein relate to methods and apparatus for an optical communications network (100) which comprises an optical node (110) and an optical unit (105) coupled using an optical fiber (115) and arranged to communicate using an optical communication signal. The optical node comprises an optical switch (330) to couple the optical communications signal between an optical fiber (115, 315) and the optical node (110, 300); a receiver (325, 335) arranged to receive a secondary optical signal (520) having a wavelength different from the optical communications signal; and control circuitry (340, 500) arranged to control the optical switch (330) dependent on a message received on the secondary optical signal matching a predetermined code stored on the optical node. The optical unit comprises an optical transmitter (225) arranged to communicate with the optical node using the optical communications signal. The optical transmitter (225) is arranged to transmit a secondary optical signal (520) having a wavelength different from the optical communications signal (510). A controller (230) is arranged to control the optical transmitter to transmit the secondary optical signal at an ON level for a predetermined time (T1) and then to generate a signaling sequence (SS) on the secondary optical signal that corresponds with the predetermined code stored on the optical node.

Description

OPTICAL NETWORK SECURITY
Technical Field
Embodiments disclosed herein relate to an optical network, a method of controlling an optical communications signal in an optical network, a device for use in an optical node, a method of coupling an optical communications signal to or from an optical node, a device for use in an optical unit, and a method of controlling the coupling of an optical communications signal between an optical node and an optical unit.
Background
Passive optical networks (PON) are good candidates for many communications applications including the fronthaul for Radio Access Network (RAN), which requires low cost transport solutions. Here passive splitters and/or other intermediate components are used to connect a Main Site to different remote Radio sites. Splitters broadcast all the downstream signal to all ports (and combine upstream signals), which represents a security weakness. For example, unused ports may be accessed by malicious eavesdroppers via handhole or manhole access in remote unmanaged locations. Because of the passive nature of these splitters, no access control or monitoring is typically available.
To prevent eavesdropping, a number of techniques have been employed or investigated. Security measures such as data encryption may be used, including stacking at different layers. However, these approaches increase cost and complexity. Furthermore, while higher layer technologies like encryption are well established, they are threatened by the continuous increase of computing power requiring countermeasures that increase cost and complexity. Enhancements like quantum key distribution are promising but still costly.
Active solutions such as power monitoring to trigger alarms when access is detected can be employed. However, these solutions also run counter to the low cost approach of using passive optical network technology.
Physical layer traffic isolation may be employed, for example WDM isolation where only one wavelength is transmitted per fiber. However, DWDM passive components deployed at ODN (Optical Distribution Network) sites add cost and reduce flexibility. This also runs counter to current commercial trends to leverage tunability at terminals (adding tunable filters) while leaving the optical distribution network (ODN) flexible, low cost and non-selective.
According to certain embodiments described herein there is provided an optical communications network which comprises an optical node and an optical unit coupled using an optical fiber and arranged to communicate using an optical communication signal. The optical node comprises an optical switch to couple the optical communications signal between an optical fiber and the optical node, a receiver arranged to receive a secondary optical signal having a wavelength different from the optical communications signal, and control circuitry arranged to control the optical switch dependent on a message received on the secondary optical signal matching a predetermined code stored on the optical node. The optical unit comprises an optical transmitter arranged to communicate with the optical node using the optical communications signal and which is arranged to transmit the secondary optical signal having a wavelength different from the optical communications signal.
Certain embodiments provide low cost and effective physical layer security suitable for passive optical network applications, whilst maintaining network flexibility.
According to certain embodiments described herein there is provided a device for use in an optical node and for coupling an optical communications signal to or from the optical node. The device comprises an optical switch to couple the optical communications signal between an optical fiber and the optical node, a receiver arranged to receive a secondary optical signal having a wavelength different from the optical communications signal, and control circuitry arranged to control the optical switch dependent on a message received on the secondary optical signal matching a predetermined code locally stored on the device.
According to certain embodiments described herein there is provided a device for use in an optical unit and for controlling the coupling of an optical communications signal to or from an optical node. The device comprises an optical transmitter for coupling with an optical unit arranged to communicate with the optical node using the optical communications signal, the optical transmitter arranged to transmit a secondary optical signal having a wavelength different from the optical communications signal, and a controller arranged to control the optical transmitter to transmit the secondary optical signal at an ON level for a predetermined time and then to generate a signaling sequence on the secondary optical signal that corresponds with a predetermined code associated with the optical node.
According to certain embodiments described herein there is provided a method of controlling an optical communications signal in an optical network having an optical node and an optical unit. The method comprises the optical node coupling an optical fiber carrying the optical communications signal using an optical switch, and the optical node controlling the optical switch dependent on a message received on a secondary optical signal matching a predetermined code stored on the optical node, wherein the secondary optical signal is transmitted from the optical unit to the optical node and having a wavelength different from the optical communications signal.
According to certain embodiments described herein there is provided a method of coupling an optical communications signal to or from an optical node. The method comprises receiving at the optical node a secondary optical signal having a wavelength different from the optical communications signal and determining if the secondary optical signal is carrying a message matching a predetermined code stored on the optical node. In response, coupling the optical communications signal between an optical fiber and the optical node.
According to certain embodiments described herein there is provided a method of controlling the coupling of an optical communications signal between an optical node and an optical unit. The method comprises transmitting a secondary optical signal having a wavelength different from the optical communications signal from the optical unit, controlling the secondary optical signal to be switched to an ON level for a predetermined time, and controlling the secondary optical signal to generate a signaling sequence that corresponds with a predetermined code associated with the optical node.
Certain embodiments also provide corresponding computer programs and computer program products.
Brief Drawings
For a better understanding of the embodiments of the present disclosure, and to show how it may be put into effect, reference will now be made, by way of example only, to the accompanying drawings, in which:
Figure 1 is a schematic diagram illustrating a passive optical network according to some embodiments;
Figure 2 is a schematic diagram illustrating an optical unit according to some embodiments;
Figure 3 is a schematic diagram illustrating an optical node according to some embodiments;
Figure 4 is a state diagram illustrating different states associated with an optical node according to some embodiments;
Figure 5 illustrates optical signals and signaling sequences according to some embodiments;
Figure 6 is a flow diagram illustrating a method of operating a device used in an optical node according to some embodiments;
Figure 7 is a flow diagram illustrating a method of operating a device used in an optical unit according to some embodiments;
Figure 8 is a schematic diagram illustrating the architecture of a device for use with an optical node or an optical unit according to some embodiments; and
Figure 9 is a schematic diagram illustrating an optical unit according to some embodiments.
Generally, all terms used herein are to be interpreted according to their ordinary meaning in the relevant technical field, unless a different meaning is clearly given and/or is implied from the context in which it is used. All references to a/an/the element, apparatus, component, means, step, etc. are to be interpreted openly as referring to at least one instance of the element, apparatus, component, means, step, etc., unless explicitly stated otherwise. The steps of any methods disclosed herein do not have to be performed in the exact order disclosed, unless a step is explicitly described as following or preceding another step and/or where it is implicit that a step must follow or precede another step. Any feature of any of the embodiments disclosed herein may be applied to any other embodiment, wherever appropriate. Likewise, any advantage of any of the embodiments may apply to any other embodiments, and vice versa. Other objectives, features and advantages of the enclosed embodiments will be apparent from the following description.
The following sets forth specific details, such as particular embodiments or examples for purposes of explanation and not limitation. It will be appreciated by one skilled in the art that other examples may be employed apart from these specific details. In some instances, detailed descriptions of well-known methods, nodes, interfaces, circuits, and devices are omitted so as not to obscure the description with unnecessary detail. Those skilled in the art will appreciate that the functions described may be implemented in one or more nodes using hardware circuitry (e.g., analog and/or discrete logic gates interconnected to perform a specialized function, ASICs, PLAs, etc; and photonics integration) and/or using software programs and data in conjunction with one or more digital microprocessors or general purpose computers. Nodes that communicate using the air interface also have suitable radio communications circuitry. Moreover, where appropriate the technology can additionally be considered to be embodied entirely within any form of computer-readable memory, such as solid-state memory, magnetic disk, or optical disk containing an appropriate set of computer instructions that would cause a processor to carry out the techniques described herein.
Hardware implementation may include or encompass, without limitation, digital signal processor (DSP) hardware, a reduced instruction set processor, hardware (e.g., digital or analogue) circuitry including but not limited to application specific integrated circuit(s) (ASIC) and/or field programmable gate array(s) (FPGA(s)), and (where appropriate) state machines capable of performing such functions. Memory may be employed for storing temporary variables, holding and transfer of data between processes, non-volatile configuration settings, standard messaging formats and the like. Any suitable form of volatile memory and nonvolatile storage may be employed including Random Access Memory (RAM) implemented as Metal Oxide Semiconductors (MOS) or Integrated Circuits (IC), and storage implemented as hard disk drives and flash memory. Photonic integration may include photonics circuits or modules utilizing, without limitation, Silicon on Insulator (SOI) and/or Silicon Nitride (SiN) platforms.
Some embodiments described herein relate to controlling an optical switch at an optical node in order to isolate the node from a port on the optical node. The port may be coupled to an optical fiber carrying optical communications signals to and from an optical unit, but may also be used by malicious parties to try to eavesdrop or otherwise interfere with traffic on the network. Security may be implemented using a secondary optical signal transmitted from the optical unit to the optical node, the secondary optical signal at a different wavelength from the optical communications signals. If the received optical secondary signal meets predetermined criteria, then the optical node is coupled with the optical fiber in order to allow optical communications signals to pass between the optical node and optical unit. If these criteria are no longer met, then the optical node is isolated from the port in order to prevent the communications signals passing between the optical node and the port. The predetermined criteria may be that the secondary optical signal is received at the optical node, and/or that this comprises a predetermined code matching a code stored on the optical node. Different arrangements are possible in other embodiments.
Figure 1 illustrates a passive optical network (PON) according to an embodiment. The PON 100 couples a main site 105M to remote sites 105D, 105RU, 105W, 105S via a passive splitter 110, using optical fiber 115. The optical fiber 115 is coupled between the main site 105M and the splitter 110, and between the splitter 110 and each of the remote sites. The remote sites may be associated with any one or a combination of the following: a radio dot network 105D; a radio unit 105RU; a WiFi access point 105W; an end user subscriber or customer 105S.
The main site 105M is a secure facility and comprises an optical line terminal 150 which converts between optical and electric signals for each wavelength. The optical signals are combined using an optical add drop (OAD) filter 155 to generate a (dense) wavelength division multiplexed (WDM) optical communications signal. This signal is transmitted to the remote sites using the PON. The OAD filter 155 also receives a WDM signal from the remote sites, and uses the OAD filter to split these into separate wavelengths for respective ports of the OLT 150. The main site 105M in this example also comprises an active or passive fronthaul 160 and a number of baseband units 165.
The optical splitter 110 is an optical node typically sited at a remote intermediate location which is not secured and may be accessible to unauthorized persons via a handhole or manhole for example. The splitter 105 splits or copies the WDM optical communications signal transmitted from the main site into WDM signals which are coupled to optical fiber 115 connecting to respective downstream remote sites. In other words, each downstream site receives all or some of the wavelengths of the WDM signal transmitted by the main site. The splitter also combines upstream WDM signals from the remote sites to the main site. This approach enables flexibility in the PON network, for example to enable a remote site to retune to a different wavelength. This does however represent a security risk as a malicious person may be able to couple to an unused port and access wavelength channels used on other connected ports. In other embodiments, the splitter may split the WDM signal into separate wavelengths (or groups of wavelengths) for each remote site.
The remote sites comprise an optical unit to interface between the rest of the PON and other equipment at the remote site. The optical unit may comprise an optical add drop (OAD) filter 170 and an optical network terminal 175 at a subscriber remote site 105S, although other arrangements are possible for different site types.
Figure 2 illustrates an optical unit according to an embodiment. The optical unit 200 comprises an OAD filter 280 and a protection enabling device 220, also referred to herein as a primary port protection circuit (PPP). The OAD filter 280 demultiplexes a received WDM signal into one or more separate wavelengths for conversion into the electrical domain, and also multiplexes separate wavelengths for transmitting a WDM signal. An optical unit may be installed at both the main and remote sites and enables port isolation at the optical node or splitter 110.
The protection enabling device or PPP 230 comprises an optical transmitter 225 such as a laser and which is controlled by a controller 230. The optical transmitter 225 is arranged to transmit a secondary optical signal at a wavelength which is different from the wavelengths of the WDM optical communications signal. In one example, the secondary optical signal may be at a 1310nm wavelength. The secondary optical signal may be coupled with the outgoing WDM signal at the OAD filter 280, for example using the EXP port and so not requiring any additional components. The controller 230 controls the secondary optical signal which is transmitted with the outgoing WDM signal to the splitter or optical node 110 in order to help control communication between the optical node 110 and the optical unit 200. Each remote site and the main site may comprise a respective PPP 220 in order to help control communication between the optical node 110 and the respective site 105.
Each PPP 220 is associated with a respective predetermined code stored on the optical node 110 and this is transmitted on the secondary optical signal towards the optical node. The wavelength of the secondary optical signal transmitted by each PPP may be the same or different. For each PPP, the controller 230 controls the optical transmitter to signal the predetermined code to the optical node. This may be implemented using a signaling sequence in which the secondary signal is switched ON and OFF in a simple low-rate scheme, although other messaging approaches using the secondary optical signal to transmit the predetermined code may be employed.
Figure 5 illustrates the signaling sequence approach in which a particular sequence of ON, OFF states are imposed on the secondary optical signal 520. The secondary optical signal 520 is at a different wavelength or frequency f compared with wavelengths 510 associated with the optical communications signal 515 as shown. The secondary optical signal 520 may be switched ON for a predetermined period T1, which is followed by a signaling sequence SS corresponding to the predetermined code. This may be followed by another period T2 in which the signal is ON then the signaling sequence is repeated. In this way, the signaling sequence SS is repeated periodically. The initial (and subsequent) ON period may be used by a passive optical node to accumulate power for subsequently detecting the signaling sequence. These ON periods may be omitted when the optical node has independent access to power. This particular signaling approach may be implemented cheaply and may also provide power for a passive optical node.
The PPP 220 may be an additional component integrated into the OAD filter 280, a separate unit, or integrated with transponder units (not shown). In the case where a D-OTDR (Digital (Correlation) Optical Time Domain Reflectometer) is used at the main or remote sites, the PPP functionality may advantageously be integrated with the D-OTDR itself. This is illustrated in Figure 9 and requires no new components for implementing the PPP. The optical unit 900 of Figure 9 comprises an optical add drop filter 980 coupled to optical fiber 915 and the D-OTDR 920 which comprises a Linear SFP (small form pluggable) transceiver 925 controlled by a controller 930. An optical circulator 990 couples the Tx and Rx ports of transceiver 925 with the EXP port of the OAD filter 980. The D-OTDR can also be used to detect the point of disconnect or intrusion on the optical link between optical unit and optical node following any loss of signal (LOS).
Figure 3 illustrates an optical node 300 according to some embodiments. The optical node may correspond to the passive optical splitter 110 of Figure 1 and comprises a number of protection implementing devices 320, also referred to herein as Secondary Port Protector circuits (SPP). The optical node 300 comprises optical components and/or circuitry arranged to split an incoming WDM signal from the main site 105M at a main port 340-Main into copies of those WDM signals to be output from each of a number of sub-link ports 340-1 to 340-n. The main port 340-Main may be coupled to the main site via optical fiber and the sub-link ports 340-1 to 340-n may be coupled via optical fiber to respective downstream remote sites 105D, 105RU, 105W, 105S. The splitter 300 also combines upstream WDM signals from the remote sites towards the main site. Whilst this example includes a passive splitter as the optical node, alternative components include a Banded Filter which has one (downstream) input and a number of outputs but each output may only include a portion of the downstream spectrum.
Each port 340-1 to 340-n and 340-Main may be associated with a respective SPP 320 - labelled SPP1 - SPPn and SPPMain respectively. Each SPP 320 is coupled between the internal optical circuitry of the optical node and a respective input/output port. Each SPP 320 controls whether the optical communications or WDM signal can pass through its associated port, or whether the optical node is isolated from the WDM signal at that port. This functionality can be used to increase the security of the PON.
A detail of one protection implementing device or SPP 320n is shown for SPPn associated with port 340-n and is representative of the internal architecture of the other SPP in the optical node 300. Each SPP 320-n comprises an optical switch 330 coupled between its associated port 340-n and the internal optical circuitry of the optical node 300. The optical switch 330 is bistable and when closed couples an optical communications signal between the port 340-n and the internal optical circuitry of the optical node. When the optical switch 330 is open, an optical communications signal at the output port is isolated from the internal optical circuitry of the optical node, and vice versa. The optical communications signal may be a WDM signal 515 comprising a range of wavelengths divided into channels as illustrated in Figure 5 and for communicating between the main site and respective remote sites.
The SPP 320n comprises an optical filter 325 between the port 340-n and the optical switch 330. The optical filter 325 is arranged to drop a secondary optical signal or pump tone received at the port 340-n to an optical-to-electrical converter 335. The wavelength of the secondary optical signal 520 is outside the range of the optical communications or WDM signal as illustrated in Figure 5, with the optical filter 325 being configured for that wavelength.
The optical-to-electrical converter 335 may be a photodiode and is coupled to a detector circuit 340 and a power accumulator 345. Each SPP may comprise its own power accumulator 345 or may be coupled to a common power accumulator shared by all SPP. The power accumulator 345 is charged by electrical current generated by the photodetector 335 when the photodetector receives the pump-tone or secondary optical signal 520. The power accumulator 345 is used to power operation of the optical switch 330n and the detector circuit 340n. In an example, a capacitor may be employed as a power accumulator although any suitable arrangement may be used. In other examples, an external power supply or battery may be implemented to avoid the need for an accumulator. The battery may be charged using solar panels or other renewable sources.
The detector circuit 340n is arranged to detect a signaling sequence SS impressed on the electrical correspondent of the secondary optical signal or pump tone, and to determine whether this matches a predetermined code 345n stored on the optical node 300 and associated with the SPP 320n. In order to further enhance security, each SPP 320 may be associated with its own respective predetermined code. The detector circuit 340n is arranged to control operation of the optical switch 330n depending on whether a signaling sequence SS on the optical secondary signal matches the predetermined code 345n.
The use of a low-rate signaling sequence on a secondary optical signal together with a locally stored predetermined code for matching with the signaling sequence is a low cost and low power consumption implementation well suited to a passive optical node environment where there may be no access to reliable power supply infrastructure. For example, the predetermined code may correspond to a simple binary sequence which can be matched with a corresponding binary sequence of ON OFF states of the pump tone. Also, the additional losses due to the additional filter 325n and to the optical switch 330n can be contained within 1 dB, so with minimal impact on the overall optical budget. Other implementations are possible, such as modulating the secondary optical signal with a digital signal for forwarding a message which may be decoded and compared with the predetermined code 345n; however, this will require more circuit complexity and power consumption.
When the signaling sequence SS matches the predetermined code of the port 320n (referred to herein as an unlock code), the optical switch 330n is closed so that an optical communications signal, the WDM signal, is allowed to pass between the port 340-n and the internal circuitry of the optical node 300. When the signaling sequence SS does not match the predetermined code 345n, the optical switch 330n is opened which isolates any optical communications signal at the port 340-n from the internal optical circuitry of the optical node 300. Similarly, when an unlock code is not received, or not received when expected, the optical switch 330n is opened. In addition, when there is a loss of signal (LOS) of the secondary optical signal, the optical switch is opened. This arrangement ensures that the port 340-n only remains coupled with the rest of the optical node 300 for an optical communications signal when a suitable secondary optical signal (with an unlock code matching that stored locally for the port) is also present at the port. This arrangement can be used to improve the security of the port 340-n, only closing the optical switch when the port is coupled to a remote node which is generating an appropriate secondary optical signal, for example using a suitably configured PPP as previously described. This prevents unconnected ports from being accessed by a malicious party as the lack of an appropriate secondary optical signal will isolate the port from the rest of the optical node 300. Similarly, were a malicious party to decouple a connected port from an optical fiber coupled to a legitimate remote site and then attempt to access the port, the port will become isolated due to a LOS condition and/or the loss of the optical secondary signal.
The signaling or unlock sequence SS for each port of the optical node 300 can be factory determined and stored in an EEPROM (hard coded), or also changed by an operator before installation using a control interface. If a control interface is provided to the SPP, to ensure security, such interface can be implemented so that, when accessed (e.g. via USB port) it is automatically powered and configured to close all the optical ports of the node 300 so that any malicious intrusion can be easily and immediately detected as a traffic disruption of the whole node.
Irrespective of the method used to assign the key sequences or predetermined codes to the ports of the optical node, each respective sequence is known by a paired PPP at the remote or main site. The corresponding PPP can be configured through a suitable control interface. For example, if the PPP is under the control of a Network Management System (NMS), the configuration can be done through that system using a control channel. As with the SPP, the PPP control interface (if not under NMS control or if in a site out of control) is protected so that any malicious intrusion is translated into an automatic LASER switch off. Therefore, this method foresees that the Key or predetermined code assignment and definition operations may be done only during installation, and maintenance is controlled such that any possible intrusion to the control interfaces is immediately detected.
According to some embodiments, to establish and open a secure connection with an SPP (e.g. 320n), the paired PPP 220 (at a Main or Remote site) repeatedly sends, at any connection or reconnection, a pump tone or signal (secondary optical signal) modulated with a low frequency unlock key sequence corresponding to that stored in the paired port of the SPP at an intermediate site. The duration and the repetition rate of the unlock sequence can be configured according to implementation specific considerations as discussed in more detail below. Once the correct sequence is detected by the SPP 320n, the SPP will close the optical switch 330n (normally open) allowing the WDM signal (optical communications signal) to flow downstream (and upstream) through the relevant port 320n to enable communication through the network 100.
During normal operation, the PPP 220 continues to transmit the feeder pump signal. If the SPP 320n detects a LOS of the feeder pump (e.g. connector is unplugged or in case of a fiber cut), the SPP 320n will immediately reopen the optical switch 330n and the WDM signal will automatically be prevented from flowing through that port 340n. This avoids eavesdropping or the malicious injection of disturbance into the optical signals from that port, as the port is isolated from the rest of the optical node. Once a legitimate connection is re-established, the SPP 320n again receives the power feeder or pump tone signal (secondary optical signal). However, to close the optical switch 330n again, the SPP 320n needs to detect a valid unlock sequence. This may be the same or a different unlock sequence depending on implementation. Through this mechanism the following use cases are addressed:
1. Eavesdropping from a free connector of the passive component 300 in the intermediate site. In this situation a malicious intruder connects to a free or unconnected optical port of a splitter or other optical node such as a banded filter. In this case the eavesdropping is prevented because to open the optical port the intruder would need to send a power feeder or pump tone signal at the correct frequency and with the correct key-sequence, and depending on the implementation the correct repetition rate. The correct sequence is stored securely in the component EEPROM of the optical node. If an interface such as a USB port is available and this is accessed, the relevant control interface may be configured to isolate all or some ports of the optical node to trigger LOS alarms within the system which are monitored by an operator or NMS.
2. Man-in-the-middle intrusion/eavesdropping. In this situation an intruder tries to insert into the middle of the connection by inserting a tap. However, to perform this operation the link must be disconnected, and the LOS of the pump tone causes the SPP to automatically open the relevant optical port. The malicious intruder could attempt to rapidly insert a tap, but at this point the circuit is open and the system alarmed. Various reconnection protocols may then be employed including the following options. Manual mode: after a misconnection the system can be restored only with a manual intervention and inspection, providing full control to the network operator. Automatic mode: after a fixed time the SPP resends the sequence and restarts. The operators, in light of the alarm that occurred on that line, may then check (or switch off remotely) the whole link based on an assessment of the alarm context, for example knowing that no maintenance operations have been performed on that link.
3. Accidental misconnection or fiber-break. In this situation there is an accidental misconnection or a fiber-break, for example due to authorized maintenance. In these situations, it is desirable to recover the link connection easily and safely. Once the optical fiber connection is restored, the legitimate PPP sends the secondary optical signal which is detected by the SPP which in turn closes the optical switch to re-establish the optical communications signal.
The protection mechanism of some embodiments is well suited for adoption in passive optical components, like splitters or filters, and equipped in intermediate locations of an optical network where powering is not generally available. The mechanism to provide power uses the optical feeder or pump tone (secondary optical signal). For example, to provide a feeder pump signal at the PPP of 0 dBm and spanning 15 km, the span and coupling filters losses, in a very worst case, may be around -10 dB (i.e. 0.1 mW of optical power) at the SPP photodetector. Assuming a conversion efficiency of 50%, this will provide 0.05 mW of electrical power. This energy may be continuously provided by the PPP feeder pump signal and can be stored in a capacitor (energy accumulator) which, at this rate, can accumulate an energy of 10 mJ in 200 seconds (i.e. about 3 minutes). The energy of 10 mJ may then be used to switch on a circuit of 100 mW for 100 ms. This information may be used to dimension the unlock sequence duration and repetition rate. For example, in one implementation, the unlock key sequences may be sent at a rate of 10 every 100 ms, and the SPP may be configured to detect at least N (e.g. N=5) consecutive good sequences. Once the SPP has detected the appropriate number of unlock sequences, the port controlled by the SPP is closed. At that point the PPP may be configured to stop sending the unlock sequence and the SPP may then be configured to operate in an LOS detection mode only (and for this the energy required is very low). The above considerations assume a worst case condition on the feeder pump tone and span length attenuation. A more powerful PPP LASER and a shorter span would provide more optical power to the photodetector 335n and therefore less time for recharging (e.g. with 4 dBm from the LASER and 4 dB of span/filter attenuation, we could have 0.5 mW of power converted into the electrical domain, resulting in a charge time of the capacitor to 10 mJ reduced to 20 sec instead of 200).
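The dimensioning argument above can be carried through in code. The following is an added example, not part of the patent text: the class and function names are hypothetical, the one-sequence alignment margin in `unlock_fits` is an assumption of this sketch, and the energy needed to actuate the bistable switch is ignored.

```python
"""Pump-feeder energy budget for a passive-node SPP (added illustration)."""
from dataclasses import dataclass


def dbm_to_mw(dbm: float) -> float:
    """Convert optical power from dBm to milliwatts."""
    return 10 ** (dbm / 10)


@dataclass(frozen=True)
class FeederBudget:
    launch_dbm: float   # pump power leaving the PPP LASER
    loss_db: float      # span plus coupling/filter loss, given as a positive dB figure
    efficiency: float   # optical-to-electrical conversion efficiency (0..1)
    target_mj: float    # energy the accumulator must store before the circuit wakes
    circuit_mw: float   # draw of the detector circuit while it is awake

    def electrical_mw(self) -> float:
        """Electrical power harvested at the photodetector."""
        return dbm_to_mw(self.launch_dbm - self.loss_db) * self.efficiency

    def charge_time_s(self) -> float:
        """Time to accumulate target_mj (mJ divided by mW gives seconds)."""
        return self.target_mj / self.electrical_mw()

    def awake_ms(self) -> float:
        """How long the stored energy can run the circuit."""
        return self.target_mj * 1000 / self.circuit_mw

    def unlock_fits(self, seqs_per_window: int, window_ms: float,
                    n_consecutive: int) -> bool:
        """Can N consecutive sequences be observed within one awake period?

        Assumption of this sketch: the detector may wake in the middle of a
        sequence, so one extra sequence period is budgeted for alignment.
        """
        seq_ms = window_ms / seqs_per_window
        needed_ms = (n_consecutive + 1) * seq_ms
        return needed_ms <= self.awake_ms()


# The two operating points quoted in the text.
WORST_CASE = FeederBudget(launch_dbm=0.0, loss_db=10.0, efficiency=0.5,
                          target_mj=10.0, circuit_mw=100.0)
SHORT_SPAN = FeederBudget(launch_dbm=4.0, loss_db=4.0, efficiency=0.5,
                          target_mj=10.0, circuit_mw=100.0)


def report(budget: FeederBudget) -> str:
    """One-line summary for an operating point."""
    return (f"{budget.electrical_mw():.2f} mW harvested, "
            f"{budget.charge_time_s():.0f} s to charge, "
            f"{budget.awake_ms():.0f} ms awake, "
            f"N=5 at 10 per 100 ms fits: {budget.unlock_fits(10, 100.0, 5)}")


if __name__ == "__main__":
    print("worst case:", report(WORST_CASE))
    print("short span:", report(SHORT_SPAN))
```

With ten sequences per 100 ms, N=5 needs 60 ms of the 100 ms awake period under the alignment assumption, while N=10 would not fit and would need a larger accumulator or a lower-power detector.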
Figure 4 illustrates a state diagram for an SPP according to some embodiments. The protection implementing device or SPP 320 at switch on (SW ON) is in OPEN status, that is the optical switch is open and it does not allow the WDM signal to flow through the associated port 340. Once a correct unlock sequence is detected from its paired PPP 220, the SPP changes its status to CLOSED, that is the optical switch is closed which allows the WDM signal to flow through the associated port. The SPP will remain in CLOSED status until a LOS is detected, in response to which the SPP moves back to the OPEN status. The SPP then remains in the OPEN state until it receives again the correct sequence from its paired PPP.
Figure 6 illustrates a method according to some embodiments. The method 600 may be implemented on the protection implementing devices or SPP 320 of Figure 3 or using different hardware. The hardware may include discrete optical and electrical components or circuits, or may be implemented using integrated photonics.
At step 605, the method opens the optical switch. This prevents an optical communications signal such as a WDM signal from flowing between the port of an optical node and the internal circuitry of the node. This essentially isolates the optical node 110, 300 from any main or remote site to which the port is coupled, for example using optical fiber.
At step 610, the method checks for a secondary optical signal such as an optical pump feeder signal. In some embodiments the secondary optical signal should be at a wavelength corresponding to the tuning of a drop filter 325n and should be received for a minimum time period T1. If this is not the case, the method returns to step 605 so that the SPP remains open. If this condition is met, the method moves to step 615.
At step 615, the method determines whether the secondary optical signal comprises a signaling sequence which matches a predetermined code stored on the optical node. A respective predetermined code may correspond to each SPP at the optical node. This may be achieved using a simple ON/OFF sequence of the pump feeder signal which is filtered by a filter 325n and provided to a photodetector 335n for checking by a detection circuit 340n. If this is not the case, the method returns to step 605 where the SPP remains open. If the signaling sequence of the secondary optical signal matches the predetermined code, the method moves to step 620.
At step 620, the method closes the optical switch 330n. This allows an optical communications signal such as a WDM signal to flow between the port 340n of the optical node and the internal circuitry of the node. This essentially couples the optical node 110, 300 with any main or remote site to which the port is coupled, for example using optical fiber.
In some embodiments, at step 625, the method monitors for a LOS condition. If this does not occur, the optical switch remains closed allowing WDM signals to continue flowing. If a LOS condition occurs, the method returns to step 605 where the optical switch is opened, and the port is again isolated. Where this step is not used, the method may move from step 620 to step 610 or 615 depending on implementation.
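The state diagram of Figure 4 and steps 605 to 625 of method 600 can be modelled as a small state machine. This is an added example, not code from the patent: the class, the slot-based timing, the sample codes and the use of a constant-time comparison are assumptions of the sketch, and demodulation of the ON/OFF pump tone into frames is taken as done by the photodetector front end.

```python
"""Behavioural model of the SPP detector (added illustration)."""
import hmac
from enum import Enum
from typing import Iterable, List, Optional, Tuple


class State(Enum):
    OPEN = "OPEN"      # optical switch open: port isolated from the node
    CLOSED = "CLOSED"  # optical switch closed: WDM signal passes


class SPPDetector:
    """One time slot per call; a slot is the duration of one unlock sequence."""

    def __init__(self, code: bytes, t1_slots: int, n_required: int) -> None:
        self.code = code              # predetermined code stored on the node
        self.t1_slots = t1_slots      # minimum pump ON time T1 (step 610)
        self.n_required = n_required  # N consecutive good sequences
        self.state = State.OPEN       # step 605: start isolated
        self._on_slots = 0
        self._good = 0

    def _to_open(self) -> None:
        """Step 605: open the switch and forget all progress."""
        self.state = State.OPEN
        self._on_slots = 0
        self._good = 0

    def slot(self, pump_present: bool, frame: Optional[bytes] = None) -> State:
        if not pump_present:                 # LOS of the secondary signal
            self._to_open()
            return self.state
        if self.state is State.CLOSED:       # step 625: LOS-only monitoring
            return self.state
        if self._on_slots < self.t1_slots:   # step 610: still charging
            self._on_slots += 1
            return self.state
        if frame is None:                    # pump ON, no sequence this slot
            return self.state
        # Step 615. compare_digest is a hardening choice of this sketch.
        if hmac.compare_digest(frame, self.code):
            self._good += 1
            if self._good >= self.n_required:
                self.state = State.CLOSED    # step 620
        else:
            self._to_open()                  # mismatch: back to step 605
        return self.state


Event = Tuple[bool, Optional[bytes]]


def run(spp: SPPDetector, events: Iterable[Event]) -> List[State]:
    """Feed (pump_present, frame) slots and return the state after each."""
    return [spp.slot(pump, frame) for pump, frame in events]


# Constructed sample values, one byte per ON/OFF symbol.
CODE = bytes([1, 0, 1, 1, 0, 0, 1, 0])
WRONG = bytes([1, 1, 1, 1, 0, 0, 0, 0])
CHARGE: List[Event] = [(True, None)] * 3


def legitimate_link() -> List[State]:
    return run(SPPDetector(CODE, 3, 5), CHARGE + [(True, CODE)] * 5)


def wrong_code_on_free_port() -> List[State]:
    return run(SPPDetector(CODE, 3, 5), CHARGE + [(True, WRONG)] * 20)


def interrupted_unlock() -> List[State]:
    events = CHARGE + [(True, CODE)] * 4 + [(True, WRONG)] + [(True, CODE)] * 4
    return run(SPPDetector(CODE, 3, 5), events)


def unplug_and_replug() -> List[State]:
    events = (CHARGE + [(True, CODE)] * 5   # link comes up
              + [(False, None)]             # connector pulled: LOS
              + [(True, CODE)] * 8)         # T1 again, then N good sequences
    return run(SPPDetector(CODE, 3, 5), events)


if __name__ == "__main__":
    for scenario in (legitimate_link, wrong_code_on_free_port,
                     interrupted_unlock, unplug_and_replug):
        print(scenario.__name__, [s.value for s in scenario()])
```

The model follows the LOS-only variant once the switch is closed; an implementation that requires periodic matching sequences would add a timeout in the CLOSED state.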
Figure 7 illustrates a method according to some embodiments. The method 700 may be implemented on the protection enabling devices or PPP 220 of Figure 2 or using different hardware. The hardware may include discrete optical and electrical components or circuits, or may be implemented using integrated photonics.
At step 705, the method transmits a secondary optical signal towards a paired SPP. This may be implemented using a LASER at a predetermined wavelength outside the wavelength band of the optical communications signal and where a predetermined signaling sequence is imposed which corresponds to a predetermined code associated with the paired SPP. Depending on the implementation, the PPP may also be configured to perform as a pump feeder signal, remaining ON between signaling sequences in order to provide power to the SPP. The signaling sequence used may be set by an operator of the network, depending on the connection between an optical unit or site and the particular port used at the optical node such as an intermediate passive splitter.
At step 710, the method monitors for expiration of timer T1. This is used to ensure that the secondary optical signal remains ON, acting as a pump feeder signal to power up the SPP at the passive optical node (where there is no external power available for the optical node). The time period T1 will be implementation specific, but an example has previously been described.
At step 715, following expiry of the timer T1, the method modulates the secondary optical signal using a signaling sequence. This signaling sequence is the previously described unlock sequence which matches a predetermined code stored on the optical node and associated with the port of the optical node to which the PPP is coupled.
The PPP may send the unlock sequence repeatedly. As previously described, when the paired SPP determines that the unlock sequence matches its stored predetermined code (or the SPP receives for example N consecutive matching unlock sequences), it closes the optical switch allowing the WDM traffic to flow through the corresponding port.
At step 720, the method may determine whether the PPP is operating in an AUTO or CONTROL mode. The AUTO mode may be employed when the PPP cannot be remotely controlled and/or where physical access to it is inconvenient. In this mode, the PPP automatically repeats the unlock sequence after a configurable T2 timer by moving to step 730. The method then returns to step 715 where the signaling sequence is sent again.
This allows, after an accidental misconnection, for the link to be automatically restored, in the worst case after a T2 time. On the other hand, if there is a malicious intrusion, the system interrupts the traffic. Any malicious subsequent connection will be prevented by lack of the correct signaling sequence and may prompt an operator to manually perform other surveillance and testing.
The Control Mode may be used when the PPP is remotely controlled via an NMS. In this case, the unlock sequence is only resent upon a specific NMS command once it has been determined if a real intrusion occurred or if the misconnection was accidental (such verification could be manual or also automatic in case an OTDR is present). In CONTROL mode, the method moves to step 725 to await an NMS command, and then returns to step 715 where the signaling sequence is sent again.
Figure 8 illustrates a controller which may be implemented as the controller 230 of the PPP of Figure 2 or the detection circuit of the SPP of Figure 3. The controller 800 comprises a processor 803 and memory 808 containing executable instructions 812. The memory may also comprise an unlock sequence or predetermined code 817 which will be associated with a particular SPP. The executable instructions 812 may be in the form of a computer program and may include instructions for executing one or more protocol step. In some examples, the processor or processing circuitry 803 may include one or more microprocessors or microcontrollers, as well as other digital hardware, which may include digital signal processors (DSPs), special-purpose digital logic, etc. The processor or processing circuitry may be implemented by any type of integrated circuit, such as an Application Specific Integrated Circuit (ASIC), Field Programmable Gate Array (FPGA) etc. The memory 808 may include one or several types of memory suitable for the processor, such as read-only memory (ROM), random-access memory, cache memory, flash memory devices, optical storage devices, solid state disk, hard disk drive etc. The executable instructions 812 may be used to cause the processor 803 to operate a protection enabling device or PPP according to the method 700 (instructions 823 - 833) or to operate a protection implementing device or SPP according to the method 600 (instructions 853 to 863).
At 823, a secondary optical signal is received which has a wavelength different from the optical communications signal. This may be received in the electrical domain using an optical filter and photodetector as previously described, although other arrangements are possible.
At 827, it is determined whether the secondary optical signal is carrying a message matching a predetermined code stored on the local node. As previously described, the message may be carried by a signaling sequence imposed on the secondary optical signal.
At 833, an optical fiber carrying the optical communications signal is coupled to the node using an optical switch, in response to determining that the message does match the predetermined code.
In order to implement the controller of the PPP, at 853, a secondary optical signal having a wavelength different from the optical communications signals is transmitted. This may be implemented by controlling a LASER in the PPP.
At 857, the secondary optical signal is controlled to be switched ON for a predetermined time. This enables charging up of a connected SPP.
At 863, the secondary optical signal is controlled to generate a signaling sequence that corresponds with a predetermined code associated with the optical node, and in particular the port of the optical node to which the PPP is connected.
Some embodiments may provide a number of advantages including solving a physical layer vulnerability of an optical network such as a passive optical network having an insecure intermediate optical node. There is provided a simple and cost-effective solution which is compatible with anticipated future deployment and configuration trends. Embodiments may prevent jamming and eavesdropping and may also be self-contained from a power supply perspective. Where an OTDR is present, this may advantageously be employed to implement the security mechanism.
Modifications and other variants of the described embodiment(s) will come to mind to one skilled in the art having the benefit of the teachings presented in the foregoing descriptions and the associated drawings. Therefore, it is understood that the embodiment(s) is/are not limited to the specific examples disclosed and that modifications and other variants are intended to be included within the scope of this disclosure. Although specific terms may be employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.
It should be noted that the above-mentioned examples illustrate rather than limit the invention, and that those skilled in the art will be able to design many alternative examples without departing from the scope of the appended statements. The word “comprising” does not exclude the presence of elements or steps other than those listed in a claim, “a” or “an” does not exclude a plurality, and a single processor or other unit may fulfil the functions of several units recited in the statements below. Where the terms, “first”, “second” etc. are used they are to be understood merely as labels for the convenient identification of a particular feature. In particular, they are not to be interpreted as describing the first or the second feature of a plurality of such features (i.e. the first or second of such features to occur in time or space) unless explicitly stated otherwise. Steps in the methods disclosed herein may be carried out in any order unless expressly otherwise stated. Any reference signs in the statements shall not be construed to limit their scope.

Claims

1. An optical communications network comprising: an optical node and an optical unit coupled using an optical fiber and arranged to communicate using an optical communication signal; the optical node comprising: an optical switch to couple the optical communications signal between an optical fiber and the optical node; a receiver arranged to receive a secondary optical signal having a wavelength different from the optical communications signal; control circuitry arranged to control the optical switch dependent on a message received on the secondary optical signal matching a predetermined code stored on the optical node; the optical unit comprising: an optical transmitter arranged to communicate with the optical node the using optical communications signal; the optical transmitter arranged to transmit the secondary optical signal having a wavelength different from the optical communications signal.
2. The network of claim 1, wherein the optical node is a passive optical node.
3. The network of claim 1 or 2, wherein the receiver comprises a filter to couple the wavelength different from the optical communications signal to an optical-to-electrical converter.
4. The network of any one preceding claim, wherein the control circuitry comprises: a processor and memory storing the predetermined code; and a power accumulator to power the processor and arranged to be charged by the secondary optical signal.
5. The network of any one preceding claim, the optical node arranged to open the optical switch to prevent the optical communications signal passing between the optical node and the optical unit in response to loss of the secondary optical signal.
6. The network of any one preceding claim, wherein the optical unit comprises a controller arranged to control the optical transmitter to: transmit the secondary optical signal at an ON level for a predetermined time and then to generate a signaling sequence on the secondary optical signal that corresponds with the predetermined code stored on the optical node.
7. The network of any one preceding claim, wherein the optical node is arranged to close the optical switch to enable the optical communications signal to pass between the optical node and the optical unit in response to the secondary signal being at an ON level for a predetermined period followed by a signaling sequence matching the predetermined code.
8. The network of claim 7, wherein the optical node is arranged to open the optical switch to prevent the optical communications signal passing between the optical node and the optical fiber unless subsequent signaling sequences matching the predetermined code are received periodically.
9. The network of any one preceding claim, comprising a plurality of additional optical units coupled to the optical node, each said optical unit being associated with a different respective predetermined code stored on the optical node.
10. The network of any one preceding claim, wherein the network comprises a passive optical network, the optical node comprises a splitter, and the or each optical unit comprises one or more remote optical network terminals or an optical line terminal.
11. A method of controlling an optical communications signal in an optical network having an optical node and an optical unit, the method comprising: the optical node coupling an optical fiber carrying the optical communications signal using an optical switch; the optical node controlling the optical switch dependent on a message received on a secondary optical signal matching a predetermined code stored on the optical node, the secondary optical signal being transmitted from the optical unit to the optical node and having a wavelength different from the optical communications signal.
12. The method of claim 11, comprising using power accumulated from the received secondary optical signal at the optical node to power controlling the optical switch.
13. The method of claim 11 or 12, wherein the optical switch is opened to prevent the optical communications signal passing between the optical node and the optical fiber in response to loss of the secondary optical signal.
14. The method of any one of claims 11 to 13, wherein the optical switch is closed to enable the optical communications signal to pass between the optical node and the optical fiber in response to the secondary signal being at an ON level for a predetermined period followed by a signaling sequence matching the predetermined code.
15. The method of claim 14, wherein the optical switch is closed to prevent the optical communications signal passing between the optical node and the optical fiber unless subsequent signaling sequences matching the predetermined code are received periodically.
16. The method of any of claims 11 to 15, comprising the optical unit transmitting the secondary optical signal at an ON level for a predetermined time and then transmitting a signaling sequence on the secondary optical signal that corresponds with the predetermined code stored on the optical node.
17. The method of any one of claim 16, comprising the optical unit repeating the signaling sequence periodically at a second predetermined time following the previous signaling sequence.
18. The method of claim 16, comprising the optical unit repeating the signaling sequence in response to a predetermined network management command.
19. A device for use in an optical node and for coupling an optical communications signal to or from the optical node, the device comprising: an optical switch to couple the optical communications signal between an optical fiber and the optical node; a receiver arranged to receive a secondary optical signal having a wavelength different from the optical communications signal; control circuitry arranged to control the optical switch dependent on a message received on the secondary optical signal matching a predetermined code locally stored on the device.
20. The device of claim 19, wherein the device is a passive component powered by the secondary optical signal.
21. The device of claim 19 or 20, wherein the receiver comprises a filter to couple the wavelength different from the optical communications signal to an optical-to-electrical converter.
22. The device of any one of claims 19 to 21, wherein the control circuitry comprises: a processor and memory storing the predetermined code; and a power accumulator to power the processor and arranged to be charged by the secondary optical signal.
23. The device of any one of claims 19 to 22, arranged to open the optical switch to prevent the optical communications signal passing between the optical node and the optical fiber in response to loss of the secondary optical signal.
24. The device of any one of claims 19 to 23, arranged to close the optical switch to enable the optical communications signal to pass between the optical node and the optical fiber in response to the secondary signal being ON for a predetermined period followed by a signaling sequence matching the predetermined code.
25. The device of any one of claims 19 to 23, arranged to open the optical switch to prevent the optical communications signal passing between the optical node and the optical fiber unless subsequent signaling sequences matching the predetermined code are received periodically.
26. An optical node comprising a device according to any one of claims 19 to 25.
27. The optical node of claim 26 comprising: additional devices according to any one of claims 19 to 25, each coupled to a respective optical fiber, each device associated with a respective predetermined code; an accumulator arranged to be charged by a secondary optical signal received from a plurality of the optical fibres.
28. The optical node of claim 26 or 27 comprising a passive optical network splitter.
29. A passive optical network comprising the optical node of any one of claims 26 to 28.
30. A method of coupling an optical communications signal to or from an optical node, the method comprising: receiving at the optical node a secondary optical signal having a wavelength different from the optical communications signal; determine if the secondary optical signal is carrying a message matching a predetermined code stored on the optical node; in response, coupling the optical communications signal between an optical fiber and the optical node.
31. The method of claim 30, wherein the message comprises a signaling sequence.
32. The method of claim 30 or 31, wherein coupling the optical fiber to the optical node comprises controlling an optical switch.
33. The method of claim 32, comprising using power accumulated from the secondary optical signal to control the optical switch.
34. The method of claim 32 or 33, wherein the optical switch is opened to prevent the optical communications signal passing between the optical node and the optical fiber in response to loss of the secondary optical signal.
35. The method of any one of claims 32 to 34, wherein the optical switch is closed to enable the optical communications signal to pass between the optical node and the optical fiber in response to the secondary signal being ON for a predetermined period followed by a signaling sequence matching the predetermined code.
36. The method of claim 35, wherein the optical switch is opened to prevent the optical communications signal passing between the optical node and the optical fiber unless subsequent signaling sequences matching the predetermined code are received periodically.
37. A device for use in an optical unit and for controlling the coupling of an optical communications signal to or from an optical node, the device comprising: an optical transmitter for coupling with an optical unit arranged to communicate with the optical node the using optical communications signal; the optical transmitter arranged to transmit a secondary optical signal having a wavelength different from the optical communications signal; a controller arranged to control the optical transmitter to: transmit the secondary optical signal at an ON level for a predetermined time and then to generate a signaling sequence on the secondary optical signal that corresponds with a predetermined code associated with the optical node.
38. The device of claim 37, wherein the controller is arranged to repeat the signaling sequence periodically at a second predetermined time following the previous signaling sequence.
39. The device of claim 37, wherein the controller is arranged to repeat the signaling sequence in response to receiving a predetermined network management command.
40. An optical unit for a passive optical network and comprising the device of any one of claims 37 to 39, the optical unit comprising an optical line terminal or an optical network terminal.
41. A method of controlling the coupling of an optical communications signal between an optical node and an optical unit, the method comprising: transmitting a secondary optical signal having a wavelength different from the optical communications signal from the optical unit; controlling the secondary optical signal to be switched to an ON level for a predetermined time; controlling the secondary optical signal to generate a signaling sequence that corresponds with a predetermined code associated with the optical node.
42. The method of claim 41, comprising repeating the signaling sequence periodically at a second predetermined time following the previous signaling sequence.
43. The method of claim 41, comprising repeating the signaling sequence in response to a predetermined network management command.
44. A computer program comprising instructions which, when executed on a processor, cause the processor to carry out the method of any one of claims 11 to 18; 30 to 36; 41 to 43.
45. A computer program product comprising non-transitory computer readable media having stored thereon a computer program according to claim 44.
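A node-side model of the switch behaviour recited in claims 34 to 36, as an added example that is not part of the patent text. The class, the event names, the sample code value, the timings and the constant-time comparison are assumptions chosen for illustration.

```python
import hmac

class SwitchController:
    """Hypothetical node-side gate for the optical switch (claims 34 to 36)."""

    def __init__(self, code: bytes, on_period: float, refresh: float):
        self.code = code            # predetermined code stored on the node
        self.on_period = on_period  # seconds of steady ON before a sequence counts
        self.refresh = refresh      # longest allowed gap between matching sequences
        self.closed = False         # False = switch open, communications signal blocked
        self.on_since = None
        self.last_match = None

    def signal_on(self, t):
        if self.on_since is None:
            self.on_since = t

    def signal_lost(self):
        # Claim 34: loss of the secondary signal opens the switch.
        self.on_since = self.last_match = None
        self.closed = False

    def sequence(self, t, seq: bytes):
        # Claim 35: close only after the ON period, and only on a matching sequence.
        armed = self.on_since is not None and t - self.on_since >= self.on_period
        if armed and hmac.compare_digest(seq, self.code):  # constant-time compare (assumption)
            self.last_match = t
            self.closed = True

    def tick(self, t):
        # Claim 36: without a periodic matching sequence the switch reopens.
        if self.closed and t - self.last_match > self.refresh:
            self.closed = False
        return self.closed

def replay(ctl, events):
    """Feed (time, kind, payload) events; return the switch state after each one."""
    states = []
    for t, kind, payload in events:
        if kind == "on":
            ctl.signal_on(t)
        elif kind == "lost":
            ctl.signal_lost()
        elif kind == "seq":
            ctl.sequence(t, payload)
        states.append(ctl.tick(t))  # "tick" events only advance the clock
    return states

CODE = b"\xa5\x3c"  # constructed sample code, not a value from the patent
TIMELINE = [(0.0, "on", None), (1.0, "seq", CODE), (3.0, "seq", b"\x00\x00"),
            (4.0, "seq", CODE), (12.0, "seq", CODE), (23.0, "tick", None),
            (24.0, "seq", CODE), (25.0, "lost", None), (26.0, "seq", CODE)]
```

With a 2 s ON period and a 10 s refresh window, the constructed timeline shows the switch staying open for an early or wrong sequence, closing on a valid one, reopening when the refresh lapses, and reopening again as soon as the secondary signal is lost.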
PCT/EP2021/083431 2021-11-29 2021-11-29 Optical network security WO2023094016A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2021/083431 WO2023094016A1 (en) 2021-11-29 2021-11-29 Optical network security

Publications (1)

Publication Number Publication Date
WO2023094016A1 true WO2023094016A1 (en) 2023-06-01

Family

ID=78829571

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2021/083431 WO2023094016A1 (en) 2021-11-29 2021-11-29 Optical network security

Country Status (1)

Country Link
WO (1) WO2023094016A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5488501A (en) * 1992-04-09 1996-01-30 British Telecommunications Plc Optical processing system
US20050185895A1 (en) * 2004-02-23 2005-08-25 Keenum John A. Connector port for network interface device
EP2859670A1 (en) * 2012-06-11 2015-04-15 Telefonaktiebolaget L M Ericsson (Publ) Security monitoring for optical network

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
DAVID DAHAN ET AL: "Security threats and protection procedures for optical networks", IET OPTOELECTRONICS, THE INSTITUTION OF ENGINEERING AND TECHNOLOGY, MICHAEL FARADAY HOUSE, SIX HILLS WAY, STEVENAGE, HERTS. SG1 2AY, UK, vol. 11, no. 5, 1 September 2017 (2017-09-01), pages 186 - 200, XP006109522, ISSN: 1751-8768, DOI: 10.1049/IET-OPT.2016.0150 *
SKORIN-KAPOV NINA ET AL: "Physical-layer security in evolving optical networks", IEEE COMMUNICATIONS MAGAZINE, IEEE SERVICE CENTER, PISCATAWAY, US, vol. 54, no. 8, 1 August 2016 (2016-08-01), pages 110 - 117, XP011619571, ISSN: 0163-6804, [retrieved on 20160809], DOI: 10.1109/MCOM.2016.7537185 *

Similar Documents

Publication Publication Date Title
US7586672B2 (en) Optical transmission system
US8045851B2 (en) Method and apparatus for automatic restoration detection and automatic restoration of optical communication system
US20120288273A1 (en) Intelligent splitter monitor
JP5073826B2 (en) Fail-safe optical splitter and method for isolating faults in passive optical networks
US20080166133A1 (en) Optical network remote power supply system for remote switching unit
US7787764B2 (en) Optical network transmission channel failover switching device
US20080152342A1 (en) Optical network transmission channel failover switching device
US20080152341A1 (en) Optical network transmission channel failover switching device
US9391421B2 (en) Optical amplification apparatus, optical transmission apparatus, and optical transmission system
US7660529B2 (en) System and method for providing failure protection in optical networks
JP4111163B2 (en) Abnormal light detection and blocking device
WO2023094016A1 (en) Optical network security
EP3300265B1 (en) Raman pumping arrangement with improved osc sensitivity
CN1863026B (en) WDM terminal apparatus using multi-wavelength laser
US7130537B1 (en) Safety shutdown system for a WDM fiber optic communications network
Straub et al. Field trial of a system-independent infrastructure monitoring system for access networks
US20110076012A1 (en) Optical network terminal and method for detecting transmission error in optical network terminal
US12035084B2 (en) Optical communications network and method for continuous service provision thereon
Teixeira et al. Security issues in optical networks physical layer
Sangmahamad et al. An optical fiber monitoring and alert system for a passive optical network based on iot
JP7491373B2 (en) Notification system, notification device, and notification method
Imtiaz et al. Self-healing hybrid protection architecture for passive optical networks
Perez-Herrera et al. A resilient Raman amplified double ring network for multiplexing fiber Bragg grating sensors
Dou et al. Demonstration of chaotic-laser based WDM-PON secure optical communication and real-time online fiber-fault detection and location
KR102692596B1 (en) System and method for blocking unauthorized line in passive optical network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21823518

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE