JP2016111477A - Communication system and gateway - Google Patents

Abstract

PROBLEM TO BE SOLVED: To improve security in an on-vehicle LAN.SOLUTION: A communication system includes: a first apparatus for performing communication by following a CAN protocol; a second apparatus for performing communication by following the other protocol different from the CAN protocol; and a gateway for performing protocol translation between the CAN protocol and the other protocol and relaying a message between the first apparatus and the second apparatus. The gateway includes a control section for monitoring the voltage of a communication bus connecting the gateway to the first apparatus and/or the communication period of the first apparatus, and controlling the relay of a message to be transmitted by the first apparatus to the second apparatus on the basis of a monitoring result.SELECTED DRAWING: Figure 9

Description

  The present invention relates to a communication system.

  CAN (Controller Area Network) and LIN (Local Interconnect Network) are widely used as in-vehicle LAN (Local Area Network) standards for connecting electronic control units (ECUs) installed in vehicles. . On the other hand, next-generation in-vehicle LANs such as FlexRay, CAN FD (CAN with Flexible Data Rate), and in-vehicle Ethernet (Ethernet) are known.

  With the introduction of the next-generation in-vehicle LAN in the vehicle, the network to which the existing communication protocol such as CAN is applied (hereinafter referred to as “first network”) and the communication protocol for the next-generation in-vehicle LAN are applied. Network (hereinafter referred to as “second network”) is assumed to be mixed in the vehicle. A multi-protocol gateway (Multi-Protocol GW) is known as a gateway (GW) that relays messages between networks to which such different communication protocols are applied. When a multi-protocol gateway is introduced and data is relayed between networks to which different communication protocols are applied, the necessity of monitoring the status of each network becomes higher.

  As a technology for monitoring the network status, it is determined whether the data that is output in the shortest cycle among the data that each information processing means periodically outputs to the network, and whether the data that is output in the determined shortest cycle is output to the network A technique for detecting a communication abnormality of the in-vehicle communication system by monitoring the above is known (see, for example, Patent Document 1).

JP2013-236184A

  The frame structure of the next-generation in-vehicle LAN will expand the data area compared to the frame structure of the in-vehicle LAN so far. Therefore, security data such as authentication data can be attached to the extended data area in addition to control data in the next-generation in-vehicle LAN frame, so security measures can be taken inside the second network. it can.

  However, since it is difficult to attach security data to a data area in addition to control data in an existing in-vehicle LAN frame, it is difficult to take security measures inside the first network.

  If an illegal message is relayed from the first network to the second network by the multi-protocol gateway, it is processed inside the second network as a correct message being relayed. For this reason, although security measures can be taken inside the second network, there is a risk of being affected by an unauthorized message relayed from the first network.

  An object of the present invention is to improve security in an in-vehicle LAN.

A communication system according to an embodiment of the disclosure includes:
A first device that communicates according to the CAN protocol;
A second device that communicates according to another protocol different from the CAN protocol;
A gateway that performs protocol conversion between the CAN protocol and the other protocol, and relays a message between the first device and the second device;
The gateway is
Monitor the voltage of the communication bus connecting the gateway and the first device and / or the communication cycle of the first device, and based on the result of the monitoring, the first device A control unit that performs control of relaying a message to be transmitted to the second device;

  According to the disclosed embodiment, security in the in-vehicle LAN can be improved.

It is a figure which shows one Example of a communication system. It is a hardware block diagram which shows an example of ECU. It is a functional block diagram which shows an example of ECU. It is a figure which shows an example of a CAN frame. It is a figure which shows an example of a CAN FD frame. It is a figure which shows an example of a vehicle-mounted Ethernet frame. It is a figure which shows an example of a FlexRay frame. It is a figure which shows an example of an authentication information table. It is a hardware block diagram which shows one Example of GW ECU. It is a functional block diagram which shows one Example of GW ECU. It is a figure which shows an example of the table for ECU authentication. It is a figure which shows an example of the table for message authentication. It is a figure which shows an example of a relay destination table. It is a flowchart which shows one Example of operation | movement of a communication system. It is a hardware block diagram which shows the modification of GW ECU. It is a functional block diagram which shows one modification of GW ECU. It is a flowchart which shows one modification of operation | movement of a communication system.

Next, the form for implementing this invention is demonstrated, referring drawings based on the following Examples. Examples described below are merely examples, and embodiments to which the present invention is applied are not limited to the following examples.
In all the drawings for explaining the embodiments, the same reference numerals are used for those having the same function, and repeated explanation is omitted.

<Example>
<Communication system>
FIG. 1 is a schematic diagram of a communication system according to an embodiment of the present invention. First, the outline of the present embodiment will be described with reference to FIG.

  The communication system transmits a frame from the ECU of one network to the ECU of the other network via a gateway electronic control unit (GWECU). That is, the GW ECU relays the frame from the ECU of one network to the ECU of the other network.

  The communication system shown in FIG. 1 includes a plurality of ECUs (100aa, 100ab,..., 100dc) and a GWECU 200. In the present embodiment, when an arbitrary ECU is indicated among the ECUs (100aa, 100ab,..., 100dc), it is described as “ECU100”.

  ECU 100 transmits and receives a frame with control data attached to the payload portion of the frame. The payload portion of the frame can be accompanied by control data, or data different from control data such as authentication data can be attached.

  The ECUs (100aa, 100ab, 100ac) are connected to the GW ECU 200 via the first communication line 160a and constitute the first network 150a. An example of the first network 150a is a network to which an existing communication protocol such as CAN or LIN is applied. When CAN is applied, the first communication line 160a includes two communication lines (CAN bus) having a twisted pair configuration. One of the CAN bus twisted pair lines is a bus called CAN High (hereinafter referred to as CANH) and the other is referred to as CAN Low (hereinafter referred to as CANL). Termination resistors (not shown) are connected to both ends of the first communication line 160a. In FIG. 1, CANH and CANL are represented by a single solid line. The number of ECUs constituting the first network 150a is not limited to three, but may be 1-2, or may be four or more. In addition, the number of networks to which the existing communication protocol is applied is not limited to one, and may be two or more.

  The ECUs (100ba, 100bb, 100bc) are connected to the GW ECU 200 via the second communication line 160b and constitute the second network 150b. An example of the second network 150b is a network to which a next-generation in-vehicle LAN communication protocol such as FlexRay, CAN FD, and in-vehicle Ethernet is applied. In the present embodiment, CAN FD is applied to the second network 150b. The number of ECUs constituting the second network 150b is not limited to three, but may be 1-2, or may be four or more.

  The ECUs (100ca, 100cb, 100cc) are connected to the GW ECU 200 via a third communication line 160c, and constitute a third network 150c. An example of the third network 150c is a network to which a next-generation in-vehicle LAN communication protocol such as FlexRay, CAN FD, and in-vehicle Ethernet is applied. In the present embodiment, in-vehicle Ethernet is applied to the third network 150c. The number of ECUs constituting the third network 150c is not limited to three, but may be 1-2, or may be four or more.

  The ECUs (100da, 100db, 100dc) are connected to the GW ECU 200 via a fourth communication line 160d, and constitute a fourth network 150d. An example of the fourth network 150d is a network to which a next-generation in-vehicle LAN communication protocol such as FlexRay, CAN FD, and in-vehicle Ethernet is applied. In the present embodiment, FlexRay is applied to the fourth network 150d. The number of ECUs constituting the fourth network 150d is not limited to three, but may be 1-2, or may be four or more.

  The number of networks to which the next-generation in-vehicle LAN communication protocol is applied is not limited to three, but may be 1-2, or may be four or more.

  In this embodiment, for convenience of explanation, the first network 150a is a network to which an existing in-vehicle LAN communication protocol is applied, and the second network 150b to the fourth network 150d are the next-generation in-vehicle LAN. A network to which a communication protocol is applied is assumed. The existing in-vehicle LAN communication protocol and the next-generation in-vehicle LAN communication protocol can be distinguished based on the payload length of the frame. Specifically, the payload length of the frame of the existing in-vehicle LAN communication protocol is prepared only for the number of bits that can be attached to the control data (8 bytes in the case of CAN). As the payload length of the communication protocol frame, the number of bits that can accompany control data and security data is prepared. In other words, the payload length of the frame of the communication protocol of the next-generation in-vehicle LAN is long and can be accompanied by control data and security data. Moreover, the payload length of the frame of the communication protocol of the existing in-vehicle LAN is short and can be attached with control data.

  In the present embodiment, the term “ECU 100a” is used when referring to any ECU configuring the first network 150a, and the term “ECU 100b” is used when indicating any ECU configuring the second network 150b. Describe. In addition, “ECU 100c” is used to indicate an arbitrary ECU configuring the third network 150c, and “ECU 100d” is illustrated to indicate an arbitrary ECU configuring the fourth network 150d. In addition, when an arbitrary network among the first network 150a, the second network 150b, the third network 150c, and the fourth network 150d is shown, it is referred to as “network 150”, and the first communication line 160a. (CAN bus), second communication line 160b (CAN FD bus), third communication line 160c (in-vehicle Ethernet bus), and fourth communication line 160d (FlexRay bus) When shown, it is described as “communication line 160”.

<Hardware Configuration of Embodiment>
Next, the hardware configuration of this embodiment will be described.

<Configuration of ECU 100>
FIG. 2 shows a hardware configuration of the ECU 100 according to the present embodiment. The ECU 100 is an automobile control computer and realizes various functions in a body system, a control system, an information system, and the like.

  The ECU 100 includes a microcontroller 102 and a transceiver 104. The microcontroller 102 is mounted with hardware such as a CPU that controls the entire ECU 100, a ROM that stores an ECU program executed by the CPU, and a RAM that is used as a work area of the CPU when the control of the ECU 100 is executed. The Two or more CPUs can be mounted on the microcontroller 102.

  The transceiver 104 is connected to the microcontroller 102 and the communication line 160, transmits a frame input from the microcontroller 102 to the communication line 160, and inputs a frame transferred by the communication line 160 to the microcontroller 102. The ECU 100 can include two or more transceivers, and the ECU 100 can include two or more microcontrollers.

<Function of ECU 100>
Next, each part of ECU100 is demonstrated in detail.

  FIG. 3 is a functional block diagram showing an embodiment of the function of the ECU 100. The functions represented by this functional block diagram are mainly executed by the microcontroller 102. The microcontroller 102 functions as a transmission / reception unit 112 and a control unit 114.

  The transmission / reception unit 112 of the ECU 100 transmits / receives various data (information) to / from the GWECU 200 or other ECUs via the transceiver 104.

  The control unit 114 of the ECU 100 creates a frame to be transmitted to the GW ECU 200 or another ECU via the transceiver 104. In addition, various controls are performed according to frames transmitted by the GWECU 200 received by the transmission / reception unit 112 or other ECUs.

  Frames created by the respective control units 114 of the ECU 100a constituting the first network 150a, the ECU 100b constituting the second network 150b, the ECU 100c constituting the third network 150c, and the ECU 100d constituting the fourth network 150d The configuration is different.

(1) Configuration of a frame created by the control unit 114 of the ECU 100a configuring the first network 150a The CAN protocol is applied to the first network 150a configured by the ECU 100a.

  FIG. 4 shows an example of a CAN frame. The CAN frame includes a start of frame (SOF) field, an ID (identifier) field, a remote transmission request (RTR) field, a data length code (DLC) field, It is composed of a Data field, a CRC slot field, an ACK (acknowledgement) slot field, and an end of frame (EOF). The numerical values described in each field in FIG. 4 indicate the number of bits constituting each field.

  The start of frame field indicates the beginning of the message and is indicated by a dominant (logic 0) bit. The ID field identifies the message and indicates the priority of the message. The ID may be represented by 11 bits (standard frame) or 29 bits (extended frame). The remote transmission request field is used to distinguish between a remote frame and a data frame. The dominant (logic 0) remote transmission request field indicates a data frame. The recessive (logic 1) remote transmission request bit indicates a remote frame. The data length code field indicates the number of bytes included in the data field. The Data field contains 0-8 bytes of data. The CRC field indicates a cyclic redundancy check. The CRC includes a 15-bit cyclic redundancy check code and a recessive delimiter bit. The CRC field is used for error detection. The ACK (acknowledge) field is transmitted at the end of the message when the message is correctly received.

(2) Configuration of a frame created by the control unit 114 of the ECU 100b configuring the second network 150b The CAN FD protocol is applied to the second network 150b configured by the ECU 100b.

  FIG. 5 shows an example of a CAN FD frame. The CAN FD frame includes a start-of-frame field, an ID field, an extended data length (EDL) field, a bit rate switch (BRS) field, and an error state indicator (ESI). ) Field, a data length code field, a Data field, a CRC field, an ACK field, and an end-of-frame field. The numerical values described in each field in FIG. 5 indicate the number of bits constituting each field. In addition, a 4-bit configuration covering the extension of the data length is added as a data length code field, and any of 12, 16, 20, 24, 32, 48, 64 bytes is set using this additional part. To do.

  In the CAN FD frame, the EDL bit, BRS bit, and ESI bit are added to the CAN frame, and the Data field is expanded to 64 bytes. The EDL bit is a bit for identifying a CAN format frame and a CAN FD format frame, and is set to recessive in the CAN FD frame and dominant in the CAN frame. The BRS bit is a bit for identifying whether to switch the bit rate. When the BRS bit is recessive, the bit rate when transmitting the data field is switched at high speed. The ESI bit is used to identify CAN FD node error conditions.

(3) Configuration of a frame created by the control unit 114 of the ECU 100c configuring the third network 150c The in-vehicle Ethernet is applied to the third network 150c configured by the ECU 100c.

  FIG. 6 shows a frame configuration example of the in-vehicle Ethernet (1) DIX Ethernet, (2) IEEE 802.3, and (3) IEEE 802.3 (when using an optional VLAN tag header). The frame configuration of the in-vehicle Ethernet can be the Ethernet (registered trademark) frame configuration. Of these three types of frame configuration examples, the frame configuration used in the third network 150c can be set in advance.

  As shown in (1) of FIG. 6, the DIX Ethernet frame includes a preamble field, a destination address field, a source address field, a type field, a data field, and an FCS field.

  As shown in (2) of FIG. 6, the frame defined in IEEE 802.3 includes a preamble field, an SFD (Start Frame Delimiter) field, a destination address field, a source address field, and a length / type field. And a data / LLC (Logical Link Control) field and an FCS field. In the length / type field, whether to indicate length or type is interpreted according to a value attached to the field.

  As shown in (3) of FIG. 6, an Ethernet frame defined in IEEE 802.3 (when using an optional VLAN tag header) includes a preamble field, an SFD field, a destination address field, and a source address field. A TPID (Tag Protocol Identifier) field, a TCI (Tag Control Information) field, a length / type field, a data / LLC (Logical Link Control) field, and an FCS field. In the length / type field, whether to indicate length or type is interpreted according to a value attached to the field.

  The upper numerical values in (1), (2), and (3) of FIG. 6 indicate the size of each field.

(4) Configuration of a frame created by the control unit 114 of the ECU 100d configuring the fourth network 150d FlexRay is applied to the fourth network 150d configured by the ECU 100d.

  FIG. 7 shows an example of a FlexRay frame. A FlexRay frame is composed of a header segment, a payload segment, and a trailer segment. The header segment is composed of 40 bits, and reserve, payload preamble indicator, null frame indicator, synchronization frame indicator, and start-up frame indicator each composed of 1 bit are stored in the first 5 bits. The header segment stores the frame ID, payload length, header CRC, and cycle count. The payload segment is composed of 0 to 127 words (0 to 2032 bits) and stores data. The trailer segment is composed of 24 bits and stores a frame CRC.

  Returning to FIG. 3, the description will be continued. An authentication information table is stored in the control unit 114 of the ECU 100a constituting the first network 150a.

  FIG. 8 shows an example of the authentication information table. The authentication information table associates the authentication data attached to the authentication message transmitted by the GW ECU 200 with the response authentication data attached to the response authentication message that is a response message to the authentication message. The authentication data and the response authentication data can be set differently depending on each of the ECU 100aa, ECU 100ab, and ECU 100ac configuring the first network 150a. When the authentication data attached to the authentication message received by the transmission / reception unit 112 matches the authentication data in the authentication information table, the control unit 114 of the ECU 100a responds to the response authentication message associated with the authentication data. The data is attached and transmitted from the transmission / reception unit 112.

<Configuration of GW ECU 200>
FIG. 9 shows a hardware configuration of the GWECU 200 according to the present embodiment. The GWECU 200 is an automobile control computer and realizes various functions in a body system, a control system, an information system, and the like.

  The GWECU 200 includes a microcontroller 202, a first transceiver 204a, a second transceiver 204b, a third transceiver 204c, a fourth transceiver 204d, and a voltage monitoring device 206. The microcontroller 202 is mounted with hardware such as a CPU that controls the entire GW ECU 200, a ROM that stores a GW ECU program executed by the CPU, and a RAM that is used as a work area of the CPU when the GW ECU 200 is controlled. The Two or more CPUs can be mounted on the microcontroller 202.

  The first transceiver 204a is connected to the microcontroller 202 and the first communication line 160a, and is created in accordance with a next-generation in-vehicle LAN communication protocol such as CAN FD, in-vehicle Ethernet, and FlexRay input from the microcontroller 202. The frame that has been converted into the CAN frame by the microcontroller 202 is transferred to the first communication line 160a, and the CAN frame transferred by the first communication line 160a is input to the microcontroller 202.

  The second transceiver 204b is connected to the microcontroller 202 and the second communication line 160b, and is a frame created according to CAN and input from the microcontroller 202, and is converted into a CAN FD frame by the microcontroller 202. The converted frame is transferred to the second communication line 160 b, and the CAN FD frame transferred by the second communication line 160 b is input to the microcontroller 202.

  The third transceiver 204c is connected to the microcontroller 202 and the third communication line 160c, and is a frame created in accordance with CAN input from the microcontroller 202. The third transceiver 204c is converted into an in-vehicle Ethernet frame by the microcontroller 202. The converted frame is transferred to the third communication line 160c, and the in-vehicle Ethernet frame transferred by the third communication line 160c is input to the microcontroller 202.

  The fourth transceiver 204d is connected to the microcontroller 202 and the fourth communication line 160d, and is a frame created according to CAN input from the microcontroller 202 and converted into a FlexRay frame by the microcontroller 202. The frame thus transferred is transferred to the fourth communication line 160 d, and the FlexRay frame transferred by the fourth communication line 160 d is input to the microcontroller 202.

