**5. GPON frame structure and activation process analysis**

At present, GPON is one of the most promising solutions for modern access networks. Among other useful and important features, it provides us with triple play services on a single optical fiber, good scalability, DBA, simple topology management, etc. In comparison with the previous standards that only supported transmission over asynchronous transfer mode (ATM), GPON is the first standard that supports transmission over both ATM and ethernet technologies. In the ethernet mode, the ethernet frames are encapsulated using GPON encapsulation mode (GEM) and transferred inside GEM frames. As a result, some ethernet structures, such as interpacket gap, preamble, or start of frame delimiter, are not available. For more information, see **Figure 6**.

The basic GPON topology comprises the following three components: OLT, ONU, and optical distribution network (ODN). Typically, there is/are a single/ more OLT/s in the network (depending on the preferences of the associated Internet service provider) performing encapsulation and de-encapsulation of downstream and upstream network traffic, respectively, for multiple end users (up to 128 end users per port). The ONU is located at the end user's premises and converts the signals from the optical to the electrical domain. Finally, an ODN is composed of the elements placed between OLTs and ONUs such as optical fibers, splitters, and connectors.

**Figure 6.**

*Ethernet encapsulation into the GEM frame [26].*

**Figure 7.** *Interception of downstream communications.*

The risk of passive interception of communications results directly from the nature of PON communication. Downstream communication can be secured; however, the major disadvantage is that security is only optional. A potential attacker could, therefore, modify the firmware of an ONU and eavesdrop on all the communication in the downstream direction [26, 27]. The traffic in this direction can also be captured using optical radiation detectors, not necessarily an ONU detector, so encryption of data in the downstream direction had to be introduced [28]. However, the subsequent processing of the captured signal is an essential next step. The situation where the modified end unit receives all frames, including those not directly assigned to it, can be seen in **Figure 7**.

The previously mentioned passive interception could also occur in the upstream direction because no security is used for the upstream communication. This type of interception is complicated; however, it is feasible. The recommendations for use do not define any security for this direction of communication. The reason for this is based on the fact that it is not possible to capture the communication of other end users in the upstream direction via the ONU, so communication is not necessary to be encrypted. To eavesdrop on the communications in this direction, a potential

**75**

start and stop times.

*Deployment of PON in Europe and Deep Data Analysis of GPON*

level of the retroreflection and the type of connector in use [31].

the measurement back to the customer.

attacker would have to disrupt the PON optical line. This situation would, however, affect the transmission properties of the network in question, which should be captured by the service provider's surveillance center. This way of interception is

The abovementioned reason resulted in the fact that no security standard has been provided for any of the individual PON standards. In the event of encryption of the downstream transmission, e.g., using advanced encryption standard (AES) or other secret key-based technology, these keys would have to be sent in an unsecured form—plain text in the upstream direction. It was based on the assumption that upstream communication was safe; therefore, it was not necessary to provide

The research described in [31] focused specifically on the possibilities of interception of the communication in the upstream direction. The authors tested whether it was possible to intercept the communication through the back reflections of the optical signal. These reflections could be caused by a variety of commonly used optical components, such as passive optical hubs and/or connectors. Moreover, the optical positive-intrinsic-negative (PIN) detectors and avalanche photodiode (APD), as well as the preamplifiers, also had an effect on capturing the communications in the upstream direction. Testing was carried out at various ODN configurations, mainly aimed at testing the back reflection of the optical signal. The success of the potential attacker depended primarily on the type of connector used and the photodetector. A polished connector (PC) was considered inappropriate in terms of network security. The angled polish connector (APC) reduced signal reflections by virtual vertical grinding. Using an APD connector, however, increased the probability of a successful interception of the communicating ONU. Nevertheless, the capability of eavesdropping in the upstream direction was not dependent on the particular bit rate; it depended mostly on the power

