FTTH is somewhat open in Canada. You don't have to use their router, but you do have to use their SFP. (Why? I'm not entirely sure. AFAIK it doesn't send anything back to them)
If it’s GPON, the SFP is actually an entire computer that does a handshake with the upstream OLT and has a MAC address as well as an authentication key. It’s not a normal, dumb layer-1 SFP.
I'm confident the actual auth/crypto is terrible, so a dedicated attacker can do this even with GPON (through a rooted conventional GPON ONT).
The security is mostly provided by the fact that most internet is cheap enough that the mere price of acquiring an SFP or GPON ONT + the time it takes to reverse-engineer and hack isn't worth it. Also, breaking into unterminated fibre itself requires a fusion splicer that will set you back a couple grand, which is enough to pay for 1+ years of internet in most places.
Same with DOCSIS, the security is mostly obscurity/annoyance but anyone dedicated will easily bypass it.
GPON SFPs are a thing - it could be that the ISP is using those even with their official router, handing off all the GPON auth to the SFP and the router just sees this as a normal WAN port.
It's actually quite a good setup, as it allows power users to swap the router with anything SFP-capable and provides a standard interface across the demarcation line.
the new Greek regulation has those exemptions on fibre too, handoff is past a SFP. They gave their arguments on why they'd prefer it to be at the passive equipment at https://fsfe.org/news/2022/news-20220628-01
This is great news for consumers. Here in France, it’s a major pain in the ass to directly use your own router, thought not impossible. I did it with Open WRT on a Netgear Archer. It suddenly stopped working, and I suspect the VLAN config needed modification, but I gave up trying to bypass my ISP. I have their junk box again — to get something with Wifi 6 or meshing would be much more expensive. At least the fiber modem is integrated, so there’s a little less latency. I’m not a power user so the reward for patching together my own solution wasn’t high enough to teach myself networking, but the thing I absolutely cannot stand is the hardcoded DNS addresses.
It is a major privacy invasion for me. I use a VPN for a lot, but certain things can’t be done with VPNs, and it disturbs me that my partially state-owned ISP can gather that much more data on my online activity.
Living in France too, what I ended up doing is setting my ISP (SFR) router in DMZ mode and forward everything to my own OPNSense router. Since I did that, I never had to interact with the ISP router again. I only need to use my router to manage my network.
Then, on OPNSense you may choose your DNS and it bypasses the one on the ISP router. Problem solved !
That’s what I used, but it requires creating VLAN configurations, or it did when I tried this a couple years ago. I had to get help and just don’t have time to futz around with it anymore.
We do similar things in the US. AT&T doesn’t allow you to use you own modem and neither does Comcast on certain plans. Most allow a “bridge” mode but I’ve had to do with a DMZ before.
Just be aware that sometimes your isp will "helpfully" blow away all the configuration you set on their box in your home remotely from their end.
Had that happen to me a few times before I caught on to what was happening. So after that I set their box to dmz mode and all my real configurations are on my own box. If they do it again it's just one thing I have to set back. But they don't seem to be doing it as much now. Probably because their underprovisioned hardware is still able to keep up with a simple dmz setup but anything more complicated and it falls over.
I'm annoyed the router freedom isn't a thing, especially in the EU.
EU went to great lengths to explain why networks, equipments and services should never ever be run by a single company. They said that consumers should be able to choose each component for a free market (blah blah blah).
Railway ? The company that runs a station, the company that runs tracks, the company that operate trains should all be different.
Power ? The company that make electricity, the company that retails electricity, and the company that *provide you with the power meter* (the equivalent of a modem for power) should all be different
Telco ? It's a private company, they can give you both your phone number, internet access, TV and equipments, they don't care.