  In the example shown in FIG. 9, four transceivers are mounted on the GW ECU 200, but the number of transceivers is not limited to four, and in addition to the first transceiver 204a, 1-2 transceivers may be mounted. And more than 5 transceivers can be implemented. Further, two or more microcontrollers can be mounted on the GWECU 200.

  The microcontroller 202 converts the CAN frame input from the first transceiver 204a into a CAN FD frame and outputs the CAN frame to the second transceiver 204b. Further, the microcontroller 202 converts the CAN FD frame input from the second transceiver 204b into a CAN frame and outputs the CAN frame to the first transceiver 204a. In addition, the microcontroller 202 converts the CAN frame input from the first transceiver 204a into an in-vehicle Ethernet frame and outputs it to the third transceiver 204c. Further, the microcontroller 202 converts the in-vehicle Ethernet frame input from the third transceiver 204c into a CAN frame and outputs the CAN frame to the first transceiver 204a. In addition, the microcontroller 202 converts the CAN frame input from the first transceiver 204a into a FlexRay frame and outputs it to the fourth transceiver 204d. Further, the microcontroller 202 converts the FlexRay frame input from the fourth transceiver 204d into a CAN frame and outputs the CAN frame to the first transceiver 204a.

  The voltage monitoring device 206 is connected to the first communication line 160a and the microcontroller 202, monitors the difference voltage between CANH and CANL of the first communication line 160a, and sends the difference voltage information to the microcontroller 202. input.

<Functions of GW ECU 200>
Next, each part of GWECU200 is demonstrated in detail.

  FIG. 10 is a functional block diagram showing an example of the function of the GWECU 200. The GW ECU 200 functions as a transmission / reception unit 212, a communication cycle monitoring unit 214, a storage / reading processing unit 216, a storage unit 218, an ECU authentication processing unit 220, a message authentication processing unit 222, and a relay processing unit 224.

  The transmission / reception unit 212 of the GWECU 200 is executed by the instruction from the microcontroller 202 shown in FIG. 9, the first transceiver 204a, the second transceiver 204b, the third transceiver 206c, and the fourth transceiver 208d. The transmission / reception unit 212 transmits various data (information) transmitted / received between ECUs constituting different networks via the first transceiver 204a, the second transceiver 204b, the third transceiver 206c, and the fourth transceiver 208d. Send and receive.

  The storage / reading processing unit 216 of the GW ECU 200 is executed by instructions from the microcontroller 202 shown in FIG. 9 and ROM and RAM mounted on the microcontroller as an example, and stores various data in the storage unit 218. Then, a process of reading various data stored in the storage unit 218 is performed.

  The storage unit 218 of the GWECU 200 stores an ECU authentication management DB 226 used when authenticating the ECU 100, a message authentication management DB 228 used when authenticating a message, and a relay destination management DB 230 designating a message relay destination.

(ECU authentication table)
In the storage unit 218, an ECU authentication management DB 226 configured by an ECU authentication table as shown in FIG. 11 is constructed. In this ECU authentication table, for each of the ECUs 100a constituting the first network 150a, the authentication data attached to the authentication message transmitted from the GW ECU 200 and the response authentication message transmitted by the ECU 100a that has received the authentication message. Corresponding response authentication data is associated with each other and managed.

(Message authentication table)
In the storage unit 218, a message authentication management DB 228 configured by a message authentication table as shown in FIG. In this message authentication table, for each request message transmitted from the GW ECU 200, identification information such as CAN-ID attached to the request message and a response message that is a response message to the request message from the transmission of the request message are received. The specified time range until the time is associated and managed by being associated with each other.

(Relay destination table)
In the storage unit 218, a relay destination management DB 230 configured by a relay destination table as shown in FIG. 13 is constructed. In this relay destination table, each piece of identification information such as CAN-ID of the message is managed in association with the relay destination by associating it.

  Returning to FIG. The communication cycle monitoring unit 214 of the GW ECU 200 is executed by a command from the microcontroller 202 shown in FIG. 9 and the first transceiver 204a. The communication cycle monitoring unit 214 monitors the communication cycle of messages transmitted / received by each of the ECU 100aa, the ECU 100ab, and the ECU 100ac configuring the first network 150a, and notifies the relay processing unit 224 of the communication cycle.

  The ECU authentication processing unit 220 of the GW ECU 200 is executed by the instruction from the microcontroller 202 and the first transceiver 204a shown in FIG. When the relay processing unit 224 finds an abnormality in the first network 150a, the ECU authentication processing unit 220 confirms the legitimacy of the ECU 100a configuring the first network 150a in accordance with an instruction from the relay processing unit 224. Authenticate by Specifically, the ECU authentication processing unit 220 transmits an authentication message with the authentication data shown in FIG. 11 to the ECU 100aa, the ECU 100ab, and the ECU 100ac, and acquires a response authentication message that is a response message to the authentication message. . In the ECU authentication processing unit 220, the data attached to the Data field of the response authentication message transmitted by the ECU 100aa, ECU 100ab, and ECU 100ac is associated with each of the ECU 100aa, ECU 100ab, and ECU 100ac shown in FIG. If it matches the response authentication data, the ECU 100a that transmitted the response authentication message authenticates it as valid. The ECU authentication processing unit 220 notifies the relay processing unit 224 of an authentication result as to whether or not the ECU 100a configuring the first network 150a is valid. Here, the case where the ECU 100a is authenticated using the authentication data and the response authentication data will be described, but authentication is performed by applying challenge response authentication, a one-time password, or the like between the ECU 100a and the GW ECU 200 as an authentication method. You can also Accordingly, it can be determined whether any of the ECUs 100a configuring the first network 150a has been replaced with an unauthorized ECU.

  The message authentication processing unit 222 of the GW ECU 200 is executed by the instruction from the microcontroller 202 and the first transceiver 204a shown in FIG. When the relay processing unit 224 detects an abnormality in the first network 150a, the message authentication processing unit 222 transmits the request message to the ECU 100a configuring the first network 150a, thereby transmitting the request message. To determine whether the response time of the response message to the request message is valid based on the response time until receiving the response message that is a response message to the request message. Hereinafter, the process of determining whether the response time of the response message to the request message is valid is referred to as “message authentication”.

