Fibre OLT


My OLT (Optical Line Termination) is a VSOL V1600GS-O32. It comes with one GPON port with an attached internal 32-port splitter. Why this one? Honestly, I wasn’t able to find a cheap enough used OLT, so I went for what I think is the cheapest new one. In addition, having the internal splitter saved me from buying one of those. In return, it doesn’t allow me to attack the line between OLT and splitter, but I guess I’m far from doing that anyways.

What’s interesting about an OLT?

In current FTTH / GPON / xGPON setups, the passive part of “PON” implies that a single fibre strand goes from the OLT to a passive splitter, where all local customers are connected. With the splitter being fully passive, all customers on the same OLT port, on the same fibre strand, on the same splitter receive exactly the same data. Thus, the downstream communication is encrypted by default and an individual key is stored in every single ONT. While this setup makes sense and is easy to do securely, well, it’s interesting to look at. In addition, the same as with a DSLAM in DSL, the OLT in fibre allows me access to the ONT from the operator side and as such hopefully to management interfaces. A further question to answer is whether a trivial MitM setup is possible, just as in DSL.
One further aspect to look into is the organization of the upstream channel. As every customer on the same splitter also transmits their upstream via the same fibre strand, time division multiplexing is used. This way each ONT has an individual time window in which it may reply. Here the “individual” goes further than just evenly distributing the time slots, as this would waste precious time. Due to each line having a different length (the distance of the houses from the distribution box grows as you move down the street), the signal runtime also varies. Thus the length of the line should be measured and the time slot for each customer adjusted, to ensure an optimal use of the available capacity. This factor might be interesting for injection (complex), DoS (too easy) and MitM scenarios, where one might need a long line in front of the interception point to stay synchronized or hidden.
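The effect of measuring each line and adjusting its time slot, as an added example that is not part of the original post: a simplified model in which every ONT is given an extra delay so that all of them appear to sit at the same distance from the OLT. The group index, the 20 km ranged distance, the slot length and the fibre lengths are assumptions constructed for illustration, and ONT processing time is ignored.

```python
C_M_PER_S = 299_792_458
GROUP_INDEX = 1.468    # assumption: typical single-mode fibre
MAX_REACH_M = 20_000   # assumption: distance the OLT ranges every ONT to
SLOT_NS = 25_000       # constructed slot length
# Constructed grant order: (ONT name, fibre length in metres)
ONTS = [("far", 4200), ("near", 150), ("mid", 900)]

def round_trip_ns(length_m):
    """Propagation delay OLT -> ONT -> OLT in nanoseconds."""
    return 2 * length_m * GROUP_INDEX / C_M_PER_S * 1e9

def equalization_delay_ns(length_m):
    """Extra wait that makes an ONT behave as if it sat at MAX_REACH_M."""
    if not 0 <= length_m <= MAX_REACH_M:
        raise ValueError("ONT outside the ranged distance")
    return round_trip_ns(MAX_REACH_M) - round_trip_ns(length_m)

def arrival_windows(onts, slot_ns, equalize):
    """Return {name: (start_ns, end_ns)} of each burst as seen by the OLT.

    ONT number i is granted slot i, counted from the downstream frame it
    receives; the burst then needs the return trip to reach the OLT.
    """
    windows = {}
    for i, (name, length_m) in enumerate(onts):
        delay = round_trip_ns(length_m)
        if equalize:
            delay += equalization_delay_ns(length_m)
        start = i * slot_ns + delay
        windows[name] = (start, start + slot_ns)
    return windows

def collisions(windows, tolerance_ns=1e-3):
    """Pairs of ONTs whose bursts overlap at the OLT receiver.

    Checking neighbours is enough because all slots have the same length.
    """
    ordered = sorted(windows.items(), key=lambda kv: kv[1][0])
    return [(a, b) for (a, (_, a_end)), (b, (b_start, _))
            in zip(ordered, ordered[1:]) if b_start < a_end - tolerance_ns]

if __name__ == "__main__":
    for equalize in (False, True):
        w = arrival_windows(ONTS, SLOT_NS, equalize)
        print("equalized" if equalize else "raw", collisions(w))
        for name, (start, end) in sorted(w.items(), key=lambda kv: kv[1][0]):
            print(f"  {name:5s} {start / 1000:8.2f} .. {end / 1000:8.2f} us")
```

Without the per-ONT delay the bursts overlap at the receiver; with it they arrive back to back in grant order.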

The OLT

Seemingly, plugging in the OLT, connecting an ethernet cable and an ONT is all that’s necessary to have a functioning fibre network. The ONT has to be manually added to the known devices and then starts forwarding traffic. I chose to use the SN as the lone authentication property for an easy start.

OLT Menu

The first thing I noticed after connecting ONTs was the direct exposure of the SN, SnPW, loid and loidpw. Not surprising, but good to know! This way, in a MitM position, it’s trivial to extract this information. Also, it’s the easiest way to extract configuration from a random ONT.

OLT First

Notes

  • The default credentials are admin and Xpon@Olt9417#
  • Config changes are not persistent until stored under System Configuration -> Device Management -> Config file
  • The OLT offers a mirror function, also allowing mirroring the PON port to one of the ethernet ports
  • When having the OLT and ONT on the same switch / Layer 2 Domain, you have created a loop of death
    • Some ONTs simply go directly into transparent mode, just as the OLT, and thus …

Links