The following demonstrates how to intercept communication in both directions with a specialized tool in hand. Real-time network analysis of the transmitted data (ONU management and control interface (OMCI) channel and GEM data units for end units) was performed. For the purpose of the demonstration, the GPONxpert tool was used. This tool has been developed specifically for passive optical networks. The tool allows for the real-time analysis of ONU-ID, performance levels, and Alloc-ID. However, a detailed analysis of the transmitted data is still necessary to be implemented in the form of postprocessing. Although the manufacturer, TraceSpan, also has other modifications to this device, for our purposes, the most popular measuring device was used. The lite versions contained support for ONU-ID analysis. The real-time analysis of levels, Alloc-IDs, and other parameters was stored using field programmable gate array (FPGA) and sent to the device manufacturer for the postprocessing. The manufacturer then sent the report from

This work is focused on the analysis of downstream and upstream transmission in GPON standard topology. At the start of the measurement, all ONUs search for their associated network parameters (e.g., serial number, ONU-ID, etc.) that are stored inside the previously mentioned GEM frames. Since the distance between the ONUs and the OLT are different, it was also necessary to use an equalization delay parameter that is assigned by the OLT during the activation process. For more information, see [31, 32]. Consequently, all ONUs wait for a random period prior to starting data transmission. In the frame of this work, data are broadcasted in the downstream direction. In the upstream direction, time slots assigned by the OLT are used instead. Moreover, in this work, we did not use the DBA algorithm. Consequently, all ONUs are expected to transfer data in time slots with prespecified

*DOI: http://dx.doi.org/10.5772/intechopen.82679*

therefore very unlikely [29].

any additional security [30].

The risk of passive interception of communications results directly from the nature of PON communication. Downstream communication can be secured; however, the major disadvantage is that security is only optional. A potential attacker could, therefore, modify the firmware of an ONU and eavesdrop on all the communication in the downstream direction [26, 27]. The traffic in this direction can also be captured using optical radiation detectors, not necessarily an ONU detector, so encryption of data in the downstream direction had to be introduced [28]. However, the subsequent processing of the captured signal is an essential next step. The situation where the modified end unit receives all frames, including those

The previously mentioned passive interception could also occur in the upstream direction because no security is used for the upstream communication. This type of interception is complicated; however, it is feasible. The recommendations for use do not define any security for this direction of communication. The reason for this is based on the fact that it is not possible to capture the communication of other end users in the upstream direction via the ONU, so communication is not necessary to be encrypted. To eavesdrop on the communications in this direction, a potential

not directly assigned to it, can be seen in **Figure 7**.

**74**

**Figure 6.**

**Figure 7.**

*Ethernet encapsulation into the GEM frame [26].*

*Interception of downstream communications.*

attacker would have to disrupt the PON optical line. This situation would, however, affect the transmission properties of the network in question, which should be captured by the service provider's surveillance center. This way of interception is therefore very unlikely [29].

The abovementioned reason resulted in the fact that no security standard has been provided for any of the individual PON standards. In the event of encryption of the downstream transmission, e.g., using advanced encryption standard (AES) or other secret key-based technology, these keys would have to be sent in an unsecured form—plain text in the upstream direction. It was based on the assumption that upstream communication was safe; therefore, it was not necessary to provide any additional security [30].

The research described in [31] focused specifically on the possibilities of interception of the communication in the upstream direction. The authors tested whether it was possible to intercept the communication through the back reflections of the optical signal. These reflections could be caused by a variety of commonly used optical components, such as passive optical hubs and/or connectors. Moreover, the optical positive-intrinsic-negative (PIN) detectors and avalanche photodiode (APD), as well as the preamplifiers, also had an effect on capturing the communications in the upstream direction. Testing was carried out at various ODN configurations, mainly aimed at testing the back reflection of the optical signal. The success of the potential attacker depended primarily on the type of connector used and the photodetector. A polished connector (PC) was considered inappropriate in terms of network security. The angled polish connector (APC) reduced signal reflections by virtual vertical grinding. Using an APD connector, however, increased the probability of a successful interception of the communicating ONU. Nevertheless, the capability of eavesdropping in the upstream direction was not dependent on the particular bit rate; it depended mostly on the power level of the retroreflection and the type of connector in use [31].

The following demonstrates how to intercept communication in both directions with a specialized tool in hand. Real-time network analysis of the transmitted data (ONU management and control interface (OMCI) channel and GEM data units for end units) was performed. For the purpose of the demonstration, the GPONxpert tool was used. This tool has been developed specifically for passive optical networks. The tool allows for the real-time analysis of ONU-ID, performance levels, and Alloc-ID. However, a detailed analysis of the transmitted data is still necessary to be implemented in the form of postprocessing. Although the manufacturer, TraceSpan, also has other modifications to this device, for our purposes, the most popular measuring device was used. The lite versions contained support for ONU-ID analysis. The real-time analysis of levels, Alloc-IDs, and other parameters was stored using field programmable gate array (FPGA) and sent to the device manufacturer for the postprocessing. The manufacturer then sent the report from the measurement back to the customer.

This work is focused on the analysis of downstream and upstream transmission in GPON standard topology. At the start of the measurement, all ONUs search for their associated network parameters (e.g., serial number, ONU-ID, etc.) that are stored inside the previously mentioned GEM frames. Since the distance between the ONUs and the OLT are different, it was also necessary to use an equalization delay parameter that is assigned by the OLT during the activation process. For more information, see [31, 32]. Consequently, all ONUs wait for a random period prior to starting data transmission. In the frame of this work, data are broadcasted in the downstream direction. In the upstream direction, time slots assigned by the OLT are used instead. Moreover, in this work, we did not use the DBA algorithm. Consequently, all ONUs are expected to transfer data in time slots with prespecified start and stop times.


#### **Figure 8.**

*GPON activation process with encryption channel establishment messages [29].*

To summarize, on the one hand, this work is interested in the analysis of user data and the activation process. However, on the other hand, the description of the activation process is omitted, as has already been described in our previous work [32]. Since the user plane and control plane data are transferred using GEM frames, it is not possible to use a common packet analyzer such as Wireshark. For this purpose, we used a GPONxpert analyzer in a standalone mode in which all data are transferred and saved to a hard drive. Therefore, to perform a deeper inspection or analysis, all the data must to be postprocessed. In general, the control plane data can be divided into signaling, OMCI. First, we focused on the signaling data analysis. When the connection is established, messages such as Assign ONU-ID, Configure Port-ID, Assign Alloc-ID, Encrypted Port-ID, Encryption\_key, key\_request\_message, and Key\_switching\_time are transmitted three times. This, as well as a complete GPON signalization, can be seen in **Figure 8**.

It can be seen that a physical layer operations, administrations and maintenance (PLOAM) message, specifically the "Serial number ONU," are transferred from the ONU to the OLT. This message holds information such as the vendor serial number, a list of supported data profiles, and the value of random delay of 82 μs [28]. The OLT uses these messages to extract the serial number and allocate the associated ONU-ID. Moreover, to minimize the impact of unequal distances among the ONUs and the OLT, it uses unique random delays for each of the ONUs that are based on the time between two successive "Serial number ONU" messages. As soon as the

**77**

*Deployment of PON in Europe and Deep Data Analysis of GPON*

OLT receives the ONU-ID, it sends the PLOAM message: "Assign ONU-ID." At this point, even though the OLT is aware of the assigned ONU-ID, it is not able to use unicast addressing because the ONU itself still cannot recognize the ONU-ID as its own, and therefore, broadcast addressing needs to be used (the ONU serial number is taken as the identifier) [29]. This means that every ONU receives this message; however, based on the comparison of the incoming and internal serial numbers, only the targeted ONU processes the message. In **Table 1**, it can also be seen that ZTE company is the final unit manufacturer. Based on hard-defined bytes in the MAC address, the manufacturer can be checked directly using its unique label: "0xC03B4EB4." GPON networks supported the transfer of ATM cells; however, in the last review in 2014, this support completely disappeared as these networks did not find their real application. For this reason, "ATM support Disable" can also be observed in the captured data. On the other hand, GEM support is necessary for any GPON data transfer: "GON support Enable." The captured data also have a description of the signal's power level, however, only with the following levels:

After the OLT sends the "Assign ONU-ID" message, it consequently sends the "Ranging request" message using the specific ONU-ID. Consequently, the ONU is capable of using a single grant to transmit data. The OLT unit's response to the "Serial Number ONU" message is a PLOAM message, "Assign ONU-ID." This message already carries a unique identifier for the designated end unit. From the nature of PON technology, it is clear that each end unit receives all messages. Using the unique ONU-ID, also called a serial number (if ONU-ID is not assigned), ONUs decide which messages to process. In this case, the assignment of ONU-ID = 1, i.e., the first end unit has already been replied to. The serial number of the unit equals "0x5A544547C03B4EB4", the Psync field is fixed and does not change throughout the communication. This fact is evidenced by the other messages listed in **Table 1**. "Ident Superframe Counter: 499314877" specifies the order of the transmitted frame/s. The ONU endpoint activation process in the GPON network is based on the sending of specific messages three times in a row. The second copy of the message is left for the demonstration of the Superframe counter being incremented by 1. After that, the ONU responds with the "Serial number ONU" message using the maximum priority T-CONT class (i.e., urgent data). The OLT computes a new value for the equalization delay using the "Ranging Time" message sent by the ONU. In the initial ONU report, the unit generates a random delay of 82 μs. The control unit must virtually ensure the same distance for all ONU end units. Each unit is located at a different distance, different customer stores, and/or residential units or streets. Supporting up to 20 km in the distribution part allows for the entire housing estate to be connected. The OLT sends a "Ranging request" message to specify a unique ranging time for each ONU. For this particular message, ONUs are required to respond immediately with their ONU-IDs and serial numbers. The OLT unit repeats the "Ranging request" message three times in total. It is important to note the second response, where the ONU specifies the mandatory parameters such as ONU-ID, the serial number (now omitted), and adds information about the Urgent PLOAM waiting and Traffic waiting in type 2 T-CONTs. The individual T-CONTs represent the distribution of traffic according to their classification by importance. T-CONT 1 responds to urgent data, i.e., data with the highest priority (e.g., voice over Internet protocol—VoIP) and fixed bandwidth. TCONT2 + 3 transfer Internet protocol television (IPTV) data with guaranteed bandwidth, T-CONT 4 is commonly used for best-effort data, and the last T-CONT5 is a mixed type including all types of bandwidth and services. Based on the received OLT responses, the OLT unit evaluates the assigned delay for the given ONU and sends the delay value

*DOI: http://dx.doi.org/10.5772/intechopen.82679*

low/medium/high power.

To summarize, on the one hand, this work is interested in the analysis of user data and the activation process. However, on the other hand, the description of the activation process is omitted, as has already been described in our previous work [32]. Since the user plane and control plane data are transferred using GEM frames, it is not possible to use a common packet analyzer such as Wireshark. For this purpose, we used a GPONxpert analyzer in a standalone mode in which all data are transferred and saved to a hard drive. Therefore, to perform a deeper inspection or analysis, all the data must to be postprocessed. In general, the control plane data can be divided into signaling, OMCI. First, we focused on the signaling data analysis. When the connection is established, messages such as Assign ONU-ID, Configure Port-ID, Assign Alloc-ID, Encrypted Port-ID, Encryption\_key, key\_request\_message, and Key\_switching\_time are transmitted three times. This, as well as a com-

It can be seen that a physical layer operations, administrations and maintenance (PLOAM) message, specifically the "Serial number ONU," are transferred from the ONU to the OLT. This message holds information such as the vendor serial number, a list of supported data profiles, and the value of random delay of 82 μs [28]. The OLT uses these messages to extract the serial number and allocate the associated ONU-ID. Moreover, to minimize the impact of unequal distances among the ONUs and the OLT, it uses unique random delays for each of the ONUs that are based on the time between two successive "Serial number ONU" messages. As soon as the

plete GPON signalization, can be seen in **Figure 8**.

*GPON activation process with encryption channel establishment messages [29].*

**76**

**Figure 8.**

OLT receives the ONU-ID, it sends the PLOAM message: "Assign ONU-ID." At this point, even though the OLT is aware of the assigned ONU-ID, it is not able to use unicast addressing because the ONU itself still cannot recognize the ONU-ID as its own, and therefore, broadcast addressing needs to be used (the ONU serial number is taken as the identifier) [29]. This means that every ONU receives this message; however, based on the comparison of the incoming and internal serial numbers, only the targeted ONU processes the message. In **Table 1**, it can also be seen that ZTE company is the final unit manufacturer. Based on hard-defined bytes in the MAC address, the manufacturer can be checked directly using its unique label: "0xC03B4EB4." GPON networks supported the transfer of ATM cells; however, in the last review in 2014, this support completely disappeared as these networks did not find their real application. For this reason, "ATM support Disable" can also be observed in the captured data. On the other hand, GEM support is necessary for any GPON data transfer: "GON support Enable." The captured data also have a description of the signal's power level, however, only with the following levels: low/medium/high power.

After the OLT sends the "Assign ONU-ID" message, it consequently sends the "Ranging request" message using the specific ONU-ID. Consequently, the ONU is capable of using a single grant to transmit data. The OLT unit's response to the "Serial Number ONU" message is a PLOAM message, "Assign ONU-ID." This message already carries a unique identifier for the designated end unit. From the nature of PON technology, it is clear that each end unit receives all messages. Using the unique ONU-ID, also called a serial number (if ONU-ID is not assigned), ONUs decide which messages to process. In this case, the assignment of ONU-ID = 1, i.e., the first end unit has already been replied to. The serial number of the unit equals "0x5A544547C03B4EB4", the Psync field is fixed and does not change throughout the communication. This fact is evidenced by the other messages listed in **Table 1**. "Ident Superframe Counter: 499314877" specifies the order of the transmitted frame/s. The ONU endpoint activation process in the GPON network is based on the sending of specific messages three times in a row. The second copy of the message is left for the demonstration of the Superframe counter being incremented by 1. After that, the ONU responds with the "Serial number ONU" message using the maximum priority T-CONT class (i.e., urgent data). The OLT computes a new value for the equalization delay using the "Ranging Time" message sent by the ONU. In the initial ONU report, the unit generates a random delay of 82 μs. The control unit must virtually ensure the same distance for all ONU end units. Each unit is located at a different distance, different customer stores, and/or residential units or streets. Supporting up to 20 km in the distribution part allows for the entire housing estate to be connected. The OLT sends a "Ranging request" message to specify a unique ranging time for each ONU. For this particular message, ONUs are required to respond immediately with their ONU-IDs and serial numbers. The OLT unit repeats the "Ranging request" message three times in total. It is important to note the second response, where the ONU specifies the mandatory parameters such as ONU-ID, the serial number (now omitted), and adds information about the Urgent PLOAM waiting and Traffic waiting in type 2 T-CONTs. The individual T-CONTs represent the distribution of traffic according to their classification by importance. T-CONT 1 responds to urgent data, i.e., data with the highest priority (e.g., voice over Internet protocol—VoIP) and fixed bandwidth. TCONT2 + 3 transfer Internet protocol television (IPTV) data with guaranteed bandwidth, T-CONT 4 is commonly used for best-effort data, and the last T-CONT5 is a mixed type including all types of bandwidth and services. Based on the received OLT responses, the OLT unit evaluates the assigned delay for the given ONU and sends the delay value


**79**

not use Port-ID encryption.