  Specifically, the message authentication processing unit 222 transmits a request message accompanied by message identification information such as CAN-ID shown in FIG. 12 from the transmission / reception unit 212 to the ECU 100a, and transmits / receives a response message to the request message. From 212. The message authentication processing unit 222 determines whether or not the response time from when the request message is transmitted from the transmission / reception unit 212 to when the response message is received by the transmission / reception unit 212 is included in the specified time range shown in FIG. If the message authentication processing unit 222 is included in the specified time range, the message authentication processing unit 222 authenticates that the response time of the response message for the request message is valid. The message authentication processing unit 222 notifies the relay processing unit 224 of the determination result as to whether or not the message authentication is valid. This makes it possible to determine whether or not an unauthorized ECU has been added to the first network 150a. When an unauthorized ECU is added, the difference voltage between CANH and CANL is different from usual, and it is often impossible to receive a response message. That is, it is assumed that the message authentication processing unit 222 cannot receive a response message within a specified time range.

  The relay processing unit 224 of the GW ECU 200 is executed by the instruction from the microcontroller 202 shown in FIG. 9, the first transceiver 204a, the second transceiver 204b, the third transceiver 204c, and the fourth transceiver 204d. . The relay processing unit 224 determines whether there is an abnormality in the first network 150a based on the difference voltage information input by the voltage monitoring device 206. Specifically, for example, when an unauthorized ECU is added to the first network 150a, it is assumed that the differential voltage changes. The relay processing unit 224 determines that an abnormality has been detected when a change in the differential voltage equal to or greater than a predetermined threshold value can be detected.

  In addition, when the relay processing unit 224 detects a disturbance in a communication cycle such as a communication cycle different from the communication cycle of each ECU 100a of the first network 150a based on the communication cycle input by the communication cycle monitoring unit 214. It is determined that an abnormality has been detected.

  When the relay processing unit 224 determines that there is an abnormality in the differential voltage or the communication cycle, the relay processing unit 224 instructs the ECU authentication processing unit 220 to authenticate the ECU 100a configuring the first network 150a. The relay processing unit 224 refers to the relay destination management DB 230 of the storage unit 218 when the authentication result of the ECU 100a input from the ECU authentication processing unit 220 is valid, and from the ECU 100a configuring the first network 150a. Is relayed to one of the second network 150b, the third network 150c, or the fourth network 150d based on message identification information such as CAN-ID attached to the message.

  The relay processing unit 224 discards the message from the ECU 100a configuring the first network 150a when the ECU authentication result transmitted from the ECU authentication processing unit 220 indicates an abnormality. Then, the relay processing unit 224 increases a count value indicating the number of message discards. The relay processing unit 224 notifies the user when the number of discarded messages exceeds a predetermined threshold. For example, the relay processing unit 224 can notify that an abnormality has occurred in the center device, and the center device can notify that an abnormality has occurred in a portable information terminal such as a smartphone held by the user. Also, the relay processing unit 224 can notify the user by displaying that an abnormality has occurred on a display device such as a meter of a vehicle on which the communication system is mounted.

  When the relay processing unit 224 determines that both the differential voltage and the communication cycle are abnormal, the relay processing unit 224 instructs the ECU authentication processing unit 220 to authenticate the ECU 100a configuring the first network 150a. The relay processing unit 224 discards the message from the ECU 100a configuring the first network 150a when the authentication result of the ECU 100a input from the ECU authentication processing unit 220 indicates an abnormality. The relay processing unit 224 notifies the user when the number of discarded messages exceeds a predetermined threshold.

  The relay processing unit 224 instructs the message authentication processing unit 222 to perform message authentication when the ECU authentication result transmitted from the ECU authentication processing unit 220 indicates normal. When the authentication result of the message transmitted from the message authentication processing unit 222 indicates an abnormality, the relay processing unit 224 discards the message from the ECU 100a configuring the first network 150a. The relay processing unit 224 notifies the user when the number of discarded messages exceeds a predetermined threshold.

  When the authentication result of the message transmitted from the message authentication processing unit 222 indicates normal, the relay processing unit 224 refers to the relay destination management DB 230 of the storage unit 218 and from the ECU 100a configuring the first network 150a. Is relayed to one of the second network 150b, the third network 150c, or the fourth network 150d based on message identification information such as CAN-ID attached to the message.

<Operation of communication system>
FIG. 14 shows an example of the operation of the communication system according to the present embodiment. In the example shown in FIG. 14, when a message is transmitted from any of ECU 100aa, ECU 100ab, and ECU 100ac configuring first network 150a to any of ECU 100ba, ECU 100bb, and ECU 100bc configuring second network 150b. The process performed based on the communication period of the message transmitted / received by ECU100a and the difference voltage of the 1st communication line 160a is shown. Processing can also be performed based on one of the communication cycle of messages transmitted and received by the ECU 100a and the differential voltage of the first communication line 160a.

  The flowchart shown in FIG. 14 is also applicable when a message is transmitted from any of the ECU 100aa, the ECU 100ab, and the ECU 100ac constituting the first network 150a to any of the ECU 100ca, the ECU 100cb, and the ECU 100cc constituting the third network 150c. Applicable. In the flowchart shown in FIG. 14, a message is transmitted from any one of the ECU 100aa, the ECU 100ab, and the ECU 100ac constituting the first network 150a to any one of the ECU 100da, the ECU 100db, and the ECU 100dc constituting the fourth network 150d. It can also be applied to.

  In step S1402, the relay processing unit 224 of the GW ECU 200 determines whether the vehicle speed is higher than 0 km / h. This process is realized by inputting vehicle speed information of the vehicle to the GWECU 200.

  In step S1404, when it is determined that the vehicle speed is equal to or less than 0 km / h, the relay processing unit 224 of the GWECU 200 determines whether a message is transmitted to the first communication line 160a. If it is determined that a message has not been transmitted to the first communication line 160a, the process returns to step S1402, and steps S1402 to S1404 are repeated until a message is transmitted to the first communication line 160a. This is because when the vehicle speed is assumed to be 0 km / h or less and the vehicle is assumed to be stopped and no message is transmitted to the first communication line 160a, it is assumed that security is high. is there.

  In step S1406, if it is determined in step S1402 that the vehicle speed is higher than 0 km / h, or if it is determined in step S1404 that a message has been transmitted to the first communication line 160a, the relay processing unit 224 performs communication cycle monitoring. From unit 214, a monitor value of a communication cycle of messages transmitted and received by ECU 100aa, ECU 100ab, and ECU 100ac is acquired. Even when it is assumed that the vehicle is stopped due to the vehicle speed being 0 km / h or less, it is also assumed that an unauthorized message is transmitted to the first communication line 160a. Therefore, when the vehicle speed is 0 km / h or less and a message is transmitted to the first communication line 160a, the same processing as when the vehicle speed is higher than 0 km / h, that is, when the vehicle is traveling. I do. As a result, even if the vehicle is stopped, the influence can be reduced when an unauthorized message is transmitted.

  In step S1408, the relay processing unit 224 acquires the monitored value of the differential voltage of the first communication line 160a from the voltage monitoring device 206.

  In step S1410, the relay processing unit 224 determines whether both the monitor value of the communication cycle of the message acquired in step S1406 and the monitor value of the differential voltage acquired in step S1408 are normal. It is possible to determine whether or not an unauthorized message is transmitted by determining whether or not the monitoring value of the communication cycle is normal, and it is possible to determine whether or not an illegal message is transmitted by determining whether the monitored value of the differential voltage is normal. It can be determined whether the ECU is not included in the first network 150a.

  In step S1412, when it is determined that both monitor values are normal, the relay processing unit 224 transmits a message transmitted by the ECU 100a to the second communication line 160b. This is because when both monitor values are normal, it is assumed that an unauthorized message has not been transmitted to the first network 150a, and an unauthorized ECU is not included in the first network 150a. .

  In step S1414, if it is not determined in step S1410 that both monitor values are normal, the relay processing unit 224 determines whether one of the monitor values is normal.

  If it is determined in step S1416 that one of the monitor values is normal, ECU authentication processing unit 220 transmits an authentication message from transmission / reception unit 212 to ECU 100aa, ECU 100ab, and ECU 100ac.

  In step S1418, ECU authentication processing unit 220 determines whether or not an authentication response message accompanied with correct response authentication data has been received from ECU 100aa, ECU 100ab, and ECU 100ac. Accordingly, since it is possible to determine whether or not the ECU 100aa, ECU 100ab, and ECU 100ac that constitute the first network 150a are valid, any of the ECU 100aa, ECU 100ab, and ECU 100ac that constitute the first network 150a is an unauthorized ECU. It can be determined whether or not it has been replaced.

  In step S1420, when it is determined that a response authentication message accompanied with correct response authentication data is received, the relay processing unit 224 relays the message transmitted by the ECU 100a from the transmission / reception unit 212 to the second communication line 160b.

  In step S <b> 1422, when it is not determined that a response authentication message accompanied with correct response authentication data has been received, the relay processing unit 224 discards the message transmitted by the ECU 100 a. Then, the relay processing unit 224 increases a count value indicating the number of message discards.

  In step S1424, the relay processing unit 224 determines whether or not the message transmitted by the ECU 100a has been discarded a certain number of times. If it is determined that the message has not been discarded a certain number of times, the process returns to step S1402.

  If it is determined in step S1426 that the message has been discarded a certain number of times, the relay processing unit 224 gives a warning by notifying the user.

  In step S1428, if it is determined in step S1414 that one of the monitor values is not normal, that is, if it is determined that both monitor values are abnormal, the ECU authentication processing unit 220 transmits the ECU 100aa, ECU 100ab, and An authentication message is transmitted to ECU 100ac.

  In step S1430, ECU authentication processing unit 220 determines whether an authentication response message accompanied with correct response authentication data has been received from ECU 100aa, ECU 100ab, and ECU 100ac.

  In step S1432, if it is not determined that a response authentication message attached with correct response authentication data is received, the relay processing unit 224 discards the message. Then, the relay processing unit 224 increases a count value indicating the number of message discards.

  In step S1434, it is determined whether or not the message has been discarded a certain number of times. If it is determined that the message has not been discarded a certain number of times, the process returns to step S1402.

  If it is determined in step S1436 that the message has been discarded a certain number of times, the relay processing unit 224 gives a warning by notifying the user.

  In step S1438, when it is determined in step S1430 that a response authentication message accompanied with correct response authentication data has been received, the message authentication processing unit 222 transmits a request message to the ECU 100aa, the ECU 100ab, and the ECU 100ac from the transmission / reception unit 212. The transmission / reception unit 212 monitors the response time until the response message is received. Since the ECU 100a can determine that the response authentication message with the correct response authentication data is valid, the response time from when the request message is transmitted until the response message is received by the transmission / reception unit 212 is monitored. Thus, it is determined whether or not an unauthorized ECU is added to the first network 150a.

  In step S1440, the message authentication processing unit 222 determines whether or not the response time from when the request message is transmitted until the response message is received is within the specified time range shown in FIG.

  In step S1442, when it is determined that the response time from when the request message is transmitted until the response message is received is within the specified time range, the relay processing unit 224 transmits the message transmitted by the ECU 100a from the transmission / reception unit 212. Relay to second communication line 160b. When an unauthorized ECU is added, the difference voltage between CANH and CANL is different from usual, and it is often impossible to receive a response message. That is, it is assumed that the message authentication processing unit 222 cannot receive a response message within a specified time range. When a response message is received within the specified time range, it is determined that an unauthorized ECU has not been added.

  In step S1444, when it is determined that the response time from when the request message is transmitted until the response message is received is not within the specified time range, the relay processing unit 224 discards the message transmitted by the ECU 100a. Then, the relay processing unit 224 increases a count value indicating the number of message discards.

  In step S1446, it is determined whether or not the message has been discarded a certain number of times. If it is determined that the message has not been discarded a certain number of times, the process returns to step S1402.

  If it is determined in step S1448 that the message has been discarded a certain number of times, the relay processing unit 224 gives a warning by notifying the user.

  The flow shown in FIG. 14 can be executed regularly or irregularly. Further, the flow shown in FIG. 14 can be executed by a predetermined operation performed by the user.