To follow EU's logic that was applied to break down public services :
- network infrastructure should be run by a single company, for everyone, like for the rail tracks, the roads or the power networks, to allow any entrepreneur to do their ISP
- the company offering your an access to the IP network (residency on an Autonomous system, if you really need a specific one + IP address + data caps) should do just that
- the company offering you cloud services (phone number, VoIP, VoLTE, VoWifi, emails, TV over IP,...) should do just that
- the companies selling you equipments should do just that
Personally, I feel bad about choosing a telco. Illiad has a really wonderful modem, that does all the network services you can dream off (VPN server, home server, VM server) with expendable RAM and HDD. But they are cheap when it comes to peering, and you can't browse YouTube properly with your 10G-EPON plan.
On the other hand, Orange has a wonderful internet experience. You don't know what peering is when you're a customer at them. But they have a trash dumb modem. (and for some reason, they send you the bill through the postal services, even when the monthly payment is automatically debited)
And you're just fully committed to either company, for better of for worse
You are very right there, how do we get the EU to start applying that to networking?
Here in AU, we almost have the model you propose (one govt-owned national last-mile network provider), but the services/devices layers are often bundled into the ISP.
In NZ there are multiple companies running network infra, but rules that they can't sell to consumers, they have to wholesale to ISPs. They have a much better network in NZ than AU though.
20 comments
[ 3.0 ms ] story [ 56.4 ms ] threadThe security is mostly provided by the fact that most internet is cheap enough that the mere price of acquiring an SFP or GPON ONT + the time it takes to reverse-engineer and hack isn't worth it. Also, breaking into unterminated fibre itself requires a fusion splicer that will set you back a couple grand, which is enough to pay for 1+ years of internet in most places.
Same with DOCSIS, the security is mostly obscurity/annoyance but anyone dedicated will easily bypass it.
It's actually quite a good setup, as it allows power users to swap the router with anything SFP-capable and provides a standard interface across the demarcation line.
It is a major privacy invasion for me. I use a VPN for a lot, but certain things can’t be done with VPNs, and it disturbs me that my partially state-owned ISP can gather that much more data on my online activity.
Then, on OPNSense you may choose your DNS and it bypasses the one on the ISP router. Problem solved !
lafibre.info/
Had that happen to me a few times before I caught on to what was happening. So after that I set their box to dmz mode and all my real configurations are on my own box. If they do it again it's just one thing I have to set back. But they don't seem to be doing it as much now. Probably because their underprovisioned hardware is still able to keep up with a simple dmz setup but anything more complicated and it falls over.
EU went to great lengths to explain why networks, equipments and services should never ever be run by a single company. They said that consumers should be able to choose each component for a free market (blah blah blah).
Railway ? The company that runs a station, the company that runs tracks, the company that operate trains should all be different.
Power ? The company that make electricity, the company that retails electricity, and the company that *provide you with the power meter* (the equivalent of a modem for power) should all be different
Telco ? It's a private company, they can give you both your phone number, internet access, TV and equipments, they don't care.
To follow EU's logic that was applied to break down public services :
- network infrastructure should be run by a single company, for everyone, like for the rail tracks, the roads or the power networks, to allow any entrepreneur to do their ISP
- the company offering your an access to the IP network (residency on an Autonomous system, if you really need a specific one + IP address + data caps) should do just that
- the company offering you cloud services (phone number, VoIP, VoLTE, VoWifi, emails, TV over IP,...) should do just that
- the companies selling you equipments should do just that
Personally, I feel bad about choosing a telco. Illiad has a really wonderful modem, that does all the network services you can dream off (VPN server, home server, VM server) with expendable RAM and HDD. But they are cheap when it comes to peering, and you can't browse YouTube properly with your 10G-EPON plan.
On the other hand, Orange has a wonderful internet experience. You don't know what peering is when you're a customer at them. But they have a trash dumb modem. (and for some reason, they send you the bill through the postal services, even when the monthly payment is automatically debited)
And you're just fully committed to either company, for better of for worse
Do you want a free market, anyone ?
Here in AU, we almost have the model you propose (one govt-owned national last-mile network provider), but the services/devices layers are often bundled into the ISP.
In NZ there are multiple companies running network infra, but rules that they can't sell to consumers, they have to wholesale to ISPs. They have a much better network in NZ than AU though.