**2. TON vulnerabilities to physical-layer attacks**

The high data rates employed by TONs make them extremely sensitive to communication failures, whether they result from component malfunctions caused by external factors or fatigue, or from deliberate attacks. However, the differences between component faults and deliberate attacks make their consequences and recovery scenarios fundamentally different. Namely, disruption caused by component faults is restricted to the connections passing through the affected component, so rerouting these connections using classical survivability mechanisms usually solves the problem until the component is replaced/fixed. On the other hand, attacks can propagate to many users and different parts of the network, significantly complicating their detection and localization. Furthermore, the traffic itself can be the source of attack so rerouting affected connections may even worsen the consequences of the attack, instead of alleviating them. Furthermore, attacks, unlike failures, may appear sporadically so as to avoid detection.

Overviews of various physical-layer attacks in TONs can be found in (Fok et al., 2011; Mas et al., 2005; Médard et al., 1997). An attacker can gain access to the physical network

each of them, called Routing and Wavelength Assignment (RWA). The set of established lightpaths then comprises a so-called virtual topology over the given physical topology. Intermediate nodes perform wavelength-switching without regenerating or even interpreting the carried signals. Namely, full 3R (re-amplification, re-shaping, re-timing) signal regeneration in the optical domain is still in the experimental phase. Therefore, optical signals can only be re-amplified (1R) in the optical domain, while re-shaping and retiming require OEO conversion. We are currently witnessing the evolution of optical networking from opaque networks with all-electronic switching, implying OEO conversion at every node, to transparent networks with all-optical switching and no OEO conversions at intermediate nodes. Networks in which most of the nodes are transparent and some of them are strategically equipped with 2R and/or 3R regenerators to improve the quality of

The absence of lightpath regeneration in transparent optical networks not only provides signal transparency to bit rates, protocols and modulation formats but also reduces the costs and energy consumption associated with OEO conversion. However, transparency introduces significant changes to the security paradigm of optical networks by allowing signals whose characteristics fall out of the protocol-specific bounds or component working ranges to propagate through the network undetected. This creates a security vulnerability which can be exploited by a malevolent user to perform deliberate attacks aimed at degrading the proper functioning of the network. Due to the high data rates and latency employed in back-bone optical networks, even sporadic attacks of short duration can cause

Section 2 gives an overview of different types and methods of physical-layer attacks in TONs, along with experimental evaluation of some of the vulnerabilities of network components that can be exploited by malicious users. Section 3 gives an overview of the current issues and trends in attack management and control in TONs, as well as some methods and guidelines for increasing network resilience to attacks. Finally, Section 4

The high data rates employed by TONs make them extremely sensitive to communication failures, whether they result from component malfunctions caused by external factors or fatigue, or from deliberate attacks. However, the differences between component faults and deliberate attacks make their consequences and recovery scenarios fundamentally different. Namely, disruption caused by component faults is restricted to the connections passing through the affected component, so rerouting these connections using classical survivability mechanisms usually solves the problem until the component is replaced/fixed. On the other hand, attacks can propagate to many users and different parts of the network, significantly complicating their detection and localization. Furthermore, the traffic itself can be the source of attack so rerouting affected connections may even worsen the consequences of the attack, instead of alleviating them. Furthermore, attacks, unlike failures, may appear sporadically

Overviews of various physical-layer attacks in TONs can be found in (Fok et al., 2011; Mas et al., 2005; Médard et al., 1997). An attacker can gain access to the physical network

analog optical signals are called translucent (Shen & Tucker, 2007).

**2. TON vulnerabilities to physical-layer attacks** 

large data and revenue losses.

concludes this chapter.

so as to avoid detection.

components as a legitimate user (or impersonating one) or by otherwise breaching into the network. The attacker may be an outsider or, equally likely, a person with inside access to the network facilities, according to (Richardson, 2008).

Depending on the intentions of the attacker, physical-layer attacks can be divided into two main groups:


Tapping attacks imply breaches in communication privacy and confidentiality. Occurrences of these attacks have been recorded in the past, e.g. in 2000 when three main trunk lines of the Deutsche Telekom network were breached at Frankfurt Airport in Germany or when an illegal eavesdropping device was discovered attached to Verizon's optical network in 2003 (Miller, 2007). The most likely purpose of these attacks was industrial espionage. Estimates indicate that only in the year 2000, corporate espionage cost US companies approximately \$20 billion in purely technical means (Oyster Optics Inc., 2002).

The goal of service disruption attacks is to deteriorate the signal quality of legitimate communication channels. Depending on the severity of these attacks, their consequences may range from slight deterioration of the signal-to-noise ratio (SNR) to complete loss of service availability. They can also be aimed at manipulating communication by injecting false information or undermining the integrity of the transmitted data. Most commonly, these attacks are realized by injecting a malicious high-powered jamming signal which interferes with legitimate signals inside various network components. Methods of exploiting the vulnerabilities of the key building blocks of TONs (i.e. optical fibers, amplifiers and switches) to perform tapping and service disruption attacks are described in the following subsections.

### **2.1 Optical fibers**

Optical fibers are immune to electromagnetic interference, which eliminates the possibility of eavesdropping through observation of side-channel effects, but, unless shielded, they are still susceptible to eavesdropping through other means. Namely, under normal operating conditions, light is kept inside the fiber core through total internal reflection, where the angle between the light beam and the core inner surface exceeds the critical angle and the beam is totally reflected back into the core. Bending the fiber violates the condition of total internal reflection of light inside the fiber core and causes part of the signal to be radiated out of the fiber, as shown in figure 2. If a photodetector is placed at the fiber bend, it can pick up such leakage and deliver the transmitted content to the intruder. Commercial tapping devices which introduce losses below 0.5 dB can be found on the market. There are also techniques which introduce losses below 0.1 dB, making such attacks extremely difficult to detect by network monitoring systems.

Some of these devices may cause a short interruption of service due to the necessity of cutting the fiber in order to install the device, after which the transmission is re-established. If this interruption is noticed, the technical personnel is quite likely to find the location of

Physical-Layer Attacks in Transparent Optical Networks 127

Fig. 3. Three energy levels of Er3+ ions in silica glass for 980 nm pumping. Each discreet

Figure 3 shows three energy levels – E1, E2 and E3 of Er3+ ions in silica glass. In reality, the energy levels shown here as discreet are spread into a continuous energy band. The energy difference between levels E1 and E3 corresponds to the energy of photons of light at 980 nm. When light at that wavelength is pumped into the erbium-doped fiber, its absorption causes the transition of ions from E1 to E3. Light at 1480 nm can also be used for pumping, but the pumping process is more efficient at 980 nm, resulting in a higher gain for the same pump power (Ramaswami & Sivarajan, 2002). The excited ions stay at the E3 level for a very short time and then quickly transit to level E2. The lifetime of the transition from level E2 to E1 is much longer, about 10 ms, and it is accompanied by the emission of photons on a wavelength between 1525 and 1570 nm. With pumping power high enough, the ions which fall back to level E1 are quickly raised to E3. The result of the synergy of these two processes is that most of the ions can be found at level E2, i.e. population inversion between levels E2 and E1 is achieved. Under such conditions, light on wavelengths of 1525-1570 nm is

An optical amplifier is characterized by its gain, gain bandwidth, gain saturation, polarization sensitivity and amplifier noise (Mukherjee, 2006). The gain is defined as the ratio between the power of the signal at the output of the amplifier and its power at the input. Gain bandwidth specifies the frequency range over which the amplifier is effective. This parameter limits the number of wavelengths available in a network for a given channel spacing. Gain saturation is the value of output power after which an increase in input power no longer causes an increase in output power. It is usually defined as the output power at which there is a 3 dB reduction in the amplifier gain. Polarization sensitivity measures the difference in gain between two orthogonal polarizations of the dominant signal mode (HE11 mode). The prevailing component of amplifier noise for EDFAs is Amplifier Spontaneous Emission (ASE), which arises from spontaneous transitions of ions from energy level E2 to E1, independent of any external radiation. Although the radiated photons have the same energy as the incoming optical signal, their frequency, phase, polarization and direction do

EDFAs have several advantages over other types of optical amplifiers, such as Raman and semiconductor optical amplifiers. They provide high gain, are capable of simultaneous amplification of WDM signals independent of the light polarization state, have a low noise figure and low sensitivity to temperature (Laude, 2002). However, they also have drawbacks such as additional noise (ASE), dependency of gain on the spectrum and power of the incoming signal, and transients which occur when individual WDM channels are dropped.

energy level represents a continuous energy band.

amplified by stimulated emission from level E2 to level E1.

not match.

the tap, making this method short-lived (Witcher, 2005). However, some eavesdropping devices can be clamped onto the fiber and create micro bends causing leakage without actually cutting the fiber. Retrieval and interpretation of tapped data may require more sophisticated methods, depending on the signal wavelength, polarization, modulation format and other characteristics, but a well equipped attacker should be able to overcome these obstacles.

Fig. 2. Bending the fiber violates the conditions of total internal reflection and causes light to leak outside the fiber core.

Bending the fiber also enables a jamming signal to be inserted into the network. Under normal operating conditions, transmission effects in fibers are fairly linear, but high distances or high input powers increase the nonlinear effects among signals, of which fourwave mixing and cross-phase modulation are the most significant. A powerful jamming signal injected into the fiber enhances these effects and deteriorates the SNR of other signals. Due to the low attenuation of optical fibers, such a jamming signal can propagate from the entry point to other network components without losing its power and cause damage inside optical amplifiers and switches. This may be especially significant in new optical fiber access networks, where splitters and fibers are largely placed in public areas, with easy access to anyone.

#### **2.2 Optical amplifiers**

Erbium-doped fiber amplifiers (EDFAs) are the most commonly used optical amplifiers in today's WDM networks. They use an erbium-doped optical fiber core as gain medium to amplify optical signals. The energy of ionized erbium atoms can change between discrete levels. Atoms in lower energy levels have less energy and they can be raised to a higher level by absorbing an amount of energy equal to the difference between the two levels. Equivalently, a transition from a higher to a lower energy level results in the emission of a photon whose energy equals the difference between the two levels. In a normal state, the amount of erbium ions in the ground energy level is much higher than those in upper levels. To achieve amplification, the gain medium is pumped with an external source of energy which causes the number of ions in higher energy levels to exceed their number in lower levels, i.e. obtaining population inversion. When light of the appropriate frequency passes through such a medium, its photons stimulate the transition of excited electrons to lower energy levels, resulting in the stimulated emission of photons which have the same frequency, direction of propagation, phase and polarization as the incident photons. In this way, the incoming optical signal is amplified.

the tap, making this method short-lived (Witcher, 2005). However, some eavesdropping devices can be clamped onto the fiber and create micro bends causing leakage without actually cutting the fiber. Retrieval and interpretation of tapped data may require more sophisticated methods, depending on the signal wavelength, polarization, modulation format and other characteristics, but a well equipped attacker should be able to overcome

Fig. 2. Bending the fiber violates the conditions of total internal reflection and causes light to

Bending the fiber also enables a jamming signal to be inserted into the network. Under normal operating conditions, transmission effects in fibers are fairly linear, but high distances or high input powers increase the nonlinear effects among signals, of which fourwave mixing and cross-phase modulation are the most significant. A powerful jamming signal injected into the fiber enhances these effects and deteriorates the SNR of other signals. Due to the low attenuation of optical fibers, such a jamming signal can propagate from the entry point to other network components without losing its power and cause damage inside optical amplifiers and switches. This may be especially significant in new optical fiber access networks, where splitters and fibers are largely placed in public areas, with easy access to

Erbium-doped fiber amplifiers (EDFAs) are the most commonly used optical amplifiers in today's WDM networks. They use an erbium-doped optical fiber core as gain medium to amplify optical signals. The energy of ionized erbium atoms can change between discrete levels. Atoms in lower energy levels have less energy and they can be raised to a higher level by absorbing an amount of energy equal to the difference between the two levels. Equivalently, a transition from a higher to a lower energy level results in the emission of a photon whose energy equals the difference between the two levels. In a normal state, the amount of erbium ions in the ground energy level is much higher than those in upper levels. To achieve amplification, the gain medium is pumped with an external source of energy which causes the number of ions in higher energy levels to exceed their number in lower levels, i.e. obtaining population inversion. When light of the appropriate frequency passes through such a medium, its photons stimulate the transition of excited electrons to lower energy levels, resulting in the stimulated emission of photons which have the same frequency, direction of propagation, phase and polarization as the incident photons. In this way, the incoming optical signal is

these obstacles.

leak outside the fiber core.

anyone.

amplified.

**2.2 Optical amplifiers** 

Fig. 3. Three energy levels of Er3+ ions in silica glass for 980 nm pumping. Each discreet energy level represents a continuous energy band.

Figure 3 shows three energy levels – E1, E2 and E3 of Er3+ ions in silica glass. In reality, the energy levels shown here as discreet are spread into a continuous energy band. The energy difference between levels E1 and E3 corresponds to the energy of photons of light at 980 nm. When light at that wavelength is pumped into the erbium-doped fiber, its absorption causes the transition of ions from E1 to E3. Light at 1480 nm can also be used for pumping, but the pumping process is more efficient at 980 nm, resulting in a higher gain for the same pump power (Ramaswami & Sivarajan, 2002). The excited ions stay at the E3 level for a very short time and then quickly transit to level E2. The lifetime of the transition from level E2 to E1 is much longer, about 10 ms, and it is accompanied by the emission of photons on a wavelength between 1525 and 1570 nm. With pumping power high enough, the ions which fall back to level E1 are quickly raised to E3. The result of the synergy of these two processes is that most of the ions can be found at level E2, i.e. population inversion between levels E2 and E1 is achieved. Under such conditions, light on wavelengths of 1525-1570 nm is amplified by stimulated emission from level E2 to level E1.

An optical amplifier is characterized by its gain, gain bandwidth, gain saturation, polarization sensitivity and amplifier noise (Mukherjee, 2006). The gain is defined as the ratio between the power of the signal at the output of the amplifier and its power at the input. Gain bandwidth specifies the frequency range over which the amplifier is effective. This parameter limits the number of wavelengths available in a network for a given channel spacing. Gain saturation is the value of output power after which an increase in input power no longer causes an increase in output power. It is usually defined as the output power at which there is a 3 dB reduction in the amplifier gain. Polarization sensitivity measures the difference in gain between two orthogonal polarizations of the dominant signal mode (HE11 mode). The prevailing component of amplifier noise for EDFAs is Amplifier Spontaneous Emission (ASE), which arises from spontaneous transitions of ions from energy level E2 to E1, independent of any external radiation. Although the radiated photons have the same energy as the incoming optical signal, their frequency, phase, polarization and direction do not match.

EDFAs have several advantages over other types of optical amplifiers, such as Raman and semiconductor optical amplifiers. They provide high gain, are capable of simultaneous amplification of WDM signals independent of the light polarization state, have a low noise figure and low sensitivity to temperature (Laude, 2002). However, they also have drawbacks such as additional noise (ASE), dependency of gain on the spectrum and power of the incoming signal, and transients which occur when individual WDM channels are dropped.

Physical-Layer Attacks in Transparent Optical Networks 129

Fig. 4. The power of the legitimate signal at the output of the EDFA as a function of the power superiority of the interfering signal on the neighboring WDM channel, at 40 mW EDFA

The gain of the legitimate signal also depends on variations in the wavelength of the interfering signal of constant, high power. Figure 5 shows this dependency for the legitimate signal at 1549,74 nm and a 20 dB stronger interfering signal whose nominal wavelength varies from 1530 nm to 1550 nm, in 5 nm increments. The influence of different operating points of the EDFA on the output power of the legitimate signal in this scenario was investigated by changing the pump power from 40 mW to 80 mW. In figure 5, *P\_legit* denotes the power of the legitimate signal, and *P\_interfering* the power of the interfering signal at the EDFA output. Power levels measured for pump powers of 40 mW and 80 mW have suffixes *\_40mWpump* and *\_80mWpump*, respectively. From figure 5, it can be seen that the amount of gain robbed from the legitimate signal by the high-powered jamming signal

Table 1 summarizes the influence of wavelength separation and power superiority of the interfering signal over the legitimate signal at 1549,74 nm. In the first case, the wavelength of the interfering signal matches the used EDFA gain peak at 1531 nm. In the second case, it is at the first neighboring WDM channel, i.e. at 1549,08 nm. For both cases, we investigate the gain of the legitimate signal for jamming signal power levels 10 dB and 20 dB higher than the legitimate signal. For two pump powers, i.e. 40 mW and 80 mW, the first row in the table shows the gain of the legitimate signal when no jamming signal is present. The values in the table clearly show that the presence of a strong signal results in weaker amplification of the signal at lower power level. The gain of the legitimate signal drops as the power of the interfering signal increases. Furthermore, for a given power level of the interfering signal, its harmful effect to the legitimate signal is more intense when their wavelengths are close in

pumping power.

increases as their wavelength separation decreases.

the spectrum, as highlighted in the table.

If we consider each of the discrete energy levels in the doped fiber as a continuous energy band, then EDFAs are capable of simultaneously amplifying signals on several different wavelengths. As mentioned before, they most commonly amplify signals within the 1525- 1570 nm wavelength range. However, due to the fact that the distribution of excited electrons is not uniform at various levels within a band, the gain of an EDFA depends on the wavelength of the incoming signal, with a peak around 1532 nm (Ramaswami & Sivarajan, 2002). This can be compensated for by employing passive or dynamic gain equalization (Bae et al., 2007; Laude, 2002). However, the limited number of available upper-state photons necessary for signal amplification must be divided among all incoming signals. Each of the signals is granted photons proportional to its power level, which can lead to so-called *gain competition*, where stronger incoming signals receive more gain, while weaker signals receive less. Due to the large number of input channels and high data rates employed in today's WDM networks, the dependency of EDFA gain assignment on the spectrum and power of the incoming signals can have a significant impact on network functioning.

Gain competition can be exploited to create service disruption as described in (Mas et al., 2005; Médard et al., 1998). In an *out-of-band jamming attack*, a malicious user injects a powerful signal (e.g. 20 dB above normal) on a wavelength different from those of other, legitimate signals, but still within the pass-band of the amplifier. The amplifier, unable to distinguish between the attacking signal and legitimate data signals, provides gain to each signal indiscriminately. The stronger, malicious signal will get more gain than the weaker, legitimate signals, robbing them of power. Thereby, the QoS level on the legitimate signals will deteriorate, potentially leading to service denial. Furthermore, the power of the attacking signal will have an additional increase downstream of the amplifier, allowing it to spread through other transparent nodes and affect other signals at their common EDFAs.

### **2.2.1 Laboratory assessment of gain competition**

The impact of the jamming signal depends on its power level and wavelength. We tested this relation in laboratory setting (Furdek et al., 2010a) using two EXFO IQ-2600 tunable lasers sources, variable attenuators EXFO IQ-3100 to attenuate the signals and simulate losses in the optical fiber and an EDFA with 36 m of erbium-doped fiber Lucent Technologies HE-980 as the gain medium, pumped with a 980 nm pump signal from an Agilent FPL4812/C laser pump. One of the laser sources represented a legitimate signal with constant power (-25,51 dBm before entering the EDFA) and wavelength (1549,74 nm), while the other represented a powerful jamming signal with varying power and wavelength. Figure 4 shows the dependence of the amount of gain given to the legitimate signal on the power of the jamming signal on the next WDM channel, at 1549,05 nm. The power of the interfering signal was increased in 2 dB increments from the same level as the legitimate signal, until it was 20 dB stronger. The pump power was set to 40 mW. The measurements in figure 4 show how the amount of gain of the legitimate signal decreases in response to an increase in the power of the interfering signal. This is due to the fact that the interfering signal, as it becomes more powerful, consumes more and more upper-state photons in the EDFA, and thus robs the legitimate signal of gain.

If we consider each of the discrete energy levels in the doped fiber as a continuous energy band, then EDFAs are capable of simultaneously amplifying signals on several different wavelengths. As mentioned before, they most commonly amplify signals within the 1525- 1570 nm wavelength range. However, due to the fact that the distribution of excited electrons is not uniform at various levels within a band, the gain of an EDFA depends on the wavelength of the incoming signal, with a peak around 1532 nm (Ramaswami & Sivarajan, 2002). This can be compensated for by employing passive or dynamic gain equalization (Bae et al., 2007; Laude, 2002). However, the limited number of available upper-state photons necessary for signal amplification must be divided among all incoming signals. Each of the signals is granted photons proportional to its power level, which can lead to so-called *gain competition*, where stronger incoming signals receive more gain, while weaker signals receive less. Due to the large number of input channels and high data rates employed in today's WDM networks, the dependency of EDFA gain assignment on the spectrum and power of the incoming signals can have a significant

Gain competition can be exploited to create service disruption as described in (Mas et al., 2005; Médard et al., 1998). In an *out-of-band jamming attack*, a malicious user injects a powerful signal (e.g. 20 dB above normal) on a wavelength different from those of other, legitimate signals, but still within the pass-band of the amplifier. The amplifier, unable to distinguish between the attacking signal and legitimate data signals, provides gain to each signal indiscriminately. The stronger, malicious signal will get more gain than the weaker, legitimate signals, robbing them of power. Thereby, the QoS level on the legitimate signals will deteriorate, potentially leading to service denial. Furthermore, the power of the attacking signal will have an additional increase downstream of the amplifier, allowing it to spread through other transparent nodes and affect other signals at their

The impact of the jamming signal depends on its power level and wavelength. We tested this relation in laboratory setting (Furdek et al., 2010a) using two EXFO IQ-2600 tunable lasers sources, variable attenuators EXFO IQ-3100 to attenuate the signals and simulate losses in the optical fiber and an EDFA with 36 m of erbium-doped fiber Lucent Technologies HE-980 as the gain medium, pumped with a 980 nm pump signal from an Agilent FPL4812/C laser pump. One of the laser sources represented a legitimate signal with constant power (-25,51 dBm before entering the EDFA) and wavelength (1549,74 nm), while the other represented a powerful jamming signal with varying power and wavelength. Figure 4 shows the dependence of the amount of gain given to the legitimate signal on the power of the jamming signal on the next WDM channel, at 1549,05 nm. The power of the interfering signal was increased in 2 dB increments from the same level as the legitimate signal, until it was 20 dB stronger. The pump power was set to 40 mW. The measurements in figure 4 show how the amount of gain of the legitimate signal decreases in response to an increase in the power of the interfering signal. This is due to the fact that the interfering signal, as it becomes more powerful, consumes more and more upper-state photons in the EDFA, and thus robs the legitimate

impact on network functioning.

**2.2.1 Laboratory assessment of gain competition** 

common EDFAs.

signal of gain.

Fig. 4. The power of the legitimate signal at the output of the EDFA as a function of the power superiority of the interfering signal on the neighboring WDM channel, at 40 mW EDFA pumping power.

The gain of the legitimate signal also depends on variations in the wavelength of the interfering signal of constant, high power. Figure 5 shows this dependency for the legitimate signal at 1549,74 nm and a 20 dB stronger interfering signal whose nominal wavelength varies from 1530 nm to 1550 nm, in 5 nm increments. The influence of different operating points of the EDFA on the output power of the legitimate signal in this scenario was investigated by changing the pump power from 40 mW to 80 mW. In figure 5, *P\_legit* denotes the power of the legitimate signal, and *P\_interfering* the power of the interfering signal at the EDFA output. Power levels measured for pump powers of 40 mW and 80 mW have suffixes *\_40mWpump* and *\_80mWpump*, respectively. From figure 5, it can be seen that the amount of gain robbed from the legitimate signal by the high-powered jamming signal increases as their wavelength separation decreases.

Table 1 summarizes the influence of wavelength separation and power superiority of the interfering signal over the legitimate signal at 1549,74 nm. In the first case, the wavelength of the interfering signal matches the used EDFA gain peak at 1531 nm. In the second case, it is at the first neighboring WDM channel, i.e. at 1549,08 nm. For both cases, we investigate the gain of the legitimate signal for jamming signal power levels 10 dB and 20 dB higher than the legitimate signal. For two pump powers, i.e. 40 mW and 80 mW, the first row in the table shows the gain of the legitimate signal when no jamming signal is present. The values in the table clearly show that the presence of a strong signal results in weaker amplification of the signal at lower power level. The gain of the legitimate signal drops as the power of the interfering signal increases. Furthermore, for a given power level of the interfering signal, its harmful effect to the legitimate signal is more intense when their wavelengths are close in the spectrum, as highlighted in the table.

Physical-Layer Attacks in Transparent Optical Networks 131

When EDFAs are used in a cascade, the flatness of their gain becomes a critical issue. Namely, slight differences between the amounts of gain available for signals at different wavelengths get multiplied as they traverse the cascaded amplifiers. Because of this, signals on certain wavelengths might get amplified several times, while others may suffer from significant SNR deterioration (Ramaswami & Sivarajan, 2002). This situation is shown in figure 6. There are several ways of dealing with this issue. For example, signals on different wavelengths can be pre-equalized, so that the signals on wavelengths with higher gain are attenuated, and those with lower gain are amplified before entering the cascaded amplifier segment. Another way of dealing with the problem is to introduce gain equalization at each

Fig. 6. The cumulative effect of unequal amplifier gain at different wavelengths after a

In case of cascaded EDFAs, power transients potentially present a great security threat. Due to the fact that the amplifier gain depends on the total input power, the failure of one channel will lead to surviving channels getting more gain and, thus, have higher power when they arrive to their receivers. This means that setting up or tearing a channel down affects other channels that share amplifiers with it (Karásek & Vallés, 1998). This effect may cause serious problems in dynamic optical networks where suppression of transients becomes increasingly important. A typical amplifier implementation used in today's networks consists of two EDFA stages working in gain mode, where setting up a new channel will not affect power levels of existing channels (Zsigmond, 2011). Automatic gain control (AGC) solves the problem of transients by monitoring the power levels in different ways and keeping the output power per channel constant, regardless of the input power. In such a network, high-power signals could not propagate. However, this is only valid for deviations of power within a certain window defined by the component specifications. If the difference between the power of the jamming signal and the normal users' signals exceeds this range, amplifiers with AGC may not be able to provide power equalization. (Way et al., 1993) proposed optical limiting amplifiers able to limit the output power of all signals within a dynamic range of input power and thwart the propagation of jamming attacks, but at a trade-off with a higher price of such equipment. Today, most commercially available amplifiers are capable of monitoring channel power and reducing the excessive power levels of jamming signals (Zsigmond, 2011). However, (Deng & Subramaniam, 2004) describe an attack which can affect even networks with ability to equalize excessive power levels. It is referred to as a *low power QoS attack*. Amplifier placement along the link usually ensures compensation for the preceding fiber span. If an attacker attacks a splitter at the beginning of a link, they are able to attenuate the power of the signal more than the amplifier is able to compensate for. Such induced attenuation can significantly degrade the performance metrics of attacked lightpaths. The attenuation at the end of the link on which the splitter is installed may not be significant enough to generate an alarm at that exact location, but it

**2.2.2 Amplifier cascades** 

amplifier stage.

cascade of amplifiers.

Fig. 5. The power of the legitimate and interfering signal at the output of the EDFA as a function of the wavelength of the interfering signal, at 40 mW and 80 mW EDFA pumping power and the interfering signal 20 dB stronger than the legitimate.

Out-of-band jamming can also be used to tap a signal. In some optical amplifiers, gain competition occurs at the modulation rate, which enables tapping by observing crossmodulation effects.


Table 1. An overview of the gain of the legitimate signal at 1549,74 nm for different test scenarios, with the power of the interfering signal at 10 and 20 dB above that of legitimate signal.

#### **2.2.2 Amplifier cascades**

130 Optical Communications Systems

Fig. 5. The power of the legitimate and interfering signal at the output of the EDFA as a function of the wavelength of the interfering signal, at 40 mW and 80 mW EDFA pumping

Table 1. An overview of the gain of the legitimate signal at 1549,74 nm for different test scenarios, with the power of the interfering signal at 10 and 20 dB above that of legitimate

Out-of-band jamming can also be used to tap a signal. In some optical amplifiers, gain competition occurs at the modulation rate, which enables tapping by observing cross-

> Wavelength of the interfering signal [nm]


<sup>20</sup>1530,84 12,62


<sup>20</sup>1530,84 15,63

1549,08 **15,38** 

1549,08 **8,01** 

1549,08 **20,03** 

1549,08 **11,59** 

Gain of the legitimate signal [dB]

power and the interfering signal 20 dB stronger than the legitimate.

Power superiority of the interfering signal [dB]

modulation effects.

EDFA pump power [mW]

40

80

signal.

When EDFAs are used in a cascade, the flatness of their gain becomes a critical issue. Namely, slight differences between the amounts of gain available for signals at different wavelengths get multiplied as they traverse the cascaded amplifiers. Because of this, signals on certain wavelengths might get amplified several times, while others may suffer from significant SNR deterioration (Ramaswami & Sivarajan, 2002). This situation is shown in figure 6. There are several ways of dealing with this issue. For example, signals on different wavelengths can be pre-equalized, so that the signals on wavelengths with higher gain are attenuated, and those with lower gain are amplified before entering the cascaded amplifier segment. Another way of dealing with the problem is to introduce gain equalization at each amplifier stage.

Fig. 6. The cumulative effect of unequal amplifier gain at different wavelengths after a cascade of amplifiers.

In case of cascaded EDFAs, power transients potentially present a great security threat. Due to the fact that the amplifier gain depends on the total input power, the failure of one channel will lead to surviving channels getting more gain and, thus, have higher power when they arrive to their receivers. This means that setting up or tearing a channel down affects other channels that share amplifiers with it (Karásek & Vallés, 1998). This effect may cause serious problems in dynamic optical networks where suppression of transients becomes increasingly important. A typical amplifier implementation used in today's networks consists of two EDFA stages working in gain mode, where setting up a new channel will not affect power levels of existing channels (Zsigmond, 2011). Automatic gain control (AGC) solves the problem of transients by monitoring the power levels in different ways and keeping the output power per channel constant, regardless of the input power. In such a network, high-power signals could not propagate. However, this is only valid for deviations of power within a certain window defined by the component specifications. If the difference between the power of the jamming signal and the normal users' signals exceeds this range, amplifiers with AGC may not be able to provide power equalization. (Way et al., 1993) proposed optical limiting amplifiers able to limit the output power of all signals within a dynamic range of input power and thwart the propagation of jamming attacks, but at a trade-off with a higher price of such equipment. Today, most commercially available amplifiers are capable of monitoring channel power and reducing the excessive power levels of jamming signals (Zsigmond, 2011). However, (Deng & Subramaniam, 2004) describe an attack which can affect even networks with ability to equalize excessive power levels. It is referred to as a *low power QoS attack*. Amplifier placement along the link usually ensures compensation for the preceding fiber span. If an attacker attacks a splitter at the beginning of a link, they are able to attenuate the power of the signal more than the amplifier is able to compensate for. Such induced attenuation can significantly degrade the performance metrics of attacked lightpaths. The attenuation at the end of the link on which the splitter is installed may not be significant enough to generate an alarm at that exact location, but it

Physical-Layer Attacks in Transparent Optical Networks 133

thermo-optical or electro-optical technologies (Tzanakaki et al., 2004). The WSF can be reconfigurable or fixed. A fixed or non-reconfigurable switching fabric has manually hardwired connections between input and output ports, which cannot be changed on demand. On the other hand, connections between input and output ports of reconfigurable WSFs can be dynamically reconfigured in times ranging from several milliseconds (MEMS, bubble, liquid crystal, opto-mechanical, thermo-optic switch), several microseconds (acousto-optic switch) to several nanoseconds (electro-optic, SOA-based switch) (Papadimitriou et al., 2003; Rohit et al., 2011). After switching is performed, wavelengths intended to each output fiber

The main security vulnerability of optical switches arises from their proneness to signal leaking, giving rise to crosstalk. Almost all TON components, i.e., filters, multiplexers, demultiplexers and switches, introduce crosstalk in one form or another. Malicious users can take advantage of this phenomenon to cause service degradation and/or perform

Fig. 8. (a) An optical multiplexer/demultiplexer and (b) an optical switch as sources of

In general, there are two types of crosstalk in transparent optical networks – interchannel and intrachannel crosstalk. Interchannel crosstalk occurs between signals on sufficiently spaced wavelengths, i.e. such that they do not fall inside each other's receiver pass-bands. Adjacent channels are usually the primary sources of crosstalk, while the influence of channels with higher wavelength separation is usually negligible. Inside OXCs, this type of crosstalk arises from non-ideal demultiplexing, where one channel is selected while the others are not perfectly dropped. This scenario is shown in figure 8(a). Depending on the implementation of the (de)multiplexers, their levels of crosstalk may range from 12 dB for TFF to 30 dB for AWG, MZI and FBG (Mukherjee, 2002). Intrachannel crosstalk occurs among signals on the same wavelength, or signals whose wavelengths fall within each

Multiplexers, demultiplexers and optical switches can all be sources of intrachannel crosstalk. Namely, when demultiplexers separate incoming signals at different wavelengths, a small portion of each signal leaks onto ports reserved for signals at other wavelengths. After switching, when multiple signals at different wavelengths are multiplexed back onto the same output fiber, small portions of a certain wavelength that had leaked onto other wavelengths can leak back onto the common fiber (Rejeb et al., 2006b). Consequently, the signal on that wavelength will have crosstalk originating from its very own components carrying the same information, but suffering from different delays and phase shifts, as

are combined by multiplexers.

interchannel and intrachannel crosstalk.

other's receiver pass-band.

eavesdropping.

may cause other network elements with power equalization capabilities (e.g., switches) to reduce the power of other signals in an effort to maintain an even distribution of power among channels. Hence, other lightpaths suffer from attenuation and may cause the same effect in other parts of the network. When service degradation along a lightpath finally crosses the preset threshold, the location of the raised alarm may be far from the original placement of the attached splitter. This type of an attack may be especially significant for networks employing Raman amplifiers, whose usage is increasing in long haul transmission suffering from high attenuation (Zsigmond, 2011). Security advantages of Raman amplifiers include more reliable amplification, higher saturation power than EDFA and more accurate monitoring, resulting in faster generation of alarms in case of signal anomalies (Islam, 2003). However, output powers of Raman amplifiers are high and require splicing. Multiple splices can cause the Raman pumps to be reflected and, thus, highly reduce the amplifier gain. This vulnerability can be a target of a planned attack, possibly leading to a link outage (Zsigmond, 2011). Furthermore, Raman amplifiers require high-power pump sources at the right wavelength and an attacker with inside access to an amplifier may endanger the amplification process by tampering with any of these parameters.

#### **2.3 Optical switches**

The main functions of wavelength-selective optical cross-connects (OXC), also referred to as reconfigurable wavelength routing switches, can include lightpath provisioning, wavelength switching, protection switching (rerouting connections), wavelength conversion and performance monitoring. Such optical switches usually consist of demultiplexers, photonic switching fabric and multiplexers. A typical architecture of a wavelength-selective OXC is shown in figure 7.

Fig. 7. The typical architecture of a wavelength-selective OXC, consisting of multiplexers, demultiplexers and wavelength switching fabric (WSF).

The incoming signal is first decomposed by demultiplexers into constituent wavelengths, which are then directed each onto their own switching fabric. Multiplexing and demultiplexing can be realized using Arrayed Waveguide Gratings (AWGs), Thin-Film Filters (TFF), Mach-Zehnder Interferometers (MZIs), Fiber Bragg Gratings (FBG) and other. The Wavelength Switching Fabric (WSF), i.e., the central part of the node, performs transparent switching of WDM channels from their input to output ports. Optical switches can be implemented using 2D or 3D Micro-Electro-Mechanical Systems (MEMS), semiconductor optical amplifier (SOA) gates, holographic switches, liquid crystal, and

may cause other network elements with power equalization capabilities (e.g., switches) to reduce the power of other signals in an effort to maintain an even distribution of power among channels. Hence, other lightpaths suffer from attenuation and may cause the same effect in other parts of the network. When service degradation along a lightpath finally crosses the preset threshold, the location of the raised alarm may be far from the original placement of the attached splitter. This type of an attack may be especially significant for networks employing Raman amplifiers, whose usage is increasing in long haul transmission suffering from high attenuation (Zsigmond, 2011). Security advantages of Raman amplifiers include more reliable amplification, higher saturation power than EDFA and more accurate monitoring, resulting in faster generation of alarms in case of signal anomalies (Islam, 2003). However, output powers of Raman amplifiers are high and require splicing. Multiple splices can cause the Raman pumps to be reflected and, thus, highly reduce the amplifier gain. This vulnerability can be a target of a planned attack, possibly leading to a link outage (Zsigmond, 2011). Furthermore, Raman amplifiers require high-power pump sources at the right wavelength and an attacker with inside access to an amplifier may endanger the

The main functions of wavelength-selective optical cross-connects (OXC), also referred to as reconfigurable wavelength routing switches, can include lightpath provisioning, wavelength switching, protection switching (rerouting connections), wavelength conversion and performance monitoring. Such optical switches usually consist of demultiplexers, photonic switching fabric and multiplexers. A typical architecture of a wavelength-selective

Fig. 7. The typical architecture of a wavelength-selective OXC, consisting of multiplexers,

The incoming signal is first decomposed by demultiplexers into constituent wavelengths, which are then directed each onto their own switching fabric. Multiplexing and demultiplexing can be realized using Arrayed Waveguide Gratings (AWGs), Thin-Film Filters (TFF), Mach-Zehnder Interferometers (MZIs), Fiber Bragg Gratings (FBG) and other. The Wavelength Switching Fabric (WSF), i.e., the central part of the node, performs transparent switching of WDM channels from their input to output ports. Optical switches can be implemented using 2D or 3D Micro-Electro-Mechanical Systems (MEMS), semiconductor optical amplifier (SOA) gates, holographic switches, liquid crystal, and

demultiplexers and wavelength switching fabric (WSF).

amplification process by tampering with any of these parameters.

**2.3 Optical switches** 

OXC is shown in figure 7.

thermo-optical or electro-optical technologies (Tzanakaki et al., 2004). The WSF can be reconfigurable or fixed. A fixed or non-reconfigurable switching fabric has manually hardwired connections between input and output ports, which cannot be changed on demand. On the other hand, connections between input and output ports of reconfigurable WSFs can be dynamically reconfigured in times ranging from several milliseconds (MEMS, bubble, liquid crystal, opto-mechanical, thermo-optic switch), several microseconds (acousto-optic switch) to several nanoseconds (electro-optic, SOA-based switch) (Papadimitriou et al., 2003; Rohit et al., 2011). After switching is performed, wavelengths intended to each output fiber are combined by multiplexers.

The main security vulnerability of optical switches arises from their proneness to signal leaking, giving rise to crosstalk. Almost all TON components, i.e., filters, multiplexers, demultiplexers and switches, introduce crosstalk in one form or another. Malicious users can take advantage of this phenomenon to cause service degradation and/or perform eavesdropping.

Fig. 8. (a) An optical multiplexer/demultiplexer and (b) an optical switch as sources of interchannel and intrachannel crosstalk.

In general, there are two types of crosstalk in transparent optical networks – interchannel and intrachannel crosstalk. Interchannel crosstalk occurs between signals on sufficiently spaced wavelengths, i.e. such that they do not fall inside each other's receiver pass-bands. Adjacent channels are usually the primary sources of crosstalk, while the influence of channels with higher wavelength separation is usually negligible. Inside OXCs, this type of crosstalk arises from non-ideal demultiplexing, where one channel is selected while the others are not perfectly dropped. This scenario is shown in figure 8(a). Depending on the implementation of the (de)multiplexers, their levels of crosstalk may range from 12 dB for TFF to 30 dB for AWG, MZI and FBG (Mukherjee, 2002). Intrachannel crosstalk occurs among signals on the same wavelength, or signals whose wavelengths fall within each other's receiver pass-band.

