WO2012053109A1 - Communication control device, transmission device, reception device, communication system, and communication control method - Google Patents


Info

Publication number: WO2012053109A1
Application number: PCT/JP2010/068742
Authority: WO (WIPO (PCT))
Prior art keywords: frame, macsec, extended, transmission, unit
Prior art date
Other languages: French (fr), Japanese (ja)
Inventor: 佐藤 昌幸
Original Assignee: 三菱電機株式会社
Priority date
Filing date
Publication date
Application filed by 三菱電機株式会社
Priority to JP2012539550A (JP5465335B2)
Priority to PCT/JP2010/068742 (WO2012053109A1)
Publication of WO2012053109A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04Q SELECTING
    • H04Q11/00 Selecting arrangements for multiplex systems
    • H04Q11/0001 Selecting arrangements for multiplex systems using optical switching
    • H04Q11/0062 Network aspects
    • H04Q11/0067 Provisions for optical access or distribution networks, e.g. Gigabit Ethernet Passive Optical Network (GE-PON), ATM-based Passive Optical Network (A-PON), PON-Ring
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/16 Implementing security features at a particular protocol layer
    • H04L63/162 Implementing security features at a particular protocol layer at the data link layer

Definitions

  • the present invention relates to a communication control device, a transmission device, a reception device, a communication system, and a communication control method.
  • MACsec: Media Access Control Security, defined by IEEE 802.1AE.
  • Non-Patent Document 2: the MAC-in-MAC method of IEEE 802.1ah (Provider Backbone Bridges).
  • in the extended MACsec (MAC-in-MAC) frame, the original destination and source MAC addresses are stored after the SecTAG area, which holds the information used by MACsec, and a pseudo destination and a pseudo source MAC address are stored before the SecTAG area.
  • on reception of an extended MACsec frame, the pseudo MAC addresses are no longer needed and are deleted, and the original destination and source MAC addresses stored after the SecTAG area are used as the frame's MAC addresses.
  • in a standard MACsec frame, the original destination and source MAC addresses are stored before the SecTAG area, so a receiver processing a frame sent by the standard MACsec method takes the addresses stored before the SecTAG area as the destination and source MAC addresses.
  • whether the extended or the standard MACsec method is used is normally settled by negotiation after the communication devices connect. If an error occurs during this negotiation, the receiving side may end up with the wrong method selected, or with the method left undetermined.
  • the receiving device cannot then tell from the frame itself whether it was sent by the extended or the standard MACsec method. A frame sent by the standard method but processed as an extended frame has its genuine (original) MAC addresses deleted, and a frame sent by the extended method but processed as a standard frame keeps the pseudo MAC addresses that should have been deleted.
  • the present invention was made in view of the above. Its object is to obtain a communication control device, a transmission device, a reception device, a communication system, and a communication control method that, when a receiver can process both the extended and the standard MACsec method, prevent the problems caused by erroneous processing due to a method selection error.
  • to this end, in a system that transmits both standard MACsec frames (frames encrypted by MACsec) and extended MACsec frames (frames in which the destination and source addresses are encrypted by MACsec together with the data), the transmitter is given an identification information provision unit that stores a predetermined value indicating an extended MACsec frame at a predetermined bit position of the transmission frame whenever the frame is sent as an extended MACsec frame.
  • the effect of the communication control device, transmission device, reception device, communication system, and communication control method according to the present invention is that, when a receiver can perform reception processing for both the extended and the standard MACsec method, problems caused by erroneous processing due to a method selection error are prevented, because the receiver learns the method from the frame itself rather than from negotiated state.
  • FIG. 1 is a diagram illustrating a functional configuration example of a transmission control unit of the transmission apparatus according to the first embodiment.
  • FIG. 2 is a diagram illustrating a functional configuration example of the reception control unit of the receiving apparatus according to the first embodiment.
  • FIG. 3 is a diagram illustrating a functional configuration example of the communication apparatus according to the first embodiment.
  • FIG. 4 is a diagram illustrating a configuration example of the communication system according to the first embodiment.
  • FIG. 5 is a diagram showing the structure of a standard MACsec frame.
  • FIG. 6 is a diagram illustrating the configuration of an extended MACsec frame.
  • FIG. 7 is a flowchart illustrating an example of the receiving operation according to the first embodiment.
  • FIG. 8 is a diagram illustrating an example of a change in the frame format of the extended MACsec frame at the time of reception.
  • FIG. 9 is a diagram illustrating an example of a communication sequence in the communication system according to the first embodiment.
  • FIG. 10 is a flowchart illustrating an example of a receiving operation according to the second embodiment.
