|
|
|
Hi
I think it's just the serial number as I've seen reports where an ONT has been replaced and BT enter the new serial number into their kit to enable it.
The serial number authentication isn't so much about stopping you from using your own kit, but it's about only receiving your own data. Because GPON is a broadcast, with everyone's data received by everyone else on that single fibre split up to 32 people, the serial number ensures only your own data is received and decrypted by the ONT.
However I'm sure BT wouldn't look too kindly about people using their own kit, as it has the ability to break everyone else's connection on that fibre if it misbehaves or tries to work differently when uploading data. This is because all ONTs on the same fibre co-operate to send data back, with each getting their own time slot where it's only their laser sending data. Imagine some different kit that doesn't play well with BT's version of GPON trying to transmit but out of time and causing problems for all the other ONTs sending data back as you have 2 lasers firing back.
BT may also be able to detect the different kit when it connects up and disable the account to protect their network.
There may come a time where BT have approved ONTs that can be connected allowing the end user to swap them out, perhaps going for an ONT/router in a single box etc. But in this early period they will not be happy about different kit being used.
Regards
Phil
|
|
|
|
I would tend to agree with you (although I don't know for sure) that it's just the serial number of the ONT that is used.
I think most people like myself are still wondering why the OP wants to use his own kit rather than the Openreach supplied ONT as there appears to be no good reason or benefit.
|
|
|
I suspect the serial number is just a key to lookup the unit's embedded encryption key stored in some back-end database. Or a one-time password to allow a key exchange. The serials themselves are too short and predictable to make good keys.
-==-
DougM
|
|
|
|
|
The serials themselves are too short and predictable to make good keys.
They are 16 characters long, is that too short?
|
|
|
I suspect the serial number is just a key to lookup the unit's embedded encryption key stored in some back-end database. Or a one-time password to allow a key exchange. The serials themselves are too short and predictable to make good keys.
Pretty much this. It can be done dynamically but linking your line account to the fibre stream* that the ONT should use can't be done via any public facing portal in its current form.
*bad wording
|
|
|
You are worried about a "single point of failure"?
Then fret about a single fibre feeding the ONT ....
|
|
|
https://support.huawei.com/enterprise/en/doc/EDOC100...
Huawei's implementation of GPON uses AES-128 session keys (the standard allows AES up to 256), and manages their rotation. The fact the keys are rotated means the serial (128 bits of data) is not a static encryption key, but an identifier for registration.
That's good news, because a static 128-bit encryption key is terrible: like going back to WEP for WiFi! I consider AES-128 with short-lived session keys to be the minimum acceptable level of security to protect data from eavesdropping.
-==-
DougM
|
|
|
I just dislike having a) A single point of failure that I don't have a replacement for sitting ready to use and b) A device on my network that is a black box where I can get no information out of.
The ONT is not on your network, it's the demarcation of the Openreach network and happens to be within your home.
Every other node in the rest of the Internet connection is a black box.
|
|
|
You are worried about a "single point of failure"?
Then fret about a single fibre feeding the ONT ....
Or the single port at the OLT feeding the area. Or the single line card feeding that OLT port.
PON is a shared layer 1 network, it's not some point to point thing like xDSL where a screwy piece of kit can't impact other users. A malfunctioning / modified ONT can mess up the service received by others on the split.
I'm not aware of any cable company in the world that permits customers to bring their own hardware unless the law compels it for much the same reasons.
|
|
|
I just dislike having a) A single point of failure that I don't have a replacement for sitting ready to use and b) A device on my network that is a black box where I can get no information out of.
I think with a DSL connection it makes sense to have spare equipment to help eliminate the causes of problems. I have always done this. An FTTP connection should be much more reliable and the ONT will likely receive all the transmitted bits, so there is not the same need for spare equipment and connection statistics.
Michael Chare
|