Multiplexers, demultiplexers and optical switches can all be sources of intrachannel crosstalk. Namely, when demultiplexers separate incoming signals at different wavelengths, a small portion of each signal leaks onto ports reserved for signals at other wavelengths. After switching, when multiple signals at different wavelengths are multiplexed back onto the same output fiber, small portions of a certain wavelength that had leaked onto other wavelengths can leak back onto the common fiber (Rejeb et al., 2006b). Consequently, the signal on that wavelength will have crosstalk originating from its very own components carrying the same information, but suffering from different delays and phase shifts, as

Physical-Layer Attacks in Transparent Optical Networks 135

different outputs. In the latter case, due to crosstalk, small portions of the signal passing through the coupler are directed onto unintended outputs, deteriorating the Signal to Noise Ratio (SNR) of the signal which was intended for that output. Levels of this crosstalk

We tested the crosstalk of couplers in a laboratory setting from (Furdek et al., 2010b), using a FIS WDM13500129U coupler/splitter with SMF28 Singlemode fiber, operating at wavelengths 1310/1550 nm +/- 20 nm. This coupler was used as a wavelength-selective splitter for dividing the incoming WDM signal from the input port into its constituent wavelengths to two different

Fig. 10. Power at the coupler outputs dedicated to wavelengths at 1310 and 1550 nm for

the central frequency of the 1310 nm output, the undesirable leakage intensifies.

Figure 10 shows the effects of imperfect splitting of the incoming signal to ports dedicated to wavelengths at 1310 and 1550 nm, i.e. the power of the incoming signal at various wavelengths near 1550 nm present at the 1310 nm output. As the wavelength of the incoming signal decreases from 1560,32 nm to 1529,90 nm (in 5 nm steps), and approaches

Fig. 11. The spectrum of the incoming signal at 1550 nm on the output port corresponding to

1550 nm (upper line) and on the output port corresponding to 1310 nm (lower line).

depend on the exact wavelengths of the incoming signals.

different wavelength of the incoming signal.

**2.3.1 Laboratory assessment of crosstalk in optical couplers** 

output ports, i.e. one for signals at 1310 nm, and the other one for 1550 nm.

shown in figure 8(a). Intrachannel crosstalk can also arise in optical switches due to nonideal switching. Namely, switching ports are not perfectly isolated from each other, so components of different signals transmitted on the same wavelength can leak and interfere with each other. Since the damaging signal is on the same wavelength as the legitimate signal, intrachannel crosstalk cannot be filtered out by optical filters or removed by demultiplexers (Deng et al., 2004). Figure 8(b) shows an optical switch as a source of intrachannel crosstalk. Crosstalk levels of optical switches range from 35 dB (SOA, liquid crystal, electro-optical, thermo-optical and holographic switches) to 55 dB for MEMS.

Optical couplers are the basic building blocks of optical switches, multiplexers and demultiplexers, modulators, filters and wavelength converters (Ramaswami & Sivarajan, 2002) and are the source of a significant amount of inter/intra-channel crosstalk. Generally, an optical coupler is a device used to combine or split signals in an optical network and can be passive or active. In passive couplers, employed in TONs, signals are redistributed without opto-electrical conversion and do not require any external power.

Fig. 9. A (a) directional coupler and its two states: (b) cross state and (c) bar state.

A passive directional 2×2 coupler is shown in figure 9(a). It consists of a pair of parallel optical waveguides in close proximity. The most commonly used couplers, called fused fiber couplers, are made by fusing two fibers together in the middle (Ramaswami & Sivarajan, 2002). The fraction of the signal power that is transferred from the input to the output of an optical waveguide is defined by the coupling ratio α, denoting that a fraction α of the power of the signal at the input of a waveguide is transferred to its output, while the remaining 1-α of the power is directed to the output of the other waveguide. Ideally, all the input power on one waveguide of a directional coupler is coupled to the other waveguide for the cross state, while in the bar state there should be no coupling between the two waveguides.

Figures 9(b) and (c) show the cross state and the bar state of an optical coupler, respectively. In reality, however, light is not perfectly coupled and components of signals from different waveguides leak onto unintended outputs, giving rise to crosstalk. Non-ideal signal coupling also causes signal losses and attenuation, which can be compensated by placing optical amplifiers at the splice output. In this way, however, the desired part of the signal will be amplified as well as the undesired part, which makes crosstalk the main deficiency of optical couplers (Vaez & Lea, 2000). Crosstalk in a directional coupler is defined as the ratio of light power at the undesired output port to the power at the desired output port with crosstalk levels varying between -20 dB and -30 dB. It can occur for various reasons, including waveguide asymmetry, absorption loss, non-optimal coupling length, unequal excitation of the symmetric and asymmetric modes at the input, or fabrication variations (Chinni et al., 1995).

Couplers can be wavelength selective, and they are often used to combine signals at 1310 nm and 1550 nm onto a single fiber, or to split them from the same incoming fiber to two

shown in figure 8(a). Intrachannel crosstalk can also arise in optical switches due to nonideal switching. Namely, switching ports are not perfectly isolated from each other, so components of different signals transmitted on the same wavelength can leak and interfere with each other. Since the damaging signal is on the same wavelength as the legitimate signal, intrachannel crosstalk cannot be filtered out by optical filters or removed by demultiplexers (Deng et al., 2004). Figure 8(b) shows an optical switch as a source of intrachannel crosstalk. Crosstalk levels of optical switches range from 35 dB (SOA, liquid

crystal, electro-optical, thermo-optical and holographic switches) to 55 dB for MEMS.

without opto-electrical conversion and do not require any external power.

Fig. 9. A (a) directional coupler and its two states: (b) cross state and (c) bar state.

while in the bar state there should be no coupling between the two waveguides.

(Chinni et al., 1995).

A passive directional 2×2 coupler is shown in figure 9(a). It consists of a pair of parallel optical waveguides in close proximity. The most commonly used couplers, called fused fiber couplers, are made by fusing two fibers together in the middle (Ramaswami & Sivarajan, 2002). The fraction of the signal power that is transferred from the input to the output of an optical waveguide is defined by the coupling ratio α, denoting that a fraction α of the power of the signal at the input of a waveguide is transferred to its output, while the remaining 1-α of the power is directed to the output of the other waveguide. Ideally, all the input power on one waveguide of a directional coupler is coupled to the other waveguide for the cross state,

Figures 9(b) and (c) show the cross state and the bar state of an optical coupler, respectively. In reality, however, light is not perfectly coupled and components of signals from different waveguides leak onto unintended outputs, giving rise to crosstalk. Non-ideal signal coupling also causes signal losses and attenuation, which can be compensated by placing optical amplifiers at the splice output. In this way, however, the desired part of the signal will be amplified as well as the undesired part, which makes crosstalk the main deficiency of optical couplers (Vaez & Lea, 2000). Crosstalk in a directional coupler is defined as the ratio of light power at the undesired output port to the power at the desired output port with crosstalk levels varying between -20 dB and -30 dB. It can occur for various reasons, including waveguide asymmetry, absorption loss, non-optimal coupling length, unequal excitation of the symmetric and asymmetric modes at the input, or fabrication variations

Couplers can be wavelength selective, and they are often used to combine signals at 1310 nm and 1550 nm onto a single fiber, or to split them from the same incoming fiber to two

Optical couplers are the basic building blocks of optical switches, multiplexers and demultiplexers, modulators, filters and wavelength converters (Ramaswami & Sivarajan, 2002) and are the source of a significant amount of inter/intra-channel crosstalk. Generally, an optical coupler is a device used to combine or split signals in an optical network and can be passive or active. In passive couplers, employed in TONs, signals are redistributed different outputs. In the latter case, due to crosstalk, small portions of the signal passing through the coupler are directed onto unintended outputs, deteriorating the Signal to Noise Ratio (SNR) of the signal which was intended for that output. Levels of this crosstalk depend on the exact wavelengths of the incoming signals.

### **2.3.1 Laboratory assessment of crosstalk in optical couplers**

We tested the crosstalk of couplers in a laboratory setting from (Furdek et al., 2010b), using a FIS WDM13500129U coupler/splitter with SMF28 Singlemode fiber, operating at wavelengths 1310/1550 nm +/- 20 nm. This coupler was used as a wavelength-selective splitter for dividing the incoming WDM signal from the input port into its constituent wavelengths to two different output ports, i.e. one for signals at 1310 nm, and the other one for 1550 nm.

Fig. 10. Power at the coupler outputs dedicated to wavelengths at 1310 and 1550 nm for different wavelength of the incoming signal.

Figure 10 shows the effects of imperfect splitting of the incoming signal to ports dedicated to wavelengths at 1310 and 1550 nm, i.e. the power of the incoming signal at various wavelengths near 1550 nm present at the 1310 nm output. As the wavelength of the incoming signal decreases from 1560,32 nm to 1529,90 nm (in 5 nm steps), and approaches the central frequency of the 1310 nm output, the undesirable leakage intensifies.

