JP6544250B2 - Relay device - Google Patents

Description

  The present invention relates to a technique for relaying data.

  Conventionally, techniques for mutually communicating between communication devices connected to communication lines are well known. In addition, there is known a technology in which a plurality of groups in which several devices of these communication devices are combined are set in advance, and communication can be performed only between communication devices belonging to the same group.

  Patent Document 1 discloses a technology that enables communication only between communication devices belonging to the same group using a port-based VLAN function by a switching hub, that is, a technology for dividing a network into groups. It is done.

Patent No. 3714238 gazette

  For example, also in a vehicle, mutual communication is performed between electronic control units ("Electronic Control Unit", hereinafter referred to as "ECU") mounted in the vehicle and connected to a communication line. An external tool, which is a communication device outside the vehicle, can be connected to the communication line, and the external tool can be used to perform communication with the on-vehicle ECU.

  The operations that can be performed by communicating with the on-board ECU using an external tool should not be performed by persons other than authorized workers, such as setting and reading of vehicle control information, program rewriting processing, etc. Operation is also included. For example, when an external tool (a non-regular external tool) is connected to a communication line by a non-regular worker, there is a possibility that such information or program may be illegally obtained or rewritten. For this reason, it is desirable that the network connected to the external tool be separated from the network connected to the on-vehicle ECUs.

  However, when the switching hub using the technology of port-based VLAN described in Patent Document 1 is applied to the configuration in the above-described vehicle, the network connected with the external tool and the network connected with the on-vehicle ECUs are completely It is separated. For this reason, in order to realize communication between the external tool and the on-board ECU, for example, a new device is needed which once records data from the external tool and transmits the recorded data to the on-board ECU. There was a possibility that it might become a complicated configuration.

  The present invention has been made in view of these problems, and when communicating with a plurality of communication devices connected to a communication line, the communication with a non-regular communication device is suppressed with a simple configuration. The purpose is to provide

  A relay device (30) according to the present invention is a device which is connected to a plurality of communication lines and relays data between the plurality of communication lines, and includes a correspondence acquisition unit (S120) and a data acquisition unit (S100). And a communication line identification unit (S110), a coincidence determination unit (S125), and a relay execution unit (S150, S155). The correspondence acquisition unit acquires correspondence information, which is information representing, for each of the communication lines, the correspondence between the communication line and the device connected to the communication line.

  The data acquisition unit acquires, as acquisition data, data including transmission source information which is information for identifying a transmission source of data from any one of the plurality of communication lines. The communication line identification unit identifies the communication line from which the acquired data is acquired as the acquired communication line. The coincidence determination unit is connected to the acquired communication line among the transmission source apparatus indicated by the transmission source information included in the acquired data and the corresponding apparatus corresponding to the apparatus connected to the communication line in the correspondence information. It is determined whether or not the devices except the specified device match.

  The relay execution unit (S150, S155) relays the acquired data between the plurality of communication lines when it is determined by the match determination unit that they do not match, and that the match determination unit matches. If determined, the acquired data is not relayed.

  That is, if an unauthorized communication device that has become one of the supported devices is connected to the communication line, the transmission source indicated by the transmission source information included in the data acquired from this communication line (acquisition communication line) The relay device does not relay the acquired data because the device matches any of the devices excluding the device connected to the acquisition communication line among the corresponding devices.

  According to such a configuration, when performing communication between a plurality of communication devices connected to the communication line, communication with a non-regular communication device with a simple configuration without requiring a new device Can be suppressed.

  In addition, the reference numerals in the parentheses described in this column and the claims indicate the correspondence with specific means described in the embodiment described later as one aspect, and the technical scope of the present invention It is not limited.

BRIEF DESCRIPTION OF THE DRAWINGS The block diagram which shows the structure of the communication system and switching hub of embodiment. The figure explaining the composition of a frame. 5 is a flowchart showing switching hub processing. FIG. 2 is a diagram showing an example of a routing table in the configuration of FIG. 1; The figure which shows an example of a routing table when the power supply of a switching hub is turned on. The figure which shows an example of a routing table when ECU10a and ECU10b are registered. The block diagram which shows the structure of the communication system in case the illegitimate external apparatus which spoofed ECU10b is connected. A figure showing an example of a routing table when correspondence is registered about all of ECU10 in in-vehicle network. The figure which shows an example of a routing table when the irregular external device is connected previously. FIG. 10 is a view showing an example of a routing table to which a correspondence for a communication line L2 is added in FIG. 9; The flowchart of ECU reception processing. FIG. 5 is a sequence diagram for explaining communication between the ECUs 10; The sequence diagram explaining communication with ECU10 and a regular external device. The sequence diagram explaining communication with ECU10 and an irregular regular device.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
[1. Constitution]
The communication system 1 illustrated in FIG. 1 is a communication system using, for example, UDP among protocols in Ethernet, and includes three ECUs 10 a to 10 c and one normal external device 20 as nodes. Furthermore, the communication system 1 includes a switching hub 30 as a relay device. Ethernet is a registered trademark. UDP is an abbreviation of "User Datagram Protocol".

  The ECUs 10a to 10c are connected to the switching hub 30 by the communication lines L1 to L3. The switching hub 30 is connected to the normal external device 20 by a communication line L4. For example, the frame transmitted from the ECU 10 a is transmitted to one of the other EUCs 10 b to 10 c and the authorized external device 20 via the switching hub 2. Further, the frame transmitted from the normal external device 20 is transmitted to any of the ECUs 10a to 10c via the switching hub 30.

  The ECUs 10a to 10c are ECUs that perform various controls of the vehicle. For example, the ECU 10a may be an ECU that controls a transmission, the ECU 10b may be an ECU that controls a steering device, and the ECU 10c may be an ECU that controls a brake device. However, the control executed by the ECUs 10a to 10c is not limited to these. In the following, when describing matters common to individual components such as the ECUs 10a to 10c, suffixes after reference numerals are omitted and described, such as the ECU 10.

  The regular external device 20 is a communication device outside the vehicle, and is connected to the ECU 10 mounted on the vehicle via the switching hub 30 to communicate with the connected ECU 10 to obtain vehicle control information It is a device for realizing functions such as setting and reading and program rewriting processing.

  The switching hub 30 is a relay device to which a plurality of communication lines are connected and which relays a frame between the plurality of communication lines. In the present embodiment, the switching hub 30 includes four terminals P1 to P4, the communication line L1 is connected via the terminal P1, the communication line L2 is connected via the terminal P2, and the communication line via the terminal P3. L3 is connected, and the communication line L4 is connected via the terminal P4.

The terminal P4 and the communication line L4 are detachably connected by a connector (not shown). That is, the normal external device 20 is detachably connected to the switching hub 30.
The frames transmitted from the ECU 10 and the authorized external device 20 may be frames transmitted to a specific device, or may be multicast frames transmitted simultaneously to a plurality of devices other than the device of the transmission source. The broadcast frame may be transmitted simultaneously to all devices other than the device of the transmission source.

  The frame communicated in the communication system 1 is an Ethernet frame shown in FIG. This Ethernet frame comprises areas of destination MAC address, source MAC address, type, data part, and FCS. FCS is an abbreviation of "Frame Check Sequence". The destination MAC address is a MAC address of a device serving as a frame destination (hereinafter referred to as a destination device), and the transmission source MAC address is a MAC address of a device serving as a frame transmission source (hereinafter referred to as a transmission source device) . The MAC address is an address unique to the device.

  Also, although not shown in FIG. 2, UDP packets are encapsulated and included in the data part of the frame. In the present embodiment, as for the port number in the UDP packet, “50000” is used for communication between the ECUs 10a to 10c (hereinafter, referred to as vehicle control), and “13400” is diagnosed by the authorized external device 20 or program rewrite It is used for communication (hereinafter referred to as diagnosis) for performing

  In the case of transmitting a frame to a specific device, for example, in the case of transmitting the ECU 10 a as a destination, the destination MAC address may be a value indicating that the ECU 10 a is a destination. In the case of a multicast frame, for example, in the case of a multicast frame whose destination is the ECUs 10a to 10c, the destination MAC address may be a value indicating that the ECUs 10a to 0c are the destinations. Also, for example, in the case of a broadcast frame, all bits of the destination MAC address may be "1".

  Returning to FIG. 1, the explanation will be continued. The switching hub 30 includes a relay control unit 31 that controls the operation of the switching hub 30. The operation of the switching hub 30 is realized by the processing operation of the relay control unit 31.

  The relay control unit 31 mainly includes a well-known microcomputer (hereinafter, referred to as a microcomputer) including a CPU 51 and a semiconductor memory (hereinafter, referred to as a memory) 52 such as a RAM, a ROM, and a flash memory. The function of the relay control unit 31, that is, the function of the switching hub 30 is realized by the CPU 51 of the relay control unit 31 executing a program stored in the non-transitional tangible recording medium.

  For example, the ROM corresponds to a non-transitional tangible storage medium storing a program. Also, by executing this program, a method corresponding to the program is executed. The number of microcomputers constituting the relay control unit 31 may be one or more. The method for realizing the function of the relay control unit 31 is not limited to software, and part or all of the function may be realized using hardware combining a logic circuit, an analog circuit, and the like.

  Further, each of the ECUs 10a to 10c also includes in-vehicle control units 11a to 11c that control the operation of the ECUs 10a to 10c. The operations of the ECUs 10a to 10c are realized by the processing operations of the onboard control units 11a to 11c. In addition, the normal external device 20 also includes a normal control unit 21 that controls the operation of the normal external device 20. The operation of the normal external device 20 is realized by the processing operation of the normal control unit 21. What has been described regarding the relay control unit 31 of the switching hub 30 is the same for the on-vehicle control units 11a to 11c of the ECUs 10a to 10c and the normal control unit 21 of the normal external device 20.

[2. processing]
[2-1. Switching hub processing]
Next, the switching hub process performed by the relay control unit 31 of the switching hub 30 will be described with reference to the flowchart of FIG. The switching hub process is a process for relaying the received frame. The relay control unit 31 executes switching hub processing each time a frame is received from the ECU 10 or the normal external device 20. In the following description, when the subject is omitted, the relay control unit 31 is taken as the subject.

  First, in S100, the relay control unit 31 acquires a received frame (hereinafter, also referred to as a reception frame) from any one of the plurality of communication lines L1 to L4. The reception frame includes a transmission source MAC address which is information for identifying a transmission source of the frame, and a destination MAC address which is information for identifying a transmission destination of the frame.

  In S110, the relay control unit 31 identifies the communication line from which the received frame is acquired as the acquired communication line. Specifically, for example, when the reception frame is acquired via the terminal P1, the communication line L1 is specified as an acquisition communication line, and when the reception frame is acquired via the terminal P4, the communication line L4 is acquired. Identify as a line.

  At S115, the relay control unit 31 identifies the transmission source device. The transmission source device is a device indicated by the transmission source MAC address included in the received frame. In the present embodiment, as shown in FIG. 1, the MAC addresses of the ECUs 10a to 10c are represented by X, Y, Z, respectively, and the MAC address of the normal external device 20 is represented by Q. For example, when the transmission source MAC address included in the reception frame is Y, the relay control unit 31 specifies the ECU 10b as the transmission source device, and when the transmission source MAC address included in the reception frame is Q, the relay external device Identify 20 as the source device.

  In S120, the relay control unit 31 acquires the routing table 521. The routing table 521 is information representing the correspondence between the communication lines L1 to L4 and the devices connected to the communication lines L1 to L4 for each communication line. The correspondence relationship refers to the connection between the communication line and the device, which device is connected to which communication line. For example, in the case of the communication system 1 shown in FIG. 1, as shown in FIG. 4 as an example, in the routing table 521, the communication lines L1 to L4, the devices ECUs 10a to 10c connected to the communication lines L1 to L4, and the regular outside The correspondence with the device 20 is represented for each of the communication lines L1 to L4. The routing table 521 is stored in the memory 52.

  The routing table 521 indicates the correspondence between the terminals P1 to P4 and the devices connected to the terminals for each of the terminals P1 to P4 connecting the communication lines L1 to L4 as shown in () in FIG. 4. It may be one.

  The routing table 521 is not necessarily stored in the memory in a state where the correspondence as shown in FIG. 4 is represented in advance. When the switching hub 30 is powered on, as shown in FIG. 5, in the routing table 521, the correspondence between the communication lines L1 to L4 and the devices connected to the communication lines is in an unregistered state.

  Here, registration of the correspondence in the routing table 521 will be briefly described. When the relay control unit 31 receives a frame from a communication line after the switching hub 30 is powered on, the communication line uses the transmission source MAC address of the frame as the MAC address representing the device connected to the communication line. The correspondence between the device and the device is registered in the routing table 521.

  At this time, when the destination MAC address included in the received frame is not registered in the routing table 521, the relay control unit 31 transmits the received frame as a broadcast frame, and communication is performed based on the response to the transmitted frame. The correspondence between the lines L1 to L4 and the MAC address of the transmission source device corresponding to the communication line is learned. The relay control unit 31 records the learned correspondence in the routing table 521 (hereinafter referred to as a routing function).

  The relay control unit 31 learns the correspondence in this manner, and records the routing table 521 representing the correspondence as shown in FIG. 4 in the memory 52. Such learning (hereinafter referred to as registration processing) is well known, and thus further description is omitted.

  In the present embodiment, the routing table 521 further includes information indicating a predetermined order for each of the communication lines L1 to L4. The rank is represented by one of two ranks, a low rank and a high rank higher than the low rank. Specifically, the communication lines L1 to L3 are represented in the high order, and the communication line L4 is represented in the low order.

  In S125, the relay control unit 31 determines whether or not the transmission source device and the devices other than the devices connected to the acquired communication line among the corresponding devices match. The relay control unit 31 shifts the processing to S140 when they match, and shifts the processing to S130 when they do not match. The corresponding device is a device recorded in the routing table 521 in association with a communication line, that is, a device connected to the communication line. The term "coincidence" as used herein means that information for identifying a device, such as a MAC address, is the same.

  As an example in which the relay control unit 31 shifts the process to S130, the following case can be considered. For example, in the case where a received frame including “Y” as a transmission source MAC address is acquired from the communication line L2 in S100, and the routing table 521 shown in FIG. 6 is acquired in S120 (hereinafter referred to as “example 1)”. is there. The routing table 521 shown in FIG. 6 as an example is acquired as the progress of the registration process, and ECUs 10a and 10c, which are devices represented by MAC addresses "X" and "Z", and communication lines L1 and L3. Only the correspondence of is registered. The ECUs 10a and 10c that are devices represented by the MAC addresses "X" and "Z" correspond to the corresponding devices.

  In this case, the relay control unit 31 uses the communication line L2 as an acquisition communication line, and a device represented by the MAC address "Y" which is a transmission source device, and a device connected to L2 which is an acquisition communication line among corresponding devices. Since the devices represented by the MAC addresses “X” and “Z” which are the remaining devices excluding the (unregistered device) do not match, the processing is shifted to S130.

  In S130, the relay control unit 31 determines whether the correspondence relationship between the acquired communication line and the corresponding device corresponding to the acquired communication line, that is, the device connected to the acquired communication line is registered in the routing table 521. to decide. The relay control unit 31 shifts the processing to S150 when the correspondence is registered, and shifts the processing to S135 when the correspondence is not registered.

  For example, in the case of (Example 1), the relay control unit 31 performs processing because the correspondence between the communication line L2 which is the acquired communication line and the corresponding device corresponding to the communication line L2 is unregistered as shown in FIG. To step S135.

  In S135, the relay control unit 31 records the correspondence between the acquired communication line and the corresponding device corresponding to the acquired communication line in the routing table 521, and shifts the processing to S150. The process in this step corresponds to part of the above-described registration process.

  For example, in the case of (Example 1), the relay control unit 31 registers, in the routing table 521, a correspondence indicating that the communication line L2 and the device represented by the MAC address “Y” are connected. Thereby, as shown in FIG. 8, the routing table 521 to which the correspondence for the communication line L2 is added is recorded in the memory 52.

  In S140, if the relay control unit 31 determines that there is a match in S125 (S125; YES), the relay control unit 31 identifies the match rank and the acquisition rank by referring to the routing table 521, and matches the acquisition rank. Compare with the ranks. The acquisition order is the order of the acquired communication lines, and the match order is the order of the matching communication lines. The matching communication line refers to a communication line to which the matching device is connected with a device matching the transmission source device among the corresponding devices as the matching device.

  The relay control unit 31 shifts the processing to S145 when it is determined that the acquisition rank is equal to or higher than the coincidence rank, and shifts the processing to S155 when it is determined that the acquisition rank is lower than the coincidence rank.

  Specifically, as an example in which the relay control unit 31 shifts the process to S140, the following case can be considered. That is, as shown in FIG. 7, a non-regular external device 40 spoofed as the ECU 10 b is connected to the communication line L 4 in place of the normal external device 20.

  The non-regular external device 40 is a device connected to the terminal P4 by a non-regular worker, and means a device for illegally obtaining or rewriting vehicle control information and a program. In addition, the non-regular external device 40 becomes the ECU 10b, that is, the non-regular external device 40 illegally obtains the MAC address "Y" of the ECU 10b and sets the MAC address "Y" as the MAC address of the non-regular external device 40. It means to use.

  For example, when the relay control unit 31 acquires a reception frame including “Y” as a transmission source MAC address from the communication line L4 in S100 and acquires the routing table 521 illustrated in FIG. Example 2)) Let communication line L4 be an acquisition communication line. Then, the relay control unit 31 removes the device (communication line L2) excluding the device represented by “Y” that is the transmission source device and the device (unregistered device) connected to L4 that is the acquired communication line among the corresponding devices. Processing matches with the device connected to (1), and the process proceeds to S140.

  Also, for example, when the relay control unit 31 acquires a reception frame including “Y” as a transmission source MAC address from the communication line L2 in S100, and acquires the routing table 521 illustrated in FIG. , (Example 3)), let the communication line L2 be an acquisition communication line. Then, relay control unit 31 is a device (a device connected to communication line L4 except a device represented by “Y” that is a transmission source device and a device connected to L2 that is an acquisition communication line among the corresponding devices. And the process shifts to S140.

  Here, in the case of (Example 2), as illustrated in FIG. 8, the relay control unit 31 performs communication matching on the communication line L2 to which the matching device represented by the same MAC address "Y" as the transmission source device is connected. As the line, since the acquisition order, which is the order of the acquired communication line L4, is lower than the matching order, which is the order of the matching communication line, the process proceeds to S155. The fact that the acquisition order is lower than the coincidence order means that the acquisition order is lower than the coincidence order.

  On the other hand, in the case of (Example 3), as shown in FIG. 9, the relay control unit 31 sets the communication line L4 connected to the matching device represented by the same MAC address "Y" as the transmission source device to the matching communication line. Since the acquisition order, which is the order of the acquired communication line L2, is higher than that of the coincident communication line L4, the processing is shifted to S145. If the acquisition order is higher than or equal to the coincidence order, it is said that the acquisition order is equal to or higher than the coincidence order.

  In S145, when it is determined in S140 that the acquisition order is equal to or higher than the coincidence order, the relay control unit 31 records the transmission source device as an apparatus corresponding to the acquired communication line in the routing table 521. That is, in the case of (example 3), as shown in FIG. 10, in the case of (example 3), the relay control unit 31 sets the device whose MAC address is represented by “Y” in the routing table 521 as a device corresponding to L2 which is an acquired communication line. Record.

  In S150, if the relay control unit 31 determines that the transmission source device does not match any device other than the device connected to the acquired communication line of the corresponding devices, or if it matches, the acquisition order Is determined to be equal to or higher than the matching order, the received frame is relayed. Specifically, by referring to the routing table 521, the relay control unit 31 identifies a communication line to which a device matching the device represented by the destination MAC address included in the received frame is connected, and uses the identified communication line. , Output received frame. Then, the switching hub process ends.

In the following, it is said that the matching condition is established for the transmission source device that the transmission source device matches the device other than the device connected to the acquisition communication line among the corresponding devices.
In S155, the relay control unit 31 relays the received frame when it is determined that the matching condition is established for the transmission source device, and when it is determined that the acquisition order is less than the coincidence order. Without shifting the process to S160.

  In S160, the relay control unit 31 deletes from the routing table 521 the correspondence between the device corresponding to the acquired communication line in the routing table 521 and the acquired communication line. Then, the switching hub process ends. That is, in the case of (Example 2), the relay control unit 31 deletes from the routing table 521 the correspondence between the acquired communication line L4 and the device whose MAC address is represented by “Y”.

That is, the switching hub 30 operates as follows by performing the switching hub process.
(1) The switching hub 30 relays the received frame when the matching condition for the transmission source device is not satisfied.

  (2) The switching hub 30 does not relay the received frame when the matching condition for the transmission source device is satisfied and the acquisition order is less than the coincidence order. Further, even if the matching condition for the transmission source device is satisfied, the switching hub 30 relays the received frame if the acquisition order is equal to or higher than the coincidence order.

  For example, the routing table 521 when the switching hub 30 is powered on is as shown in FIG. After the power is turned on, the routing table 521 is as shown in FIG. 8 when the correspondence relationship with respect to the regular devices, ECUs 10a to 10c, is registered by the routing function.

  Here, after the routing table 521 is registered as shown in FIG. 8, for example, as shown in FIG. 7, it is assumed that the unauthorized external device 40 spoofing the ECU 10b is connected to the communication line L4.

  In such a case, even if an unauthorized frame whose source MAC address is "Y" is received from the non-regular external device 40 connected to the communication line L4, the routing table 521 matches as shown in FIG. Since the device exists and the acquisition order of the communication line L4 which is an acquisition communication line is lower than the matching order of the communication line L2 which is a coincident communication line, the switching hub 30 does not relay the frame.

  Further, for example, as illustrated in FIG. 7, it is assumed that the power of the switching hub 30 is turned on after the non-regular external device 40 spoofing the ECU 10 b is connected. In this case, the routing table 521 immediately after power-on is as shown in FIG. 5, and thereafter, the correspondence relationship between the non-regular external device 40 and the communication line L4 that spoofed the ECU 10b before the ECU 10b is registered, and the ECU 10a , 10c are registered, the routing table 521 is as shown in FIG.

  Here, if an invalid frame whose source MAC address is "Y" is temporarily received from the non-regular external device 40 connected to the communication line L4, the ECU 10b corresponding to the communication line L4 is unregistered, so the routing table There are no matching devices in 521. Therefore, the switching hub 30 relays the frame. Then, the switching hub 30 registers, in the routing table 521, a correspondence relationship indicating that the communication line L4 and the device represented by the MAC address "Y" are connected, as shown in FIG.

Thus, depending on the registration status of the routing table 521, the frame from the non-regular external device 40 may be relayed for the first time (first time).
However, after the routing table 521 shown in FIG. 10 is registered, when the frame is received again from the unauthorized external device 40 connected to the communication line L4 (the second time), the switching hub 30 relays the frame. Not performed. This is because a matching device exists in the routing table 521 shown in FIG. 10, and the acquisition order of the communication line L4, which is an acquired communication line, is lower than the coincidence order of the communication line L2, which is a coincidence communication line.

  Then, the switching hub 30 deletes the correspondence relationship between the communication line L4 and the device represented by the MAC address “Y” from the routing table 521. The routing table 521 is as shown in FIG. 8, and after the routing table 521 shown in FIG. 8 is registered, even if the unauthorized external device 40 impersonating the ECU 10b is connected to the communication line L4, (2) As described in, the switching hub 30 does not relay the frame from the non-regular external device 40.

  On the other hand, when the frame is received from the regular ECU 10b connected to the communication line L2 after the routing table 521 shown in FIG. 9 is registered, the switching hub 30 relays the frame. The matching device exists in the routing table 521, but the acquisition order of the communication line L2 which is an acquisition communication line is higher than the matching order of the communication line L4 which is a coincidence communication line.

  Note that a table (hereinafter referred to as an initial table) in which correspondence relationships (see FIG. 8) between the communication lines L1 to L3 and devices represented by MAC addresses “X”, “Y”, and “Z” are recorded It may be recorded in a non-volatile memory such as a ROM of 52. Then, after the switching hub 30 is powered on, the correspondence represented by the initial table may be registered as the correspondence of the routing table 521 before enabling the routing function, and then the routing function may be validated.

According to this, unlike the above-mentioned, it can suppress that the frame transmitted from the irregular external device 40 for the first time is relayed.
[2-2. ECU reception processing]
Next, ECU reception processing executed by the on-board control units 11a to 11c of the ECUs 10a to 10c will be described using the flowchart of FIG. The on-board control units 11a to 11c execute the same processing, and therefore, hereinafter, the ECUs 10a to 10c are simply referred to as the ECU 10, and the on-board control units 11a to 11c are simply referred to as the on-vehicle control unit 11.

  The ECU reception process is a process for preventing the reception frame from being received from an ECU other than the authorized ECU for which the authentication has been established. The in-vehicle control unit 11 executes an ECU reception process each time a frame is received. In addition, when the subject is abbreviate | omitted by the following description, the vehicle-mounted control part 11 is made into a subject.

  In S200, the in-vehicle control unit 11 determines whether the received frame is for vehicle control. Specifically, when the port number included in the reception frame is 50000, it is determined that it is for vehicle control, and when the port number is 13400, it is determined that it is for diagnosis rather than for vehicle control. The on-vehicle control unit 11 shifts the process to S210 when the received frame is for vehicle control, and shifts the process to S250 when the received frame is for diagnosis.

  In S210, it is determined whether the source MAC address included in the received frame is registered in the authentication table. The authentication table is a table in which a MAC address representing a device for which authentication has been completed is registered. The authentication table is stored in a memory included in the on-vehicle control unit 11. The on-vehicle control unit 11 shifts the process to S250 when the transmission source MAC address included in the received frame is registered in the authentication table, and shifts the process to S220 when it is not registered.

  In S220, the in-vehicle control unit 11 executes an authentication process. In the present embodiment, as an example, the data portion in the vehicle control frame includes data representing various information such as a control command or response, and an authentication code for the data, for example. . The authentication code is a calculation result obtained by calculating data according to a predetermined algorithm common to the ECUs 10 using the predetermined public key common to the ECUs 10. The public key is a predetermined code, and is stored in a memory included in the on-vehicle control unit 11.

  In this step, the on-vehicle control unit 11 compares the result of calculating the data included in the received frame according to the above-described algorithm using the public key with the authentication code included in the received frame, and determines whether they match And record the determination result in the memory.

  In S230, the in-vehicle control unit 11 determines whether or not the authentication is established. Specifically, the on-vehicle control unit 11 determines that the authentication is established when the determination result in S220 indicates a match. The in-vehicle control unit 11 shifts the process to S240 when the authentication is established, and ends the present ECU reception process when the authentication is not established.

In S240, the in-vehicle control unit 11 adds the transmission source MAC address included in the received frame to the authentication table and records the same.
In S250, the in-vehicle control unit 11 acquires data included in the received frame, and executes a response to the data.

In this manner, the on-vehicle control unit 11 can prevent the reception frame from the ECUs other than the authenticated ECUs from being received by the ECU reception process.
[3. Operation example]
An operation example of the communication system 1 configured as described above will be described with reference to FIGS. 12 to 14.

  (3a) FIG. 12 is a diagram for explaining an example in which the ECU 10b transmits a frame for vehicle control including data for controlling the vehicle to the ECUs 10a and 10c multiple times via the communication line L2. In the frame for vehicle control, the port number is set to 50000.

  Here, first, in the routing table 521, the ECU 10a whose MAC address is represented by X is connected to the communication line L1, and the ECU 10c whose MAC address is represented by Z is connected to the communication line L3. It is assumed that the relationship has already been recorded, and the correspondences for the communication line L2 and the communication line L4, that is, the corresponding devices have not been recorded yet (see FIG. 6). Further, in the ECUs 10a and 10c, it is assumed that the authentication of the ECU 10b has not been established yet.

  12, in the first transmission, the ECU 10b (vehicle-mounted control unit 11b) transmits a vehicle control frame including an authentication code to the ECUs 10a and 10c as a destination (S310).

  The switching hub 30 (relay control unit 31) receives a frame from the communication line L2 via the terminal P2 and refers to the routing table 521 to determine whether the matching condition for the transmission source device is satisfied (S125) And based on whether or not the acquisition order is less than the coincidence order (S140), it is determined whether to relay the frame.

  When it is determined that the switching hub 30 may relay (S125: NO, or S125; YES and S140; NO), the ECUs 10a and 10c, which are transmission destination devices represented by the destination MAC address included in the frame, are connected. The communication lines L1 and L3 are identified with reference to the routing table 521, and the reception frame is relayed to the identified communication lines L1 and L3 (S320).

  The ECU 10a (in-vehicle control unit 11a) and the ECU 10c (in-vehicle control unit 11c) execute the authentication process, record the MAC address of the ECU 10b as the transmission source device in the authentication table, and execute the process corresponding to the received frame (S330) , S340).

The ECU 10b transmits a frame not including the authentication code in the second and subsequent transmissions after the authentication is established (S310).
Since the MAC address representing the ECU 10b is already recorded in the authentication table, the ECU 10a and the ECU 10c execute the process according to the received frame without executing the authentication process (S370, S380).

  As described above, in transmission and reception of a frame for vehicle control between the ECUs 10 of the present embodiment, after the authentication process is performed once, the transmission source device can transmit the frame without including the authentication code. The destination device can receive the frame without performing the authentication process again.

  (3b) FIG. 13 is a diagram for explaining an example in which the normal external device 20 transmits a diagnostic frame to the ECU 10a via the communication line L4. In the diagnostic frame, the port number is set to 13400. Here, initially, as shown in FIG. 8, the correspondence between the communication lines L1 to L3 and the ECUs 10a to 10c is already recorded in the routing table 521, and the correspondence for the communication line L4 is not yet recorded. It shall be.

In FIG. 13, the normal external device 20 (the normal control unit 21) transmits a diagnostic frame with the ECU 10a as a destination (410).
When the switching hub 30 (relay control unit 31) determines that the received frame may be relayed, the device represented by the source MAC address "Q" included in the received frame as shown in FIG. It records in the routing table 521 as a corresponding device of L4, identifies the communication line L1 to which the ECU 10a which is the transmission destination device represented by the destination MAC address is connected according to the routing table 521, and relays the received frame to the identified communication line L1. (S420).

  The ECU 10a (in-vehicle control unit 11a) determines that the received frame is a diagnostic frame based on the port number (S430), and uses the response data as a destination device for diagnosis. Frame is generated, and the frame is transmitted (S440).

  The switching hub 30 identifies that the communication line to be transmitted is the communication line L4 according to the transmission source MAC address and the routing table 521, and relays the frame received from the communication line L1 to the communication line L4 (S450) .

  Thereby, the regular external device 20 can acquire diagnostic data from the ECU 10a (S460). Further, the ECU 10a can transmit response data without performing authentication with the normal external device 20.

  (3c) In FIG. 14, after the authentication between the ECU 10b and the ECUs 10a and 10c is established, the unauthorized external device 40 spoofing the ECU 10b is connected to the terminal P4, and the unauthorized external device 40 spoofs the ECU 10b to transmit a frame. It is a figure explaining an example.

S510 to S540 in FIG. 14 are the same as S310 to S340 in FIG.
In FIG. 14, after authentication of the ECU 10 b is established, the unauthorized external device 40 is connected to the terminal P 4, and spoofs the ECU 10 b to transmit an illegal vehicle control frame with the ECUs 10 a and 10 b as transmission destination devices. (S550). At this time, the non-regular external device 40 sets the port number of the frame to 50000.

  In the switching hub 30, the MAC address "Y" representing the transmission source device is identical to the device connected to the communication line L2, and the communication line L4 is an acquisition communication line and the communication line L2 is a coincidence communication line, Based on the fact that the acquisition order is less than the coincidence order, it is determined that the frame is not to be relayed (S125; YES, S140; YES), and the reception frame is not relayed (S560).

  As a result, even if the non-regular external device 40, which has become the switching hub 30 in one of the ECUs 10a to 10c in the in-vehicle network, is connected to the communication line L4, the frame from the non-regular external device 40 is not relayed. Can be

[4. effect]
According to the embodiment described above, the following effects can be obtained.
(4a) The switching hub 30 (relay control unit 31) is a relay device connected to the plurality of communication lines L1 to L4 and relaying a frame between the plurality of communication lines L1 to L4.

  The relay control unit 31 acquires the routing table 521, which is information representing the correspondence between the communication lines L1 to L4 and the devices connected to the communication lines L1 to L4 for each of the communication lines L1 to L4 (S120). The relay control unit 31 acquires a frame including a transmission source MAC address, which is information for identifying a transmission source of a frame, from any one of the plurality of communication lines L1 to L4 as a reception frame (S100). The relay control unit 31 specifies the communication lines L1 to L4 from which the received frame is acquired as the acquired communication lines L1 to L4 (S110).

  The relay control unit 31 acquires communication among the corresponding devices that are devices associated with the transmission source device indicated by the transmission source MAC address included in the reception frame and the devices connected to the communication lines L1 to L4 in the routing table 521. It is determined whether the devices excluding the devices connected to the lines L1 to L4 match (S125).

  The relay control unit 31 relays the received frame between the plurality of communication lines L1 to L4 when it is determined that they do not match in S125, and when it is determined that they match in S125, the relay frame is received. Do not relay. (S150, S155).

  In other words, if a non-regular communication device, which has become a one of the corresponding devices, is connected to a communication line, the switching hub is a source MAC included in data acquired from this communication line (acquisition communication line). Since the transmission source device indicated by the address (transmission source information) matches one of the devices excluding the device connected to the acquired communication line among the supported devices, the acquired data is not relayed. According to this, when mutually communicating between a plurality of devices connected to the communication line, the communication with the unauthorized communication device is suppressed with a simple configuration without requiring a new device. Can.

  (4b) The routing table 521 includes a predetermined order for each of the communication lines L1 to L4. If the relay control unit 31 determines in step S125 that there is a match (S125; YES), the communication line L1 to which the matching device is connected, with the device matching the transmission source device among the corresponding devices as the matching device. The identification order representing the order of the matching communication lines L1 to L4 and the acquisition order representing the order of the acquisition communication lines L1 to L4, which are ~ L4, is specified by referring to the routing table 521, and the acquisition order and the coincidence order Are compared (S140).

The relay control unit 31 relays the received frame when it is determined in S150 that the acquisition order is equal to or higher than the coincidence order in S150.
According to this, if a device having a possibility of impersonating an on-vehicle device such as the non-regular external device 40 is connected to the low-order communication line, the non-regular external device 40 is preliminarily transmitted to the low-order communication line. Even if the unauthorized external device 40 is spoofed as one of the on-vehicle devices (corresponding devices), data from the spoofed legitimate device can be relayed.

  (4c) The relay control unit 31 records the transmission source device as a device corresponding to the acquired communication lines L1 to L4 in the routing table 521 when it is determined that the acquisition order is equal to or higher than the coincidence order in S140 (S145) .

  According to this, since the routing table 521 is updated to the correct correspondence relationship, after updating, it is possible to relay the frame based on the correct routing table 521.

  (4d) If the relay control unit 31 determines that the acquisition order is lower than the coincidence order in S140, the relay control unit 31 corresponds to the apparatus corresponding to the acquired communication lines L1 to L4 in the routing table 521, and the acquired communication lines L1 to L4. Is deleted from the routing table 521 (S160).

  According to this, since the incorrect correspondence relationship is deleted from the routing table 521, it is possible to relay data based on the correct routing table 521 after the deletion.

(4e) The order determined in advance for each of the communication lines L1 to L4 is represented by one of the low order and the high order of two higher than the low order.
According to this, since it is sufficient to connect an external device which may be spoofed to the communication line classified into the low order, the communication system 1 can be configured easily.

  (4f) In S100, the relay control unit 31 acquires a frame further including a destination MAC address, which is information for identifying the transmission destination of the frame, from any one of the plurality of communication lines L1 to L4 as a reception frame. Do. In S150, when relaying a received frame, the relay control unit 31 identifies the communication lines L1 to L4 to which the device matching the device represented by the destination MAC address is connected by referring to the routing table 521, and identifies The received frame is output to the communication lines L1 to L4.

According to this, by referring to the routing table 521, it is possible to relay a frame to a device whose destination is specified.
In the above embodiment, the relay control unit 31 corresponds to an example as a data acquisition unit, a communication line identification unit, a correspondence acquisition unit, a rank determination unit, an update unit, a relay execution unit, and a deletion unit. Also, S100 corresponds to an example of processing as a data acquisition unit, S110 corresponds to an example of processing as a communication line identification unit, S120 corresponds to an example of processing as a correspondence acquisition unit, and S140 is a rank determination unit. It corresponds to an example of processing as.

  Further, S145 corresponds to an example of processing as an update unit, S150 and S155 correspond to an example of processing as a relay execution unit, and S160 corresponds to an example of processing as a deletion unit. Also, the reception frame corresponds to an example of acquired data, the transmission source MAC address corresponds to an example of transmission source information, and the destination MAC address corresponds to an example of transmission destination information. The routing table 521 corresponds to an example of the correspondence information.

[5. Other embodiments]
As mentioned above, although the form for implementing this invention was demonstrated, this invention can be variously deformed and implemented, without being limited to the above-mentioned embodiment.

  (5a) In the above embodiment, in the switching hub process, in the switching hub process, when the matching condition for the transmission source device is not satisfied, or even if the matching condition is satisfied, the acquisition order is the same. When it is determined that the above is true, the received frame is relayed, but it is not limited to this.

  For example, the relay control unit 31 may be configured to relay the frame when the coincidence condition is not satisfied, and not to relay the frame when the coincidence condition is satisfied. In this case, S140 to S145 may be deleted from the switching hub process shown in FIG. According to this, at least the ECUs 10a to 10c, which are in-vehicle devices connected to the communication line L4 and connected to other communication lines other than the communication line L4, do not relay the frame from the non-regular external device 40 can do.

  (5b) In the above embodiment, the order of the communication lines is divided into two types, high and low, but the invention is not limited to this. The order of the communication lines may be divided into three or more types. In this case, by using the communication line with the lowest rank as a communication line to which an external device that may perform impersonation is connected, the same effect as that of the above embodiment can be obtained.

  (5c) In the above embodiment, the communication system 1 is a communication system using, for example, UDP among protocols in Ethernet, but the present invention is not limited to this. For example, the communication system 1 may be a communication system using TCP among protocols in Ethernet.

  (5d) In the above embodiment, the routing table 521 is mentioned as an example of the correspondence information, but the present invention is not limited to this. Correspondence information refers to information representing, for each communication line, the correspondence between the communication line and the devices connected to the communication line. The correspondence information may include, for example, the remaining part of the routing table 521 from which the order for each communication line has been deleted, that is, the correspondence between the communication line and the device connected to the communication line.

  (5e) The multiple functions of one component in the above embodiment may be realized by multiple components, or one function of one component may be realized by multiple components. . Also, a plurality of functions possessed by a plurality of components may be realized by one component, or one function realized by a plurality of components may be realized by one component. In addition, part of the configuration of the above embodiment may be omitted. In addition, at least a part of the configuration of the above-described embodiment may be added to or replaced with the configuration of the other above-described embodiment. In addition, all the aspects contained in the technical thought specified only by the words described in the claim are an embodiment of the present invention.

  (5f) In addition to the relay control unit 31, the switching hub 30, and the communication system 1, a program for causing the relay control unit 31 to function, a non-transitional real recording medium such as a semiconductor memory having the program recorded, relay The invention can also be realized in various forms, such as a method.

  1 communication system, 30 switching hub, 31 relay control unit, 51 CPU 51.

Claims (5)

A relay apparatus to which a plurality of communication lines are connected and which relays data between the plurality of communication lines,
Corresponding acquisition unit that acquires the correspondence information corresponding relationship is information representing for each of the communication line between the connected communication line and to said communication line device and (S120),
A data acquisition unit (S100) for acquiring, as acquisition data, data including transmission source information that is information for identifying a transmission source of data from any one of the plurality of communication lines;
A communication line identification unit (S110) for specifying the communication line from which the acquired data is acquired as the acquired communication line;
The transmission source apparatus indicated by the transmission source information included in the acquired data, and the apparatus connected to the acquired communication line among the corresponding apparatuses corresponding to the apparatus connected to the communication line in the correspondence information are excluded. A match determination unit (S125) that determines whether or not the devices match;
The acquisition data is relayed between the plurality of communication lines when it is judged by the coincidence judgment unit that they do not coincide, and when the coincidence judgment unit judges that they coincide, the acquired data is turned A relay execution unit (S150, S155) not relaying,
Equipped with
The correspondence information includes a predetermined order for each communication line,
When it is determined by the match determination unit that the match is determined (S125; YES), the communication device is a communication line to which the match device is connected with a device matching the transmission source device among the corresponding devices as the match device. A rank determination unit that identifies a match rank representing the rank of the matching communication line and an acquisition rank representing the rank of the acquired communication line by referring to the correspondence information, and comparing the acquisition rank with the match rank S140)
And further
The relay execution unit (S150) relays the acquired data when the order determination unit determines that the acquisition order is equal to or higher than the coincidence order.
Relay device. The relay apparatus according to claim 1 , wherein
The updating unit (S145), which causes the transmission source device to be recorded as a device corresponding to the acquired communication line in the correspondence information, when it is determined by the rank determination unit that the acquisition rank is equal to or higher than the match rank.
The relay apparatus further comprising The relay apparatus according to claim 1 or 2 ,
When the order determining unit determines that the acquisition order is lower than the matching order, the correspondence between the device corresponding to the acquired communication line in the correspondence information and the acquired communication line is deleted from the correspondence information. Delete part (S160)
The relay apparatus further comprising A repeater apparatus according to any one of claims 1 to 3,
The predetermined order for each communication line is represented by one of two levels, a low order and a high order higher than the low order.
Relay device. The relay apparatus according to any one of claims 1 to 4 , wherein
The data acquisition unit acquires, as the acquired data, data further including transmission destination information, which is information for identifying a transmission destination of the data, from any one of the plurality of communication lines.
When relaying the acquired data, the relay execution unit refers to the correspondence information to identify a communication line to which a device matching the device represented by the transmission destination information is connected, to the identified communication line. Output the acquired data,
Relay device.

Images