  According to the communication system according to the present embodiment, the CAN is connected to the gateway that connects the first communication line to which CAN is applied and the second communication line to which a communication protocol different from CAN is applied. A function for confirming the security state of a network configured by connecting an ECU to an applied communication line is provided. Furthermore, according to the communication system according to the present embodiment, it is possible to determine whether or not an ECU constituting the network has been replaced with an unauthorized ECU, and whether or not an unauthorized ECU has been added to the network. Thereby, the security of the entire communication system can be improved without applying security measures to the CAN signal itself transmitted through the first communication line.

<Modification>
1 can be applied to a communication system according to a modification of the present invention, and FIGS. 2 and 3 can be applied to the ECU 100. FIG.

  FIG. 15 shows a hardware configuration of the GW ECU 300 according to this modification. The GWECU 300 is a vehicle control computer and realizes various functions in a body system, a control system, an information system, and the like. The GWECU 300 differs from the GWECU 200 described with reference to FIG. 9 in that the voltage monitoring device 206 is not provided.

  FIG. 16 is a functional block diagram showing a GW ECU 300 according to this modification. The GW ECU 300 functions as a transmission / reception unit 212, a storage / read processing unit 216, a storage unit 218, an ECU authentication processing unit 220, a message authentication processing unit 222, and a relay processing unit 232. It differs from the GW ECU 300 described with reference to FIG. 10 in that the communication cycle monitor unit 214 is not provided. The above-described embodiments can be applied to the transmission / reception unit 212, the storage / reading processing unit 216, the storage unit 218, the ECU authentication processing unit 220, and the message authentication processing unit 222.

  The relay processing unit 232 of the GW ECU 300 is executed by the instruction from the microcontroller 202 shown in FIG. 15, the first transceiver 204a, the second transceiver 204b, the third transceiver 204c, and the fourth transceiver 204d. . The relay processing unit 232 instructs the ECU authentication processing unit 220 to authenticate the ECU 100a configuring the first network 150a.

  The relay processing unit 232 discards the message from the ECU 100a configuring the first network 150a when the ECU authentication result transmitted from the ECU authentication processing unit 220 indicates an abnormality. Then, the relay processing unit 232 increases the count value indicating the number of message discards. The relay processing unit 232 notifies the user when the number of discarded messages exceeds a predetermined threshold. For example, the relay processing unit 232 can notify that an abnormality has occurred in the center device, and the center device can notify that an abnormality has occurred in a portable information terminal such as a smartphone held by the user. In addition, the relay processing unit 232 can notify the user by displaying that an abnormality has occurred on a display device such as a meter of a vehicle on which the communication system is mounted.

  The relay processing unit 232 instructs the message authentication processing unit 222 to perform message authentication when the ECU authentication result input from the ECU authentication processing unit 220 indicates that it is valid. When the authentication result of the message transmitted from the message authentication processing unit 222 indicates an abnormality, the relay processing unit 232 discards the message from the ECU 100a configuring the first network 150a. Then, the relay processing unit 232 increases the count value indicating the number of message discards. The relay processing unit 232 notifies the user when the number of discarded messages exceeds a predetermined threshold.

  When the authentication result of the message transmitted from the message authentication processing unit 222 indicates normal, the relay processing unit 232 refers to the relay destination management DB 230 of the storage unit 218, and from the ECU 100a configuring the first network 150a. Is relayed to one of the second network 150b, the third network 150c, or the fourth network 150d based on message identification information such as CAN-ID attached to the message.

<Operation of communication system>
FIG. 17 shows an example of the operation of the communication system according to the present embodiment. In the example shown in FIG. 17, when a message is transmitted from any of ECU 100aa, ECU 100ab, and ECU 100ac constituting first network 150a to any one of ECU 100ba, ECU 100bb, and ECU 100bc constituting second network 150b. Shows the processing performed.

  The flowchart shown in FIG. 17 is also applicable when a message is transmitted from any of the ECU 100aa, ECU 100ab, and ECU 100ac constituting the first network 150a to any one of the ECU 100ca, ECU 100cb, and ECU 100cc constituting the third network 150c. Applicable. In the flowchart shown in FIG. 17, a message is transmitted from any one of the ECU 100aa, the ECU 100ab, and the ECU 100ac constituting the first network 150a to any one of the ECU 100da, the ECU 100db, and the ECU 100dc constituting the fourth network 150d. It can also be applied to.

  In step S1702, the relay processing unit 232 of the GW ECU 300 determines whether the vehicle speed is higher than 0 km / h. This process is realized by inputting vehicle speed information of the vehicle to the GWECU 300.

  In step S1704, when it is determined that the vehicle speed is 0 km / h or less, the relay processing unit 232 of the GW ECU 300 determines whether a message is transmitted to the first communication line 160a. If it is determined that the message is not transmitted to the first communication line 160a, the process returns to step S1702, and the processes of steps S1702 to S1704 are repeated until the message is transmitted to the first communication line 160a. This is because when the vehicle speed is 0 km / h or less and the vehicle is assumed to be stopped and the message is not transmitted to the first communication line 160a, it is assumed that the safety is high.

  In step S1706, if it is determined in step S1702 that the vehicle speed is higher than 0 km / h, or if it is determined in step S1704 that a message has been transmitted to the first communication line 160a, the ECU authentication processing unit 220 transmits and receives An authentication message is transmitted from 212 to ECU 100aa, ECU 100ab, and ECU 100ac. Even when it is assumed that the vehicle is stopped due to the vehicle speed being 0 km / h or less, it is also assumed that an unauthorized message is transmitted to the first communication line 160a. Therefore, when the vehicle speed is 0 km / h or less and a message is transmitted to the first communication line 160a, the same processing as when the vehicle speed is higher than 0 km / h, that is, when the vehicle is traveling. I do. As a result, even if the vehicle is stopped, the influence can be reduced when an unauthorized message is transmitted.

  In step S1708, the ECU authentication processing unit 220 determines whether or not an authentication response message accompanied with correct response authentication data has been received from the ECU 100aa, the ECU 100ab, and the ECU 100ac. Accordingly, since it is possible to determine whether or not the ECU 100aa, ECU 100ab, and ECU 100ac that constitute the first network 150a are valid, any of the ECU 100aa, ECU 100ab, and ECU 100ac that constitute the first network 150a is an unauthorized ECU. It can be determined whether or not it has been replaced.

  In step S1710, when it is not determined that a response authentication message accompanied with correct response authentication data is received, the relay processing unit 232 discards the message. Then, the relay processing unit 232 increases the count value indicating the number of message discards.

  In step S1712, the relay processing unit 232 determines whether or not the message has been discarded a certain number of times. If it is determined that the message is not discarded a certain number of times, the process returns to step S1702.

  If it is determined in step S1714 that the message has been discarded a certain number of times, the relay processing unit 232 gives a warning by notifying the user.

  In step S1716, when it is determined in step S1708 that a response authentication message accompanied by correct response authentication data has been received, the message authentication processing unit 222 transmits a request message from the transmission / reception unit 212 to the ECU 100aa, the ECU 100ab, and the ECU 100ac. The transmission / reception unit 212 monitors the response time until the response message is received. Since the ECU 100a can determine that the response authentication message with the correct response authentication data is valid, the response time from when the request message is transmitted until the response message is received by the transmission / reception unit 212 is monitored. Thus, it is determined whether or not an unauthorized ECU is added to the first network 150a.

  In step S1718, the message authentication processing unit 222 determines whether or not the response time from when the request message is transmitted until the response message is received is within the specified time range shown in FIG.

  In step S1720, when it is determined that the response time from the transmission of the request message to the reception of the response message is within the specified time range, the relay processing unit 232 transmits the message transmitted by the ECU 100a from the transmission / reception unit 212. Relay to second communication line 160b. When an unauthorized ECU is added, the difference voltage between CANH and CANL is different from usual, and it is often impossible to receive a response message. That is, it is assumed that the message authentication processing unit 222 cannot receive a response message within a specified time range. When a response message is received within the specified time range, it is determined that an unauthorized ECU has not been added.

  In step S1722, when it is determined that the response time from when the request message is transmitted until the response message is received is not within the specified time range, the relay processing unit 232 discards the message transmitted by the ECU 100a. Then, the relay processing unit 232 increases the count value indicating the number of message discards.

  In step S1724, the relay processing unit 232 determines whether or not the message has been discarded a certain number of times. If it is determined that the message is not discarded a certain number of times, the process returns to step S1702.

  If it is determined in step S1726 that the message has been discarded a certain number of times, the relay processing unit 232 gives a warning by notifying the user.

  The flow shown in FIG. 17 can be executed regularly or irregularly. Further, the flow shown in FIG. 14 can be executed by a predetermined operation performed by the user.

  According to the communication system according to this modification, CAN is applied to a gateway that connects a first communication line to which CAN is applied and a second communication line to which a communication protocol different from CAN is applied. Whether or not the ECU constituting the network has been replaced by an unauthorized ECU without providing a function for confirming the security state of the network configured by connecting the ECU to the communication line It is determined whether a new ECU has been added. Thereby, the security of the entire communication system can be improved without applying security measures to the CAN signal itself transmitted through the first communication line.

  Compared with the above-described embodiment by determining whether the ECU constituting the network has not been replaced by an unauthorized ECU, and whether an unauthorized ECU has been added to the network, regardless of the security status of the network. Thus, processing for monitoring the differential voltage and monitoring the communication cycle can be omitted, so that the processing load can be reduced.

  The multi-protocol gateway is an example of a gateway, the ECU configuring the first network is an example of a first device, and the ECU configuring the second, third, or fourth network is an example of a second device. It is.

  Although the present invention has been described above with reference to specific embodiments and modifications, each embodiment and modification is merely illustrative, and those skilled in the art will recognize various modifications, modifications, alternatives, and substitutions. You will understand examples. For convenience of explanation, an apparatus according to an embodiment of the present invention has been described using a functional block diagram, but such an apparatus may be implemented in hardware, software, or a combination thereof. The present invention is not limited to the above-described embodiments, and various variations, modifications, alternatives, substitutions, and the like are included without departing from the spirit of the present invention.

100 (aa, ab, ac, ba, bb, bc, ca, cb, cc, da, db, dc) ECU
102 Microcontroller 104 Transceiver 112 Transmission / reception unit 114 Control unit 150a First network 150b Second network 150c Third network 150d Fourth network 160 Communication line 160a First communication line 160b Second communication line 160c Third network Communication line 160d Fourth communication line 200, 300 GW ECU
202 Microcontroller 204a 1st transceiver 204b 2nd transceiver 204c 3rd transceiver 204d 4th transceiver 206 Voltage monitor device 212 Transmission / reception unit 214 Communication cycle monitoring unit 216 Storage / reading processing unit 218 Storage unit 220 ECU authentication processing unit 222 Message authentication processing unit 224, 232 Relay processing unit 226 ECU authentication management DB
228 Message Authentication Management DB
230 Relay destination management DB

Claims (5)

A first device that communicates according to the CAN protocol;
A second device that communicates according to another protocol different from the CAN protocol;
A gateway that performs protocol conversion between the CAN protocol and the other protocol, and relays a message between the first device and the second device;
The gateway is
Monitor the voltage of the communication bus connecting the gateway and the first device and / or the communication cycle of the first device, and based on the result of the monitoring, the first device A communication system including a control unit that performs control to relay a message to be transmitted to the second device.   The communication system according to claim 1, wherein a payload length of a frame transmitted by the first device is shorter than a payload length of a frame transmitted by the second device.   The said control part judges the correctness of the said 1st apparatus, when the result of the said monitoring of either the voltage of the said communication bus | bath and the said communication period is abnormal. Communication system.   When the monitoring result of both the voltage of the communication bus and the communication cycle is abnormal, the control unit determines the validity of the first device and sends a message to the first device. The communication system according to claim 1, wherein a response time from transmission to reception of a response to the message is verified. A gateway that relays messages between a first device that communicates according to a CAN protocol and a second device that communicates according to another protocol different from the CAN protocol,
A voltage monitoring unit for monitoring a voltage of a communication bus connecting between the gateway and the first device;
A microcontroller that performs protocol conversion between the CAN protocol and the other protocol and relays a message between the first device and the second device;
The microcontroller is
Both or one of the voltage and the communication cycle of the first device is monitored, and based on the result of the monitoring, control is performed to relay a message transmitted by the first device to the second device. A gateway having a control unit.

Images