Fig. 11. The spectrum of the incoming signal at 1550 nm on the output port corresponding to 1550 nm (upper line) and on the output port corresponding to 1310 nm (lower line).

Physical-Layer Attacks in Transparent Optical Networks 137

registered at the network management system. However, an attacker can still request a legitimate data channel and then not send any information over it, but use it to tap other signals at the same wavelength. In figure 12, the tapper is User 1, whose false data connection at wavelength λ2 picks up components of User 2's legitimate connection at the same

Intrachannel crosstalk enables *in-band jamming*, an attack method in which an attacker inserts a powerful signal within the signal window of the legitimate user he is trying to affect. Consequently, two signals may undesirably exchange information at their common switch.

Fig. 13. An example of a jamming attack exploiting intra-channel crosstalk in an optical

Figure 13 shows an example of a jamming attack via intrachannel crosstalk in optical switches. Here, an attacker injects a high-powered signal on the same wavelength as other, legitimate data signals. Components of the high-powered signal will leak onto adjacent channels inside their common optical switches, impairing the quality of the transmission on those signals. If the attacking signal is strong enough, it is possible that enough power is transferred onto adjacent channels inside their common switch, for them to gain attacking capabilities. Consequently, the attacked signal becomes an attacker itself, allowing the attack to propagate through the network, affecting signals which do not even share any physical components with the original attacking signal. This type of attack is shown in figure 14. Via intra-channel crosstalk in switches, the attacker managed to affect not only user 1's legitimate signal, but the attack also propagated to users 2 and 3, which share no common physical components with the original attacker. This type of attack is particularly hazardous to network operation since the nature of its propagation makes localization of the original

Jamming attack exploiting intrachannel crosstalk in switches has been previously identified in the literature by (Wu & Somani, 2005), and recently (Peng et al., 2011) provided an experimental validation of the proposed attack model. They proved through simulation that high-power jamming attacks indeed possess propagation capabilities in affecting other lightpaths at the same wavelength via intrachannel crosstalk inside their common switches and lightpaths at different wavelengths via interchannel crosstalk inside their common fibers. The propagation of intrachannel crosstalk attacks ends after at most three stages of optical switches, while interchannel crosstalk attacks get attenuated after traversing three fiber segments. This means that, in the scenario from figure 14, the signal quality of user 3

would not suffer from serious BER degradation from the attacker's jamming signal.

wavelength that had leaked inside their common switch.

switch.

source of attack very difficult.

Figure 11 shows this effect for incoming signal at a nominal wavelength of 1550 nm. The upper line shows the spectrum of the signal at the output port corresponding to wavelengths around 1550 nm, while the lower line shows the spectrum at the output port corresponding to wavelengths around 1310 nm. The peak of the signal recorded at the 1310 nm-output clearly indicates the amount of the signal at 1550 nm that had leaked onto the unintended output. The signal power level of 1,48 dBm at the 1550 nm port, combined with -20,50 dBm at the 1310 nm port, indicates that the level of crosstalk is -21,98 dB. This value by itself is not large enough to significantly impact signal quality. However, many network components consist of several cascaded optical couplers, which all contribute to the overall level of crosstalk. Furthermore, signals traverse numerous components on their path from source to destination. When these factors combine, enough crosstalk can accumulate over the propagation path of a signal for the risk of service degradation to increase significantly even in cases when there is no high-powered jamming signal. When such a signal is present in the network, it causes an additional increase in the leakage inside couplers and components they comprise, resulting in a significant damage to co-propagating user signals.

#### **2.3.2 Crosstalk attacks**

Although crosstalk originating from direct couplers can have a significant impact on the overall Quality of Service (QoS) in the network, problems caused by crosstalk in optical networks can go beyond such signal quality deterioration. Namely, a malevolent user can take advantage of crosstalk to perform attacks aimed at eavesdropping, tapping, and/or degrading the quality of service (QoS) of other users. An overview of methods using crosstalk for attack purposes can be found in (Mas et al., 2005).

Fig. 12. An example of a tapping attack exploiting intra-channel crosstalk in a wavelengthselective switch.

Figure 12 shows an example of a tapping attack exploiting intrachannel crosstalk in a wavelength-selective switch, as described in (Médard et al., 1997). The upper input port is not used, while the bottom port receives incoming signals on wavelengths λ1 and λ2. Each of the signals on those two wavelengths is switched on its own switching fabric. Due to mechanisms of intrachannel crosstalk in demultiplexers, multiplexers and switching fabric described in the previous sections, components of both signals leak onto unintended outputs and get amplified by the power amplifier (EDFA). If a tapper gains access to one of the unused output ports, e.g. the upper output port in figure 12, part of the signal at λ2 is delivered straight into his hands. This problem can be solved by individually amplifying only signals on connections which are

Figure 11 shows this effect for incoming signal at a nominal wavelength of 1550 nm. The upper line shows the spectrum of the signal at the output port corresponding to wavelengths around 1550 nm, while the lower line shows the spectrum at the output port corresponding to wavelengths around 1310 nm. The peak of the signal recorded at the 1310 nm-output clearly indicates the amount of the signal at 1550 nm that had leaked onto the unintended output. The signal power level of 1,48 dBm at the 1550 nm port, combined with -20,50 dBm at the 1310 nm port, indicates that the level of crosstalk is -21,98 dB. This value by itself is not large enough to significantly impact signal quality. However, many network components consist of several cascaded optical couplers, which all contribute to the overall level of crosstalk. Furthermore, signals traverse numerous components on their path from source to destination. When these factors combine, enough crosstalk can accumulate over the propagation path of a signal for the risk of service degradation to increase significantly even in cases when there is no high-powered jamming signal. When such a signal is present in the network, it causes an additional increase in the leakage inside couplers and components they comprise, resulting in a significant damage to co-propagating user signals.

Although crosstalk originating from direct couplers can have a significant impact on the overall Quality of Service (QoS) in the network, problems caused by crosstalk in optical networks can go beyond such signal quality deterioration. Namely, a malevolent user can take advantage of crosstalk to perform attacks aimed at eavesdropping, tapping, and/or degrading the quality of service (QoS) of other users. An overview of methods using

Fig. 12. An example of a tapping attack exploiting intra-channel crosstalk in a wavelength-

Figure 12 shows an example of a tapping attack exploiting intrachannel crosstalk in a wavelength-selective switch, as described in (Médard et al., 1997). The upper input port is not used, while the bottom port receives incoming signals on wavelengths λ1 and λ2. Each of the signals on those two wavelengths is switched on its own switching fabric. Due to mechanisms of intrachannel crosstalk in demultiplexers, multiplexers and switching fabric described in the previous sections, components of both signals leak onto unintended outputs and get amplified by the power amplifier (EDFA). If a tapper gains access to one of the unused output ports, e.g. the upper output port in figure 12, part of the signal at λ2 is delivered straight into his hands. This problem can be solved by individually amplifying only signals on connections which are

crosstalk for attack purposes can be found in (Mas et al., 2005).

**2.3.2 Crosstalk attacks** 

selective switch.

registered at the network management system. However, an attacker can still request a legitimate data channel and then not send any information over it, but use it to tap other signals at the same wavelength. In figure 12, the tapper is User 1, whose false data connection at wavelength λ2 picks up components of User 2's legitimate connection at the same wavelength that had leaked inside their common switch.

Intrachannel crosstalk enables *in-band jamming*, an attack method in which an attacker inserts a powerful signal within the signal window of the legitimate user he is trying to affect. Consequently, two signals may undesirably exchange information at their common switch.

Fig. 13. An example of a jamming attack exploiting intra-channel crosstalk in an optical switch.

Figure 13 shows an example of a jamming attack via intrachannel crosstalk in optical switches. Here, an attacker injects a high-powered signal on the same wavelength as other, legitimate data signals. Components of the high-powered signal will leak onto adjacent channels inside their common optical switches, impairing the quality of the transmission on those signals. If the attacking signal is strong enough, it is possible that enough power is transferred onto adjacent channels inside their common switch, for them to gain attacking capabilities. Consequently, the attacked signal becomes an attacker itself, allowing the attack to propagate through the network, affecting signals which do not even share any physical components with the original attacking signal. This type of attack is shown in figure 14. Via intra-channel crosstalk in switches, the attacker managed to affect not only user 1's legitimate signal, but the attack also propagated to users 2 and 3, which share no common physical components with the original attacker. This type of attack is particularly hazardous to network operation since the nature of its propagation makes localization of the original source of attack very difficult.