  • FIG. 11 is a flowchart illustrating an example of a receiving operation according to the third embodiment.
  • FIG. 12 is a flowchart illustrating an example of a receiving operation according to the fourth embodiment.
  • FIG. 13 is a diagram illustrating a functional configuration example of the reception control unit of the receiving apparatus according to the fifth embodiment.
  • FIG. 14 is a flowchart illustrating an example of a receiving operation according to the fifth embodiment.
  • FIG. 15 is a flowchart illustrating an example of a receiving operation according to the sixth embodiment.
  • FIG. 16 is a diagram illustrating a functional configuration example of a transmission control unit of the transmission apparatus according to the seventh embodiment.
  • FIG. 17 is a diagram illustrating a functional configuration example of the reception control unit of the receiving apparatus according to the seventh embodiment.
  • FIG. 18 is a flowchart illustrating an example of a standard MACsec frame reception operation according to the seventh embodiment.
  • FIG. 19 is a flowchart illustrating an example of an operation for receiving an extended MACsec frame according to the seventh embodiment.
  • FIG. 1 is a diagram illustrating a functional configuration example of the transmission control unit of the transmission apparatus according to the first embodiment of the present invention.
  • FIG. 2 is a diagram illustrating a functional configuration example of the reception control unit of the receiving apparatus according to this embodiment.
  • in this embodiment, a frame encrypted by the transmission device is transmitted to the reception device, which decrypts the frame it receives.
  • the transmission device and the reception device here form a PON (Passive Optical Network) system, but any communication system may be used; the invention is not limited to PON.
  • the transmission control unit of the transmission apparatus includes a transmission frame generation unit 1, a Type encoding unit 2, a MACsec SecTAG encoding unit 3, a standard MACsec SecTAG generation unit 4, an extended MACsec SecTAG generation unit 5, a packet number giving unit 6, an extended MACsec preamble generation unit 7, a key management unit 8, a data encryption unit 9, an ICV generation unit 10, a pseudo MAC address generation unit 11, a PON control unit 12, an FCS addition unit 13, and a preamble addition unit 14.
  • the reception control unit of the receiving apparatus includes a preamble check unit 101, an FCS check unit 102, a PON control unit 103, a received frame identification / decoded frame reconstruction unit 104, a Type check unit 105, a frame determination unit 106, a SecTAG decoding unit 107, an extended MACsec SecTAG check unit 108, a standard MACsec SecTAG check unit 109, a replay check unit 110, an SC / AN confirmation unit 111, a key management unit 112, a data decryption unit 113, and a normality confirmation (ICV check) unit 114.
  • FIG. 3 is a diagram illustrating a functional configuration example of the communication apparatus according to the present embodiment.
  • the communication device 200 shown in FIG. 3 combines the function of the transmission device (FIG. 1) and the function of the reception device (FIG. 2), and operates in the PON system either as an OLT (Optical Line Terminal, the station-side communication device) or as an ONU (Optical Network Unit).
  • the communication apparatus 200 includes a WDM (Wavelength Division Multiplex) 201, an optical Tx (optical transmitter) 202, an optical Rx (optical receiver) 203, a PON-LSI (Large Scale Integration) 204, and an interface 205.
  • the communication device 200 is connected to the upper network 210 or, in some cases, to a terminal (user device) instead. The PON-LSI 204, which performs communication control, is connected to a management apparatus 211 that manages device operation.
  • the PON-LSI 204 is a communication control device that contains the transmission control unit of the transmission device described above and the reception control unit of the reception device.
  • the encryption unit 206 includes the transmission frame generation unit 1 of FIG. 1, the Type encoding unit 2, the MACsec SecTAG encoding unit 3, the standard MACsec SecTAG generation unit 4, the extended MACsec SecTAG generation unit 5, the packet number giving unit 6, the extended MACsec preamble generation unit 7
  • the decryption unit 207 includes the received frame identification / decoded frame reconstruction unit 104, the Type check unit 105, the frame determination unit 106, the SecTAG decoding unit 107, the extended MACsec SecTAG check unit 108, the standard MACsec SecTAG check unit 109, the replay check unit 110, the SC / AN confirmation unit 111, the key management unit 112, the data decryption unit 113, and the normality confirmation unit 114.
  • FIG. 4 is a diagram illustrating a configuration example of the communication system according to the present embodiment.
  • the communication system of this embodiment is a PON system made up of an OLT 301, which is the communication apparatus 200 of FIG. 3, and ONUs 302-1 to 302-N (N an integer of 1 or more), which are also communication apparatuses 200 of FIG. 3.
