Re: Anyone running C-Data OLTs?

2020-07-13 Thread Mark Tinka


On 13/Jul/20 17:33, Mike Hammett wrote:
> Fiscal and logistic reasons, would be my guess.

Nick was being facetious :-).

Mark.


Re: Anyone running C-Data OLTs?

2020-07-13 Thread Mike Hammett
Fiscal and logistic reasons, would be my guess. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Nick Hilliard"  
To: "Mark Tinka"  
Cc: nanog@nanog.org 
Sent: Monday, July 13, 2020 10:25:20 AM 
Subject: Re: Anyone running C-Data OLTs? 

Mark Tinka wrote on 13/07/2020 16:03: 
> Still don't know what "third world" means (of course I do...), but 

Obviously he means countries like Sweden, Ireland and Switzerland. 

> https://en.wikipedia.org/wiki/Third_World#/media/File:Cold_War_alliances_mid-1975.svg
>  

It's not clear why there's any relationship between third world status 
and the choice of PON/active FTTP equipment used in 2020. Or maybe 
there's some subtlety that is being lost here. Hard to tell. 

Nick 



Re: Anyone running C-Data OLTs?

2020-07-13 Thread Mark Tinka



On 13/Jul/20 17:25, Nick Hilliard wrote:

>
> Obviously he means countries like Sweden, Ireland and Switzerland.
>
>> https://en.wikipedia.org/wiki/Third_World#/media/File:Cold_War_alliances_mid-1975.svg
>>
>
> It's not clear why there's any relationship between third world status
> and the choice of PON/active FTTP equipment used in 2020.  Or maybe
> there's some subtlety that is being lost here.  Hard to tell.

:-).

Mark.


Re: Anyone running C-Data OLTs?

2020-07-13 Thread Nick Hilliard

Mark Tinka wrote on 13/07/2020 16:03:

Still don't know what "third world" means (of course I do...), but


Obviously he means countries like Sweden, Ireland and Switzerland.


https://en.wikipedia.org/wiki/Third_World#/media/File:Cold_War_alliances_mid-1975.svg


It's not clear why there's any relationship between third world status 
and the choice of PON/active FTTP equipment used in 2020.  Or maybe 
there's some subtlety that is being lost here.  Hard to tell.


Nick


Re: Anyone running C-Data OLTs?

2020-07-13 Thread Mark Tinka



On 12/Jul/20 23:43, J. Hellenthal via NANOG wrote:
> Almost no surprise they are all third world, still scary in a sense.
> Might just have to rethink a blacklist strategy for traffic
> originating behind those locations.

Still don't know what "third world" means (of course I do...), but
looking at what the guy in the top seat in America is doing, we are as
equally concerned about kit coming out of there as we are coming out of
anywhere else.

I will say that where we once had confidence that the traditional
vendors had us in their best interests, that trust level is not
automatically the same in 2020.

Mark.


Re: Anyone running C-Data OLTs?

2020-07-13 Thread Mark Tinka



On 11/Jul/20 02:16, Brandon Martin wrote:
>  
> All of the part numbers I was able to find a description of (after
> sifting through the numerous pages copying the vulnerability
> disclosure) appeared to be low-cost, low- to mid-density pizza-box
> EPON OLTs.  I didn't see any ONUs, but then I also didn't find data on
> everything.
>
> I know a lot of EPON deployments go for all-in-ones with the ONU,
> router, WLAN, etc. integrated into a single box presumably because
> it's cheaper for initial deployment than separate boxes for ONU and
> CPE router/AP.  No indication of those being affected in this notice,
> at least that I could find.

A number of vendors, these days, implement Active-E and GPON in the same
chassis, and you can decide what you want to run it as.

I recall Cisco picked up some company back around 2014 that gave them
this style of box in the ME4600. Not sure how it's doing nowadays.

Tejas do the same with their Ethernet boxes.

Mark.



Re: Anyone running C-Data OLTs?

2020-07-13 Thread Mark Tinka



On 11/Jul/20 00:22, Alexander Neilson wrote:
>
> For these to be internet exposed presumably they must be including a
> router function and not simply doing some bridging of customer traffic.

Well, if the attacker were able to find a way into your bastion host...

Mark.


Re: Anyone running C-Data OLTs?

2020-07-13 Thread Mark Tinka



On 10/Jul/20 18:58, Owen DeLong wrote:
> https://www.zdnet.com/article/backdoor-accounts-discovered-in-29-ftth-devices-from-chinese-vendor-c-data/?ftag=TRE-03-10aaa6b&bhid=29077120342825113007211255328545&mid=12920625&cid=2211510872
>
>
> Wow… Just wow.

And unlike routers, switches (and OLTs) don't seem to get as much love
re: vulnerability software upgrades with operators, despite the vendors
putting out code often enough (C-Data notwithstanding, of course).

Mark.


Re: Anyone running C-Data OLTs?

2020-07-12 Thread J. Hellenthal via NANOG
Almost no surprise they are all third world, still scary in a sense. Might just 
have to rethink a blacklist strategy for traffic originating behind those 
locations.

-- 
 J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.

> On Jul 10, 2020, at 15:30, blakan...@gmail.com wrote:
> 
>  Well here are a couple hundred:
> 
> https://www.shodan.io/search?query=Command+Line+Interface+for+EPON+System
> 
> -Keith
> 
> Mel Beckman wrote on 7/10/2020 1:07 PM:
> 
>> Perhaps you’re confusing OLT with ONT? An OLT is a “curbside” distribution 
>> node, the ONT is the CPE. The vulnerability is in the distribution node, not 
>> the CPE. No provider with any sense exposes their distribution node admin 
>> interface to the Internet. 
>> 
>> -mel via cell
>> 
>>> On Jul 10, 2020, at 1:01 PM, m...@beckman.org wrote:
>>> 
>>> The “WAN” port of an OLT _is_ its management port. Data, IPTV, and VoIP 
>>> traffic pass on VLANs, typically encrypted. These are passive optical 
>>> network (PON) devices, where all CPE in a group of, say, 32 premises 
>>> receive the same light via an optical splitter. Thus network partitioning 
>>> is a requirement of the architecture. There is no concept of a traditional 
>>> “WAN” port facing the Internet. 
>>> 
>>> -mel via cell
>>> 
>>>> On Jul 10, 2020, at 12:21 PM, Owen DeLong  wrote:
>>>> 
>>>> 
>>>> Um, from the article it appears that this isn’t on the Management 
>>>> interface, but the WAN port of the OLT.
>>>> 
>>>> Owen
>>>> 
>>>> 
>>>>> On Jul 10, 2020, at 11:01 , Mel Beckman  wrote:
>>>>> 
>>>>> But who, who I ask, opens their management interface to the public 
>>>>> Internet?!?!
>>>>> 
>>>>> Maybe this is a vulnerability if you have a compromised management network, 
>>>>> but anybody who opens CPE up to the Internet is just barking mad :-)
>>>>> 
>>>>> -mel via cell
>>>>> 
>>>>>> On Jul 10, 2020, at 10:00 AM, Owen DeLong  wrote:
>>>>>> 
>>>>>> 
>>>>>> https://www.zdnet.com/article/backdoor-accounts-discovered-in-29-ftth-devices-from-chinese-vendor-c-data/?ftag=TRE-03-10aaa6b&bhid=29077120342825113007211255328545&mid=12920625&cid=2211510872
>>>>>> 
>>>>>> Wow… Just wow.
>>>>>> 
>>>>>> Owen
>>>>>> 
>>>> 
>>>>> 




Re: Anyone running C-Data OLTs?

2020-07-11 Thread Baldur Norddahl
On Fri, Jul 10, 2020 at 9:22 PM Owen DeLong  wrote:

> Um, from the article it appears that this isn’t on the Management
> interface, but the WAN port of the OLT.
>
>
From the original at
https://pierrekim.github.io/blog/2020-07-07-cdata-olt-0day-vulnerabilities.html
it is very clear that we are talking about the OLT.

However any sane deployment would not be exposing the management to the
internet. You would have that stuff on a vlan separate from customer
traffic. I realise there are plenty of not so sane deployments out there.

Regards,

Baldur
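The separation Baldur describes (management listeners on their own VLAN, never reachable from customer or Internet-facing interfaces) is easy to state and easy to get wrong in a real config. The following is an added example for this thread, not code from any list post, from C-Data or from any vendor: it audits a small constructed model of an access device and reports every management listener that answers on a non-management interface or accepts sessions from outside the management prefix, then shows the corrected binding beside it. The interface names, VLAN ids, addresses, the `MANAGEMENT_PREFIXES` value and the service list are all assumptions, not a real OLT configuration format.

```python
"""Management-plane exposure audit for an access device (OLT-style).

Added example, not code from the thread or from any vendor. Models the
point that CLI/web/SNMP listeners belong on a VLAN separate from customer
traffic and must never be reachable from the Internet. All names, VLANs,
addresses and services below are constructed assumptions.
"""
from dataclasses import dataclass, replace
import ipaddress

# Assumption: the only prefix management sessions are expected to come from.
MANAGEMENT_PREFIXES = (ipaddress.IPv4Network("10.99.0.0/24"),)
# Assumption: protocols that carry credentials in the clear.
CLEARTEXT_SERVICES = {"telnet", "http"}
ANY = ipaddress.IPv4Address("0.0.0.0")


@dataclass(frozen=True)
class Interface:
    name: str
    vlan: int
    role: str                       # "management", "customer" or "uplink"
    address: ipaddress.IPv4Interface


@dataclass(frozen=True)
class Listener:
    service: str
    bind: ipaddress.IPv4Address     # 0.0.0.0 means "listen on every interface"
    allowed_sources: tuple          # IPv4Network objects; empty means unrestricted


def source_restricted(listener):
    """True only if every permitted source lies inside a management prefix."""
    if not listener.allowed_sources:
        return False
    return all(any(src.subnet_of(m) for m in MANAGEMENT_PREFIXES)
               for src in listener.allowed_sources)


def reachable_on(listener, interfaces):
    """Interfaces whose address the listener answers on."""
    if listener.bind == ANY:
        return list(interfaces)
    return [i for i in interfaces if i.address.ip == listener.bind]


def audit(interfaces, listeners):
    """Return (severity, service, interface, reason) findings."""
    findings = []
    for lst in listeners:
        restricted = source_restricted(lst)
        for iface in reachable_on(lst, interfaces):
            if iface.role != "management":
                # A source ACL lowers the risk but the listener is still exposed.
                sev = "medium" if restricted else "high"
                findings.append((sev, lst.service, iface.name,
                                 f"management listener reachable on {iface.role} "
                                 f"interface (vlan {iface.vlan})"))
            elif not restricted:
                findings.append(("low", lst.service, iface.name,
                                 "no source restriction on management listener"))
        if lst.service in CLEARTEXT_SERVICES:
            findings.append(("high", lst.service, "*",
                             "cleartext management protocol enabled"))
    return findings


def by_severity(findings):
    counts = {"high": 0, "medium": 0, "low": 0}
    for sev, *_ in findings:
        counts[sev] += 1
    return counts


def harden(listeners, mgmt_iface):
    """Corrected form: drop cleartext services, bind the rest to the
    management address only and restrict sources to the management prefix."""
    return [replace(lst, bind=mgmt_iface.address.ip,
                    allowed_sources=MANAGEMENT_PREFIXES)
            for lst in listeners if lst.service not in CLEARTEXT_SERVICES]


# Constructed sample device: one management VLAN, one uplink, one customer VLAN.
SAMPLE_INTERFACES = [
    Interface("mgmt0", 99, "management", ipaddress.IPv4Interface("10.99.0.5/24")),
    Interface("uplink0", 100, "uplink", ipaddress.IPv4Interface("203.0.113.10/30")),
    Interface("cust-vlan200", 200, "customer", ipaddress.IPv4Interface("100.64.1.1/24")),
]
# Constructed weak settings: ssh and telnet bound to every interface.
SAMPLE_LISTENERS = [
    Listener("ssh", ANY, (ipaddress.IPv4Network("10.99.0.0/24"),)),
    Listener("https", ipaddress.IPv4Address("10.99.0.5"), ()),
    Listener("telnet", ANY, ()),
    Listener("snmp", ipaddress.IPv4Address("10.99.0.5"),
             (ipaddress.IPv4Network("10.99.0.0/24"),)),
]

if __name__ == "__main__":
    for sev, svc, iface, why in audit(SAMPLE_INTERFACES, SAMPLE_LISTENERS):
        print(f"{sev:6} {svc:6} {iface:13} {why}")
    fixed = harden(SAMPLE_LISTENERS, SAMPLE_INTERFACES[0])
    print("findings after hardening:", len(audit(SAMPLE_INTERFACES, fixed)))
```

The sample yields seven findings (three high, two medium, two low); after `harden()` the same audit returns none, because every remaining listener answers only on `mgmt0` and only to the management prefix. On a real device the equivalent check is reading the running config for the bind address and source ACL of each management service, which this model stands in for.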


Re: Anyone running C-Data OLTs?

2020-07-10 Thread Brandon Martin

On 7/10/20 6:22 PM, Alexander Neilson wrote:
I haven’t checked (on mobile) but those affected model numbers could 
confirm if it’s OLT, ONT, or both. Possibly the confusion could come 
from the bug affecting both.


All of the part numbers I was able to find a description of (after 
sifting through the numerous pages copying the vulnerability disclosure) 
appeared to be low-cost, low- to mid-density pizza-box EPON OLTs.  I 
didn't see any ONUs, but then I also didn't find data on everything.


I know a lot of EPON deployments go for all-in-ones with the ONU, 
router, WLAN, etc. integrated into a single box presumably because it's 
cheaper for initial deployment than separate boxes for ONU and CPE 
router/AP.  No indication of those being affected in this notice, at 
least that I could find.


--
Brandon Martin


Re: Anyone running C-Data OLTs?

2020-07-10 Thread Alexander Neilson
I think the article may also be confusing OLT and ONT. 

They are talking about how the “OLT” that is vulnerable is the device that 
translates the fibre into the copper Ethernet connected to customers' equipment 
which may indicate these are actually ONTs being talked about or the article 
authors got their explanation confused. 

For these to be internet exposed presumably they must be including a router 
function and not simply doing some bridging of customer traffic. 

I haven’t checked (on mobile) but those affected model numbers could confirm if 
it’s OLT, ONT, or both. Possibly the confusion could come from the bug 
affecting both. 

Regards
Alexander

Alexander Neilson
Neilson Productions Limited
021 329 681
alexan...@neilson.net.nz

> On 11/07/2020, at 08:04, Mel Beckman  wrote:
> 
>  The “WAN” port of an OLT _is_ its management port. Data, IPTV, and VoIP 
> traffic pass on VLANs, typically encrypted. These are passive optical network 
> (PON) devices, where all CPE in a group of, say, 32 premises receive the same 
> light via an optical splitter. Thus network partitioning is a requirement of 
> the architecture. There is no concept of a traditional “WAN” port facing the 
> Internet. 
> 
> -mel via cell
> 
>>> On Jul 10, 2020, at 12:21 PM, Owen DeLong  wrote:
>>> 
>> 
>> Um, from the article it appears that this isn’t on the Management interface, 
>> but the WAN port of the OLT.
>> 
>> Owen
>> 
>> 
>>> On Jul 10, 2020, at 11:01 , Mel Beckman  wrote:
>>> 
>>> But who, who I ask, opens their management interface to the public 
>>> Internet?!?!
>>> 
>>> Maybe this is a vulnerability if you have a compromised management network, 
>>> but anybody who opens CPE up to the Internet is just barking mad :-)
>>> 
>>> -mel via cell
>>> 
>>>> On Jul 10, 2020, at 10:00 AM, Owen DeLong  wrote:
>>>> 
>>>> 
>>>> https://www.zdnet.com/article/backdoor-accounts-discovered-in-29-ftth-devices-from-chinese-vendor-c-data/?ftag=TRE-03-10aaa6b&bhid=29077120342825113007211255328545&mid=12920625&cid=2211510872
>>>> 
>>>> Wow… Just wow.
>>>> 
>>>> Owen
>>>> 
>> 


Re: Anyone running C-Data OLTs?

2020-07-10 Thread blakangel

Well here are a couple hundred:

https://www.shodan.io/search?query=Command+Line+Interface+for+EPON+System

-Keith

Mel Beckman wrote on 7/10/2020 1:07 PM:

Perhaps you’re confusing OLT with ONT? An OLT is a “curbside” 
distribution node, the ONT is the CPE. The vulnerability is in the 
distribution node, not the CPE. No provider with any sense exposes 
their distribution node admin interface to the Internet.


-mel via cell


On Jul 10, 2020, at 1:01 PM, m...@beckman.org wrote:

The “WAN” port of an OLT _is_ its management port. Data, IPTV, and 
VoIP traffic pass on VLANs, typically encrypted. These are passive 
optical network (PON) devices, where all CPE in a group of, say, 32 
premises receive the same light via an optical splitter. Thus network 
partitioning is a requirement of the architecture. There is no 
concept of a traditional “WAN” port facing the Internet.


-mel via cell


On Jul 10, 2020, at 12:21 PM, Owen DeLong  wrote:


Um, from the article it appears that this isn’t on the Management 
interface, but the WAN port of the OLT.


Owen


On Jul 10, 2020, at 11:01 , Mel Beckman wrote:


But who, who I ask, opens their management interface to the public 
Internet?!?!


Maybe this is a vulnerability if you have a compromised management 
network, but anybody who opens CPE up to the Internet is just 
barking mad :-)


-mel via cell

On Jul 10, 2020, at 10:00 AM, Owen DeLong wrote:


 
https://www.zdnet.com/article/backdoor-accounts-discovered-in-29-ftth-devices-from-chinese-vendor-c-data/?ftag=TRE-03-10aaa6b&bhid=29077120342825113007211255328545&mid=12920625&cid=2211510872 



Wow… Just wow.

Owen







Re: Anyone running C-Data OLTs?

2020-07-10 Thread Mel Beckman
Perhaps you’re confusing OLT with ONT? An OLT is a “curbside” distribution 
node, the ONT is the CPE. The vulnerability is in the distribution node, not 
the CPE. No provider with any sense exposes their distribution node admin 
interface to the Internet.

-mel via cell

On Jul 10, 2020, at 1:01 PM, m...@beckman.org wrote:

The “WAN” port of an OLT _is_ its management port. Data, IPTV, and VoIP 
traffic pass on VLANs, typically encrypted. These are passive optical network 
(PON) devices, where all CPE in a group of, say, 32 premises receive the same 
light via an optical splitter. Thus network partitioning is a requirement of 
the architecture. There is no concept of a traditional “WAN” port facing the 
Internet.

-mel via cell

On Jul 10, 2020, at 12:21 PM, Owen DeLong  wrote:


Um, from the article it appears that this isn’t on the Management interface, 
but the WAN port of the OLT.

Owen


On Jul 10, 2020, at 11:01 , Mel Beckman wrote:

But who, who I ask, opens their management interface to the public Internet?!?!

Maybe this is a vulnerability if you have a compromised management network, but 
anybody who opens CPE up to the Internet is just barking mad :-)

-mel via cell

On Jul 10, 2020, at 10:00 AM, Owen DeLong wrote:

 
https://www.zdnet.com/article/backdoor-accounts-discovered-in-29-ftth-devices-from-chinese-vendor-c-data/?ftag=TRE-03-10aaa6b&bhid=29077120342825113007211255328545&mid=12920625&cid=2211510872

Wow… Just wow.

Owen




Re: Anyone running C-Data OLTs?

2020-07-10 Thread Mel Beckman
The “WAN” port of an OLT _is_ its management port. Data, IPTV, and VoIP 
traffic pass on VLANs, typically encrypted. These are passive optical network 
(PON) devices, where all CPE in a group of, say, 32 premises receive the same 
light via an optical splitter. Thus network partitioning is a requirement of 
the architecture. There is no concept of a traditional “WAN” port facing the 
Internet.

-mel via cell

On Jul 10, 2020, at 12:21 PM, Owen DeLong  wrote:


Um, from the article it appears that this isn’t on the Management interface, 
but the WAN port of the OLT.

Owen


On Jul 10, 2020, at 11:01 , Mel Beckman wrote:

But who, who I ask, opens their management interface to the public Internet?!?!

Maybe this is a vulnerability if you have a compromised management network, but 
anybody who opens CPE up to the Internet is just barking mad :-)

-mel via cell

On Jul 10, 2020, at 10:00 AM, Owen DeLong wrote:

 
https://www.zdnet.com/article/backdoor-accounts-discovered-in-29-ftth-devices-from-chinese-vendor-c-data/?ftag=TRE-03-10aaa6b&bhid=29077120342825113007211255328545&mid=12920625&cid=2211510872

Wow… Just wow.

Owen




Re: Anyone running C-Data OLTs?

2020-07-10 Thread Owen DeLong
Um, from the article it appears that this isn’t on the Management interface, 
but the WAN port of the OLT.

Owen


> On Jul 10, 2020, at 11:01 , Mel Beckman  wrote:
> 
> But who, who I ask, opens their management interface to the public 
> Internet?!?!
> 
> Maybe this is a vulnerability if you have a compromised management network, but 
> anybody who opens CPE up to the Internet is just barking mad :-)
> 
> -mel via cell
> 
>> On Jul 10, 2020, at 10:00 AM, Owen DeLong  wrote:
>> 
>>  
>> https://www.zdnet.com/article/backdoor-accounts-discovered-in-29-ftth-devices-from-chinese-vendor-c-data/?ftag=TRE-03-10aaa6b&bhid=29077120342825113007211255328545&mid=12920625&cid=2211510872
>>  
>> 
>> 
>> Wow… Just wow.
>> 
>> Owen
>> 



Re: Anyone running C-Data OLTs?

2020-07-10 Thread Mel Beckman
But who, who I ask, opens their management interface to the public Internet?!?!

Maybe this is a vulnerability if you have a compromised management network, but 
anybody who opens CPE up to the Internet is just barking mad :-)

-mel via cell

On Jul 10, 2020, at 10:00 AM, Owen DeLong  wrote:

 
https://www.zdnet.com/article/backdoor-accounts-discovered-in-29-ftth-devices-from-chinese-vendor-c-data/?ftag=TRE-03-10aaa6b&bhid=29077120342825113007211255328545&mid=12920625&cid=2211510872

Wow… Just wow.

Owen



Anyone running C-Data OLTs?

2020-07-10 Thread Owen DeLong
https://www.zdnet.com/article/backdoor-accounts-discovered-in-29-ftth-devices-from-chinese-vendor-c-data/?ftag=TRE-03-10aaa6b&bhid=29077120342825113007211255328545&mid=12920625&cid=2211510872
 


Wow… Just wow.

Owen