*Deployment of PON in Europe and Deep Data Analysis of GPON*

to the "Ranging time" message. GPON networks support so-called backup paths and link recovery systems when an alternative route is available. The message contains two fields: "Path EqD Descriptor: Main Path EqD" identifying the primary path and the backup path (the backup path was not available at the time of testing; therefore, it is not included in the message). The delay value specifies the delay for the end unit in "Delay: 265409," but this value does not match the value in μs. These steps set the basic communication parameters, the assigned ONU-ID, and the equalization delay. During the measurement, secure communication was enabled. The definition of reached states in which communication security can be performed and the prerequisites for negotiating the key are given in [33–35]. The entire process is started with the PLOAM message, "request password" containing "Ident Superframe Counter: 499318309." This message requires the end unit to respond with the same message with a password three times in a row. The captured data contain two fields: "Password (Hex): 0x47433033423445423400" and "Password (ASCII): GC03B4EB4." Next, the "Request Key" message is sent, the content of the message is not fully defined in this case; it is necessary to respond to this message with the Encryption Key message. The "Encryption Key" message consists of "Key Index: 0," "Fragment Index: 0" and "Key Bytes: 0x681A055363E86213." The sequence of these messages is followed and sent three times in a row. In our case, a single message is not enough to deliver the key, so another three messages are used to deliver the remaining part of it. This fact is illustrated by the following: "Fragment Index entry: 1," and "Key Bytes: 0x62677982F890BA9C." The next "Key Switching Time" message should define the start time when a new key is used that was not reached because the tool did not detect these fields. It only detected "Superframe Counter field: 499321133." The start time field contents must confirm the end unit using the "Acknowledge" message. The "Acknowledge" message contains the "Downstream Message Id: Key switching Time" field, confirming the previous message. Next, the OLT sends the "Configure Port-ID" message to the ONU specified by the ONU-ID. In the context of data transmission, the ONU-ID is used for the data flow allocation in a GEM frame. The ONU had to send the acknowledgement (ACK) messages three times (one for each of the received messages). As visualized in **Table 1**, the downstream message identification (DM\_ID) contains a "Configure Port-ID" field that holds the confirmed message's name, and an ONU ID equaling the ONU-ID of the end unit (in our case 1). Subsequently, the OLT checks whether the Port-ID is encrypted. If it is not (i.e., the ONU remains in the registration process), the ONU sends the ACK message as a response to each correctly received message. Next, the OLT sends a "BER" (Bit Error Rate) message to specify an accumulation interval for each of the ONUs (number of downstream frames per ONU) that is used to count the number of downstream bit errors [29]. At this point, the ONU knows the Port-ID. However, to establish bidirectional data communication, the Alloc-ID is required to identify a traffic-bearing entity (e.g., T-CONT), which represents the recipient of the upstream data allocated during the BWmap procedure [29]. It is important to note that each ONU requires at least a single Alloc-ID that is equal to the ONU-ID and that is not transmitted by the OLT in the "Assign Alloc-ID" message. In this work, the following Alloc-ID was provided by the OLT: 1. The end unit must always contain at least one ONU-ID identifier, but it may contain several Alloc-IDs. Often, the initial Alloc-ID corresponds to the assigned ONU-ID, which also occurred in this case. The ONU acknowledges each of the PLOAM messages. After that, the encryption of the Port-IDs is rechecked. Nevertheless, it should be mentioned that data encryption is optional, and in reality, many ISPs do

*DOI: http://dx.doi.org/10.5772/intechopen.82679*

**Table 1.**

*Activation process details in captured data in real GPON networks.*

Serial number ONU

Assign ONU-ID

Assign ONU-ID

request

ONU

request

ONU

password

1 1 Password Password (Hex):

key

key

time

Port-ID

Port-ID/VPI

Alloc-ID

*Activation process details in captured data in real GPON networks.*

16 1 Acknowledge DM\_ID: encrypted port-ID/VPI; ONU

122 1 Ranging time Path EqD descriptor: main path EqD;

2 Unassigned ONU ID

117 Broadcast message

118 Broadcast message

120 1 Ranging

121 1 Ranging

125 1 Request

4 1 Encryption

7 1 Encryption

127 1 Key switching

130 1 Configure

133 1 Encrypted

142 1 Assign

1 1 Serial number

2 1 Serial number

**ID ONU-ID Message type Message type**

Vendor ID: ZTEG, Vendor SN:

ONU ID: 1; serial number: 0x5A544547C03B4EB4; Psync: 0xB6AB31E0; Ident Superframe Counter:

499314877; PLOAM CRC: 142

0xC03B4EB4; random delay: 0

2, 3, 4, 5 T-CONTs: 0

(ASCII): GC03B4EB4

0x62677982F890BA9C

delay: 265409

126 1 Request key Psync: 0xB6AB31E0 PLOAM

10 1 Acknowledge DM\_ID: key switching time PLOAM

13 1 Acknowledge DM\_ID: configure port-ID PLOAM

ID: 1

136 1 BER interval BER interval: 40000 PLOAM 19 1 Acknowledge DM\_ID: BER interval PLOAM

22 1 Acknowledge DM\_ID: assign Alloc-ID PLOAM

0xC03B4EB4, Random Delay: 82 μs, ATM Support: Disable, GEM support: Enable, ONU TX power level: high power

Psync: 0xB6AB31E0; Ident FEC Indicator: 1; Ident Superframe Counter: 499315777

ONU ID: 1; vendor ID: ZTEG; vendor SN:

Psync: 0xB6AB31E0; Ident FEC Indicator: 1; Ident Superframe Counter: 499315777

Delimiter: 0xAB5983; ONU ID: 1; Urgent PLOAM waiting: 1; Traffic waiting in type

0x47433033423445423400; password

Key index: 0; fragment index: 0; key bytes: 0x681A055363E86213

Key index: 0; fragment index: 1; key bytes:

Ident superframe counter: 499314878 PLOAM

Ident Superframe Counter: 499318309 PLOAM

Superframe counter: 499321133 PLOAM

Activate: enable; port-ID: 1 PLOAM

Port-ID: 1 PLOAM

Alloc-ID: 1; Alloc-ID: Type GEM payload PLOAM

PLOAM

PLOAM

BWmap

PLOAM

BWmap

PLOAM

BWmap

PLOAM

PLOAM

PLOAM

PLOAM

**78**

**Table 1.**

to the "Ranging time" message. GPON networks support so-called backup paths and link recovery systems when an alternative route is available. The message contains two fields: "Path EqD Descriptor: Main Path EqD" identifying the primary path and the backup path (the backup path was not available at the time of testing; therefore, it is not included in the message). The delay value specifies the delay for the end unit in "Delay: 265409," but this value does not match the value in μs. These steps set the basic communication parameters, the assigned ONU-ID, and the equalization delay. During the measurement, secure communication was enabled. The definition of reached states in which communication security can be performed and the prerequisites for negotiating the key are given in [33–35]. The entire process is started with the PLOAM message, "request password" containing "Ident Superframe Counter: 499318309." This message requires the end unit to respond with the same message with a password three times in a row. The captured data contain two fields: "Password (Hex): 0x47433033423445423400" and "Password (ASCII): GC03B4EB4." Next, the "Request Key" message is sent, the content of the message is not fully defined in this case; it is necessary to respond to this message with the Encryption Key message. The "Encryption Key" message consists of "Key Index: 0," "Fragment Index: 0" and "Key Bytes: 0x681A055363E86213." The sequence of these messages is followed and sent three times in a row. In our case, a single message is not enough to deliver the key, so another three messages are used to deliver the remaining part of it. This fact is illustrated by the following: "Fragment Index entry: 1," and "Key Bytes: 0x62677982F890BA9C." The next "Key Switching Time" message should define the start time when a new key is used that was not reached because the tool did not detect these fields. It only detected "Superframe Counter field: 499321133." The start time field contents must confirm the end unit using the "Acknowledge" message. The "Acknowledge" message contains the "Downstream Message Id: Key switching Time" field, confirming the previous message. Next, the OLT sends the "Configure Port-ID" message to the ONU specified by the ONU-ID. In the context of data transmission, the ONU-ID is used for the data flow allocation in a GEM frame. The ONU had to send the acknowledgement (ACK) messages three times (one for each of the received messages). As visualized in **Table 1**, the downstream message identification (DM\_ID) contains a "Configure Port-ID" field that holds the confirmed message's name, and an ONU ID equaling the ONU-ID of the end unit (in our case 1). Subsequently, the OLT checks whether the Port-ID is encrypted. If it is not (i.e., the ONU remains in the registration process), the ONU sends the ACK message as a response to each correctly received message. Next, the OLT sends a "BER" (Bit Error Rate) message to specify an accumulation interval for each of the ONUs (number of downstream frames per ONU) that is used to count the number of downstream bit errors [29]. At this point, the ONU knows the Port-ID. However, to establish bidirectional data communication, the Alloc-ID is required to identify a traffic-bearing entity (e.g., T-CONT), which represents the recipient of the upstream data allocated during the BWmap procedure [29]. It is important to note that each ONU requires at least a single Alloc-ID that is equal to the ONU-ID and that is not transmitted by the OLT in the "Assign Alloc-ID" message. In this work, the following Alloc-ID was provided by the OLT: 1. The end unit must always contain at least one ONU-ID identifier, but it may contain several Alloc-IDs. Often, the initial Alloc-ID corresponds to the assigned ONU-ID, which also occurred in this case. The ONU acknowledges each of the PLOAM messages. After that, the encryption of the Port-IDs is rechecked. Nevertheless, it should be mentioned that data encryption is optional, and in reality, many ISPs do not use Port-ID encryption.
