JP2009118116A - Station side device of pon system and frame processing method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a station side device of a PON system capable of preventing a communication failure by a DoS attack while effectively taking a countermeasure against impersonation. <P>SOLUTION: The station side device 1 of the PON system has a frame processing part 11 for performing media access control using a control frame received from a house side device 2. The station side device 1 includes: a lookup table 15 in which both of a MAC address and an LLID corresponding to each house side device 2 are described; and a frame inspection part 11 which inspects the control frame before the control frame is input in a frame processing part 12, wherein the frame inspection part 11 discards the control frame when a MAC address and an LLID included in the control frame are not coincident with the ones described in the lookup table. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a station-side device of a PON system connected to a home-side device via an optical fiber, and a frame processing method in the station-side device.

In a PON system (Passive Optical Network System), one station side device (OLT: Optical Line Terminal) and a plurality of user side devices (ONU: Optical Network Unit) are connected via passive elements such as optical couplers. This is an optical fiber network system in the P2MP (Point To Multipoint) form (see Non-Patent Document 1).
Among these PON systems, GE-PON (Gigabit Ethernet-PON) is an economical implementation of a Gigabit class transmission system based on Ethernet (registered trademark) technology. This is one of the high-speed optical access methods standardized in June.

In the PON system, a TDM (Time Division Multiplexing) method is used for the downlink signal transmitted from the station-side device to each home-side device, in which signals for each home-side device are aligned and transmitted by broadcast. As for the upstream signal transmitted from the side apparatus to the station side apparatus, a TDMA (Time Division Multiple Access) system that transmits an optical signal at a correct timing so that the signals do not collide with each other is adopted.
Further, the upstream and downstream signals use light of different wavelengths, and the upstream and downstream signals do not collide.

  In the PON system, due to a DoS attack (Denial of Service Attack) from a malicious user, a frame is sent to the processor (frame processing unit) of the station side device at a high rate (a rate exceeding the maximum normal rate). In this case, the processor of the station-side device that has received this may be unable to perform media access control (discovery, uplink signal multiplexing control, etc.) that should be originally performed.

  Therefore, the present applicant counts received frames for each logical link, specifies a logical link (LLID) included in the frame when detecting a frame addressed to a high-rate processor, and has the specified logical link. If the reception of frames exceeds a certain amount, it has been proposed that a station-side device is determined to be a malicious source and the connection is disconnected (see Patent Document 1).

"FTTH Textbook" Co-authored by Yukihiro Fujimoto and Koichiro Seto, supervised by Yuki Aoyama, IDG Japan Co., Ltd. August 15, 2003 JP 2007-74553 A

  The station side device described in Patent Document 1 determines that it is a malicious transmission source (home side device) when the reception of a frame having the specified logical link exceeds a certain amount. Until then, the processing unit accepts a certain amount of illegal frames, which may cause an abnormal operation of the processing unit.

  In view of such circumstances, an object of the present invention is to provide a station apparatus and a frame processing method of a PON system that can prevent a communication failure due to a DoS attack while effectively taking measures against impersonation.

A station side apparatus according to the present invention (Claim 1) is a frame processing unit that is connected to a plurality of home side apparatuses via an optical fiber in a P2MP form and performs media access control using a control frame received from the home side apparatus A station device of a PON system having
A correspondence table in which both the MAC address and LLID corresponding to each home-side device are described, and a frame inspection unit that inspects the control frame before the control frame is input to the frame processing unit. The frame inspection unit discards the control frame when the MAC address and LLID included in the control frame do not match those described in the correspondence table.

  According to the above-mentioned station side device, since the frame inspection unit discards the control frame when the MAC address and LLID included in the control frame do not match those described in the correspondence table, spoofing and spoofing home side A DoS attack by a device can be effectively prevented.

In the station-side apparatus of the present invention, the frame inspection unit is one in which the control frame is a report frame, and the report frame has already been received from the home-side apparatus in the dynamic bandwidth allocation period by the frame processing unit. In this case, it is preferable that the report frame is discarded.
In this case, only the report frame received first time is passed to the frame processing unit as valid, and dynamic bandwidth allocation is performed, and subsequent report frames are ignored and never passed to the frame processing unit. Can be prevented, and a DoS attack by a malicious home-side device can be avoided.
A station-side device of this type of PON system usually includes a relay processing unit that relays a data frame received from the home-side device to a higher-order side.
Therefore, the frame inspection unit inspects the data frame before the data frame is input to the relay processing unit, and discards the data frame including an LLID other than the LLID to which the frame processing unit has assigned a bandwidth. It is preferable that it is a thing (Claim 3).
In this case, since only the data frame having the LLID to which the bandwidth is allocated is relayed and transmitted to the upper side, spoofing can be further reliably prevented.

The frame processing method of the present invention (Claim 4) is a frame processing method in which the station side device performs media access control using the control frame received from the home side device,
Before processing the control frame for media access control, it checks whether both the MAC address and LLID included in the control frame match those of the home side device, and the MAC address and LLID. Control frames other than the control frame that coincide with each other are excluded from frame processing targets.

  According to the frame processing method, if the MAC address and LLID included in the control frame do not match those of the home device, the control frame is discarded before frame processing for media access control. Spoofing and DoS attacks by spoofed home devices can be effectively prevented.

  As described above, according to the present invention, since only the control frame whose MAC address and LLID match those described in the correspondence table is frame-processed at the station side device, spoofing and DoS attack by the spoofed home side device can be prevented. It can be effectively prevented.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
[Overall system configuration]
FIG. 1 is a schematic configuration diagram of a PON system having a station side device of the present invention.
In FIG. 1, a station side device (OLT) 1 is installed in a telephone office or the like as an aggregation station for a plurality of home side devices (ONUs) 2, 2,..., And each home side device 2 has a PON system. It is installed at the subscriber's home.

One optical fiber (main line) 3 is connected to the station side apparatus 1. The optical fiber 3 is branched into a plurality of optical fibers (branch lines) 5, 5,... Via an optical coupler 4, thereby forming an optical fiber network 6.
The home-side apparatus 2 is connected to the end of each branched optical fiber 5. Further, the station side device 1 is connected to the host network 7, and each home side device 2 is connected to each user network 8.

In FIG. 1, for the sake of simplicity, a topology in which three home devices 2, 2, and 2 are connected is illustrated. However, in practice, 32 branches from one optical coupler 4 are branched. It is possible to connect the device 2.
FIG. 1 illustrates a topology with only one optical coupler 4, but by arranging a plurality of optical couplers 4 with a small number of branches in a column, home-side devices 2 distributed over a wide area. Can be connected to the station side device 1 with a short optical fiber.

In this PON system, wavelength division multiplexing (WDM) is performed by dividing the downstream optical wavelength and the upstream optical wavelength.
That is, a laser beam having a single wavelength λ1 is used for upstream communication between the station side device 1 and the home side device 24, and a laser beam having a single wavelength λ2 different from the wavelength λ1 is used for downstream communication. in use.

Accordingly, a WDM filter is provided between the media (optical fibers 3 and 5) of the PON system and the transceivers of the station side device 1 and each home side device 2, and only the wavelength component to be received is received by the receiver. The optical signal transmitted and output from the transmitter is multiplexed with the received light through the WDM filter and transmitted to the optical fibers 3 and 5.
The wavelengths λ1 and λ2 can be selected in the range of 1260 nm ≦ λ1 ≦ 1360 and 1480 nm ≦ λ2 ≦ 1500 according to Clause 60 of IEEE 802.3ah-2004.

[Basic functions of GE-PON]
The PON system of this embodiment is based on a 1 Gbps GE-PON, and the media access control for the station side device 1 and the home side device 2 is basically based on the GE-PON standard (IEEE Std 802.3ah). It is done in accordance.
Hereinafter, various basic functions on this standard will be described.

[Identification function by LLID]
In the GE-PON system, there is an RS (Reconciliation Sublayer) that acts as a mediator between the MAC (Media Access Control) layer and the physical layer, and identifies an Ethernet (registered trademark) frame between the station side device 1 and the home side device 2. Therefore, an identifier is embedded in a part of the preamble defined by the RS.

That is, in the GE-PON system, since the same downstream signal reaches all the home side devices 2 in a broadcast format, each home side device 2 determines whether or not the frame received by the home side device 2 is destined for itself and makes a selection. There is a need to do.
Therefore, in the GE-PON system, this determination is performed using an identifier called LLID (Logical Link ID). This LLID is accommodated in the preamble of the Ethernet frame as described above. Note that the value of the LLID is determined by the station-side device 1 when the home-side device 2 is registered, and the station-side device 1 manages the LLID so that duplication does not occur in the home-side device 2 under its control.

Here, in downlink communication (communication from the OLT to the ONU direction), the station-side device 1 determines which home-side device 2 transmits for each transmission frame, and transmits the LLID for the home-side device 2 to the transmission frame. Embedded in and sent to the home device 2.
The home side device 2 compares the LLID of the received frame with its own LLID notified from the station side device 1 in advance. If they match, the home side device 2 determines that the received frame is addressed and fetches the received frame. The received frame is discarded.

On the other hand, in uplink communication (communication from the ONU to the OLT direction), the home apparatus 2 embeds the LLID assigned to itself in a transmission frame and sends it to the station apparatus 1. The station-side device 1 determines which home-side device 2 has transmitted the frame based on the LLID value of the received frame.
As described above, when identification is performed using LLID, communication in the P2P (Point to Point) form is logically performed even in the GE-PON topology form that is physically P2MP (Point to Multipoint). This function is sometimes called P2PE (Point to Point Emulation).

  As an exception to P2PE, a special LLID called broadcast LLID may be defined for downlink communication. In this case, when the received frame has a broadcast LLID, the home side apparatus 2 takes in the frame unconditionally.

[Time synchronization function]
In GE-PON, in order to time-division multiplex the upstream signal of each home-side device 2, it is necessary to synchronize the time between the station-side device 1 and each home-side device 2.
Therefore, in the synchronization method proposed in the standard, the station side device 1 uses the time stamp embedded in the Kate frame issued to the home side device 2 for permission of transmission. Stay synchronized.

That is, the station side device 1 transmits the current value of the master counter of its own station to the home side device 2 as time stamp information, and the home side device 2 sets the master counter value of its own station according to the received time stamp value. It is supposed to be updated.
With this method, the home device 2 can operate in an independent synchronization method. This eliminates the need for a high-accuracy PLL required for the slave synchronization device, which can contribute to cost reduction.

[MPCP function]
In the GE-PON system, a multipoint MAC control sublayer including MPCP (Multi-point Control Protocol) which is a control protocol between the station side device 1 and the home side device 2 is adopted.
The MPCP function includes the following functions 1) to 3).

1) The station-side device 1 recognizes a plurality of home-side devices 2 connected to the PON, and performs RTT measurement and LLID assignment necessary for communication between each home-side device 2 and the station-side device 1 Discovery function to be performed 2) Uplink signal multiplexing control function for assigning a time slot to each home device 2 and multiplexing the upstream signal from each home device 2 on the time axis,
3) Time synchronization function

[Discovery function]
In the GE-PON system, when the home device 2 is connected to the PON, the station device 1 automatically finds the home device 2 and automatically assigns a communication link by giving the home device 2 an LLID. To establish. This is the discovery function.
Specifically, the station side device 1 measures RTT (Round Trip Time) with the corresponding home side device 2 during the period of P2MP discovery, and at this time, the home side device 2 Performs time synchronization with the station apparatus 1.

  The time is expressed by a counter incremented every 16 ns by the station side device 1 and each home side device 2 and is synchronized in the PON system. However, the RTT measurement and the time synchronization are periodically performed. If a time lag occurs, it is corrected as needed.

[Uplink signal multiplexing control function]
Since the GE-PON uplink signals are merged by the optical coupler 4, it is necessary to control the uplink signals from the respective home devices 2 so that they do not collide after being merged.
In the GE-PON system, the station-side device 1 serves as a control tower for the upstream signal control, and notifies each home-side device 2 of transmission permission, whereby the upstream signal from each home-side device 2 is temporally transmitted. To avoid collisions.

FIG. 2 is a sequence diagram illustrating an uplink signal multiplexing control function by the station-side device 1.
As shown in FIG. 2, when each home-side device (ONU) 2 receives upstream data from its own user network 8, it once accumulates the data in its own queue and reports the amount of data accumulated in the queue (Report ) Write the frame and send it to the station side device 1.
The station side device (OLT) 1 that has received the report frame determines the uplink data transmission amount to be allocated to the home side device 2 and the transmission start time from the data amount of the report frame and the use band of the other home side device 2. It calculates (dynamic bandwidth allocation), writes the calculated value in a Gate frame, and transmits it to the home device 2.

The home apparatus 2 that has received the gate frame transmits uplink data at a designated transmission start time in accordance with the instruction of the gate frame.
When transmitting the uplink data, the home side apparatus 2 may transmit a report frame for notifying the amount of uplink data accumulated in the queue together with the next bandwidth allocation. In the report frame, the amount of data to be sent to the station side device 1 is expressed in units of 2 bytes. In the gate frame, the transmission permission length and the transmission start time are expressed in units of 2 bytes.

  By repeating the above procedure, the station side device 1 can appropriately allocate the bandwidth while knowing the state of the upstream traffic in each home side device 2.

[Dynamic bandwidth allocation function]
The station-side device 1 of the GE-PON system uses the report frame and the gate frame to assign a use band to each subordinate home-side device 2. Is out of range.

[OAM function]
Since the GE-PON system is a kind of Ethernet (registered trademark), it has an OAM (Operations, Administration and Maintenance) function according to the Ethernet standard. Here, OAM refers to maintenance monitoring control of devices and lines in a communication network.
In the GE-PON standard (IEEE Std 802.3ah), an OAM sublayer is newly defined. In this sublayer, a frame structure of an OAM frame and a control function using this frame are defined.

In the GE-PON system, the OAM frame is used between the station-side device 1 and the home-side device 2, and main functions using the OAM frame include failure notification, loopback test, link monitoring, and the like.
However, in addition to the functions defined in the standard, the system developer can also expand the OAM functions that are lacking as necessary.

[Receiving function part of station side device]
FIG. 3 is a block diagram showing a reception function part of the station side device 1.
As shown in FIG. 3, the station side device 1 of the present embodiment has a PON side receiving unit 10, a frame inspection unit 12, and a frame processing unit 12 as receiving function parts related to reception of an upstream frame from the home side device 2. A relay processing unit 13, a higher-level transmission unit 14, and a correspondence table (hereinafter simply referred to as a correspondence table) 15 describing the correspondence between the MAC address of the home-side device 2 and the LLID.

The correspondence table 15 is stored in a temporary storage area (memory) of the station-side device 1, and the frame inspection unit 11 and the frame processing unit 12 correspond to the correspondence between the MAC address and LLID registered in the correspondence table 15, respectively. A predetermined process is performed with reference to FIG.
The PON side receiving unit 10 includes a photoelectric conversion element such as an avalanche photodiode that converts an optical signal into an electric signal, an amplifier that amplifies the converted electric signal, and a timing component (clock) in synchronization with the amplified electric signal. ) And a clock data regenerator for reproducing data, a data decoding unit for decoding the code of the reproduced data, and a frame reproducing unit for detecting a frame boundary from the decoded data and restoring an Ethernet frame Yes.

The frame inspecting unit 11 reads the header portion of the Ethernet frame restored by the PON side receiving unit 10, and the type of the frame is a data frame, a report frame, other MPCP frames, OAM frames, etc. A processing processor (CPU) having a determination function for determining whether to belong to the network and an inspection function for determining whether to discard the Ethernet frame or to pass to the frame processing unit 12 or the relay processing unit 13 based on the determination result ).
The specific processing contents performed by the frame inspection unit 11 will be described later.

The frame processing unit 12 is a processing processor (CPU) that performs the discovery, uplink signal multiplexing control, dynamic bandwidth allocation, OAM processing, and the like based on the description content of the control frame such as a report frame received from the frame inspection unit 11 It becomes more.
The frame processing unit 12 associates the LLID assigned to the home device 2 with the MAC address of the home device 2 when assigning a new LLID to the home device 2 in discovery. Register in the correspondence table 15.

  The relay processing unit 13 performs predetermined relay processing such as change of header information of the data frame received from the frame inspection unit 11 and transmission control for the upper side transmission unit 14, and the processed frame is the upper side. The data is transmitted from the transmission unit 14 to the upper network 7.

FIG. 4 is a diagram showing a format of an Ethernet frame.
This Ethernet frame has a plurality of fields, which are transmitted in order from the top of the figure. For example, the fourth field from the top is a field indicating a preamble (synchronization establishment), SFD (frame start), DA (destination address), and SA (source address) in order from the top. Next to SA, there are an Ethernet type field and an IP protocol field.

[Processing contents of the frame inspection unit]
Next, with reference to FIG. 5, the contents of frame processing performed by the frame inspection unit 11 of the station side device 1 will be described.
First, the frame inspection unit 11 starts operation by receiving an Ethernet frame from the PON side receiving unit 10 (step S1), and determines the type of the frame based on the type field included in the Ethernet frame (step S2). ).

Next, when the received frame is a data frame, the frame inspection unit 11 determines whether the frame has an LLID assumed by the frame (the LLID to which the frame processing unit 12 has allocated a band at a predetermined allocation time). Is determined based on the correspondence table 15 (step S3).
Then, if the data frame is an unexpected data frame, that is, if the data frame includes a LLID other than the LLID to which the frame processing unit 12 has assigned a band, the frame inspection unit 11 discards the frame (step S4). If the data frame is assumed, the frame is sent to the relay processing unit 13 (step S5). The data frame sent to the relay processing unit 13 is transmitted to the upper network via the upper side transmission unit 14 after being subjected to predetermined relay processing.

