FTTH - ONT Authorisation - By Serial Number or more?

Hi All,
With a FTTH connection we have a BT Openreach provided ONT where the GPON fiber connects.

In the past I've asked if this ONT could be replaced, but it seems it could not.

Recently though, a few products have come on the market which may change this. From Mikrotik and Ubnt. The UBNT UFibre Nano G seems to have been made to work on many other FTTH infrastructures. The reason it can do this is it seems GPON "security" works based on the serial number of the device being used. The NanoG can have its serial number changed by script. (See UBNT forums).

My question therefore is: Do BT use the standard GPON ONT Serial Number as the only security method to allow the ONT to sync with the Exchange OLT?

If I change my NanoG's serial number to match the Openreach Huawei ONT's one would it work?

I know about the ISP PPPOE connection that is layered on top, but not interested in that at this stage.

Thanks in advance.
Marcus

First, surely it is Openreach kit? Secondly what difference would it make? Thirdly, who is going to fit it that is authorised to mess with the end of the fibre? Fourthly, where would it leave you if a fault or any other problem developed?

Fifthly, where would it leave you contractually and financially if the fitter made your end of the fibre useless?

I was specifically asking about the Openreach implementation of GPON in terms of serial number authentication, but will attempt to answer your questions...

1. No, I'd purchase the replacement ONT (I want a spare incase the BT provided on fails or for monitoring my connection as the BT provided ONT is totally locked down).

2. Don't understand the question - perhaps users may not want to use Huawei or wanted to actually see something about their FTTH connection?

3. It would be the homeowner etc - same as if we do anything with our home telephone system - as long as we are after the master socket back plate that is the demarcation point, although I know many people who have moved or replaced their master socket. The fibre terminates in a SC GPON connector that can be pulled out just like any plug/socket can.

4. If there was a fault the original device would need to be put back into place as the first step in fault fixing.

5. I would expect if someone damages the actual fibre or connector they would be liable to have it replaced (at their cost) by Openreach. I'm sure many cables have been damages over the years by pets / kids / hoovers etc...

Hi marcusjclifford

If you think you would not be breaking any T&C's by doing this, why don't you simply ask Openreach/ISP and see what they say and then report back to the forum.

Why would you want to change the Openreach CPE (ONT) when it does the job? In case you're unaware, doing so would put you in breach of your CP/Openreach's t&c's as the ONT is supposed to be left untouched.

But to answer your question & from a technical viewpoint, it would be pretty much impossible to use a third party ONT as the Openreach ONT won't be linked to their network just by its serial number - probably by its MAC, Product ID's and some other hidden info as well so I wouldn't bother going to all the trouble. You've probably got more chance of winning the lottery than 'spoofing' all that info onto a new ONT thus fooling Openreach into thinking you're still using their equipment.

This is on the back of my spare Openreach ONT and there's a few unique identifiers which are all likely be on their database & linked to your FTTP circuit:

https://i.postimg.cc/mD5j2f98/IMG-0359.jpg

Been discussed before. The opinion was it won't work.

http://forums.thinkbroadband.com/fibre/4582968-or-on...

I'd be amazed if the serial number was all that was used for authentication.

Nothing wrong with the OpenReach ONT anyway.

On your point 3 Openreach maintains and owns up to AND including the ONT. You can [censored] about with what is connected after this.

What are you hoping to monitor within the ONT ??

On point 4, so just leave the Openreach one insitu.

OK - thanks everyone for your replies.
There is lots of "should" and "may" but limited hard information.

On the UBNT forum there are multiple reports of successful usage of their ONT device on FTTH connections in other countries (Spain, Eastern Europe etc) so I was interested in the technical ability of it to work in the UK on the Openreach network.

It does seem that the default GPON implementation is authentication based on serial number alone, again I was wondering if BT follow this standard or not.

I just dislike having a) A single point of failure that I don't have a replacement for sitting ready to use and b) A device on my network that is a black box where I can get no information out of.

I suppose one day I may test this out, but the existing ONT is working as expected.

The next question though is a device like this on Amazon UK - being marketed for FTTH use - https://www.amazon.co.uk/TP-LINK-WiFi-Router-Fibra-G... - From what I am reading this would never work therefore should it be allowed to be sold?

In reply to a post by marcusjclifford:

I just dislike having a) A single point of failure that I don't have a replacement for sitting ready to use and b) A device on my network that is a black box where I can get no information out of.

a) What makes you think your ONT is likely to go tits up anytime soon? If it did, couldn't you live without FTTP for a few days and use a backup (eg 4G) service instead? If you have a business where 24/7 connectivity is critical, why not take out a leased line where you can get a SLA fix time as low as 2hrs?

b) I'm not sure anything useful can be obtained from the ONT considering it just 'syncs' at the rate you have been provisoned at.

In reply to a post by marcusjclifford:

There is lots of "should" and "may" but limited hard information.

So why don't you ask Openreach and/or your CP for a definitive answer? Its clear no one on TBB has done it.

Edited by deleted (Wed 20-Feb-19 15:07:42)

Hi

I think it's just the serial number as I've seen reports where a ONT has been replaced and BT enter the new serial number into their kit to enable it.

The serial number authentication isn't so much about stopping you from using your own kit, but it's about only receiving your own data. Because GPON is a broadcast, with everyone's data received by everyone else on that single fibre split up to 32 people, the serial number ensures only your own data is received and decrypted by the ONT.

However I'm sure BT wouldn't look too kindly about people using their own kit, as it has the ability to break everyone else's connection on that fibre if it misbehaves or tries to work differently when uploading data. This is because all ONTs on the same fibre co-operate to send data back, with each getting their own time slot where it's only their laser sending data. Imagine if some different kit that doesn't play good with BTs version of GPON trying to transmit but out of time and causing problems for all the other ONTs sending data back as you have 2 lasers firing back.

BT may also be able to detect the different kit when it connects up and disable the account to protect their network.

There may come a time where BT have approved ONTs that can be connected allowing the end user to swap them out, perhaps going for an ONT/router in a single box etc. But in this early period they will not be happy about different kit being used.

Regards

Phil

I would tend to agree with you (although I don't know for sure) that its just the serial number of the ONT that is used.

I think most people like myself are still wondering why the OP wants to use his own kit rather than the Openreach supplied ONT as there appears to be no good reason or benefit.

I suspect the serial number is just a key to lookup the unit's embedded encryption key stored in some back-end database. Or a one-time password to allow a key exchange. The serials themselves are too short and predictable to make good keys.

In reply to a post by DougM:

The serials themselves are too short and predictable to make good keys.

They are 16 characters long, is that too short?

In reply to a post by DougM:

I suspect the serial number is just a key to lookup the unit's embedded encryption key stored in some back-end database. Or a one-time password to allow a key exchange. The serials themselves are too short and predictable to make good keys.

Pretty much this. It can be done dynamically but linking your line account to the fibre stream* that the ont should use can't be doing via any public facing portal in its current form.

*bad wording

You are worried about a �single point of failure� ?

Then fret about a single fibre feeding the ONT ....

https://support.huawei.com/enterprise/en/doc/EDOC100...

Huawei�s implementation of GPON uses AES-128 session keys (the standard allows AES up-to 256), and manages their rotation. The fact the keys are rotated means the serial (128 bits of data) is not a static encryption key, but an identifier for registration.

That�s good news, because a static 128-bit encryption key is terrible: like going back to WEP for WiFi! I consider AES-128 with short-lived session keys to be the minimum acceptable level of security to protect data from eavesdropping.

In reply to a post by marcusjclifford:

I just dislike having a) A single point of failure that I don't have a replacement for sitting ready to use and b) A device on my network that is a black box where I can get no information out of.

The ONT is not on your network, it's the demarcation of the Openreach network and happens to be within your home.

Every other node in the rest of the Internet connection is a black box.

In reply to a post by Zarjaz:

You are worried about a �single point of failure� ?

Then fret about a single fibre feeding the ONT ....

Or the single port at the OLT feeding the area. Or the single line card feeding that OLT port.

PON is a shared layer 1 network, it's not some point to point thing like xDSL where a screwy piece of kit can't impact other users. A malfunctioning / modified ONT can mess up the service received by others on the split.

I'm not aware of any cable company in the world that permits customers to bring their own hardware unless the law compels it for much the same reasons.

In reply to a post by marcusjclifford:

I just dislike having a) A single point of failure that I don't have a replacement for sitting ready to use and b) A device on my network that is a black box where I can get no information out of.

I think with a DSL connection it makes sense to have spare equipment to help eliminate the causes of problems. I have always done this. An FTTP connection should be much more reliable and the ONT will likely receive all the transmitted bits, so there is not the same need for spare equipment and connection statistics.

In reply to a post by baby_frogmella:

Why would you want to change the Openreach CPE (ONT) when it does the job? In case you're unaware, doing so would put you in breach of your CP/Openreach's t&c's as the ONT is supposed to be left untouched.

I can think of a whole slew of reasons why one might want to change the ONT. That said they mostly revolve around wanting an ONT in an SFP form factor.

But to answer your question & from a technical viewpoint, it would be pretty much impossible to use a third party ONT as the Openreach ONT won't be linked to their network just by its serial number - probably by its MAC, Product ID's and some other hidden info as well so I wouldn't bother going to all the trouble. You've probably got more chance of winning the lottery than 'spoofing' all that info onto a new ONT thus fooling Openreach into thinking you're still using their equipment.

One of the methods in the GPON standard is to authenticate via serial number and given that installers are busy scanning the serial number bar code it is a pretty good bet that they are just using the serial number.

So for example the Ubiquiti ONT's are compatible with a range of Huawei OLT's

https://help.ubnt.com/hc/en-us/articles/115009335068

You can also if you so wish change the serial number

https://blog.onedefence.com/changing-the-gpon-serial...

Note the MAC address on the back of the Openreach ONT will be the consumer side MAC, you will be able to double check that very easily if you want.

Though I would be wary of replacing the ONT myself. It would be a big improvement however if Openreach offered an ONT in an SFP form factor.

In reply to a post by jabuzzard:

Though I would be wary of replacing the ONT myself. It would be a big improvement however if Openreach offered an ONT in an SFP form factor.

What are your thoughts on the proportion of users that might be wanting the Openreach product with routers that take SFPs and the desire to use them?

https://blog.onedefence.com/changing-the-gpon-serial...

Kinda ensures that Openreach don't want customers going anywhere near terminating FTTP on their own kit for much the same reasons cable companies either outright reject allowing customers to bring their own kit or, where they are required to by law, they insist on managing the modems themselves.

I'll not reiterate what has been said but having gone from ADSL to FTTP and having had to swap filters, cables and routers when I've had issues I'd say it's better that the ONT is actually part of the access network and that all I have to be concerned with is the batteries in the backup unit. the ethernet cable to my router and my router itself.

If the ONT gives up the ghost it's over to them.

In fact, had putting the ADSL modem into OR's hands been an option when I was on ADSL I'd have probably opted to do it on the basis that I had a few wasted days off waiting for them.

The SFP is the ONT. Then assuming you have a suitable router you just plug the SFP into the router of your choice, plug the fibre into the SFP and bobs your uncle.

Basically instead of the ONT turning it into a 1000BaseT connection and then your router turning the 1000BaseT back into SGMII to connect to the router, the SFP based ONT just pits out an SGMII signal that goes straight into the router of your choice. That is assuming the router of your choice has a SFP cage.

Huawei even do one

https://www.huawei.com/ucmf/groups/public/documents/...

Saves an extra box and cables, several watts and some latency.

I'm sure this post will please those who were complaining about over using acronyms with no explanation.

I understood about half this post

In reply to a post by j0hn83:

I'm sure this post will please those who were complaining about over using acronyms with no explanation.

I understood about half this post

Holds hand up.

In reply to a post by j0hn83:

I'm sure this post will please those who were complaining about over using acronyms with no explanation.

I understood about half this post

There must be a competition that I don't know about, winner is the one with most acronyms with no explanations

In reply to a post by jabuzzard:

The SFP is the ONT. Then assuming you have a suitable router you just plug the SFP into the router of your choice, plug the fibre into the SFP and bobs your uncle.

I know what SFPs are, my point was asking how many people do and how many service providers are knocking on Openreach's door indicating their customers are wanting to connect arbitrary kit to the FTTP network rather than an Ethernet presentation?

The product is GEA FTTP - the GEA bit stands for 'Generic Ethernet Access'. The plan was supposed to be to present the same interface regardless of the technology connecting customer to headend.

On a point to point network absolutely fine. When the security standards are more mature and cryptographic authentication is stronger absolutely fine. Allowing the bloke next door to plug whatever he wants into the network having flashed it with custom firmware and impersonate my ONT doesn't appeal.

In reply to a post by Ignitionnet:

On a point to point network absolutely fine. When the security standards are more mature and cryptographic authentication is stronger absolutely fine. Allowing the bloke next door to plug whatever he wants into the network having flashed it with custom firmware and impersonate my ONT doesn't appeal.

Well GPON uses AES so unless you have knowledge that it is broken it's not something to worry about. Also unless your neighbour is able to gain entry to your house and read the serial number of the back of the ONT it won't help. Even then they would need to disconnect your ONT, you can't have two ONT's authenticated at the same time (unless Openreach are really dumb). Also knowing your serial number won't help them snoop on your established connection. I would like this to any DOCISS connection.

Finally nothing is stopping a bad actor flashing some custom firmware on their ONT and impersonating your ONT today. It's all largely standards compliant stuff and if it where a problem it would have been a problem for years with all those DOCISS cable connections.

In reply to a post by baby_frogmella:

In reply to a post by marcusjclifford:

There is lots of "should" and "may" but limited hard information.

So why don't you ask Openreach and/or your CP for a definitive answer? Its clear no one on TBB has done it.

Ask who?
There are hardly any any resources left. Those few who stayed have no time on educating users.
The mantra is: tickets, tickets. Close as many tickets as possible otherwise managers will not get their bonuses.

In reply to a post by AdamCBG:

Ask who?
There are hardly any any resources left. Those few who stayed have no time on educating users.
The mantra is: tickets, tickets. Close as many tickets as possible otherwise managers will not get their bonuses.

Welcome.....maybe you should have saved your very first post for something that was worthy.

Just an update for anyone wondering about whether this is actually possible because a lot of doubt has been cast in various threads (and so I'm adding a note to all the ones that confused me):

It works. I was able to connect to my ISP through Openreach using an SFP ONT I bought online. The original ONT provided by Openreach was a Nokia G-010G-Q so I purchased what seemed to be the closest equivalent, the Nokia G-010S-A (G,S = GigEth,SFP and Q,A is just the manufacturer).

At first when plugging the SFP ONT and fibre in nothing really seemed to be working, however this is obviously expected as I hadn't matched anything from the provided ONT. This was easily fixed by using the information over at https://hack-gpon.org (a great resource documenting configuring ONT hardware) to copy as much of the information on the stickers on the outside of the original ONT (MfrID+SN, HardwareVersion, ICS, Mnemonic, MAC) onto the SFP one. While I was at it I also upgraded to the latest known firmware.

Once all that stuff was copied over it was plain sailing. I was able to use PPPoE (without vlan 101) to authenticate with my ISP (Plusnet), get an IP and route traffic. Everything seems to be extremely stable and I am happy with how things are working. I've not seen any benefit in switching the ONT over to 2.5G mode, however I've left it on anyway as I'm not getting any adverse effect either. It's really nice to just have the fibre from Openreach go straight into my router now.

Obviously, this is all at my own risk and I've kept the old ONT on hand for if problems happen.

In reply to a post by marcusjclifford:

I just dislike having a) A single point of failure that I don't have a replacement for sitting ready to use

I once did a contract at a major online bank. They seemed to have a similar view to yours, so next door there was a spare facility, identical to the one where I was working.

I never saw inside, but I was told that it was all complete and set up for a failover.

To me, it seemed daft. I'd have had the spare 50 miles away, not 150 metres.

But I guess it was better than nothing.

If your broadband goes down, can't you just move to your spare house?

In reply to a post by rhysperry111:

Just an update for anyone wondering about whether this is actually possible because a lot of doubt has been cast in various threads (and so I'm adding a note to all the ones that confused me):

It works. I was able to connect to my ISP through Openreach using an SFP ONT I bought online. The original ONT provided by Openreach was a Nokia G-010G-Q so I purchased what seemed to be the closest equivalent, the Nokia G-010S-A (G,S = GigEth,SFP and Q,A is just the manufacturer).

At first when plugging the SFP ONT and fibre in nothing really seemed to be working, however this is obviously expected as I hadn't matched anything from the provided ONT. This was easily fixed by using the information over at https://hack-gpon.org (a great resource documenting configuring ONT hardware) to copy as much of the information on the stickers on the outside of the original ONT (MfrID+SN, HardwareVersion, ICS, Mnemonic, MAC) onto the SFP one. While I was at it I also upgraded to the latest known firmware.

Once all that stuff was copied over it was plain sailing. I was able to use PPPoE (without vlan 101) to authenticate with my ISP (Plusnet), get an IP and route traffic. Everything seems to be extremely stable and I am happy with how things are working. I've not seen any benefit in switching the ONT over to 2.5G mode, however I've left it on anyway as I'm not getting any adverse effect either. It's really nice to just have the fibre from Openreach go straight into my router now.

Obviously, this is all at my own risk and I've kept the old ONT on hand for if problems happen.

Great to hear it worked.

I think the main issue with changing or messing about with the ONT is that the fibre isn't just our connection but connected together with up to 30 other properties, so a new ONT, if something wasn't right, could bring down the connection or cause intermittent problems for up to 30 other properties. GPON is a bit like a party line of old, only this time shared with 30 or so properties. This will be why Openreach is only wanting its own approved ONTs connected.

In reply to a post by E300:

Great to hear it worked.

I think the main issue with changing or messing about with the ONT is that the fibre isn't just our connection but connected together with up to 30 other properties, so a new ONT, if something wasn't right, could bring down the connection or cause intermittent problems for up to 30 other properties. GPON is a bit like a party line of old, only this time shared with 30 or so properties. This will be why Openreach is only wanting its own approved ONTs connected.

I agree. One of the side effects of ADSL is that we were all on our knees peering into an NTE and tweaking and tweaking because there was likely something to be gained from so doing. And ISPs were doing their bit, peering from their side beyond the NTE into the router. And some were locking down our routers and evend dictating how we configured our LANs.

With fibre we now have something of a truce. The ONT is not ours and the router is [should be] ours. It should be a truce. The ethernet between the ONT and the router should be noman's land. We should leave the ONT alone, really we should, because if we don't, the ISP's will come and take over our routers again. Much though I would want to play with the ONT, there is nothing I expect to be able to do to improve anything and besides that, I am happy that I am getting the spec I pay for and I don't have an ISP inside my router. That's how I want it and I want it to stay that way.

Unless you are on BT and need their version of digital voice when you have to use the BT hub and they have full access to that.... Not quite there with your utopia yet.

Hi,

In reply to a post by E300:

In reply to a post by rhysperry111:

Just an update for anyone wondering about whether this is actually possible because a lot of doubt has been cast in various threads (and so I'm adding a note to all the ones that confused me):

It works. I was able to connect to my ISP through Openreach using an SFP ONT I bought online. The original ONT provided by Openreach was a Nokia G-010G-Q so I purchased what seemed to be the closest equivalent, the Nokia G-010S-A (G,S = GigEth,SFP and Q,A is just the manufacturer).

At first when plugging the SFP ONT and fibre in nothing really seemed to be working, however this is obviously expected as I hadn't matched anything from the provided ONT. This was easily fixed by using the information over at https://hack-gpon.org (a great resource documenting configuring ONT hardware) to copy as much of the information on the stickers on the outside of the original ONT (MfrID+SN, HardwareVersion, ICS, Mnemonic, MAC) onto the SFP one. While I was at it I also upgraded to the latest known firmware.

Once all that stuff was copied over it was plain sailing. I was able to use PPPoE (without vlan 101) to authenticate with my ISP (Plusnet), get an IP and route traffic. Everything seems to be extremely stable and I am happy with how things are working. I've not seen any benefit in switching the ONT over to 2.5G mode, however I've left it on anyway as I'm not getting any adverse effect either. It's really nice to just have the fibre from Openreach go straight into my router now.

Obviously, this is all at my own risk and I've kept the old ONT on hand for if problems happen.

Great to hear it worked.

I think the main issue with changing or messing about with the ONT is that the fibre isn't just our connection but connected together with up to 30 other properties, so a new ONT, if something wasn't right, could bring down the connection or cause intermittent problems for up to 30 other properties. GPON is a bit like a party line of old, only this time shared with 30 or so properties. This will be why Openreach is only wanting its own approved ONTs connected.

I actually think that this will ultimately lead to the death of passive networks in favour of point to point. All it would take is for an attacker to get control of a small percentage of ONTs in a network and they can bring all of it down. That makes ONTs a tempting target for attack.

I give PONs 20-30 years before a security incident makes them non-preferred amongst most suppliers.

In reply to a post by dsergeant:

Unless you are on BT and need their version of digital voice when you have to use the BT hub and they have full access to that.... Not quite there with your utopia yet.

I think only Virgin Media have this right where their router handles the coax to Ethernet and also voice (where purchased), but can be put in "modem mode" and then the public IP is available to your own router but voice still works! Everyone else I know whom wants to use their own router has to sacrifice any voice service, BT Retail's Digital Voice, Sky's Sky Talk, or Vodafone's voice, etc.

Long term I wonder what the outcome will be, either voice will be hardly purchased, or people will tolerate using the ISP router more than they do today. Neither is good. A "modem" or "bridge" mode in the ISP routers would be one step forward.

(ONT not mentioned as this issue affects FTTC, ADSL, and FTTP users).

Edited by jchamier (Tue 09-Apr-24 10:58:54)

In reply to a post by dsergeant:

Unless you are on BT and need their version of digital voice when you have to use the BT hub and they have full access to that.... Not quite there with your utopia yet.

Good reason to ditch BT. In the world of VoIP, they are effectively non standards compliant.

In reply to a post by jchamier:

In reply to a post by dsergeant:

Unless you are on BT and need their version of digital voice when you have to use the BT hub and they have full access to that.... Not quite there with your utopia yet.

I think only Virgin Media have this right where their router handles the coax to Ethernet and also voice (where purchased), but can be put in "modem mode" and then the public IP is available to your own router but voice still works! Everyone else I know whom wants to use their own router has to sacrifice any voice service, BT Retail's Digital Voice, Sky's Sky Talk, or Vodafone's voice, etc.

Long term I wonder what the outcome will be, either voice will be hardly purchased, or people will tolerate using the ISP router more than they do today. Neither is good. A "modem" or "bridge" mode in the ISP routers would be one step forward.

(ONT not mentioned as this issue affects FTTC, ADSL, and FTTP users).

Not necessarily a problem for DV. I have Zen via CityFibre (probably no different with OR) and their supplied 7530 AX router does have a FON port for connecting an analogue phone to Zen's DV. However it's perfectly possible to set up Zen DV as any other VoIP provider, to use an IP phone connected to the router via Ethernet.

If you have the appropriate connection data this may also work with other DVs.

This is unlikely to be acceptable to the mass market until the SIP/VoIP setup is simpler and preferably automated, it's especially unhelpful when a large supplier like BT insists on having a proprietary DV service as that is not the right way to automate these installations as it's effectively revenue protection.

In reply to a post by DFScale:

Good reason to ditch BT. In the world of VoIP, they are effectively non standards compliant.

Its a closed user group, not traversing the open internet, so you have disadvantage of non-interoperability, but the advantage of QoS. Most networking aware people will reject, but I suspect the majority of BT’s retail customers will just go with it. 😂

In reply to a post by rippedcotton:

This is unlikely to be acceptable to the mass market until the SIP/VoIP setup is simpler and preferably automated, it's especially unhelpful when a large supplier like BT insists on having a proprietary DV service as that is not the right way to automate these installations as it's effectively revenue protection.

They’re all doing it, Virgin Media, BT/EE, Vodafone broadband, Sky, and others. At least you can reject at purchase stage. The problem is when you are migrated and then find you can no longer change the router, that is where Advertising Standards and Ofcom need to ensure consumers are aware before purchase.