Standard User candlerb
(fountain of knowledge) Wed 09-Dec-20 08:14:33

Re: BT FTTP With Digital Voice - Alternative to Smart Hub 2


[re: chrisu] [link to this post]
 
That's interesting. Could it be something in the PPPoE exchange that is different / missing? Or perhaps linediscovery tries to make an inbound connection *to* the SH2?
Standard User kitcat
(experienced) Wed 09-Dec-20 16:28:47

Re: BT FTTP With Digital Voice - Alternative to Smart Hub 2


[re: chrisu] [link to this post]
 
Chrisu

I think candlerb has identified the issue: linediscovery.hub.bt.com is contacting the IP on the ASUS with an incoming connection, and the ASUS doesn't know what to do with it, so it all fails.

You are dealing with a service that is set up to be secure, non-hackable and non-mimicable.

It has to be designed this way to meet the Government standards for a public telephone system (can't remember the official standard) as published, so that it can replace the PSTN.
Standard User candlerb
(fountain of knowledge) Wed 09-Dec-20 16:57:59

Re: BT FTTP With Digital Voice - Alternative to Smart Hub 2


[re: kitcat] [link to this post]
 
In reply to a post by kitcat:
I think Candleb has identified the issue, linediscovery.hub.bt.com is contacting the IP on the ASUS with an incoming connection and the ASUS doesn't know what to do with it so it all fails.


If it's on a fixed port then I expect it can be port-forwarded.

Standard User chrisu
(newbie) Wed 09-Dec-20 21:13:27

Re: BT FTTP With Digital Voice - Alternative to Smart Hub 2


[re: candlerb] [link to this post]
 
It's the hub that's making the call to linediscovery.hub.bt.com. It's an https call, and it seems that there is some kind of web server running there, probably some kind of simple REST service as the amount of data sent in each direction is small. I'm guessing that it's sending some kind of credentials and then getting the SIP server details back. The hub then makes a call to imsee.bt.com which looks like the SIP server. The only time that data is incoming and not initiated by the hub is when UDP voice data is received on port 5050 when a call is made. Therefore port forwarding won't help here.

The data in the PPPoE discovery messages is pretty simple. The only real data are the IP addresses at the end of the PPP connection, and the access concentrator name. I made those the same as the real session, so the hub's view of the world when connected to my PPPoE server should be the same as when connected to the real one. There must be something subtly different that I can't see which means that it doesn't like the response it gets from linediscovery.hub.bt.com.
Standard User PianSomB
(learned) Wed 09-Dec-20 21:20:09

Re: BT FTTP With Digital Voice - Alternative to Smart Hub 2


[re: chrisu] [link to this post]
 
Very interesting stuff, thanks for sharing.

Can your router spoof the MAC from your SH2, perhaps?

Standard User jpm
(member) Wed 09-Dec-20 21:29:57

Re: BT FTTP With Digital Voice - Alternative to Smart Hub 2


[re: chrisu] [link to this post]
 
Could you packet sniff the whole PPPoE setup phase that the SH2 does over the WAN to BT (e.g. just the SH2, your FTTP ONT, and the mirrored switch in between)? The information about the subscriber is inserted into the PPPoE messages by Openreach, which is how you can factory default a hub and use default credentials but it still knows what account it's on. I'm wondering if this needs to be told to the SH2 somehow when the connection is dialled.

See 2.1.8 in this doc https://www.openreach.co.uk/orpg/home/helpandsupport...
Standard User chrisu
(newbie) Wed 09-Dec-20 22:45:52

Re: BT FTTP With Digital Voice - Alternative to Smart Hub 2


[re: jpm] [link to this post]
 
That's an interesting document, I had wondered how it worked.

Having re-checked the PPPoE discovery messages when the SH2 is connected directly to the ONT, I can see there's a PPPoE tag called 'AC-Cookie' in the PADO message, which looks like some kind of 16-byte token. I would guess that the SH2 passes this value in the https call to linediscovery.hub.bt.com and then receives the SIP details in response. The PPPoE server I have created (https://dianne.skoll.ca/projects/rp-pppoe/ running on a Linux server) does not have this PPPoE tag, so the SH2 won't be able to pass it, which is probably the reason it doesn't work. It is likely that the only way of getting this to work is if I can get the AC-Cookie tag from the ASUS router and make my PPPoE server pass it to the SH2 in the PADO message. I don't know if this is possible as I can't see the ASUS router logging the PPPoE tags anywhere.
Standard User tdw42
(member) Thu 10-Dec-20 01:55:43

Re: BT FTTP With Digital Voice - Alternative to Smart Hub 2


[re: chrisu] [link to this post]
 
AC-Cookie is a standard, albeit optional, tag. See RFC 2516 Appendix A (page 10) and the first couple of paragraphs of section 9 (page 8).

It was intended to mitigate against some DoS attacks. I suppose BT Retail could be abusing it for other purposes, but I wouldn't expect them to have access to or be able to manipulate the PPPoE discovery phase in the Openreach network.
Standard User chrisu
(newbie) Thu 10-Dec-20 10:58:38

Re: BT FTTP With Digital Voice - Alternative to Smart Hub 2


[re: tdw42] [link to this post]
 
Yes, I agree, it's probably not being done by AC-Cookie as that's to prevent DoS, more likely this:

1. The SH2 sends the PPPoE PADI message. The OLT adds some extra tags, as per the above Openreach document, that identify your line.
2. The PPPoE server in Openreach receives the PADI message along with the tag that the OLT added, and sends a PADO message which will contain the AC-Name tag. The AC-Name tag will identify the AC in your telephone exchange, and I can see it contains the code of my exchange. The OLT removes the tag that it added to the PADI message.
3. The SH2 responds with a PADR message.
4. The PPPoE server responds with a PADS message and the PPP session is established. The message contains the 16-bit session ID.

So at any point in time, AC-Name and Session ID are unique within Openreach and can identify your line, and both the SH2 and Openreach know these 2 values. Openreach could pass these to BT, and then the SH2 could make an https call to linediscovery.hub.bt.com and pass them, and BT would know who you are and so can return your SIP details. Hopefully the Host-Uniq tag would also be sent as this is known by both sides, otherwise you could have a guess at the PPP session ID and have a 1 in 65536 chance of taking over one of your neighbours' phone lines.

The AC-Name doesn't change, but presumably it could in the future if Openreach add more PPPoE servers in your local exchange, but the Session ID does change. The Host-Uniq tag is probably unique for each SH2. I can see it and can make my ASUS router send the SH2 Host-Uniq value in that tag.

If it does work like this, then the only way to be able to get the SH2 to work behind your router with your own PPPoE server on your LAN is for your router to log the PPPoE AC-Name and Session ID so your PPPoE server could retrieve them and pass the same values to the SH2. My router doesn't log these values and I doubt most consumer routers do, so I don't think I'm going to be able to make this work with the router I have.
Standard User candlerb
(fountain of knowledge) Thu 10-Dec-20 11:54:28

Re: BT FTTP With Digital Voice - Alternative to Smart Hub 2


[re: chrisu] [link to this post]
 
That's really interesting.

It might be made to work if you put a small managed switch between your router and ONT, with a mirror port to capture the PPPoE traffic. Or if your router was something like pfSense, then you could just capture the packets in software.

Not that this is something you'd actually want to deploy, but having got this far I expect you'd like to prove it's possible :)
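
Added example (not code from any poster in this thread): a minimal RFC 2516 discovery-frame decoder showing where the AC-Name, Host-Uniq, AC-Cookie and session ID discussed above sit in a PADO/PADS pair taken from a mirror-port capture. The frames and every value in them are constructed, and the function names are this example's own.

```python
import struct

CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT"}
TAGS = {0x0101: "Service-Name", 0x0102: "AC-Name", 0x0103: "Host-Uniq",
        0x0104: "AC-Cookie", 0x0105: "Vendor-Specific", 0x0110: "Relay-Session-Id"}

def parse_discovery(frame: bytes) -> dict:
    """Decode one Ethernet frame carrying a PPPoE discovery packet (RFC 2516)."""
    if len(frame) < 20:
        raise ValueError("too short for Ethernet + PPPoE headers")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != 0x8863:                      # 0x8863 = discovery stage
        raise ValueError("not a PPPoE discovery frame")
    vertype, code, session_id, length = struct.unpack_from("!BBHH", frame, 14)
    if vertype != 0x11:
        raise ValueError("unexpected PPPoE version/type")
    payload = frame[20:20 + length]              # ignores Ethernet padding
    if len(payload) != length:
        raise ValueError("truncated PPPoE payload")
    tags, off = {}, 0
    while off + 4 <= len(payload):
        ttype, tlen = struct.unpack_from("!HH", payload, off)
        off += 4
        if ttype == 0x0000:                      # End-Of-List
            break
        if off + tlen > len(payload):
            raise ValueError("tag length overruns payload")
        tags[TAGS.get(ttype, hex(ttype))] = payload[off:off + tlen]
        off += tlen
    return {"code": CODES.get(code, hex(code)), "session_id": session_id, "tags": tags}

def build(code: int, session_id: int, tags: list) -> bytes:
    """Assemble a sample frame with zeroed MAC addresses (test data only)."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return (bytes(12) + struct.pack("!HBBHH", 0x8863, 0x11, code, session_id, len(body))
            + body)

# Constructed values, not taken from any real line or exchange.
HOST_UNIQ = bytes.fromhex("0a0b0c0d")
PADO = build(0x07, 0, [(0x0102, b"EXAMPLE-AC-01"), (0x0101, b""),
                       (0x0103, HOST_UNIQ), (0x0104, bytes(range(16)))])
PADS = build(0x65, 0x1234, [(0x0101, b""), (0x0103, HOST_UNIQ)])

def session_identifiers(pado: bytes, pads: bytes) -> dict:
    """Pull out the values the thread discusses from a PADO/PADS pair."""
    o, s = parse_discovery(pado), parse_discovery(pads)
    return {"ac_name": o["tags"].get("AC-Name", b"").decode("utf-8", "replace"),
            "ac_cookie": o["tags"].get("AC-Cookie"),
            "host_uniq": s["tags"].get("Host-Uniq"), "session_id": s["session_id"]}
```

The session ID is only assigned in the PADS header (it is zero in PADO), which is why the decoder reads it from the second frame.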