On the other hand, when the type of the received frame is a report frame, the frame inspection unit 11 determines whether or not the report frame has been received by the frame processing unit 12 at the current dynamic bandwidth allocation cycle. If it has been received (step S6), the report frame is discarded (step S7).
If the above-mentioned report frame is not already received by the frame processing unit 12 in the current dynamic bandwidth allocation cycle (No in step S6), that is, the report frame is the first one in the dynamic bandwidth allocation cycle. If there is, the frame inspection unit 11 further determines whether or not the LLID and MAC address included in the report frame match the combination described in the correspondence table 15 (step S8). .

The frame inspection unit 11 discards the report frame if the determination is inconsistent (step S9), and passes the report frame to the frame processing unit 12 if it matches (step S10).
Upon receiving the report frame, the frame processing unit 12 calculates the uplink data transmission amount and transmission start time described in the frame based on a predetermined dynamic band allocation algorithm, and describes the calculated value. A frame is generated, and the gate frame is transmitted from the PON side transmission unit to the home side apparatus 2.

  In addition, when the received frame is a control frame not related to dynamic bandwidth allocation, such as an MPCP frame other than an OAM frame or a report frame, the frame inspection unit 11 includes an LLID and a MAC address included in the control frame. Is matched with the combination described in the correspondence table 15 (step S11).

If the determination does not match, the frame inspection unit 11 discards the report frame (step S12), and if it matches, passes the report frame to the frame processing unit 12 (step S13).
When the control frame is an OAM frame, the frame processing unit 12 performs predetermined OAM processing such as a loopback test based on the frame, and the control frame is an MPCP frame other than the report frame, for example, for discovery In the case of the registration request frame, the frame processing unit 12 generates a discovery gate frame and transmits it to the home device 2 via the PON side transmission unit.

As described above, according to the station side device 1 of the present embodiment, the frame inspection unit 11 determines whether both the MAC address and the LLID of the home side device 2 match, and the control frame that does not match is framed. Since it is discarded before the processing unit 12, even if a control frame is received from an unauthorized home-side device 2 such as impersonation, control processing based on the control frame is not performed and communication is not established.
Therefore, even if report frames and other control frames are sent from the spoofed home device 2 many times, the control processing for the legitimate home device 2 is not delayed and a communication failure occurs due to a DoS attack. Can be prevented in advance.

  Further, according to the station side apparatus 1 of the present embodiment, the frame inspection unit 11 discards the report frame that has already been received by the frame processing unit 12 in the current dynamic band allocation cycle before the frame processing unit 12. Therefore, by receiving a plurality of report frames, useless dynamic bandwidth allocation calculation processing is not repeated, and confusion in dynamic bandwidth allocation can be prevented. Therefore, also in this respect, communication failure due to a DoS attack can be prevented in advance.

It is a schematic block diagram of the PON system which has a station side apparatus of this invention. It is a sequence diagram which shows the multiplexing control function of the upstream signal by the station side apparatus. It is a block diagram which shows the reception function part of a station side apparatus. It is a figure which shows the frame format of Ethernet (trademark). It is a flowchart which shows the processing content which a flame | frame test | inspection part performs.

Explanation of symbols

1 Station side equipment (OLT)
2 Home unit (ONU)
DESCRIPTION OF SYMBOLS 3 Optical fiber 4 Optical coupler 5 Optical fiber 6 Optical fiber network 7 Host network 8 Unit network 10 PON side receiving part 11 Frame inspection part 12 Frame processing part 13 Relay processing part 14 Upper side transmission part 15 Correspondence table

Claims (4)

A station-side device of a PON system, which is connected to a plurality of home-side devices in a P2MP form via an optical fiber and has a frame processing unit that performs media access control using a control frame received from the home-side device,
A correspondence table in which both the MAC address and LLID corresponding to each home-side device are described, and a frame inspection unit that inspects the control frame before the control frame is input to the frame processing unit. ,
The station side apparatus of the PON system, wherein the frame inspection unit discards the control frame when the MAC address and LLID included in the control frame do not match those described in the correspondence table.   The frame inspection unit discards the report frame when the control frame is a report frame and the report frame has already been received from the home side device in the dynamic bandwidth allocation period by the frame processing unit. The station apparatus of the PON system according to claim 1. A relay processing unit that relays the data frame received from the home side device to the upper side;
The frame inspection unit inspects the data frame before the data frame is input to the relay processing unit, and discards the data frame including an LLID other than the LLID to which the frame processing unit has assigned a bandwidth. The station apparatus of the PON system according to 2. A frame processing method in which a station side device performs media access control using a control frame received from a home side device,
Before processing the control frame for media access control, it checks whether both the MAC address and LLID included in the control frame match those of the home side device, and the MAC address and LLID. A frame processing method characterized in that control frames other than the control frame that coincide with each other are excluded from frame processing targets.

Images