Jamming attack exploiting intrachannel crosstalk in switches has been previously identified in the literature by (Wu & Somani, 2005), and recently (Peng et al., 2011) provided an experimental validation of the proposed attack model. They proved through simulation that high-power jamming attacks indeed possess propagation capabilities in affecting other lightpaths at the same wavelength via intrachannel crosstalk inside their common switches and lightpaths at different wavelengths via interchannel crosstalk inside their common fibers. The propagation of intrachannel crosstalk attacks ends after at most three stages of optical switches, while interchannel crosstalk attacks get attenuated after traversing three fiber segments. This means that, in the scenario from figure 14, the signal quality of user 3 would not suffer from serious BER degradation from the attacker's jamming signal.

Physical-Layer Attacks in Transparent Optical Networks 139

The headstone of an efficient NMS in TONs is a flexible and robust control plane, which relies on accurate and timely monitoring in the optical domain. Control plane functions can

Resource management – accurate information on resource availability must be available

 Lightpath provisioning – initially, the topology and resources must be automatically discovered. For each incoming lightpath demand, the control plane should calculate a physical route based on the available resources and tentative QoS requirements. For this, accurate information regarding resource availability and the associated service

 Signaling – information exchange regarding connection establishment, maintenance and tear-down between nodes, as well as the management of alarms in cases of failures,

Optical network security requires protective and/or preventive measures which minimize network accessibility to attackers, limit attack propagation and reduce the damage proportions inflicted by attacks. However, when an attack occurs in spite of these

 Detect the attack – discover a deterioration of signal quality, an intrusion in the fiber, a loss of service or any other direct consequence of an attack. After detecting the presence of an attack, its exact location must be determined and the source of the attack must be

 React to the attack – by triggering reaction mechanisms, the attacker's access point must be isolated and the harmful effects must be neutralized. The affected connections must

The risks and damage associated with physical-layer attacks can be alleviated through careful network planning, employment of additional equipment, quick and accurate postattack recovery and optical cryptography. Achieving complete protection requires large investments by the network operator and may be economically unviable. Thus, an advantageous trade-off between the costs and achieved protection must be found. Attack

 Hardware measures – shielding the fiber to protect from tapping, introducing additional equipment in the network capable of limiting excessive power (e.g. optical limiting amplifiers or variable optical attenuators), or using optical fuses which melt under high power (Shuto et al., 2004) to protect from high-power jamming. Using components with lower crosstalk levels also helps reduce the risk from jamming and tapping attacks. Transmission schemes – applying different modulation and coding techniques or limiting the bandwidth and power of certain signals may help against tapping and jamming. Architecture and protocol design – identifying and avoiding risky links or assigning different routes and wavelengths to separate trusted from untrusted users may decrease the risk. Here, assessment of link risk and user trustworthiness is crucial,

protection may include the following measures (Fok et al., 2011; Médard et al., 1997):

be restored and communication should resume as fast as possible.

roughly be divided into following tasks (Rejeb et al., 2010; Saha et al., 2003):

at all times and updated upon lightpath establishment or tear-down.

mechanisms, the NMS needs to undertake the following steps:

quality is crucial.

must be present.

identified.

**3.1 Protection and prevention of attacks** 

which may be extremely complicated.

Fig. 14. Propagation of intra-channel crosstalk attacks in an all-optical network.

The vulnerability of TONs to high-power jamming attacks depends on employed hardware components and node architectures, as well as the architecture of the established virtual topology. Besides the wavelength-selective (WS) realization of OXCs, they can also be implemented as broadcast-and-select (B&S) devices. In B&S architecture, the wavelength switching fabric is replaced by passive splitters and couplers which connect the incoming signal to tunable filters. After filtering the desired wavelength, the signals from filter outputs are coupled onto the desired OXC output port. (Arbués et al., 2007) report that B&S architectures exhibit greater vulnerability to in-band jamming due to low isolation of tunable filters. WS architecture performs slightly better due to improved isolation at the multiplexing and demultiplexing stages.

(Liu & Ji, 2007) studied the impact of the physical topology in conjunction with its constituent devices and the network traffic on the network resilience to in-band jamming attacks. Under the assumption of a fully connected virtual topology, i.e. a connection between each node pair and assuming that jamming attack propagation is not possible, they find that fully-connected mesh, star and ring physical topologies are the least resilient to attacks. The main cause of low resilience of a fully-connected mesh is its high nodal degree and, hence, a high expected number of affected channels at each node. The latter is also the reason why star networks are highly susceptible to attacks. For ring topologies, their vulnerability stems from large route lengths. A chord network topology is distinguished as the most resilient to attacks, with a logarithmic increase in resilience loss for a linear growth of the network size.

#### **3. Security in TONs**

As previously mentioned, the high data rates and huge throughput associated with transparent optical networks make them extremely sensitive to communication failures caused by component faults or deliberate attacks. A secure network should provide physical security of communication, i.e. provide service availability, guarantee a certain level of QoS and protect data integrity and privacy of communication. It should also ensure semantic security, i.e. protect the confidentiality and the meaning of data through authentication and cryptography mechanisms. Transparent optical transmission and the properties of attacks as described in the previous section impose a new set of demands on the network management system (NMS), responsible for network configuration, performance engineering, fault handling and the secure and safe functioning of the network (Rejeb et al,. 2010; Li et al., 2002).

Fig. 14. Propagation of intra-channel crosstalk attacks in an all-optical network.

multiplexing and demultiplexing stages.

of the network size.

**3. Security in TONs** 

The vulnerability of TONs to high-power jamming attacks depends on employed hardware components and node architectures, as well as the architecture of the established virtual topology. Besides the wavelength-selective (WS) realization of OXCs, they can also be implemented as broadcast-and-select (B&S) devices. In B&S architecture, the wavelength switching fabric is replaced by passive splitters and couplers which connect the incoming signal to tunable filters. After filtering the desired wavelength, the signals from filter outputs are coupled onto the desired OXC output port. (Arbués et al., 2007) report that B&S architectures exhibit greater vulnerability to in-band jamming due to low isolation of tunable filters. WS architecture performs slightly better due to improved isolation at the

(Liu & Ji, 2007) studied the impact of the physical topology in conjunction with its constituent devices and the network traffic on the network resilience to in-band jamming attacks. Under the assumption of a fully connected virtual topology, i.e. a connection between each node pair and assuming that jamming attack propagation is not possible, they find that fully-connected mesh, star and ring physical topologies are the least resilient to attacks. The main cause of low resilience of a fully-connected mesh is its high nodal degree and, hence, a high expected number of affected channels at each node. The latter is also the reason why star networks are highly susceptible to attacks. For ring topologies, their vulnerability stems from large route lengths. A chord network topology is distinguished as the most resilient to attacks, with a logarithmic increase in resilience loss for a linear growth

As previously mentioned, the high data rates and huge throughput associated with transparent optical networks make them extremely sensitive to communication failures caused by component faults or deliberate attacks. A secure network should provide physical security of communication, i.e. provide service availability, guarantee a certain level of QoS and protect data integrity and privacy of communication. It should also ensure semantic security, i.e. protect the confidentiality and the meaning of data through authentication and cryptography mechanisms. Transparent optical transmission and the properties of attacks as described in the previous section impose a new set of demands on the network management system (NMS), responsible for network configuration, performance engineering, fault handling and the secure

and safe functioning of the network (Rejeb et al,. 2010; Li et al., 2002).

The headstone of an efficient NMS in TONs is a flexible and robust control plane, which relies on accurate and timely monitoring in the optical domain. Control plane functions can roughly be divided into following tasks (Rejeb et al., 2010; Saha et al., 2003):


Optical network security requires protective and/or preventive measures which minimize network accessibility to attackers, limit attack propagation and reduce the damage proportions inflicted by attacks. However, when an attack occurs in spite of these mechanisms, the NMS needs to undertake the following steps:

