JP2014131264A - Switching detection device, house side device, optical line encryption device, station side device, optical communication system, switching detection method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a switching detection device that is able to detect switching of an OSU at a station side device on the basis of a data frame including encrypted user data.SOLUTION: An ONU 202 functioning as a switching detection device detects switching from an OSU 12_1 to an OSU 12_N+1 performed at a station side device 101. The ONU 202 receives encrypted data and an SCI, which is a channel identifier associated with the encrypted data, from the OSU of the station side device. The switching detection device detects that the switching from the OSU 12_1 to the OSU 12_N+1 was performed at the station side device by detecting a change of the SCI.

Description

  The present invention relates to a switching detection device, a home-side device, an optical line encryption device, a station-side device, an optical communication system, a switching detection method, and a program, and in particular, a switching detection device in a communication system having a redundant configuration and a security function, and To control a home-side device, an optical line encryption device used in the station-side device, a station-side device, an optical communication system including the station-side device and the home-side device, a switching detection method in the home-side device, and the home-side device Related to the program.

  In recent years, the Internet has become widespread, and users can access various information on sites operated in various parts of the world and obtain the information. Along with this, devices capable of broadband access such as ADSL (Asymmetric Digital Subscriber Line) and FTTH (Fiber To The Home) are rapidly spreading.

  In IEEE Std 802.3ah (registered trademark) -2004 (non-patent document 1), a plurality of home side devices (ONU: Optical Network Unit) share an optical communication line, and a station side device (OLT: Optical Line Terminal). One method of a passive optical network (PON), which is a medium-sharing communication that performs data transmission with the network, is disclosed. That is, EPON (Ethernet (registered trademark) PON) in which all information is communicated in the form of an Ethernet (registered trademark) frame, including user information passing through the PON and control information for managing and operating the PON, and EPON An access control protocol (MPCP (Multi-Point Control Protocol)) and an OAM (Operations Administration and Maintenance) protocol are defined. By exchanging MPCP frames between the station side device and the home side device, the home side device joins and leaves, and uplink access multiplexing control is performed. Non-Patent Document 1 describes a registration method for a new home device, a report indicating a bandwidth allocation request, and a gate indicating a transmission instruction using an MPCP message.

  As a next-generation technology of GE-PON, which is an EPON that realizes a communication speed of 1 gigabit / second, 10G-EPON standardized as IEEE 802.3av (registered trademark) -2009, that is, a communication speed of 10 gigabit / Even in EPON equivalent to seconds, the access control protocol is predicated on MPCP.

  In PON, since an optical signal transmitted from a station side device basically reaches all subordinate ONUs, an encryption function is required to protect user data and the like. In addition, an optical function transmitted from the ONU also requires an encryption function to prevent spoofing and prevent communication contents from being exposed due to interception of reflected light. As an example of such an encryption function, for example, IEEE Std 802.1AE (registered trademark) -2006 (Non-Patent Document 2) includes a technique for encrypting user data using a SAK (Secure Association Key) or the like. It is disclosed.

  By the way, in general, in a network service for business, in order to provide a high quality service, it is essential to make a system redundant (redundant). Also, a highly reliable system can be provided by using a duplex system in an audio / video distribution service. In the redundant system, a redundant configuration is adopted in which each of the devices, components, and network has an active system and a standby system as required. When a failure occurs in a part of the operating system, it is possible to make the system stop time due to the failure as short as possible by performing redundant switching from the active system to the standby system. In this case, the ONU needs to detect that redundancy switching has been performed in the station side device.

IEEE Std 802.3ah-2004 IEEE Std 802.1AE-2006

  The station side device transmits a data frame (downlink data frame) including encrypted user data to the ONU. However, the conventional ONU cannot detect switching (for example, redundancy switching) of the optical line encryption device in the station side apparatus.

  When the encryption device is switched in the station-side apparatus, communication between the station-side apparatus and the ONU may be stopped. A longer communication suspension period results in lower communication quality.

  SUMMARY OF THE INVENTION The present invention has been made in view of the above problems, and an object of the present invention is to provide a switching detection device, a home side device, and an optical line encryption device that can detect the switching of the optical line encryption device in the station side device. An optical communication system, a switching detection method, and a program are provided.

  Another object of the present invention is to provide a station-side device, a home-side device capable of shortening the communication stop time between the station-side device and the home-side device as much as possible when the encryption device is switched in the station-side device. A side device and an optical communication system are provided.

  According to one aspect of the present invention, the switching detection device is a switching detection device for detecting switching from the encryption device of the first optical line to the encryption device of the second optical line performed in the station side device. The switch detection device receives a frame including information related to encrypted communication from the station side device, and detects a change in the state of encrypted communication using the information included in the frame, thereby the station side device Detecting means for detecting the switching at.

  According to another aspect of the present invention, the home side device detects switching from the encryption device of the first optical line to the encryption device of the second optical line performed in the station side device. The home-side device receives from the station-side device a frame including information related to encrypted communication, and detects a change in the state of the encrypted communication using the information included in the frame, whereby the station-side device Detecting means for detecting the switching at.

  According to still another aspect of the present invention, an optical line encryption device is used in a station-side device that performs optical communication with a home-side device. When the optical line encryption device functions as an active system, the optical line encryption device transmits a frame including at least one association number of a plurality of predetermined association numbers and a packet number to the home. Transmitting means for transmitting to the side device, storage means for storing the packet number of the frame including the association number and the encryption key in encrypted communication in association with each of the plurality of association numbers, and correspondence in the storage means Notification means for notifying the association number and the encryption key of the association number, encryption key and packet number stored in advance to the encryption device of the standby optical line in the station side device at a predetermined timing With.

  According to still another aspect of the present invention, the station side device includes a first optical line encryption device for performing encrypted communication with the home side device, and a second for performing encrypted communication with the home side device. And an optical line encryption device. When the home side device is linked up to the optical line to which the station side device is connected, the station side device executes a process for discovery related to encrypted communication with the home side device, while the first encryption device When switching from the first encryption device to the second encryption device, the station side device does not execute the discovery processing related to the encrypted communication with the home side device.

  According to still another aspect of the present invention, the optical communication system includes a home-side apparatus and a station-side apparatus that performs switching from the encryption device of the first optical line to the encryption device of the second optical line. The home-side device receives from the station-side device a frame including information related to encrypted communication, and detects a change in the state of the encrypted communication using the information included in the frame, whereby the station-side device Detecting means for detecting the switching at.

  According to still another aspect of the present invention, a switching detection method is provided for detecting a switching from a first optical line encryption device to a second optical line encryption device performed at a station side apparatus at a home side apparatus. Used. The switching detection method includes a step of receiving a frame including information related to encrypted communication from the station side device, and detecting a change in the state of encrypted communication using the information included in the frame. Detecting switching.

  According to still another aspect of the present invention, the program controls the switching detection device for detecting the switching from the encryption device of the first optical line to the encryption device of the second optical line performed in the station side device. . The program receives a frame including information related to encrypted communication from the station side device, and detects a change in the state of encrypted communication using the information included in the frame, thereby switching the station side device. The step of detecting is executed by the processor of the switching detection device.

  According to the present invention, it is possible to detect switching of an optical line encryption device in a station-side apparatus.

  Further, according to the present invention, when the encryption device is switched in the station-side device, the communication stop time between the station-side device and the home-side device can be shortened as much as possible.

It is a block diagram which shows schematic structure of the PON system which concerns on embodiment of this invention. It is a sequence chart for demonstrating the outline | summary of the process performed with the PON system which concerns on embodiment of this invention. It is a figure which shows the structure of OSU in a station side apparatus. It is a figure which shows the structure of ONU. It is a figure which shows the structure of the PON control part and encryption part in OSU. It is a figure for demonstrating an example of a structure of a downlink data frame. It is a figure which shows the structure of the control part and decoding part in ONU. It is a figure for demonstrating a some encryption path | route. It is a figure for demonstrating the data transfer from the active system OSU to the standby system OSU. 5 is a flowchart for explaining the flow of processing in an ONU 202. In IEEE802.1X, it is a figure explaining the procedure in the case of starting encryption communication by a certain secure channel (secure route). It is a figure for demonstrating the procedure which concerns on Embodiment 1 of this invention. 10 is a sequence chart for explaining an overview of processing according to Embodiment 2 performed in the PON system 302; It is a figure for demonstrating the frame format of an EAPOL-MKA frame defined by IEEE802.1X. It is the figure which showed the structure of Basic Parameter Set shown by FIG. 6 is a flowchart showing a flow of processing of an ONU 202 according to the second embodiment. 10 is a sequence chart for explaining an outline of processing according to Embodiment 3 performed in a PON system 302; It is a figure which shows the main structures of the decoding part 20 in ONU which concerns on Embodiment 4. FIG. It is the figure which showed the other structural example of the decoding part 20 of ONU202 which concerns on Embodiment 4. FIG. FIG. 10 is a diagram for illustrating a procedure according to the fifth embodiment. FIG. 10 is a diagram illustrating a configuration of a control unit 29 and a decoding unit 20 in an ONU 202 in the fifth embodiment. FIG. 10 is a diagram showing a configuration example of a decoding parameter management table according to the fifth embodiment. It is the figure which showed an example of registration of the key with respect to the decoding parameter management table 60b based on Embodiment 5. FIG. It is the figure which showed an example of the setting of PN in the decoding parameter management table 60b which concerns on Embodiment 5. FIG. It is the figure which showed an example of registration of the key with respect to the decoding parameter management table 60b based on Embodiment 6. FIG. It is the figure which showed an example of the setting of PN in the decoding parameter management table 6 which concerns on Embodiment 6. FIG.

[Description of Embodiment of Present Invention]
First, embodiments of the present invention will be listed and described.

  (1) According to the embodiment of the present invention, the switching detection apparatus detects the switching from the encryption device of the first optical line to the encryption device of the second optical line performed in the station side apparatus. It is. The switch detection device receives a frame including information related to encrypted communication from the station side device, and detects a change in the state of encrypted communication using the information included in the frame, thereby the station side device Detecting means for detecting the switching at.

  According to the above configuration, the switching detection device can detect switching of the encryption device of the optical line in the station side device. When the encryption device is switched, the state of the encrypted communication changes. As a result, the information related to the encrypted communication included in the frame also changes. By detecting this change, the switching detection device can detect the switching of the optical line encryption device in the station side device.

  Information related to encrypted communication is not limited to specific information. Further, the frame including the information is not limited to the frame including the encrypted data, and may be a control frame, for example.

  “Detecting a change in the state of encrypted communication using information included in the frame” is not limited to the meaning of checking the frame and detecting a change in the state of encrypted communication. For example, a frame may be used for the purpose of notifying information that changes with a change in the state of encrypted communication.

  The timing for detecting “switching in the station side device” is not limited. When switching in the station side device is scheduled, the detecting means may detect the switching in advance. Alternatively, the detecting means may detect the switching after the switching in the station side device is completed.

(2) Preferably, the information is a channel identifier.
According to said structure, based on the change of a channel identifier, it becomes possible to detect switching of an encryption device.

  (3) Preferably, the frame includes encrypted data and a channel identifier associated with the encrypted data. The detecting means detects switching in the station side device by detecting a change in the channel identifier of the frame.

  According to the above configuration, the switching detection apparatus can detect the switching of the optical line encryption device in the station side apparatus based on the data frame including the encrypted user data.

  (4) Preferably, the channel identifier includes a physical address unique to the encryption device of the optical line functioning as an operation system among the encryption device of the first optical line and the encryption device of the second optical line. The detecting means detects that the switching has been performed in the station side device by detecting a change in the physical address.

  According to the above configuration, the switching detection apparatus can detect the switching of the optical line encryption device in the station side apparatus by detecting the change of the physical address included in the channel identifier.

  (5) Preferably, the switching detection apparatus further includes storage means for storing a physical address unique to the encryption device of the first optical line and a physical address unique to the encryption device of the second optical line. The detection means is switched based on detecting that the physical address has changed from a physical address unique to the encryption device of the first optical line to a physical address unique to the encryption device of the second optical line. Detect that.

  According to the above configuration, the switching detection apparatus can detect switching of the encryption device of the optical line in the station side apparatus based on the stored physical address.

  (6) Preferably, the receiving means includes a plurality of ports including a port for receiving encrypted data and a channel identifier from an optical line encryption device functioning as an active system. The channel identifier further includes a port number used for communication of encrypted data. The detecting means detects switching based on a change in physical address for each port number.

  According to the above configuration, the switching detection apparatus can detect the switching of the optical line encryption device in the station side apparatus for each port.

  (7) Preferably, the frame is a control frame including a channel identifier. The detection means detects a change in the channel identifier by detecting a change in the channel identifier based on the control frame.

  According to the above configuration, the switching detection apparatus can detect switching of the encryption device of the optical line in the station side apparatus based on the control frame from the station side apparatus. Therefore, even when a frame containing encrypted user data does not contain a channel identifier (for example, when the security tag is a short tag), the switching detection device detects switching of the optical line encryption device in the station side device. can do.

  (8) Preferably, the switching detection apparatus acquires a channel identifier associated with each of the first cryptographic device and the second cryptographic device by a frame. The switching detection apparatus includes a first decryption unit that decrypts encrypted data based on a channel identifier corresponding to the first encryption device, and an encryption based on the channel identifier corresponding to the second encryption device. And second decoding means for decoding the processed data. The detecting means detects switching in the station side device by detecting that the decrypting means that has successfully decrypted the encrypted data changes between the first decrypting means and the second decrypting means.

  According to the above configuration, even when the frame including the encrypted user data does not include the channel identifier (for example, when the security tag is a short tag), the switching detection device can detect the optical line in the station side device. Switching between cryptographic devices can be detected.

  (9) Preferably, the information is an association number. The frame includes encrypted data and an association number. The detecting means detects that the switching has been performed in the station side device by detecting a change in the association number.

  According to the above configuration, even when the frame including the encrypted user data does not include the channel identifier (for example, when the security tag is a short tag), the switching detection device can detect the optical line in the station side device. Switching between cryptographic devices can be detected.

  (10) Preferably, the receiving means receives a frame including encrypted data, a channel identifier, and a packet number. The switching detection apparatus further includes a discarding unit that discards a frame including the packet number when the packet number does not satisfy a predetermined criterion. The discarding unit does not discard the frame regardless of the packet number of the frame including the channel identifier in which the change is detected when the detection unit detects the switching of the encryption device of the station side device.

  According to the above configuration, the switching detection device does not discard the frame including the encrypted data when detecting the switching of the optical line encryption device in the station side device. Therefore, the switching detection apparatus can efficiently perform data transmission with the station side apparatus.

  (11) Preferably, the switching detection device communicates with the station side device through a plurality of encryption paths. The discarding unit determines whether to discard the frame for each encryption path with the station side device.

  According to the above configuration, the switching detection apparatus can determine whether to discard a frame for each encryption path. Therefore, the switching detection apparatus can efficiently perform data transmission with the station side apparatus as compared with the configuration in which the frame is not discarded for each encryption path.

(12) Preferably, the above switching is redundant switching.
According to the above configuration, it is possible to detect redundancy switching of the optical line encryption device in the station side apparatus.

  (13) According to another embodiment of the present invention, the home side device detects switching from the encryption device of the first optical line to the encryption device of the second optical line performed in the station side device. The home-side device receives from the station-side device a frame including information related to encrypted communication, and detects a change in the state of the encrypted communication using the information included in the frame, whereby the station-side device Detecting means for detecting the switching at.

  According to the above configuration, the home apparatus can detect the switching of the optical line encryption device in the station apparatus. Thereby, the home side apparatus can perform the encryption communication corresponding to switching of an encryption device. Therefore, even when the encryption device is switched in the station side device, it is possible to shorten the stop time of the encrypted communication between the station side device and the home side device as much as possible.

  (14) Preferably, the information is a channel identifier. The detecting means detects switching in the station side device by detecting a change in the channel identifier. The home-side apparatus stores, as channel identifiers, a first channel identifier associated with the first optical line encryption device and a second channel identifier associated with the second optical line encryption device. Until the switching is detected by the means and the detecting means, the encrypted data from the station side device is decrypted using the first channel identifier, and when the switching is detected by the detecting means, the station side device And decryption means for decrypting the encrypted data from the second data using the second channel identifier.

  According to the above configuration, the home apparatus can select an appropriate channel identifier in accordance with the switching of the optical line encryption device in the station apparatus. As a result, the home apparatus can smoothly execute encrypted communication in response to switching of the encryption device.

  (15) Preferably, the information is an association number. The detecting means detects a change in the station number by detecting a change in the association number. The home side apparatus stores a first channel identifier associated with the encryption device of the first optical line and a second channel identifier associated with the encryption device of the second optical line, and detection Until the switching is detected by the means, the encrypted data from the station side device is decrypted using the first channel identifier, and when the switching is detected by the detection means, the encryption from the station side device is performed. And decoding means for decoding the processed data using the second channel identifier.

  According to the above configuration, even when the frame including the encrypted user data does not include the channel identifier (for example, when the security tag is a short tag), the home-side device can connect the optical line in the station-side device. An appropriate channel identifier can be selected by detecting the switching of the cryptographic device. As a result, the home apparatus can smoothly execute encrypted communication in response to switching of the encryption device. In addition, the method for a house side apparatus to acquire a 1st channel identifier and a 2nd channel identifier is not specifically limited, Arbitrary appropriate methods are employable.

  (16) Preferably, when the home-side device is linked up to the optical line to which the station-side device is connected, the home-side device and the station-side device perform discovery related to encrypted communication (typically MKA discovery). ) Is executed. On the other hand, when switching by the detecting unit is detected in the station side device, the home side device does not execute the discovery processing related to the encrypted communication with the station side device.

  According to the above configuration, even when the encryption device is switched in the station-side apparatus, it is possible to shorten the encryption communication stop time associated with the switching.

  (17) Preferably, the receiving means receives a frame including encrypted data, a channel identifier, and a packet number. The home apparatus further includes discarding means for discarding a frame including the packet number when the packet number does not satisfy a predetermined standard. The discarding unit does not discard the frame regardless of the packet number of the frame including the channel identifier in which the change is detected when the detection unit detects the switching of the encryption device of the station side device.

  According to the above configuration, the switching detection device does not discard the frame including the encrypted data when detecting the switching of the optical line encryption device in the station side device. Therefore, the switching detection apparatus can efficiently perform data transmission with the station side apparatus.

  (18) According to still another embodiment of the present invention, an optical line encryption device is used in a station-side device that performs optical communication with a home-side device. When the optical line encryption device functions as an active system, the optical line encryption device transmits a frame including at least one association number of a plurality of predetermined association numbers and a packet number to the home. Transmitting means for transmitting to the side device, storage means for storing the packet number of the frame including the association number and the encryption key in encrypted communication in association with each of the plurality of association numbers, and correspondence in the storage means Notification means for notifying the association number and the encryption key of the association number, encryption key and packet number stored in advance to the encryption device of the standby optical line in the station side device at a predetermined timing With.

  According to the above configuration, the encryption device of the optical line transmits the association key and the encryption key in the encryption key, the association number, and the packet number that are stored in association with each other in the storage unit at a predetermined timing. The encryption device of the standby optical line in the apparatus is notified. Therefore, the encryption device of the standby optical line can acquire the associated association number and encryption key from the encryption device of the active optical line.

  Further, the encryption device for the active optical line does not need to notify the packet number. Therefore, it is possible to reduce the amount of data communication between the encryption device of the active optical line and the encryption device of the standby optical line. As a result, quick switching is possible.

  (19) According to still another embodiment of the present invention, the station side device performs encrypted communication with the home side device and the first optical line encryption device for performing encrypted communication with the home side device and the home side device. And a second optical line encryption device. When the home side device is linked up to the optical line to which the station side device is connected, the station side device executes a process for discovery related to encrypted communication with the home side device, while the first encryption device When switching from the first encryption device to the second encryption device, the station side device does not execute the discovery processing related to the encrypted communication with the home side device.

  According to the above configuration, even when the encryption device is switched in the station-side apparatus, it is possible to shorten the encryption communication stop time associated with the switching.

  (20) According to still another embodiment of the present invention, an optical communication system includes a home-side apparatus, and a station-side apparatus that switches from a first optical line encryption device to a second optical line encryption device. Is provided. The home-side device receives from the station-side device a frame including information related to encrypted communication, and detects a change in the state of the encrypted communication using the information included in the frame, whereby the station-side device Detecting means for detecting the switching at.

  According to said structure, the switching detection apparatus of an optical communication system can detect switching of the encryption device of the optical line in a station side apparatus. Thereby, the home side apparatus can perform the encryption communication corresponding to switching of an encryption device. Therefore, even when the encryption device is switched in the station side device, it is possible to shorten the stop time of the encrypted communication between the station side device and the home side device as much as possible.

(21) Preferably, the information is a channel identifier.
According to said structure, based on the change of a channel identifier, it becomes possible to detect switching of an encryption device.

  (22) Preferably, the frame includes encrypted data and a channel identifier associated with the encrypted data. The detecting means detects switching in the station side device by detecting a change in the channel identifier of the frame.

  According to the above configuration, the home side apparatus can detect the switching of the optical line encryption device in the station side apparatus based on the data frame including the encrypted user data.

  (23) Preferably, the channel identifier associated with the encrypted data is a channel identifier used for encrypted communication. Before the switching from the encryption device of the first optical line to the encryption device of the second optical line is performed, the encryption device of the second optical line performs encrypted communication of the encryption device of the second optical line. The channel identifier to be used is transmitted to the home device.

  According to the above configuration, the home side apparatus can know the channel identifier of the encryption device of the standby optical line before the redundancy switching.

  (24) Preferably, the station side device transmits a physical address unique to the encryption device of the switching destination optical line to the home side device using the extended maintenance monitoring function. The home side apparatus stores a physical address unique to the encryption device of the switching destination optical line. The channel identifier includes a physical address unique to the encryption device of the optical line functioning as the operating system among the encryption device of the first optical line and the encryption device of the second optical line. The detecting means detects that the switching is performed based on the detection that the physical address has changed to a physical address unique to the encryption device of the switching destination optical line.

  According to the above configuration, the home apparatus can know the physical address of the encryption device of the standby optical line before the redundancy switching. Therefore, the home device can detect that the redundant switching to the encryption device of the second optical line has been performed based on the physical address.

  (25) Preferably, the frame is a control frame including a channel identifier. When switching from the encryption device of the first optical line to the encryption device of the second optical line occurs, the encryption device of the second optical line uses the channel used for encrypted communication of the encryption device of the second optical line. The identifier is transmitted to the home device. The detecting means of the home side device detects the switching in the station side device by detecting the change of the channel identifier based on the control frame.

  According to the above configuration, even when the frame including the encrypted user data does not include the channel identifier (for example, when the security tag is a short tag), the home-side device can connect the optical line in the station-side device. Switching between cryptographic devices can be detected.

  (26) Preferably, the frame is a control frame including a channel identifier. Before the switching from the encryption device of the first optical line to the encryption device of the second optical line is completed, the encryption device of the first optical line encrypts the encryption device of the second optical line. A control frame including a channel identifier used for communication is transmitted to the home device. The detecting means of the home side device detects the switching in the station side device by detecting the change of the channel identifier based on the control frame.

  According to the above configuration, even when the frame including the encrypted user data does not include the channel identifier (for example, when the security tag is a short tag), the home-side device can connect the optical line in the station-side device. Switching between cryptographic devices can be detected.

  (27) Preferably, the home side apparatus acquires a channel identifier associated with each of the first cryptographic device and the second cryptographic device by a frame. The home-side apparatus encrypts the first decryption means for decrypting the encrypted data based on the channel identifier corresponding to the first encryption device and the channel identifier corresponding to the second encryption device. And second decoding means for decoding the processed data. The detecting means detects switching in the station side device by detecting that the decrypting means that has successfully decrypted the encrypted data changes between the first decrypting means and the second decrypting means.

  According to the above configuration, even when the frame including the encrypted user data does not include the channel identifier (for example, when the security tag is a short tag), the home-side device can connect the optical line in the station-side device. Switching between cryptographic devices can be detected.

  (28) Preferably, the information is an association number. The frame includes encrypted data and an association number. The detecting means of the home side device detects the switching in the station side device by detecting the change of the association number.

  According to the above configuration, even when the frame including the encrypted user data does not include the channel identifier (for example, when the security tag is a short tag), the home-side device can connect the optical line in the station-side device. Switching between cryptographic devices can be detected.

  (29) When the home-side device is linked up to the optical line to which the station-side device is connected, the station-side device and the home-side device are for discovery related to encrypted communication (typically MKA discovery). Execute the process. On the other hand, when the switching is detected by the detection means, the station side device and the home side device do not execute the process for discovery discovery related to the encrypted communication.

  According to the above configuration, even when the encryption device is switched in the station-side apparatus, it is possible to shorten the encryption communication stop time associated with the switching.

  (30) Preferably, the receiving means receives a frame including encrypted data, a channel identifier, and a packet number. The home apparatus further includes discarding means for discarding a frame including the packet number when the packet number does not satisfy a predetermined standard. The discarding unit does not discard the frame regardless of the packet number of the frame including the channel identifier in which the change is detected when the detection unit detects the switching of the encryption device of the station side device.

  According to the above configuration, the switching detection device does not discard the frame including the encrypted data when detecting the switching of the optical line encryption device in the station side device. Therefore, the switching detection apparatus can efficiently perform data transmission with the station side apparatus.

  (31) According to still another embodiment of the present invention, in the switching detection method, the switching from the first optical line encryption device to the second optical line encryption device performed in the station side apparatus is performed in the home side apparatus. Used to detect. The switching detection method includes a step of receiving a frame including information related to encrypted communication from the station side device, and detecting a change in the state of encrypted communication using the information included in the frame. Detecting switching.

  According to the above configuration, the home apparatus can detect the switching of the optical line encryption device in the station apparatus.

  (32) According to still another embodiment of the present invention, the program detects switching for detecting switching from the encryption device of the first optical line to the encryption device of the second optical line performed in the station side device. Control the device. The program receives a frame including information related to encrypted communication from the station side device, and detects a change in the state of encrypted communication using the information included in the frame, thereby switching the station side device. The step of detecting is executed by the processor of the switching detection device.

  According to the above configuration, the switching detection device can detect switching of the encryption device of the optical line in the station side device.

[Details of the embodiment of the present invention]
Hereinafter, embodiments of the present invention will be described with reference to the drawings. In the drawings, the same or corresponding parts are denoted by the same reference numerals and description thereof will not be repeated.

[Embodiment 1]
<A. PON system schematic configuration>
FIG. 1 is a block diagram showing a schematic configuration of a PON system according to an embodiment of the present invention. Referring to FIG. 1, a PON system 302 includes a station-side device 101, N PON lines 203_1 to 203_N that are optical fibers, N optical couplers 204_1 to 204_N, and a plurality of home-side devices (ONUs). 202. The station apparatus 101 performs overall control of the optical line encryption device (hereinafter also referred to as OSU (Optical Subscriber Unit)) 12_1 to 12_N + 1, the concentrator 13, the optical switch 14, and the station apparatus 101. And a control unit 11. Here, N is an integer of 1 or more. In addition, a direction from the home side device to the host network (hereinafter also referred to as “uplink”) is referred to as an uplink direction, and a direction from the uplink to the home side device is referred to as a downlink direction.

  Here, in the PON system 302, each PON line corresponds to 10G-EPON which is an EPON that realizes a communication speed of 10 gigabits / second, and the uplink is Ethernet (registered) that realizes a communication speed of 10 gigabits / second. The description will be made on the assumption that it corresponds to the trademark. Further, description will be made on the assumption that ONU registration, withdrawal, bandwidth allocation to the ONU, and bandwidth request from the ONU are performed by the MPCP frame.

  The station apparatus 101 accommodates a plurality of PON lines corresponding to 10G-EPON. One or a plurality of ONUs are connected to one PON line. The station side apparatus 101 multiplexes data from these PON lines to an uplink having one or a plurality of communication lines. Further, the station side apparatus 101 distributes data from the uplink and transmits it to each ONU in each PON line. Further, the station apparatus 101 allocates the upstream band and downstream band of the PON line to each ONU. For example, the upstream optical signal from each ONU to the station apparatus 101 is a burst signal, and the downstream optical signal from the station apparatus 101 to each ONU is a continuous signal. In the PON system 302, optical signals from each ONU to the station side apparatus 101 are time-division multiplexed.

  Specifically, the station apparatus 101 is connected to N PON lines 203_1 to 203_N and terminates the N PON lines. The OSU is a structural unit of the station side apparatus 101, and terminates the PON line by, for example, one integrated circuit. In the present embodiment, each OSU is provided corresponding to a PON line, and transmits / receives a frame to / from one or more ONUs connected to the corresponding PON line. The PON lines 203_1 to 203_N are connected to the optical couplers 204_1 to 204_N, respectively, and are connected to the respective ONUs 202 through these optical couplers.

  The station side device 101 has, for example, an N: 1 redundant configuration. That is, in one aspect, out of N + 1 OSUs, N OSUs 12_1 to 12_N function as active (active) OSUs, and OSU12_N + 1 functions as a standby (standby) OSU. The station apparatus 101 may include two or more standby OSUs.

  The overall control unit 11 performs switching control for switching the OSU 12 that should transmit / receive a frame to / from the ONU 202 between the active OSU 12 and the standby OSU 12.

  The optical switch 14 switches communication paths between the N + 1 OSUs 12_1 to 12_N + 1 and the N PON lines 203-1 to 203-N in accordance with instructions from the overall control unit 11.

  The concentrator 13 transmits the uplink frame received from each ONU via the plurality of OSUs to the uplink. Specifically, the concentrator 13 multiplexes the uplink frames from the OSUs 12_1 to 12_N + 1 and transmits them to the uplink, and performs a process of distributing the downlink frames received from the uplink to appropriate OSUs.

  In the following, an OSU functioning as an active OSU is referred to as an “active OSU”, and an OSU functioning as a standby OSU is referred to as a “standby OSU”.

  In the PON system 302, user data is encrypted in order to protect user data included in the downlink data frame. Encryption of the PON system 302 is defined by IEEE 802.1AE (“Media Access Control (MAC) Security”). IEEE 802.1AE is called “MACsec”.

  In addition, IEEE 802.1AE supports Replay Protection. Replay protection can also be invalidated by configuration. “Replay Protection” is a function for preventing a playback attack (a copy attack is made by copying a frame or a processing load is increased by sending a large number of copy frames). Specifically, “Replay Protection” increases (increments) a predetermined value each time a transmission side device (OSU) transmits a downlink data frame in which a user data portion is encrypted. This is a function that allows a receiving side device (ONU) to detect an illegally copied downlink data frame and to discard the downlink data frame by giving a packet number (PN). . The criteria for determining whether or not to discard the downstream data frame will be described later.

<B. Outline of Processing in PON System 302>
FIG. 2 is a sequence chart for explaining an outline of processing performed in the PON system 302. Specifically, FIG. 2 is a diagram illustrating an aspect in which redundancy switching is performed between OSU 12_1 and OSU 12_N + 1.

  Referring to FIG. 2, in sequence SQ2, OSU 12_N + 1 starts to function as a standby OSU. In sequence SQ4, the OSU 12_1 starts to function as the active OSU. In sequence SQ6, the OUS12_1 transmits a downlink data frame to the ONU 202. Although details will be described later, the downlink data frame includes at least encrypted user data and an SCI (Secure Channel Identifier) which is a channel identifier used for encrypted communication (FIG. 6).

  In sequence SQ8, redundancy switching is performed between OSU 12_1 and OSU 12_N + 1 based on the occurrence of an event for which redundancy switching should be performed. As a result, in sequence SQ10, OSU12_N + 1 starts to function as the active OSU. In the sequence SQ12, the OSU 12_1 starts to function as the standby OSU. As a result, in the sequence SQ14, the OSU 12_N + 1 transmits a downlink data frame to the ONU 202 instead of the OSU 12_1.

  In sequence SQ <b> 16, the ONU 202 detects that the redundancy switching has been performed in the station side device 101 based on the change of the SCI included in the downlink data frame. Specifically, the ONU 202 monitors the change of the SCI in the downlink data frame, and determines that the redundancy switching has been performed in the station side device 101 when the SCI changes.

  In this way, the ONU 202 functions as a switching detection device for detecting redundant switching from the active OSU to the standby OSU performed in the station apparatus 101. The ONU 202 receives a downstream frame including encrypted data and a channel identifier (specifically, SCI) associated with the encrypted data from the station side device 101. The ONU 202 detects that the redundancy switching has been performed in the station side device 101 by detecting the change of the channel identifier. Therefore, the ONU 202 can detect redundancy switching based on a downlink data frame including encrypted user data. In this case, the ONU 202 determines that redundancy switching to the OSU 12 specified by the changed channel identifier has been performed in the station-side apparatus 101.

  Below, the concrete structure of the station | side apparatus 101 and ONU202 for implement | achieving the above processes is demonstrated. Furthermore, in the following, processes other than the above processes, which are performed by the station apparatus 101 and the ONU 202, will be described as appropriate.

<C. Configuration of OSU 12 in station apparatus 101>
FIG. 3 is a diagram showing the configuration of the OSU 12 in the station side device. Referring to FIG. 3, OSU 12 includes encryption unit 30, line concentration IF (Interface) unit 31, control IF unit 32, reception processing unit 33, transmission processing unit 34, PON transmission / reception unit 35, and PON control. The unit 36 includes a FIFO 37 that accumulates upstream frames, and a FIFO 38 that accumulates downstream frames. The PON transmission / reception unit 35 and the transmission processing unit 34 constitute a transmission unit of the OSU 12. The PON control unit 36 and the control IF unit 32 constitute a notification unit of the OSU 12.

  In the station apparatus 101, a clock for operating each unit in the OSU 12 is generated. The OSU 12 generates time information, that is, a time stamp according to the timing of this clock, and transmits / receives a frame according to the time stamp. The OSU 12 also includes a time stamp in the control frame and transmits it to each subordinate ONU 202. The ONU 202 operates according to the time stamp, and adjusts its own time stamp based on the time stamp included in the control frame from the OSU 12.

  The PON transmission / reception unit 35 is connected to one optical fiber, which is a PON line, via the optical switch 14 as a master station side starting point of the PON line. The PON transmitter / receiver 35 receives an upstream optical signal of a specific wavelength, for example, a 1310 nm band, and converts it into an electrical signal so that bidirectional communication can be performed with each ONU via the optical fiber, and then converts it into an electrical signal. In addition to outputting, the electrical signal received from the transmission processing unit 34 is converted into a downstream optical signal of another wavelength and transmitted. For example, the PON transmission / reception unit 35 converts a 10 Gbps electrical signal received from the transmission processing unit 34 into a downstream optical signal in the 1570 nm band and transmits the converted signal.

  The reception processing unit 33 reconstructs a frame from the electrical signal received from the PON transmission / reception unit 35 and distributes the frame to the PON control unit 36 or the FIFO 37 according to the type of the frame. Specifically, the data frame is output to the FIFO 37 and the control frame is output to the PON control unit 36.

  Further, the reception processing unit 33 may receive grant information indicating when to receive a frame from which logical link from the transmission processing unit 34 and output a control signal for supporting burst reception to the PON transmission / reception unit 35. Good. Further, the reception processing unit 33 may receive this grant information and filter, that is, discard, a received frame that is not indicated in the grant information.

  The concentrating IF unit 31 outputs the upstream frame received from the FIFO 37 to the concentrating unit 13. When receiving the control frame from the PON control unit 36, the concentration IF unit 31 outputs the control frame to the concentration unit 13 with priority over the frame from the FIFO 37 between the frame sequences from the FIFO 37.

  Further, when receiving the frame from the line concentrator 13, the line concentrator IF 31 outputs it to the FIFO 38 when the frame is a normal data frame, and outputs it to the PON controller 36 when the frame is a control frame. To do.

  The encryption unit 30 encrypts the data frame received from the FIFO 38. The encryption unit 30 outputs the encrypted data frame and the control frame received from the PON control unit 36 to the transmission processing unit 34.

  The transmission processing unit 34 receives the data frame and the control frame output from the encryption unit 30 according to the priority order, and outputs them to the PON transmission / reception unit 35.

  The PON control unit 36 performs station-side processing related to control and management of the PON line such as MPCP and OAM. In other words, by exchanging MPCP messages and OAM messages with each ONU connected to the PON line, including ONU registration, leaving, and uplink access control including bandwidth allocation, downlink access control, and sleep instruction to the ONU Manages ONU operations.

  For example, the PON control unit 36 allocates the upstream bandwidth in the PON line to each ONU 202 based on the upstream bandwidth allocation request in the PON line received from each ONU 202. Specifically, the PON control unit 36 allocates a bandwidth in the PON line to the ONU 202 based on a report frame indicating a bandwidth allocation request in the PON line received from the ONU 202, that is, transmits a gate frame in which a grant is written to the ONU 202. To do. The PON control unit 36 notifies the ONU 202 of the transmission start timing and the transmittable data length to the ONU 202 using the gate frame.

  Based on an instruction from the overall control unit 11, the control IF unit 32 performs settings in the concentrating IF unit 31, the reception processing unit 33, the transmission processing unit 34, and the PON control unit 36, and sets the status of each unit as a whole. Notify the control unit 11. Further, when an abnormality occurs in each of these units, the state of the unit in which the abnormality has occurred is notified to the overall control unit 11 without depending on an instruction from the overall control unit 11. The overall control unit 11 performs redundant switching of the OSU 12 based on such information, for example. Setting and status notification for the PON transceiver 35 are performed via the reception processor 33. The setting and status notification for the encryption unit 30 is performed via the PON control unit 36.

<D. Configuration of ONU 202>
FIG. 4 is a diagram showing the configuration of the ONU 202. Referring to FIG. 4, the ONU 202 includes a decoding unit 20, a PON port 21, an optical reception processing unit 22, a buffer memory 23, a transmission processing unit 24, a UNI (User Network Interface) port 25, and a reception process. Unit 26, buffer memory 27, optical transmission processing unit 28, and control unit 29. The PON port 21 and the optical reception processing unit 22 constitute a reception unit.

  The receiving unit receives various frames transmitted from the station side device 101. For example, the receiving unit receives a frame including encrypted data obtained by encrypting user data and a secure tag of the encrypted data. More specifically, the PON port 21 receives a downstream optical signal transmitted from the station side device 101. The optical reception processing unit 22 converts the downstream optical signal received via the PON port 21 into an electrical signal, reconstructs a frame from the electrical signal, and outputs the frame.

  The decoding unit 20 decodes the frame received from the optical reception processing unit 22. The decoding unit 20 distributes the frame to the control unit 29 or the transmission processing unit 24 according to the type of frame. Specifically, the decoding unit 20 outputs the decoded data frame to the transmission processing unit 24 via the buffer memory 23, and outputs the control frame received from the optical reception processing unit 22 to the control unit 29.

  The transmission processing unit 24 transmits the data frame received from the decoding unit 20 to a user terminal such as a personal computer (not shown) via the UNI port 25.

  The reception processing unit 26 outputs the data frame received from the user terminal via the UNI port 25 to the optical transmission processing unit 28 via the buffer memory 27.

  The control unit 29 performs home-side processing related to control and management of the PON line such as MPCP, OAM, and MKA. That is, various controls such as access control are performed by exchanging MPCP messages, OAM messages, and MKA messages with the station side apparatus 101 connected to the PON line. The control unit 29 generates a control frame including various control information and outputs it to the optical transmission processing unit 28 via the buffer memory 27.

  The optical transmission processing unit 28 converts the data frame received from the reception processing unit 26 and the control frame received from the control unit 29 into an optical signal, and transmits the optical signal to the station apparatus 101 via the PON port 21.

<E. Configuration of Main Part of OSU 12 in Station-side Device 101>
FIG. 5 is a diagram illustrating the configuration of the PON control unit 36 and the encryption unit 30 in the OSU 12. Referring to FIG. 5, PON control unit 36 includes a frame creation unit 71, a key update unit 72, an SCI creation unit 73, and a switching processing unit 74. The encryption unit 30 includes a frame type identification unit 61, a storage unit 62, an encryptor 63, a multiplexer 64, a key selection unit 65, and an SCI selection unit 66.

  Part or all of the units in the PON control unit 36 and the encryption unit 30 are realized by, for example, one integrated circuit as the station-side control unit. This integrated circuit may further include units other than the PON control unit 36 and the encryption unit 30 in the OSU 12. The storage unit 62 may be included in the PON control unit 36, or the storage area may be divided and included in the encryption unit 30 and the PON control unit 36.

  In the encryption unit 30, the storage unit 62 stores an encryption key that is an encryption key used before redundant switching between the active OSU and the standby OSU. More specifically, the storage unit 62 stores encryption information such as the key management table 70 and SCI for each logical link identifier (LLID). In this embodiment, since LLID is used as a port number to be described later, it can be said that the storage unit 62 is configured to store encryption information such as the key management table 70 and SCI for each port number.

  In the PON control unit 36, the key update unit 72 acquires an encryption key necessary for encrypted communication with each ONU 202 under its own OSU 12, for example, for each LLID, and stores the acquired encryption key in the storage unit 62. To do. Note that not only one ONU 202 corresponds to one LLID, but one ONU 202 may correspond to a plurality of LLIDs.

  More specifically, the key update unit 72 creates a key management table 70 indicating a correspondence relationship between a secure communication identification number (Secure Association Number) and an encryption key such as SAK for each LLID, and stores it in the storage unit 62. To do. In the key management table 70, a protected communication identification number (AN), an encryption key such as SAK, and a packet number (PN) are registered.

  Here, the protected communication identification number is, for example, an association number (AN) in Non-Patent Document 2. The association number is 2-bit data, and it is possible to register protected communication corresponding to four different keys for one LLID.

  Further, the present invention can be applied not only when the key is a unicast key but also when the key is a broadcast key and a multicast key.

  The SCI creation unit 73 creates channel information based on the identification information of the own OSU 12 and the identification information of the ONU 202 that is the transmission destination of the frame. For example, the SCI creation unit 73 creates an SCI (Secure Channel Identifier) in Non-Patent Document 2 as channel information.

  The SCI is composed of a system identifier and a port number. Specifically, the system identifier is a MAC (Medium Access Control) address (unique physical address) unique in the world of the encryption source of the frame, and the port number is a number that is not duplicated in the system, for example, LLID. The SCI creation unit 73 creates an SCI for each LLID and stores it in the storage unit 62.

  The frame creation unit 71 creates and outputs control frames such as MPCP frames such as gate frames, OAM frames, extended MAC frames, and MKA frames.

  In the encryption unit 30, the frame type identification unit 61 confirms the contents of the type field in the frame received from the FIFO 38 and the frame creation unit 71 and determines the frame to be encrypted. Specifically, for example, the frame type identification unit 61 outputs a data frame to the encryptor 63 and outputs a control frame to the multiplexer 64.

  The encryptor 63 encrypts the user data included in the data frame received from the frame type identifying unit 61 using an encryption key and SCI according to a method described in Non-Patent Document 2, for example.

  The multiplexer 64 multiplexes the data frame encrypted by the encryptor 63 and the control frame received from the frame type identification unit 61 and outputs the multiplexed data frame to the transmission processing unit 34.

  In the PON control unit 36, the switching processing unit 74 displays, for example, switching control information indicating the timing of OSU redundancy switching and whether the own OSU 12 is a switching source or a switching destination via the control IF unit 32. Get from. In the switching source OSU 12, the switching control information further includes the MAC address of the switching destination OSU 12. Then, the switching processing unit 74 outputs the switching control information to the key selection unit 65, the SCI selection unit 66, the encryptor 63, and the frame creation unit 71.

  The frame creation unit 71 in the switching source OSU 12 generates a control frame for notifying the MAC address indicated by the switching control information received from the switching processing unit 74 and destined for the ONU 202 in communication with its own OSU 12. The data is output to the type identification unit 61. This control frame is, for example, an MKA frame or an extended OAM frame.

  Based on the switching control information received from the switching processing unit 74, the key selection unit 65 in the switching destination OSU 12 selects an association number to be included in the data frame, and selects an encryption key corresponding to the selected association number for key management. Obtained from the table 70, the association number and the encryption key are output to the encryptor 63.

  The SCI selection unit 66 selects an association number to be included in the data frame based on the switching control information received from the switching processing unit 74, acquires the SCI corresponding to the selected association number from the key management table 70, and The association number and the SCI are output to the encryptor 63.

<F. Downlink data frame configuration>
FIG. 6 is a diagram for explaining an example of a configuration of a downlink data frame. FIG. 6A shows an Ethernet frame format before applying MACsec. FIG. 6B is a diagram showing an Ethernet frame format after applying MACsec. That is, FIG. 6B is a diagram showing the format of the downlink data frame. More specifically, FIG. 6B is a diagram for explaining the format of the secure tag in the downlink data frame. FIG. 6C is a diagram for mainly explaining the configuration of the SCI.

  Referring to FIG. 6A, in the Ether frame format before applying MACsec, a field into which a transmission destination address (DA) is inserted, a field into which a transmission source address (SA) is inserted, and user data are inserted. Field.

  Referring to FIG. 6B, in the downlink data frame, a field into which a transmission destination address (DA) is inserted, a field into which a transmission source address (SA) is inserted, and a security tag (secure tag) are inserted. A field into which encrypted data obtained by encrypting user data is inserted, and a field into which ICV (Integrity Check Value) is inserted.

  The secure tag includes a field in which MACsec Ethertype is inserted, a field in which TCI (TAG control information) is inserted, a field in which SL (Short length) is inserted, and a field in which AN (Association Number) is inserted. And a field into which a PN (Packet Number) is inserted and a field into which the SCI is inserted.

  MACsec Ethertype is a 2-octet field indicating that MACsec is used. The TCI is a 6-bit field including a V bit indicating the MACsec version, an SC bit indicating the presence of the SCI field, an E bit indicating the presence / absence of encryption, and the like. AN is a 2-bit field for identifying SA in the same SC. That is, the SC is composed of a maximum of four SAs.

  In SL, when the length of encrypted data (secure data) is less than 48 octets, the length (octet) is entered. In the case of 48 octets or more, 0 is entered in SL. The PN is a 4-octet field in which a unique ID for identifying a packet transmitted with the same SA is entered. The SCI is an 8-octet field that exists when the SC bit of the TCI is 1. The SCI is used to identify the SC.

  When the E bit of the TCI field is 1, user data is encrypted. DA, SA, secure tag, and encrypted data are within the range of message authentication.

  Referring to FIG. 5 again, the encryptor 63 sets the association number received from the key selection unit 65 or the SCI selection unit 66 and the SCI received from the SCI selection unit 66 in the security tag, and the packet number in the security tag. Set. In addition, the encryptor 63 encrypts the user data included in the data frame received from the frame type identification unit 61 using the encryption key received from the key selection unit 65 and the SCI received from the SCI selection unit 66.

  The encryptor 63 performs an operation of transmitting a tag (long tag) including the SCI as a secure tag in addition to the association number (AN) and the packet number (PN).

  Referring to FIG. 6C, SAI (Secure Association Number) includes SCI and AN. As described above, the SCI includes a system identifier (System Identifier) and a port number (Port Number). The field into which the system identifier is inserted is a 6-octet field. The field into which the port number is inserted is a 2 octet field.

  Although details will be described later in the present embodiment, the home unit (ONU) 202 only detects that the redundancy switching has been performed in the station side device 101 by detecting a change in the SCI in the control frame. Rather, it is detected that the redundancy switching has been performed in the station side device 101 by detecting the change of the SCI in the downlink data frame.

  The MAC address is different for each OSU 12 (each encryption device). The MAC address is a component of SCI. When redundancy switching occurs between the active OSU and the standby OSU, the SCI in the downlink data frame changes. Therefore, the ONU 202 can detect that the redundancy switching has been performed in the station side device 101 by detecting the change of the SCI in the downlink data frame.

<G. Configuration of Main Parts of ONU 202>
FIG. 7 is a diagram illustrating the configuration of the control unit 29 and the decoding unit 20 in the ONU 202. Referring to FIG. 7, decoding unit 20 includes a decoder 51, a storage unit 52, an SCI selection unit 53, a key selection unit 54, an association number extraction unit 55, and a frame type identification unit 57. The control unit 29 includes a key update unit 81, an SCI creation unit 82, a switching processing unit 83, a MAC address update unit 84, a control frame processing unit 85, and a data frame processing unit 86. The data frame processing unit 86 includes a redundancy switching detection unit 861 and a data frame discarding unit 862.

  A part or all of the units in the control unit 29 and the decoding unit 20 are realized by, for example, one integrated circuit as a home-side control unit. This integrated circuit may further include units other than the control unit 29 and the decoding unit 20 in the ONU 202. The storage unit 52 may be included in the control unit 29, or the storage area may be divided and included in the control unit 29 and the decoding unit 20.

  In the decryption unit 20, the storage unit 52 stores a decryption key that is a decryption key used before redundant switching between the active OSU and the standby OSU. More specifically, the storage unit 52 stores encryption information such as a key management table 60, a port number, and a switching destination MAC address. Here, the “switching destination MAC address” is the MAC address d1 of the active OSU and the MAC address d2 of the standby OSU.

  In the control unit 29, the key update unit 81 acquires a decryption key necessary for encrypted communication with the OSU 12 and stores the acquired decryption key in the storage unit 52.

  The SCI creation unit 82 creates channel information based on the identification information of its own ONU 202 and the identification information of the OSU 12 that is the encryption source of the frame. For example, the SCI creation unit 82 creates an SCI (Secure Channel Identifier) in Non-Patent Document 2 as channel information and stores it in the storage unit 52. In this case, as described above, the identification information of the own ONU 202 is the LLID, and the identification information of the OSU 12 that is the encryption source of the frame is the MAC address.

  The key update unit 81 and the SCI creation unit 82 create a key management table 60 indicating the correspondence between the protected communication identification number, the decryption key such as SAK, and the SCI, and store the key management table 60 in the storage unit 52. For example, the key management table 60 includes a protected communication identification number (AN), an encryption key such as SAK, a packet number (PN), and an SCI used before redundant switching between the active OSU and the standby OSU. Is registered.

  In the decoding unit 20, the frame type identification unit 57 confirms the contents of the type field in the frame received from the optical reception processing unit 22 and determines the frame to be decoded. Specifically, for example, the frame type identification unit 57 outputs the data frame to the data frame processing unit 86 and the association number extraction unit 55, and outputs the control frame to the control unit 29.

  Although the details will be described later, the data frame processing unit 86 performs processing based on the content of the secure tag in the downstream data frame. The data frame processing unit 86 outputs a downlink data frame that satisfies a predetermined criterion to the decoder 51. The “predetermined standard” will be described later.

  The decryptor 51 decrypts the user data included in the data frame received from the data frame processing unit 86 using the decryption key and the SCI, for example, according to the method described in Non-Patent Document 2, and outputs the decrypted data to the buffer memory 23. .

  More specifically, the decryptor 51 refers to the key management table 60 by the key selection unit 54 to obtain a decryption key corresponding to the protected communication identification number extracted by the association number extraction unit 55. The decrypted key is used for decrypting the data frame.

  More specifically, the association number extraction unit 55 extracts the association number included in the data frame received from the frame type identification unit 57 and outputs the extracted association number to the SCI selection unit 53 and the key selection unit 54. Further, the association number extraction unit 55 detects a change in the association number in the security tag of the data frame, and notifies the switching processing unit 83 of the detection result.

  The key selection unit 54 acquires the decryption key corresponding to the association number received from the association number extraction unit 55 from the key management table 60, and outputs the association number and the decryption key to the decoder 51.

  The SCI selection unit 53 acquires the SCI corresponding to the association number received from the association number extraction unit 55 from the key management table 60, and outputs the association number and the SCI to the decoder 51.

  The decoder 51 uses the decryption key received from the key selection unit 54 and the SCI received from the SCI selection unit 53 to decode the user data included in the data frame received from the frame type identification unit 57, and the buffer memory 23. Output to.

  In the control unit 29, the control frame processing unit 85 analyzes the control frame received from the frame type identification unit 57, and performs various controls such as access control based on the analysis result.

  When the MAC address update unit 84 receives a notification of the MAC address of the switching destination OSU 12 from the OSU 12 communicating with its own ONU 202 via the control frame processing unit 85, the MAC address in the storage unit 52 is notified of the MAC address notified. Rewrite to

(G1: detection of redundant switching by the switching processing unit 83)
The switching processing unit 83 detects OSU redundancy switching by various methods. For example, the switching processing unit 83 detects OSU redundancy switching based on information received from the control frame processing unit 85 or the optical reception processing unit 22.

  Specifically, the optical reception processing unit 22 notifies the switching processing unit 83 of a loss of signal (LoS), that is, when the ONU 202 cannot detect a downstream optical signal transmitted from the station side device 101 for a predetermined time or more. To do. Upon receiving this notification, the switching processing unit 83 determines that OSU redundancy switching has occurred. That is, the switching processing unit 83 detects the interruption of the downstream optical signal from the station side device 101 as the occurrence of redundant switching.

  Further, the switching processing unit 83 detects the occurrence of redundant switching based on the difference between the time stamp from the OSU 12 and the time stamp of its own ONU 202.

  More specifically, the control frame processing unit 85 monitors the time stamp value of the MPCP frame received from the OSU 12, and if the difference between the time stamp value and the time stamp value of its own ONU 202 exceeds a predetermined threshold value, The switching processing unit 83 is notified that time stamp drift has occurred. The switching processing unit 83 receives a notification that a time stamp drift has occurred from the control frame processing unit 85, and determines that OSU redundancy switching has occurred.

  Further, the MAC address of the transmitting MAC device, that is, the OSU 12 is stored in the transmission source address field of the downlink control frame transmitted by the OSU 12. Since different MAC devices cannot use the same MAC address, the value of the source address field changes before and after OSU redundancy switching.

  Therefore, the switching processing unit 83 detects a change in the transmission source address of the control frame from the station side device 101 as the occurrence of OSU redundancy switching.

  More specifically, when receiving a notification from the control frame processing unit 85 that the transmission source address of the PON control frame has changed, the switching processing unit 83 determines that OSU redundancy switching has occurred.

  As a result, even when LoS cannot be detected, or even when the time stamp deviation of the control frame is small before and after redundancy switching, the switching processing unit 83 can detect the occurrence of OSU redundancy switching.

  However, with these methods, it is not possible to accurately detect which cipher frame is switched between which cipher frame. Therefore, in this embodiment, a redundancy switching detection unit 861 is provided.

(G2. Redundancy switching detection by the redundancy switching detection unit 861)
Hereinafter, processing of the redundancy switching detection unit 861 in the data frame processing unit 86 will be described. In order to simplify the description, description will be given focusing on one encryption path (secure path) between the OSU 12 and the ONU 202.

  The redundancy switching detection unit 861 detects that the redundancy switching has been performed in the station side device 101 by detecting a change in the channel identifier in the SCI. Specifically, since the channel identifier includes a MAC address that is a physical address unique to the OSU functioning as the active OSU, the redundancy switching detection unit 861 detects the change in the MAC address, thereby performing redundancy switching. It detects what has been done in the station apparatus 101.

  More specifically, the ONU 202 stores the MAC address of the active OSU and the MAC address of the standby OSU in advance, and the redundancy switching detection unit 861 determines the MAC address of the standby OSU from the MAC address of the active OSU 12. Based on detecting that the address has been changed, it is detected that redundancy switching has been performed.

  As described above, the ONU 202 detects the occurrence of redundancy switching by detecting a change in a channel identifier (channel identifier used for encrypted communication) associated with encrypted data obtained by encrypting user data. . Specifically, the ONU 202 detects the occurrence of redundancy switching by detecting a change in SCI included in the downlink data frame. More specifically, the ONU 202 detects the occurrence of redundancy switching by detecting a change in the system identifier included in the SCI. More specifically, since a MAC address is used as a system identifier in the PON system 302, the ONU 202 detects the occurrence of redundant switching by detecting a change in the MAC address included in the SCI.

(G3. Data frame discarding by the data frame discarding unit 862)
Hereinafter, processing in the data frame discarding unit 862 in the data frame processing unit 86 will be described. The data frame discarding unit 862 executes the “Replay Protection” described above. Further, “predetermined reference” means that “the packet number of the received downlink data frame is not smaller than the packet number of the downlink data frame received immediately before” by a threshold value or more. In other words, the “predetermined criterion” means that the difference (absolute value) between the packet number and the packet number of the downlink data frame received immediately before the downlink data frame including the packet number is equal to or less than the threshold value. Say.

(1) Principle rule of discard processing The data frame discarding unit 862 determines that the packet number of the received downlink data frame F_new is smaller than the threshold by a packet number of the downlink data frame F_old received immediately before the downlink data frame F_new. The downstream data frame F_new is discarded. For example, when the threshold is “10” and the packet number of the downlink data frame F_old received immediately before is “100”, the data frame discarding unit 862 determines that the packet number of the received downlink data frame F_new is “90” or less. The downstream data frame F_new is discarded. In other words, the data frame discarding unit 862 selects the latest downlink data frame when the received downlink data frame does not satisfy a predetermined standard in relation to the downlink data frame received immediately before the downlink data frame. Discard.

  In this way, the data frame discarding unit 862 discards the downlink data frame including the packet number when the packet number does not satisfy the predetermined standard.

(2) Exception rule for disposal (allowance of PN jump due to redundancy switching)
The data frame discarding unit 862 discards the downlink data frame first transmitted from the OSU 12 newly functioning as the active OSU 12 regardless of the packet number when redundancy switching is performed in the station side device 101. Not subject to That is, when a change in the MAC address is detected, the data frame discarding unit 862 does not discard the downlink data frame regardless of the packet number of the downlink data frame including the MAC address where the change is detected. In other words, the data frame discarding unit 862 disables “Replay Protection” and prevents the downstream data frame from being discarded when redundancy switching occurs in the station side device 101. The reason why such processing is performed is that, when redundancy switching is performed, the packet number of the downlink data frame before and after the redundancy switching may greatly change (jump).

  However, when the downlink data frame including the SCI in which the change is detected is not discarded, the data frame discarding unit 862 selects the downlink data frame received next after the downlink data frame received next to the downlink data frame. Whether or not to discard the packet is determined based on the difference between the packet number and the packet number of the downlink data frame including the SCI in which the change is detected. That is, the data frame discarding unit 862 does not allow PN jumps unless further redundancy switching is performed.

<H. Processing per port>
In the description of the redundancy switching detection process and the data frame discarding process performed by the redundancy switching detection unit 861, the description has been given focusing on one encryption path in order to simplify the description. Below, the case where the said detection process and discard process are applied to a some encryption path | route is demonstrated.

  Each of the OSU 12 and the ONU 202 has a plurality of ports as described above. That is, the OSU 12 and the ONU 202 have a plurality of encryption paths in order to communicate with each other. For example, the OSU 12 and the ONU 202 have an encryption path for performing unicast communication and an encryption path for performing multicast communication.

  FIG. 8 is a diagram for explaining a plurality of encryption paths. Referring to FIG. 8, each of the active OSU 12 and the standby OSU has a unicast communication port 1201 and a multicast communication port 1202. The ONU 202 has a port 2021 for unicast communication and a port 2022 for multicast communication.

  The encryption path 401A is an encryption path for unicast communication constituted by a unicast communication port 1201 of the active OSU 12 and a unicast communication port 2021 of the ONU 202. The encryption path 402A is a multicast communication encryption path composed of a multicast communication port 1202 of the active OSU 12, and the ONU 202 is a multicast communication port 2022.

  When the redundancy switching is performed and the standby OSU 12 in FIG. 8 is switched to the active OSU, the encryption path 401B is used for unicast communication, and the encryption path 402B is used for multicast communication.

  The ONU 202 unicast communication port 2021 and multicast communication port 2022 receive the downlink data frame transmitted from the active OSU 12. The ONU 201 performs the above-described redundancy switching detection process by the redundancy switching detection unit 861 and the data frame discarding process by the data frame discarding unit 862 for each encryption path. This will be specifically described below.

  The SCI includes the port number as described above (FIG. 6C). Therefore, when the ONU 202 receives the downlink data frame, the redundancy switching detection unit 861 monitors not only the change of the MAC address (that is, the change of the system identifier) included in the downlink data frame but also the port number.

  For each port number, the redundancy switching detection unit 861 performs detection of redundancy switching based on the change of the MAC address and the above-described downlink data frame discarding process. This is due to the following reason. In the PON system 302, as described above, there are an encryption path for unicast communication and an encryption path for multicast communication. For this reason, when redundancy switching is performed in the station-side apparatus 101, the ONU 202 cannot distinguish the encrypted path only by detecting a change in the MAC address. However, the ONU 202 can distinguish ports 2021 and 2022 (in this case, ports on the decoding side) by port numbers. Therefore, the redundancy switching detection unit 861 of the ONU 202 can detect the redundancy switching of the encryption source device (that is, the OSU 12) for each of the decryption ports 2021 and 2022 by monitoring the change of the MAC address for each port number.

  FIG. 9 is a diagram for explaining data transfer from the active OSU to the standby OSU. Referring to FIG. 9, the notification unit (PON control unit 36 and control IF unit 32) of active OSU 12 determines the AN and the key management table 70 described in FIG. 5 for each port number (that is, for each LLID). The key is transferred to the standby OSU 12. For example, the active OSU 12 transfers the key management table 70 to the standby OSU 12 when the key management table 70 of the active OSU 12 is updated. Note that the transfer timing is not particularly limited. As described above, the active OSU 12 stores the AN and the key among the AN, the key, and the PN stored in association with each other in the key management table 70 of the storage unit 62 at a predetermined timing. The standby OSU 12 at 101 is notified. That is, the active OSU 12 does not notify the standby OSU 12 about the PN.

  The standby OSU 12 updates the key management table 70 stored in advance using the AN and key for each port number received from the active OSU 12 for each port number. That is, the standby OSU 12 takes over the encryption with the AN key used by the active OSU 12 immediately before the redundancy switching. Note that when the standby OSU 12 switches to the active OSU 12, the PN uses an arbitrary value. This is because the standby OSU 12 does not need to take over the PN from the active OSU 12 because the ONU 202 allows the PN jump associated with redundancy switching as described above.

  As a result, even when redundancy switching from the active OSU 12 to the standby OSU 12 is performed, since the AN and key have already been transferred to the standby OSU 12, rapid redundancy switching can be performed. Further, since the standby OSU 12 does not need to take over the PN, the time required for the redundancy switching can be shortened compared to the case where the PN is taken over.

<I. Control structure in ONU 202>
FIG. 10 is a flowchart for explaining the flow of processing in the ONU 202. Referring to FIG. 10, in step S2, ONU 202 determines whether or not a downlink data frame has been received. If the ONU 202 determines that it has been received (YES in step S2), it determines in step S4 whether the port number included in the downlink data frame is the number of its own port. If the ONU 202 determines that it has not been received (NO in step S2), the process returns to step S2.

  If the ONU 202 determines that it is the number of its own port (YES in step S4), whether or not the AN in the secure tag has been changed in the comparison with the downlink data frame addressed to its own port received last time in step S6. Determine whether. When the ONU 202 determines that it is not the number of its own port (NO in step S4), the process proceeds to step S20.

  When the ONU 202 determines that the AN has been changed (YES in step S6), the ONU 202 updates the PN using the PN included in the received downlink data frame in step S14. In step S16, the ONU 202 performs a decryption process using a key (SAK) associated with a new AN (changed AN).

  When the ONU 202 determines that the AN has not been changed (NO in step S6), the ONU 202 determines whether there is a change in the system identifier in step S8. Specifically, in step S8, the ONU 202 detects whether or not there is a change in the MAC address in comparison with the downlink data frame addressed to the own port received last time. That is, the ONU 202 determines whether or not redundancy switching has been performed in the station side device 101 based on the system identifier (MAC address in the present embodiment) included in the SCI of the downlink data frame.

  When the ONU 202 detects a change in the system identifier (YES in step S8), the ONU 202 updates the PN using the PN included in the received downlink data frame in step S10. In step S12, the ONU 202 decodes the downlink frame data.

  If the ONU 202 does not detect a change in system identifier (NO in step S8), the ONU 202 is included in the received downlink data frame to determine whether or not to discard the received downlink frame data in step S18. It is determined whether the PN is appropriate in relation to the PN included in the downlink data frame received last time. That is, in step S18, it is determined whether or not the PN included in the received downlink data frame satisfies the above-described predetermined criterion.

  When the ONU 202 determines that it is appropriate (YES in step S18), the process proceeds to step S10. If the ONU 202 determines that it is not appropriate (NO in step S18), the ONU 202 detects that a Replay Attack has been detected, and discards the received downlink data frame in step S20. In this case, the downlink data frame is not sent to the decoder 51.

  As described above, if there is a change in the system identifier, the ONU 202 assumes that redundancy switching has been performed in the station side device 101 and has already stored the PN without determining whether or not the PN satisfies a predetermined criterion. The received PN is updated using the PN of the received downlink data frame. On the other hand, if there is no change in the system identifier, the ONU 202 determines that the received downlink data frame is a frame such as impersonation, and discards the downlink data frame by the replay protection.

  FIG. 11 is a diagram for explaining a procedure for starting encrypted communication on a certain secure channel (secure route) in IEEE 802.1X. For comparison with the first embodiment, the same reference numerals as those in FIG. 2 are used as the reference numerals for indicating the sequences. Referring to FIG. 11, first, discovery (MKA Discovery) for finding a partner to perform secure communication on the channel is performed using the identifier (SCI) of the secure channel. Using the SCI, a key is distributed from the station side device to the ONU, and then encrypted communication is started.

  More specifically, first, the ONU is connected to the PON line (links up). The OSU 12_1 executes MKA Discovery and finds a communication partner, that is, the ONU 202, using the SCI of a certain secure channel (this is referred to as “SCI_1”). That is, discovery is executed by the OSU 12_1 and the ONU 202.

  Next, the OSU 12_1 distributes a key (referred to as “Key_1”) to the ONU 202 using the SCI (SCI_1). Thus, encrypted communication is started, and the ONU 202 can decrypt the data encrypted in the OSU 12_1.

  Due to the redundancy switching, the OSU 12_N + 1 starts to function as the active OSU. In this case, the OSU 12_1 starts to function as a standby OSU. The encryption device is also switched by switching the OSU.

  In the standard (IEEE 802.1X), the switched cryptographic device (OSU12_N + 1) executes MKA Discovery and finds a communication partner, that is, the ONU 202, using the new secure channel SCI (this is referred to as “SCI_2”). . That is, discovery is executed by the OSU 12_N + 1 and the ONU 202.

  The OSU 12_N + 1 distributes a key (referred to as “Key_2”) to the ONU 202 using the SCI (SCI_2). As a result, encrypted communication is started, and the ONU 202 can decrypt the data encrypted in the OSU 12_N + 1.

  However, after the OSU redundancy switching, the MKA Discovery and the key distribution are performed, so that the encrypted communication is temporarily stopped. When the period during which communication is stopped becomes longer, a problem of communication quality degradation occurs.

  FIG. 12 is a diagram for explaining the procedure according to the first embodiment of the present invention. Referring to FIG. 12, in the first embodiment, the ONU holds the SCI used after redundancy switching. When the encryption device is switched in the station side device, the decryption can be started immediately using the key used in the secure channel before switching and the SCI after switching prepared in advance.

  According to the first embodiment, when an ONU is connected to a PON line (linked up), discovery is performed between the OSU and the ONU, and the channel identifier is switched even if the channel identifier is switched after redundancy switching. Do not perform discovery associated with. Therefore, according to the first embodiment, the encryption communication stop period due to redundancy switching of the station side device is shortened. Therefore, communication quality can be improved. Note that such control of the station side device may be executed by, for example, the PON control unit 36 of the OSU 12 or may be executed by the overall control unit 11 of the station side device 101.

<J. Modification>
(J1) The OSU 12 may be configured to notify the ONU 202 of the identifier (SCI) used for the encrypted communication of the standby OSU 12 before the redundant switching to the standby OSU 12. That is, the PON system 302 may be configured such that the standby OSU 12 directly sets a channel identifier (SCI) used for encrypted communication to the ONU 202.

  Specifically, before the redundant switching from the active OSU 12 to the standby OSU is performed, the standby OSU 12 transmits a channel identifier (SCI) used for encrypted communication of the standby OSU 12 to the ONU 202. The PON system 302 may be configured.

  (J2) The station-side apparatus 101 may be configured to transmit the MAC address of the standby OSU 12 to the ONU 202 using EAPOL-MKA or extended OAM (extended maintenance monitoring function). In this case, the ONU 202 may store the MAC address of the standby OSU 12 sent from the station side device 101.

  (J3) The redundancy switching detection unit 861 may be formed into a chip, and the redundancy switching detection unit 861 may function as a switching detection device that detects redundancy switching in the station side device 101 instead of the ONU 202. Alternatively, the data frame processing unit 86 may be formed as a chip so that the data frame processing unit 86 functions as a switching detection device instead of the ONU 202. That is, the switching detection device may be a single device or a collection of a plurality of devices included in the ONU 202 instead of the entire ONU 202.

  (J4) In the above description, the presence / absence of occurrence of redundant switching is detected based on the change in the MAC address. However, if the ONU 202 is a value based on the MAC address (for example, the MAC address and LLID), the presence / absence of occurrence of redundant switching is detected. Can be detected.

  (J5) In the above description, the detection of redundant switching from the active OSU 12 to the standby OSU 12 has been described as an example, but the present invention is not limited to this. The above-described processes can be applied to switching from one OSU 12 to another OSU 12 that occurs in addition to redundant switching.

  Examples of such switching other than redundancy switching include switching for distributing communication paths for load leveling during service, and switching for collecting communication paths for power saving during service. It is done. That is, switching other than redundant switching occurs when increasing or decreasing the number of activated MAC chips due to the amount of communication.

  (J6) In the above description, the case where the optical line encryption device is an OSU has been described as an example. However, the present invention is not limited to this. The encryption device for the optical line may be a MAC chip mounted (incorporated) in the OSU, not the OSU itself. Further, in the case of an OSU including a plurality of MAC chips and a configuration in which the plurality of MAC chips share the same optical transceiver, the switching method described above is also applied to switching between the plurality of MAC chips. it can.

  Next, another embodiment of the present invention will be described. The schematic configuration of the PON system is the same as the configuration shown in FIG. The configuration of the OSU 12 in the station side device 101 is the same as the configuration shown in FIG. Furthermore, the configuration of the ONU 202 is the same as the configuration shown in FIG. Therefore, in the following, detailed description of the configurations of the PON system, the station side device (including the OSU), and the home side device will not be repeated.

  Similarly to the first embodiment, in the following embodiment, when the ONU is connected to the PON line (link-up), discovery is executed between the station side device and the ONU. Even when the channel identifier is switched, discovery associated with the switching of the channel identifier is not executed between the station apparatus 101 and the ONU 202. Therefore, according to the following embodiment, since the suspension period of the encrypted communication accompanying the redundancy switching of the station side device is shortened, the communication quality can be improved.

  Furthermore, also in the following embodiments, the detection process and the frame discard process described in “<H. Processing for Each Port>” can be applied to a plurality of encryption paths. However, in order to simplify the description, the following description will be given focusing on one encryption path.

[Embodiment 2]
When the security tag (Sec TAG) attached to the encryption frame is a long tag, the security tag includes SCI. In the first embodiment, it is possible to detect the switching of the encryption device in the station side device by detecting the switching of the SCI included in the security tag.

  Security tags include AN and PN (see FIG. 6), but SCI is optional. Accordingly, there is a possibility that a security tag (short tag) that does not include the SCI is attached to the encryption frame.

  When the short tag is selected, the SCI cannot be discriminated directly from the encryption frame. In the second embodiment, even in such a case, the ONU can detect the switching of the encryption device in the station side device. Hereinafter, detection of the switching of the cryptographic device according to the second embodiment will be described in detail. The other points of the ONU 202 are the same as those of the first embodiment. For example, the description of “<G. Configuration of essential parts of the ONU 202>” can be applied, and therefore, detailed description thereof will not be repeated.

  FIG. 13 is a sequence chart for explaining an outline of the processing according to the second embodiment performed in the PON system 302. Referring to FIG. 13, the process according to the second embodiment is different from the process according to the first embodiment (see FIG. 12) in that sequences SQ13 and SQ13A are added.

  The switching destination OSU (OSU12_N + 1) transmits an EAPOL-MKA frame to the ONU 202 in sequence SQ13. The EAPOL-MKA frame is a security control frame defined by IEEE 802.1X. The ONU 202 receives the EAPOL-MKA frame from the switching destination OSU (OSU12_N + 1). In the sequence SQ13A, the ONU 202 detects that the cipher device has been switched in the station side device 101 based on the change of the SCI included in the EAPOL-MKA frame. In sequence SQ14, the OSU 12_N + 1 transmits a downlink data frame to the ONU 202 instead of the OSU 12_1.

  In the second embodiment, as in the first embodiment, the same key is used before and after the encryption device is switched. Further, in both the station side apparatus 101 and the ONU 202, the information before switching of the cryptographic device is taken over for information other than the SCI. Therefore, according to the second embodiment, it is possible to shorten the period during which encrypted communication is stopped due to redundant switching of the station side device, so that communication quality can be improved.

  FIG. 14 is a diagram for explaining the frame format of the EAPOL-MKA frame defined by IEEE 802.1X. Referring to FIG. 14, the MAC address of the PON control device is entered in the MAC SA field. It is also possible to use a MAC address different from the MAC address of the PON control device as the SCI System ID. In this case, however, it is appropriate that the MAC address of the PON control device is entered in the MAC SA field.

  Packet Body is a variable-length field, and can store a plurality of parameter sets (Parameter Set). Here, Basic Parameter is an essential parameter set.

  FIG. 15 is a diagram showing the structure of the Basic Parameter Set shown in FIG. Referring to FIG. 15, Basic Parameter Set includes an SCI field in which SCI is stored.

  FIG. 16 is a flowchart showing a process flow of the ONU 202 according to the second embodiment. In FIG. 16, processing relating to detection of SCI switching will be described in particular. Referring to FIG. 16, in step S22, ONU 202 determines whether an EAPOL-MKA frame has been received. When the ONU 202 determines that an EAPOL-MKA frame has been received (YES in step S22), it detects a change in system identifier in step S24. When determining that the EAPOL-MKA frame has not been received (NO in step S22), the ONU 202 returns the process to step S22.

  In step S26, the ONU 202 determines whether or not a downlink data frame has been received. When determining that the downlink data frame has been received (YES in step S26), the ONU 202 updates the PN using the PN included in the received downlink data frame in step S28. On the other hand, when determining that the downlink data frame has not been received (NO in step S26), the ONU 202 returns the process to step S26. In step S30, the ONU 202 decodes the downlink frame data.

  As described above, according to the second embodiment, even when the security tag (Sec TAG) attached to the encryption frame is a short tag, the ONU 202 detects the switching of the SCI by the EAPOL-MKA frame. Thereby, the ONU 202 can detect the switching of the encryption device in the station side device.

[Embodiment 3]
In the third embodiment, as in the second embodiment, an EAPOL-MKA frame is transmitted from the station side device to the ONU. However, the third embodiment differs from the second embodiment in terms of the timing at which the EAPOL-MKA frame is transmitted. The other points of the ONU 202 are the same as those of the first embodiment. For example, the description of “<G. Configuration of essential parts of the ONU 202>” can be applied, and therefore, detailed description thereof will not be repeated.

  FIG. 17 is a sequence chart for explaining the outline of the processing according to the third embodiment performed in the PON system 302. Referring to FIG. 13 and FIG. 17, the process according to the third embodiment is different from the process according to the second embodiment in that a process of sequence SQ7 is added instead of the process of sequence SQ13.

  Sequence SQ7 shows processing executed before redundancy switching (sequence SQ8). In sequence SQ7, the switching source OSU (OSU12_1) transmits the EAPOL-MKA frame to the ONU 202. The EAPOL-MKA frame includes SCI used after OSU redundancy switching. In sequence SQ13A, the ONU 202 receives the EAPOL-MKA frame, and acquires the SCI used after the encryption device is switched.

  The EAPOL-MKA frame is transmitted to the ONU 202 prior to the encryption device switching at the station side device 101. Therefore, the ONU 202 can detect the switching of the encryption device in the station side apparatus 101 by receiving the EAPOL-MKA frame. The ONU 202 can detect the switching of the cryptographic device if the switching of the cryptographic device has occurred, and may be performed before the switching of the cryptographic device, during the switching of the cryptographic device, or after the switching of the cryptographic device. .

  In the third embodiment, the same key is used before and after the encryption device switching, as in the first and second embodiments. Further, in both the station side apparatus 101 and the ONU 202, the information before switching of the cryptographic device is taken over for information other than the SCI. Therefore, according to the third embodiment, it is possible to shorten the suspension period of the encrypted communication that accompanies the redundant switching of the station side device, so that the communication quality can be improved.

  In the second and third embodiments, the ONU 202 detects the switching of the encryption device based on the EAPOL-MKA frame sent from the station side device. However, the frame used for detecting the switching of the cryptographic device is not limited to the EAPOL-MKA frame. The station apparatus may transmit an arbitrary PON control frame whose MAC SA matches the MAC address of the encryption device. When the MAC SA included in the PON control frame matches the MAC address of the switching destination cryptographic device that is a part of the SCI, the ONU may detect the switching of the cryptographic device in the station side apparatus. The transmission timing of the PON control frame may be before the OSU (encryption device) is switched or after the OSU (encryption device) is switched.

[Embodiment 4]
In the fourth embodiment, similar to the second and third embodiments, even when a security tag (short tag) that does not include the SCI is attached to the encryption frame, the ONU 202 switches the encryption device in the station side device. Can be detected.

  FIG. 18 is a diagram illustrating a main configuration of the decoding unit 20 in the ONU according to the fourth embodiment. Referring to FIG. 18, decryption unit 20 includes decoders 51_1 and 51_2, storage unit 52, SCI selection units 53_1 and 53_2, key selection unit 54, and selector 58.

  A frame including encrypted data (shown as “encrypted frame” in FIG. 18) is input to both the decryptor 51_1 and the decryptor 51_2. The decryptor 51_1 decrypts the cipher frame using the SCI selected by the SCI selection unit 53_1 (referred to as SCI_1) and the key (Key_1) selected by the key selection unit 54. The decryptor 51_2 decrypts the cipher frame using the SCI (referred to as SCI_2) selected by the SCI selection unit 53_2 and the key (Key_1) selected by the key selection unit 54.

  The storage unit 52 stores a parameter management table 60a in advance. The parameter management table 60a includes a decryption key Key_1 for decrypting an encryption frame, an SCI (SCI_1) associated with the switching source encryption device, and an SCI (SCI_2) associated with the switching destination encryption device. Stored. These SCIs are included in a frame sent in advance from the station side apparatus 101, for example. The ONU 202 can acquire the SCI by receiving the frame.

  The SCI selection unit 53_1 selects SCI_1 from the parameter management table 60a, and transmits SCI_1 to the decoder 51_1. The SCI selection unit 53_2 selects SCI_2 from the parameter management table 60a, and transmits SCI_2 to the decoder 51_2.

  The selector 58 transfers, to the buffer memory, the plaintext frame output from the decoder that has successfully decrypted the encrypted frame among the decoders 51_1 and 51_2. In order to select the plaintext data from the decoder that has been successfully decrypted, for example, each of the decryptors 51_1 and 51_2 may send a signal indicating whether or not the decryption of the encrypted frame has been successful to the selector 58. The operation of the selector 58 indicates the change of the decoder that has successfully decrypted the encrypted frame. Therefore, the selector 58 realizes a function of detecting the switching of the encryption device in the station side device 101.

  Note that the selector 58 is not limited to receiving signals from the decoders 51_1 and 51_2 directly. FIG. 19 is a diagram illustrating another configuration example of the decoding unit 20 of the ONU 202 according to the fourth embodiment. As shown in FIG. 19, a control unit 59 for controlling the selector 58 may be provided in the decoding unit 20. The control unit 59 controls the selector 58 in response to a signal indicating whether or not the decoding is successful from each of the decoders 51_1 and 51_2. In this configuration, the control unit 59 realizes a function of detecting switching of the encryption device in the station side apparatus 101.

  Further, instead of the control unit 59, the control unit 29 (see FIG. 4) of the ONU 202 receives a signal indicating whether or not the decoding is successful from each of the decoders 51_1 and 51_2, and controls the selector 58. Also good. In this case, the control unit 29 realizes a function of detecting the switching of the encryption device in the station side apparatus 101.

  In the configuration shown in FIGS. 18 and 19, the decoders 53_1 and 53_2 are provided in parallel, and the encrypted frame is duplicated. However, the decryptors 53_1 and 53_2 may be arranged in series so that the encryption frame is not duplicated. Since the other points of the ONU 202 are the same as those of the first, second, and third embodiments, the following description will not be repeated.

  In the fourth embodiment, the same key is used before and after the encryption device switching, as in the first to third embodiments. Further, in both the station side apparatus 101 and the ONU 202, the information before switching of the cryptographic device is taken over for information other than the SCI. Therefore, according to the fourth embodiment, the communication stop time can be shortened due to the redundant switching of the station side device, so that the communication quality can be improved.

[Embodiment 5]
In the fifth embodiment, as in the second to fourth embodiments, even when a security tag (short tag) that does not include the SCI is attached to the encryption frame, the ONU 202 switches the encryption device in the station side device. Can be detected. Since the points other than those described below are the same as those in the first embodiment, detailed description thereof will not be repeated.

  FIG. 20 is a diagram for explaining the procedure according to the fifth embodiment. 2 and 20, in the fifth embodiment, in sequence SQ16, ONU 202 changes the association number (AN shown in FIG. 6B) included in the encryption frame transmitted from station side apparatus 101. By detecting this, switching of the encryption device is detected. In this respect, the fifth embodiment is different from the first embodiment.

  The ONU 202 identifies the key (SAK) to be used for decryption of the encrypted frame and the lower limit value of the PN to be assigned to the frame (the value obtained by subtracting the threshold from the PN of the previously received frame) by the AN of the SEC TAG. To do. Replay protection is not applied across ANs.

  Therefore, if the AN is changed before and after the encryption device is switched, it is possible to avoid discarding the frame by the replay protection (see “(1) Principle rule of discard processing” in the first embodiment). The reason is that the lower limit value of the PN to be attached to the frame is not set for the encryption frame received by the ONU 202 first after the AN is renewed.

  Here, according to IEEE 802.1AE, the security relationship (the relationship between members performing protected communication) is maintained without interruption while performing key exchange. This security relationship is established when a security relationship (secure association) protected by one key is replaced without interruption by key exchange. The number that identifies each secure association that forms this seamless security relationship is AN. That is, AN is a number for identifying a security relationship in a period during which a certain key is used.

  Therefore, according to IEEE 802.1AE, it is synonymous with switching an AN and exchanging keys. However, when the key is exchanged, a period for stopping the encrypted communication occurs. On the other hand, in this embodiment, the AN is changed but the key is not exchanged. Therefore, smooth encrypted communication can be continued.

  Next, the fifth embodiment will be specifically described. FIG. 21 is a diagram illustrating configurations of the control unit 29 and the decoding unit 20 in the ONU 202 according to the fifth embodiment. Referring to FIG. 21, decoding unit 20 is different from the configuration shown in FIG. 7 in that it further includes a PN selecting unit 56. The storage unit 52 stores a decoding parameter management table 60b. The configuration of the decryption parameter management table 60b is basically the same as the configuration of the key management table 60 shown in FIG.

  The control unit 29 is different from the configuration shown in FIG. 7 in that it further includes a PN setting unit 87. The PN setting unit 87 sets a PN value in the decryption parameter management table 60b.

  FIG. 22 is a diagram illustrating a configuration example of a decoding parameter management table according to the fifth embodiment. Referring to FIGS. 21 and 22, the decryption parameter management table 60b is a table for managing AN, key (encryption key), minimum allowable PN, and SCI. When the ONU 202 receives the encryption frame (see FIG. 6B), the ONU 202 acquires the value of the AN stored in the Sec TAG of the received encryption frame. For example, the association number extraction unit 55 extracts the AN value from the encryption frame. The key selection unit 54 refers to the decryption parameter management table 60b and acquires a key associated with the AN acquired by the association number extraction unit 55. Further, the PN selection unit 56 refers to the decryption parameter management table 60b, and acquires the PN (minimum allowable PN) associated with the acquired AN by the association number extraction unit 55.

  In addition, when using a short tag for a security tag (Sec TAG), SCI used for decoding is also acquired from this table. On the other hand, when a long tag is used for SecTAG, the value of SCI in SecTAG can be used for decoding.

  FIG. 23 is a diagram showing an example of key registration for the decryption parameter management table 60b according to the fifth embodiment. Referring to FIG. 23, when ONU 202 is distributed with a key from station side apparatus 101, ONU 202 (for example, key update unit 81 of control unit 29) sets the same key for the next AN.

  When a short tag is used for the Sec TAG, the SCI field in the designated AN row of the decryption parameter management table 60b stores the SCI stored in the control frame for key distribution (for example, the EAPOL-MKA frame). The value of is registered. The SCI value prepared in advance, that is, the SCI after switching of the cryptographic device is registered in the SCI column of the next AN row. As a method for preparing the SCI after switching of the cryptographic device, for example, any method of the methods in the first to third embodiments can be used.

  FIG. 23 shows a state where the key Key_1 is distributed to the ONU 202 by specifying AN = 0 from the OSU of the station side device as an example. In this case, the SCI value included in the control frame (for example, the EAPOL-MKA frame) for distribution of the key Key_1 is registered in the SCI column of the row of AN = 0. The SCI value prepared in advance is registered in the SCI field of the next AN (AN = 1) line.

  For example, when AN = 3 is designated, the key and the SCI are registered in the line AN = 3 and the line AN = 0.

  Next, the switching source OSU (for example, OSU 12_1) of the station side apparatus 101 sets the AN of the frame encrypted using the key Key_1 to 0, and transmits the encrypted frame to the ONU 202. The ONU 202 receives the encryption frame from the station side device 101 and confirms the PN. At this time, the ONU 202 updates the PN column of the decryption parameter management table 60b as necessary.

  FIG. 24 is a diagram showing an example of PN setting in the decoding parameter management table 60b according to the fifth embodiment. Referring to FIG. 24, for example, assume that ONU 202 receives an encryption frame with PN = 1000 and the threshold is 100. In this case, the ONU 202 (for example, the PN setting unit 87) sets 900 (= 1000-100) in the PN column of the row of AN = 0.

  Assume that the ONU 202 has received an encryption frame of PN = 100 with the decryption parameter management table 60b registered as shown in FIG. In this case, the ONU executes Replay Protection, and discards the frame (encrypted frame of PN = 100) according to “(1) Principle of discarding process” (see Embodiment 1). In this case, the value of the PN registered in the decryption parameter management table 60b is not updated.

  Next, redundant switching of OSU occurs in the station side device 101 (see sequence SQ8 in FIG. 20). The switching destination OSU (for example, OSU12_N + 1) takes over Key_1 and encrypts the frame. The value of AN stored in the Sec TAG of the encryption frame is set to 1. The switching destination OSU transmits the encrypted frame to the ONU 202.

  The ONU 202 can decrypt the encrypted frame using a key (for example, Key_1) and SCI (in the case of a short tag) registered in the decryption parameter management table 60b. Further, since the minimum allowable PN (the lower limit value of PN) is initially set to 0, no frame is discarded by the replay protection. Therefore, according to the fifth embodiment, as in the first to fourth embodiments, smooth encrypted communication can be continued even if the encryption device is switched.

  Note that the OSU to be switched to may start the PN value of the encryption frame from 1 or an appropriate value other than 1. For example, the switching destination OSU may take over an appropriate value of PN from the switching source OSU. For example, the PN before the FIFO 38 of the switching source OSU (the queue for storing downstream frames shown in FIG. 3) becomes empty may be taken over by the switching destination OSU. The PN value taken over by the switching destination OSU is not an accurate value because it is a value before the queue for storing the downstream frames becomes empty. However, since the switching destination OSU changes the AN, the frame discarding by the replay protection in the ONU is not performed. In addition, before the queue for storing the downstream frames becomes empty, the switching source OSU can notify the switching destination OSU of the PN value. Therefore, the time required for switching can be shortened compared to the case where the PN value is notified to the switching destination OSU after waiting for the queue to become empty in the switching source OSU. That is, smooth redundancy switching is possible. Thereby, since the communication stop time accompanying switching of the encryption device can be further shortened, higher quality communication can be realized.

  Further, by starting the PN value from an appropriate value as described above, it is possible to improve the safety of communication. According to IEEE 802.1AE, a threshold is set for the number of frames to be encrypted with the same key in order to ensure safety. Therefore, the number of frames encrypted with one key may be managed by the PN value. If the PN exceeds the threshold, the station side device 101 may distribute the next key to the ONU 202. In this embodiment, the switching destination OSU takes over from the switching source OSU. Therefore, the switching destination OSU takes over the PN of an appropriate size from the switching source OSU (for example, the value before the queue for storing the downstream frames is emptied), so that the switching destination OSU However, the next new key can be distributed to the ONU 202 at roughly the right time.

[Embodiment 6]
In the sixth embodiment, as in the second to fifth embodiments, even when a security tag (short tag) that does not include the SCI is attached to the encryption frame, the ONU 202 switches the encryption device in the station side device. Can be detected. Specifically, as in the fifth embodiment, in the sixth embodiment, the ONU 202 detects the change of the association number (AN) included in the encryption frame transmitted from the station side apparatus 101, thereby Switching is detected (see FIG. 20).

  In the fifth embodiment, the switching destination OSU takes over the key for encryption from the switching source OSU, but does not take over the SCI. In the sixth embodiment, the switching destination OSU does not inherit both the encryption key and the SCI from the switching source OSU. In this respect, the sixth embodiment is different from the fifth embodiment. Since the points other than those described below are the same as those in the first embodiment, detailed description thereof will not be repeated.

  The configurations of the control unit 29 and the decoding unit 20 in the ONU 202 are the same as those shown in FIG. Furthermore, with respect to the configuration of the decoding parameter management table 60b, the configuration shown in FIG. 22 can be adopted in the sixth embodiment. Also in the sixth embodiment, when a short tag is used for the security tag (SecTAG), the SCI used for decryption is also acquired from this table. On the other hand, when a long tag is used for SecTAG, the value of SCI in SecTAG can be used for decoding.

  FIG. 25 is a diagram showing an example of key registration for the decryption parameter management table 60b according to the sixth embodiment. Referring to FIG. 25, when ONU 202 is distributed a key from station side apparatus 101, ONU 202 (for example, key update unit 81 of control unit 29) sends a key (Key_2) prepared in advance to the next AN by an appropriate method. ) Is set. The key Key_2 may be, for example, a key obtained by bit-inverting the key distributed from the station side device 101.

  When a short tag is used for the Sec TAG, the SCI field in the designated AN row of the decryption parameter management table 60b stores the SCI stored in the control frame for key distribution (for example, the EAPOL-MKA frame). The value of is registered. The SCI value prepared in advance, that is, the SCI after switching of the cryptographic device is registered in the SCI column of the next AN row. As a method for preparing the SCI after switching of the cryptographic device, for example, any method of the methods in the first to third embodiments can be used.

  FIG. 25 shows a state in which the key Key_1 is distributed to the ONU 202 by specifying AN = 0 from the OSU of the station side device as an example. In this case, the SCI value included in the control frame (for example, the EAPOL-MKA frame) for distribution of the key Key_1 is registered in the SCI column of the row of AN = 0. Key_2 is registered in the key column of the next AN (AN = 1) row. The key Key_2 is, for example, a key obtained by bit-inverting the key Key_1. The SCI value prepared in advance is registered in the SCI column in the row of AN = 1.

  Next, the switching source OSU (for example, OSU 12_1) of the station side apparatus 101 sets the AN of the frame encrypted using the key Key_1 to 0, and transmits the encrypted frame to the ONU 202. The ONU 202 receives the encryption frame from the station side device 101 and confirms the PN. At this time, the ONU 202 updates the PN column of the decryption parameter management table 60b as necessary.

  FIG. 26 is a diagram showing an example of PN settings in the decryption parameter management table 60b according to the sixth embodiment. Referring to FIG. 26, for example, assume that ONU 202 receives an encryption frame with PN = 1000 and the threshold is 100. In this case, the ONU 202 (for example, the PN setting unit 87) sets 900 (= 1000-100) in the PN column of the row of AN = 0.

  Next, redundant switching of OSU occurs in the station side device 101 (see sequence SQ8 in FIG. 20). The switching destination OSU (for example, OSU12_N + 1) uses Key_2 to encrypt the frame. The value of AN stored in the Sec TAG of the encryption frame is set to 1. The switching destination OSU transmits the encrypted frame to the ONU 202.

  The ONU 202 can decrypt the encrypted frame using a key (for example, Key_2) and SCI (in the case of a short tag) registered in the decryption parameter management table 60b. Further, since the minimum allowable PN (the lower limit value of PN) is initially set to 0, no frame is discarded by the replay protection. Therefore, according to the sixth embodiment, as in the first to fifth embodiments, smooth encrypted communication can be continued even when the encryption device is switched.

  As in the fifth embodiment, the switching destination OSU may start the PN value of the encryption frame from 1 or an appropriate value other than 1. When starting the PN value of the encryption frame from an appropriate value other than 1, for example, the switching destination OSU may take over the appropriate PN value from the switching source OSU. As an example, the PN before the FIFO 38 of the switching source OSU (the queue for storing downstream frames shown in FIG. 3) becomes empty may be taken over by the switching destination OSU. Also in this case, the time required for switching can be shortened compared to the case where the PN value is notified to the switching destination OSU after waiting for the queue to become empty in the switching source OSU. That is, smooth redundancy switching is possible. Thereby, since the communication stop time accompanying switching of the encryption device can be further shortened, higher quality communication can be realized.

  Furthermore, communication safety can be improved by starting the PN value from an appropriate value. In the sixth embodiment, a key prepared in advance and not based on formal key exchange is used. Therefore, the PN value is set to a larger value in the OSU, and the number of frames to be encrypted is limited so that the number of frames encrypted with the key is reduced before the next key exchange. May be. As a result, the OSU that is the switching destination can perform more secure encrypted communication with the ONU 202.

  Note that the switching detection device according to the embodiment of the present invention is not limited to that realized by a dedicated hardware device. The function of the switching detection device may be realized by installing a program from the outside in a memory and having the computer read the program from the memory and execute it. In this case, the program may include, for example, each step of the flowchart of FIG. 10 and each step of the flowchart of FIG. Alternatively, the program may include a step of executing the process of sequence SQ16 shown in FIG. 20, for example.

  The embodiment disclosed this time is an exemplification, and the present invention is not limited to the above contents. The scope of the present invention is defined by the terms of the claims, and is intended to include any modifications within the scope and meaning equivalent to the terms of the claims.

  DESCRIPTION OF SYMBOLS 11 Overall control part, 12 OSU, 13 Concentration part, 14 Optical switch, 20 Decoding part, 21 PON port, 25 UNI port, 22 Optical reception process part, 23, 27 Buffer memory, 24, 34 Transmission process part, 26, 33 Reception processing unit, 28 optical transmission processing unit, 29, 36, 59 control unit, 30 encryption unit, 31 concentrator IF unit, 32 control IF unit, 35 transmission / reception unit, 51, 51_1, 51_2 decoder, 52, 62 storage unit, 53, 66 SCI selection unit, 54, 65 Key selection unit, 55 Association number extraction unit, 56 PN selection unit, 57, 61 Frame type identification unit, 58 selector, 60, 70 Key management table, 60a Parameter management table, 60b Decryption parameter management table, 63 encryptor, 64 multiplexer, 71 frame creation unit 72, 81 Key update unit, 73, 82 SCI creation unit, 74, 83 switching processing unit, 84 address update unit, 85 control frame processing unit, 86 data frame processing unit, 87 PN setting unit, 101 station side device, 202 ONU , 203 PON line, 204 optical coupler, 302 PON system, 401A, 401B, 402A, 402B encryption path, 861 redundancy switching detection unit, 862 data frame discard unit, 1201, 2021 unicast communication port, 1202, 2022 multicast A port for communication.

Claims (32)

A switching detection device for detecting switching from a first optical line encryption device to a second optical line encryption device performed in a station side device,
Receiving means for receiving a frame containing information related to encrypted communication from the station side device;
A switching detection apparatus comprising: a detecting unit configured to detect the switching in the station side apparatus by detecting a change in the state of the encrypted communication using the information included in the frame.   The switching detection apparatus according to claim 1, wherein the information is a channel identifier. The frame includes encrypted data and the channel identifier associated with the encrypted data;
The switching detection apparatus according to claim 2, wherein the detection unit detects the switching in the station-side apparatus by detecting a change in the channel identifier of the frame. The channel identifier includes a physical address unique to the encryption device of the optical line functioning as an operating system among the encryption device of the first optical line and the encryption device of the second optical line,
The switching detection device according to claim 2 or 3, wherein the detection unit detects that the switching has been performed in the station side device by detecting a change in the physical address. Storage means for storing a physical address unique to the cryptographic device of the first optical line and a physical address unique to the cryptographic device of the second optical line;
The detecting means is based on detecting that the physical address has changed from a physical address unique to the cryptographic device of the first optical line to a physical address unique to the cryptographic device of the second optical line. The switching detection apparatus according to claim 4, wherein the switching detection apparatus detects that switching has been performed. The receiving means includes a plurality of ports including a port for receiving the encrypted data and the channel identifier from an optical line encryption device functioning as the operation system,
The channel identifier further includes a port number used for communication of the encrypted data,
The switching detection apparatus according to claim 4, wherein the detection unit detects the switching based on a change in the physical address for each port number. The frame is a control frame including the channel identifier;
The switching detection apparatus according to claim 2, wherein the detection unit detects the switching in the station side apparatus by detecting a change in the channel identifier based on the control frame. The switching detection device includes:
Obtaining the channel identifier associated with each of the first cryptographic device and the second cryptographic device by the frame;
First decryption means for decrypting the encrypted data based on a channel identifier corresponding to the first encryption device;
Second decryption means for decrypting the encrypted data based on a channel identifier corresponding to the second encryption device;
The detecting means detects in the station side apparatus by detecting that a decoding means that has successfully decoded the encrypted data changes between the first decoding means and the second decoding means. The switching detection device according to claim 2, wherein the switching is detected. The information is an association number;
The frame includes encrypted data and the association number;
The switching detection apparatus according to claim 1, wherein the detection unit detects the switching in the station-side apparatus by detecting a change in the association number. The receiving means receives a frame including the encrypted data and a packet number;
The switching detection device further includes a discarding unit that discards a frame including the packet number when the packet number does not satisfy a predetermined criterion,
The discarding unit does not discard the frame regardless of a packet number of a frame including a channel identifier in which the change is detected when the switching of the station side device is detected by the detecting unit. The switching detection apparatus according to any one of claims 1 to 9. The switching detection device communicates with the station side device through a plurality of encrypted paths,
The switching detection apparatus according to claim 10, wherein the discarding unit determines whether to discard the frame for each encryption path with the station-side apparatus.   The switching detection apparatus according to claim 1, wherein the switching is redundant switching. A home-side device that detects switching from a first optical line encryption device to a second optical line encryption device performed in a station-side device;
Receiving means for receiving a frame containing information related to encrypted communication from the station side device;
A home-side apparatus comprising: a detecting unit that detects the change in the station-side apparatus by detecting a change in the state of the encrypted communication using the information included in the frame. The information is a channel identifier;
The detection means detects the switching in the station side device by detecting a change in the channel identifier,
The home device is
Storage means for storing, as the channel identifier, a first channel identifier associated with the encryption device of the first optical line and a second channel identifier associated with the encryption device of the second optical line; ,
Until the switching is detected by the detection means, the encrypted data from the station side device is decrypted using the first channel identifier, and when the switching is detected by the detection means, The home-side apparatus according to claim 13, further comprising decryption means for decrypting the encrypted data from the station-side apparatus using the second channel identifier. The information is an association number;
The detection means detects the switching in the station side device by detecting a change in the association number,
The home device is
Storage means for storing a first channel identifier associated with the encryption device of the first optical line and a second channel identifier associated with the encryption device of the second optical line;
Until the switching is detected by the detection means, the encrypted data from the station side device is decrypted using the first channel identifier, and when the switching is detected by the detection means, The home-side apparatus according to claim 13, further comprising decryption means for decrypting the encrypted data from the station-side apparatus using the second channel identifier.   When the home-side device is linked up to the optical line to which the station-side device is connected, the home-side device executes processing for discovery related to encrypted communication with the station-side device, 16. The device according to claim 13, wherein when the switching in the station side device is detected by the detection unit, the home side device does not execute the process for the discovery. Home device. The receiving means receives a frame including the encrypted data and a packet number;
The home device further includes a discarding unit that discards a frame including the packet number when the packet number does not satisfy a predetermined criterion,
The discarding unit does not discard the frame regardless of a packet number of a frame including a channel identifier in which the change is detected when the switching of the station side device is detected by the detecting unit. The home side apparatus of any one of Claims 13-16. An optical line encryption device used in a station side device that performs optical communication with a home side device,
When the optical line encryption device functions as an active system, a frame including at least one association number among a plurality of predetermined association numbers and a packet number is transmitted to the home device. A transmission means;
Storage means for storing a packet number of a frame including the association number and an encryption key in the encrypted communication in association with each of the plurality of association numbers;
Of the association number, encryption key, and packet number stored in association in the storage means, the association number and the encryption key are set at a predetermined timing of the standby optical line in the station side device. An optical line encryption device comprising: notification means for notifying the encryption device. A station side device,
A first optical line encryption device for performing encrypted communication with the home side device;
A second optical line encryption device for performing the encrypted communication with the home side device,
When the home side device is linked up to the optical line to which the station side device is connected, the station side device executes a process for discovery related to encrypted communication with the home side device, while When switching from the first cryptographic device to the second cryptographic device is performed, the station side device does not execute a process for discovery relating to the encrypted communication with the home side device. apparatus. An optical communication system comprising a home-side apparatus and a station-side apparatus that switches from a first optical line encryption device to a second optical line encryption device,
The home device is
Receiving means for receiving a frame containing information related to encrypted communication from the station side device;
An optical communication system comprising: detecting means for detecting the switching in the station side device by detecting a change in the state of the encrypted communication using the information included in the frame.   The optical communication system according to claim 20, wherein the information is a channel identifier. The frame includes encrypted data and the channel identifier associated with the encrypted data;
The optical communication system according to claim 21, wherein the detection unit detects the switching in the station side device by detecting a change in the channel identifier of the frame. The channel identifier associated with the encrypted data is a channel identifier used for encrypted communication,
Before switching from the encryption device of the first optical line to the encryption device of the second optical line, the encryption device of the second optical line is encrypted by the encryption device of the second optical line. 23. The optical communication system according to claim 22, wherein a channel identifier used for an encrypted communication is transmitted to the home device. The station side device transmits a physical address unique to the encryption device of the switching destination optical line to the home side device using an extended maintenance monitoring function,
The home device stores a physical address unique to the encryption device of the switching destination optical line,
The channel identifier includes a physical address unique to the encryption device of the optical line functioning as an operating system among the encryption device of the first optical line and the encryption device of the second optical line,
The detection unit according to claim 22, wherein the detection unit detects that the switching is performed based on the detection that the physical address has changed to a physical address unique to the encryption device of the switching destination optical line. Optical communication system. The frame is a control frame including the channel identifier;
When switching from the encryption device of the first optical line to the encryption device of the second optical line occurs, the encryption device of the second optical line transmits encrypted communication of the encryption device of the second optical line. The channel identifier used for the transmission is transmitted to the home device,
The optical communication system according to claim 21, wherein the detection unit of the home side device detects the switching in the station side device by detecting a change in the channel identifier based on the control frame. The frame is a control frame including the channel identifier;
Before the switching from the encryption device of the first optical line to the encryption device of the second optical line is completed, the encryption device of the first optical line is the encryption device of the second optical line. Transmitting the control frame including the channel identifier used for the encrypted communication to the home device,
The optical communication system according to claim 21, wherein the detection unit of the home side device detects the switching in the station side device by detecting a change in the channel identifier based on the control frame. The home device is
Obtaining the channel identifier associated with each of the first cryptographic device and the second cryptographic device by the frame;
First decryption means for decrypting the encrypted data based on a channel identifier corresponding to the first encryption device;
Second decryption means for decrypting the encrypted data based on a channel identifier corresponding to the second encryption device;
The detection means detects that the decryption means that succeeded in decrypting the encrypted data changes between the first decryption means and the second decryption means, so that the switching is performed by the station. The optical communication system according to claim 21, wherein the optical communication system detects what has been done in the side device. The information is an association number;
The frame includes encrypted data and the association number;
21. The optical communication system according to claim 20, wherein the detection unit of the home side device detects the switching in the station side device by detecting a change in the association number.   When the home-side device is linked up to the optical line to which the station-side device is connected, the station-side device and the home-side device execute processing for discovery related to encrypted communication, 29. The device according to any one of claims 20 to 28, wherein when the switching is detected by the detection unit, the station side device and the home side device do not execute a process for discovery related to the encrypted communication. 2. An optical communication system according to item 1. The receiving means receives a frame including the encrypted data and a packet number;
The home device further includes a discarding unit that discards a frame including the packet number when the packet number does not satisfy a predetermined criterion,
The discarding unit does not discard the frame regardless of a packet number of a frame including a channel identifier in which the change is detected when the switching of the station side device is detected by the detecting unit. 30. The optical communication system according to any one of claims 20 to 29. A switching detection method for detecting, in a home side device, switching from a first optical line encryption device to a second optical line encryption device performed in a station side device,
Receiving a frame containing information related to encrypted communication from the station side device;
Detecting a change in the state of the encrypted communication by using the information included in the frame to detect the change in the station side device. A program for controlling a switching detection device for detecting switching from a first optical line encryption device to a second optical line encryption device performed in a station side device,
Receiving a frame containing information related to encrypted communication from the station side device;
Detecting a change in the state of the encrypted communication by using the information included in the frame, and causing the processor of the switching detection device to execute the step of detecting the switching in the station side device. .

Images