  • the communication system of FIG. 4 supports both the MACsec method defined by IEEE 802.1AE (standard MACsec) and the extended MACsec method, which adds the MAC-in-MAC method to standard MACsec. The OLT 301 therefore transmits and receives with both methods. Here the ONUs 302-1 to 302-N are also configured to transmit and receive with both methods, but an ONU may instead be configured for only one of them.
  • FIG. 5 shows the frame configuration in which a preamble area holding information used by the PON system is placed immediately before a MACsec (standard MACsec) frame as defined by IEEE 802.1AE, and FIG. 6 shows the corresponding configuration for an extended MACsec frame. The preamble area itself is defined by IEEE 802.3.
  • in the following, the IEEE 802.1AE MACsec (standard MACsec) frame with this preamble area prepended is referred to as a standard MACsec frame.
  • the standard MACsec frame consists of a preamble, DA (Destination Address: destination MAC address), SA (Source Address: source MAC address), SecTAG, Data, ICV, and FCS.
  • the preamble carries the LLID (Logical Link IDentifier) and a CRC (Cyclic Redundancy Check).
  • the SecTAG is the information used by MACsec and consists of the Type (Type information identifying the type of frame), the TCI (TAG Control Information), the AN (Association Number, identifying the SA (Secure Association) within an SC (Secure Channel)), the SL (Short Length), the PN (Packet Number), and the SCI (Secure Channel IDentifier).
  • the TCI includes a V bit indicating the MACsec version, an ES (End Station) bit, an SC bit indicating whether the SCI field is present, an SCB (Single Copy Broadcast) bit, an E bit indicating whether the data is encrypted, and a C (Changed Text) bit that, together with the E bit, tells the receiver how the data and ICV are to be handled.
  • an extended MACsec frame, to which the MAC-in-MAC method is added (hereinafter simply "extended MACsec frame"), likewise includes the preamble area and, as shown in FIG. 6, consists of a preamble, pseudo DA, pseudo SA, SecTAG, DA (destination MAC address), SA (source MAC address), Data, ICV, and FCS.
  • the pseudo DA and pseudo SA occupy the positions where the DA and SA are stored in a standard MACsec frame.
  • the transmission frame generation unit 1 of the transmission device receives transmission data from the upper network 210 (or a terminal) and receives from the management device 211 encryption information concerning that data: whether to encrypt, whether to transmit as a standard or an extended MACsec frame, and the information used for encryption (encryption key and the like). It notifies the encryption information to the Type encoding unit 2.
  • the Type encoding unit 2 generates Type information from the encryption information notified by the transmission frame generation unit 1 and notifies it to the MACsec SecTAG encoding unit 3: the value "0x88E5" defined by IEEE 802.1AE when transmitting a standard MACsec frame, and "0x88E4" when transmitting an extended MACsec frame.
  • the Type information for extended MACsec frames is not limited to "0x88E4"; any value that is not already assigned as Type information by a standard or the like may be used, so that extended frames cannot be confused with standard MACsec frames or with other protocols on the link.
  • when the transmission frame generation unit 1 determines from the encryption information that a standard MACsec frame is to be sent, it instructs the standard MACsec SecTAG generation unit 4 to generate the SecTAG. That unit generates the SecTAG defined by IEEE 802.1AE (the SecTAG other than the Type information) and notifies it to the MACsec SecTAG encoding unit 3.
  • when the transmission frame generation unit 1 determines that an extended MACsec frame is to be sent, it instead instructs the extended MACsec SecTAG generation unit 5, which likewise generates the SecTAG defined by IEEE 802.1AE (other than the Type information) and notifies it to the MACsec SecTAG encoding unit 3.
  • apart from the Type information and the PN, the SecTAG produced by the extended MACsec SecTAG generation unit 5 is identical to that produced by the standard MACsec SecTAG generation unit 4, so unit 5 may be omitted and its function performed by unit 4.
  • the packet number giving unit 6 generates the packet number (PN) and notifies it to the MACsec SecTAG encoding unit 3, which encodes the Type information from the Type encoding unit 2, the SecTAG (excluding Type information and PN) from the standard or extended MACsec SecTAG generation unit 4 or 5, and the PN from the packet number giving unit 6 into an encoded SecTAG and returns it to the transmission frame generation unit 1.
  • when the transmission frame generation unit 1 determines from the encryption information that encryption is to be performed, it notifies the key management unit 8 and the data encryption unit 9 accordingly, passes them the encryption-related information contained in the encryption information, and outputs the transmission data to the data encryption unit 9.
  • the key management unit 8 selects an encryption key, in accordance with IEEE 802.1AE, from the keys it holds in advance, using the information needed for key selection (LLID, MAC address, SCI, etc.) contained in the encryption information, and notifies the selected key to the data encryption unit 9.
  • the data encryption unit 9 encrypts the transmission data output by the transmission frame generation unit 1 with the key notified by the key management unit 8, in accordance with IEEE 802.1AE, and outputs the encrypted data to the transmission frame generation unit 1 and the ICV generation unit 10.
  • in the extended MACsec case, the transmission frame generation unit 1 passes the destination and source MAC addresses to the data encryption unit 9 together with the transmission data, and the data encryption unit 9 encrypts the destination and source MAC addresses along with the data.
  • the ICV generation unit 10 generates an ICV (Integrity Check Value) from the encrypted data in accordance with IEEE 802.1AE and notifies it to the transmission frame generation unit 1.
  • when the transmission frame generation unit 1 determines from the encryption information that extended MACsec is to be used, it instructs the extended MACsec preamble generation unit 7 to generate a preamble; that unit generates the preamble and notifies it to the preamble addition unit 14.
  • because the preamble must comply with the IEEE standard, the preamble generated here is the same as the one used for a standard MACsec frame, so the extended MACsec preamble generation unit 7 may be omitted.
  • when extended MACsec is to be used, the transmission frame generation unit 1 also instructs the pseudo MAC address generation unit 11 to generate a pseudo MAC address. On receiving the instruction, the pseudo MAC address generation unit 11 generates the pseudo MAC addresses (pseudo DA, pseudo SA) and notifies them to the transmission frame generation unit 1. The pseudo MAC addresses may be arbitrary values.
  • when sending the transmission data as an extended MACsec frame, the transmission frame generation unit 1 assembles the transmission frame (excluding the FCS and the preamble) in the format of FIG. 6 from the encoded SecTAG notified by the MACsec SecTAG encoding unit 3, the encrypted data received from the data encryption unit 9, the ICV notified by the ICV generation unit 10, and the pseudo MAC addresses notified by the pseudo MAC address generation unit 11.
  • when sending as a standard MACsec frame, it assembles the transmission frame (excluding the FCS and the preamble) in the format of FIG. 5 from the encoded SecTAG, the encrypted data, and the ICV. In either case the frame is output to the PON control unit 12.
  • the PON control unit 12 performs transmission timing control according to the PON architecture and outputs the transmission frame to the FCS addition unit 13 under that control. In the OLT, the frame is output at the downlink transmission timing that the OLT itself determines for each ONU; in an ONU, the frame is output at the uplink transmission timing assigned to that ONU by the OLT 301.
  • the FCS addition unit 13 computes the FCS of the transmission frame, appends it, and outputs the frame to the preamble addition unit 14.
  • the preamble addition unit 14 prepends a preamble to the frame and outputs it to the optical Tx 202. It uses the preamble notified by the extended MACsec preamble generation unit 7 when one was notified, and the IEEE 802.3-compliant preamble otherwise.
  • the optical Tx 202 converts the frame, preamble included, into an optical signal, which is multiplexed by the WDM 201 and transmitted to the destination.
  • FIG. 7 is a flowchart illustrating an example of a reception operation according to this embodiment.
  • the preamble check unit 101 checks the normality of the received frame's preamble according to IEEE 802.3 (step S2) and outputs the received frame, with the preamble removed, to the FCS check unit 102.
  • the FCS check unit 102 checks the FCS of the received frame (step S3) and outputs the frame, with the FCS removed, to the PON control unit 103. The PON control unit 103 performs reception timing control according to the PON architecture, identifies frames addressed to its own device, and outputs those frames to the received frame identification / decoded frame reconstruction unit 104 (step S4).
  • the PON control unit 103 can decide whether a received frame is addressed to its own device from the DA and SA that follow the preamble. In an extended MACsec frame, however, the pseudo DA and pseudo SA occupy that position. If the own-address decision is to be made from them, the transmitting device should generate the pseudo DA and pseudo SA so that they carry information usable for that decision, for example values derived from the LLID.
  • alternatively, the preamble check unit 101 may decide from the LLID contained in the preamble whether the received frame is addressed to its own device, in which case the PON control unit 103 need not make that decision.
  • the received frame identification / decoded frame reconstruction unit 104 extracts the Type information from the received frame and notifies it to the Type check unit 105, which determines whether it is "0x88E5" (step S5). If it is, the Type check unit 105 judges the received frame to be a standard MACsec frame and notifies the frame determination unit 106, which in turn notifies unit 104.
  • unit 104 then instructs the SecTAG decoding unit 107 to start decoding, extracts the SecTAG from the received frame and outputs it, and also tells the SecTAG decoding unit 107 that the frame is a standard MACsec frame.
