PTP 650/670/700 provide effective protection against accidentally establishing a PTP link to the wrong remote unit using a choice of two access methods:
- Link Access
- Link Name Access
In an earlier Community message, we described how Access Method is configured, and we discussed the benefits of these options. See here for more on this: Link Name Access avoids an additional truck roll.
Whilst Access Method provides effective protection against honest configuration errors, it does not necessarily protect against a malicious attack by a determined and knowledgeable attacker.
In PTP670-02-00 and PTP700-02-50, we provide three wireless encryption algorithms with cryptographically-secure device authentication, namely:
- TLS-PSK 128-bit
- TLS-PSK 256-bit
Link Access is compatible with TLS-RSA, TLS-PSK 128-bit and TLS-PSK 256-bit
Link Name Access is compatible with only TLS-PSK 128-bit and TLS-PSK 256-bit
Definition of terms
It’s probably worth defining these terms: Authentication is the process of verifying the identity of the remote unit that is attempting to form a connection. Authorization is the check that takes place to confirm that a unit with the authenticated identity is permitted to connect. For example, a genuine unit that is not under the control of the operator might be authenticated, but not authorized.
Authentication using TLS-RSA
All PTP 670/700 ODUs have factory-installed RSA device certificates. These certificates identify the ODU MAC address.
TLS-RSA uses the bidirectional exchange and verification of RSA device certificates to determine the authentic identity of both ODUs. The ODU will not connect a wireless link if the encryption algorithm is TLS RSA and the certificate of the remote unit cannot be verified.
Authorization using TLS-RSA
The ODU authorizes a remote device in a PTP link using TLS-RSA by checking the authenticated MAC address of the remote unit against the configured Target MAC Address attribute. The ODU will not form a wireless link if the address does not match.
Authentication and authorization using TLS-PSK
In the TLS-PSK option, both ends of the link are configured with the same 128-bit or 256-bit pre-shared key (PSK) as a master secret. Authentication and authorization occur as a single step, based on the secret PSK. Both ends of the link must be configured for the same key size. Each unit will connect only to a remote unit that shares the same secret. Obviously, you need to use the same PSK on both ends of each link, and a different PSK on other links.
Note that the classic 128-bit and 256-bit AES options from earlier releases are not supported from 670-02-00 and 700-02-50 onwards. However, the TLS-PSK options are an improved replacement, configured in a similar way and with an equivalent level of security. PTP 700 links already configured with the classic AES encryption will be automatically migrated to the appropriate TLS-PSK option on upgrade to 700-02-50.
Licensing of secure device authentication
Just like the classic AES encryption in earlier releases, the TLS-PSK encryption algorithms are not available unless the ODU has the optional AES license. TLS-PSK 256-bit requires the 256-bit AES license.
The TLS-RSA algorithm can be used to provide secure authentication and authorization without the AES license. However, TLS-RSA stops at authentication and authorization, and will not go on to provide AES encryption for privacy in the wireless link, unless the ODU has the optional AES license.
We describe similar information for the HCMP topology here: Device Authentication in HCMP topology for PTP 700