Packet over SONet/SDH (POS) experience?

Ran Atkinson rja at
Mon Oct 20 16:32:54 UTC 1997

On Oct 19  8:12, William Allen Simpson wrote:

% There has been a recent bit of scare mongering from Lucent about PPP
% over SONet/SDH over on the IETF-PPP list.

% Has anyone (that has deployed) been having incident reports?
>-- End of excerpt from William Allen Simpson


	There are known operational incidents where an adversary sent
an IP packet designed to set the SONET scrambling algorithm ["f(x)"]
to all zeros.  This caused the SONET device to lose communications
syncronisation and the circuit to go down, requiring a manual reset.
Truly an ugly situation.

I've known about this issue ever since the PPP/SONET spec was
published, but have withheld public comment until someone else
mentioned the issue on a public list.

Cisco originally was going to implement a scrambler in its PPP/SONET
implementation (IOS folks like gmc definitely understood the issue),
but the cisco hardware types would not accept free clue and didn't
include the scrambler.  Basically all the PPP/SONET implementations
I know about can be taken out with a single well-known (and
easily calculated) IP datagram.


I have not seen the Lucent proposal myself, so I'm not sure what
it looks like.

>From time to time I've talked with a couple of folks at a small
networking startup in Mountain View about this issue.  My suggestions
to them have been of the form below:

	Add a scrambler algorithm to the PPP/SONET spec.
A reasonable approach to that scrambler might be something of
the general form:
	X^^A + X^^B + C

	^^ is the exponentiation operator
	A,B are prime numbers with O(10) or larger.
	(A > B)
	C is a prime number other than 1.

Adding additional exponential terms might generally strengthen
the algorithm, but intuitively I believe that the above form
is a reasonable tradeoff between implementation complexity and
strength.  It is crucial that the selected algorithm be checked
against the SONET scrambler.  An early proposal for ATM-layer
scrambling (since fixed) had the property that it fought with the
SONET-layer scrambler.

At this point, an implementation would want to retain backward
compatibility with the deployed systems.  Hence, I'd suggest
that implementers put in a knob letting administrators select
either "no PPP scrambling" or "PPP scrambling".  Clearly *I* don't
want to buy products that have the vulnerability noted at the top.

rja at

PS: I'm not on the PPP or PPPSDH lists, so if folks on those lists
  want me to see any followups, those folks will need to Cc: me

PPS:  The followups list definitely will need trimming.  Please
  edit appropriately if you followup...

More information about the NANOG mailing list