  • the SecTAG decoding unit 107 decodes the SecTAG output by unit 104 and outputs the decoded SecTAG to the standard MACsec SecTAG check unit 109, the replay check unit 110, and the SC / AN confirmation unit 111 (step S6).
  • the standard MACsec SecTAG check unit 109 performs the SecTAG confirmation process defined in IEEE 802.1AE and notifies the frame determination unit 106 of the result (step S7).
  • the replay check unit 110 performs the replay protection check defined by IEEE 802.1AE based on the PN in the SecTAG and notifies the frame determination unit 106 of the result (step S8).
  • the SC / AN confirmation unit 111 confirms the SC and AN and notifies them to the key management unit 112 (step S9).
  • the key management unit 112 selects an encryption key from the keys it holds in advance, based on the SC and AN, and notifies the selected key to the data decryption unit 113 (step S10).
  • the data decryption unit 113 obtains the received frame from the received frame identification / decoded frame reconstruction unit 104, decrypts it with the key notified by the key management unit 112, and outputs the decrypted data to the normality confirmation unit 114 (step S11).
  • the normality confirmation unit 114 performs the ICV check (normality confirmation) using the ICV obtained from unit 104 and the decrypted data output by the data decryption unit 113 (step S12), and notifies the frame determination unit 106 of the result.
  • if the result is normal (Yes in step S12), the frame determination unit 106 notifies unit 104, which reconstructs the standard MACsec frame (step S13), and frame reception is complete (step S15). If the result is not normal (No in step S12), the frame determination unit 106 instructs unit 104 to discard the frame, and processing ends (step S14).
  • if the Type information is not "0x88E5" (No in step S5), the Type check unit 105 determines whether it is "0x88E4" (step S16). If it is, the Type check unit 105 judges the received frame to be an extended MACsec frame and notifies the frame determination unit 106.
  • on being told by the Type check unit 105 that the received frame is an extended MACsec frame, the frame determination unit 106 notifies unit 104, which instructs the SecTAG decoding unit 107 to start decoding, extracts and outputs the SecTAG from the received frame, and tells the SecTAG decoding unit 107 that the frame is an extended MACsec frame.
  • the SecTAG decoding unit 107 decodes the SecTAG output by unit 104 and outputs the decoded SecTAG to the extended MACsec SecTAG check unit 108, the replay check unit 110, and the SC / AN confirmation unit 111 (step S17).
  • the extended MACsec SecTAG check unit 108 performs the SecTAG confirmation process defined by IEEE 802.1AE and notifies the frame determination unit 106 of the result (step S18). Since this check is the same as for a standard frame, the extended MACsec SecTAG check unit 108 may be omitted and its function performed by the standard MACsec SecTAG check unit 109.
  • steps S19 to S23 are performed in the same manner as steps S8 to S12. If the result notified by the normality confirmation unit 114 in step S23 is not normal (No in step S23), the frame determination unit 106 instructs unit 104 to discard the frame, and processing ends (step S25).
  • if the result is normal (Yes in step S23), the frame determination unit 106 notifies unit 104, which reconstructs the extended MACsec frame (step S24), and frame reception is complete (step S15).
  • if the Type information is neither "0x88E5" nor "0x88E4" (No in step S16), the Type check unit 105 judges the received frame to be an unencrypted frame (neither a standard nor an extended MACsec frame) and notifies the frame determination unit 106. The received frame is then reconstructed as an unencrypted frame (step S26) and frame reception is complete (step S15).
  • the received frame reconstructed by the received frame identifying / decoding frame reconstructing unit 104 by the above processing is transmitted to the upper network 210 (or terminal) via the interface 205.
  • the operations of the transmission device and the reception device described above are merely examples, and the order of individual processes may be different as long as the same processing results can be obtained.
  • In the present embodiment the Type encoding unit 2 of the transmission device functions as an identification information adding unit that stores, in the Type information, a value indicating that the frame is an extended MACsec frame.
  • The type check unit 105 functions as an identification unit that identifies from the Type information whether the frame is an extended MACsec frame.
  • FIG. 8 is a diagram illustrating an example of how the frame format of an extended MACsec frame changes during reception.
  • The received frame has the format shown in FIG. 8(1), in which the Data portion is ciphertext.
  • At the output of the preamble check unit 101 the preamble has been deleted, as shown in FIG. 8(2).
  • At the output of the FCS check unit 102 the FCS has also been deleted, as shown in FIG. 8(3).
  • After decryption, the ciphertext portion becomes plaintext that begins with the decrypted MAC addresses (DA, SA), and the received frame identification / decoded frame reconstruction unit 104 reconstructs the frame so that a frame having the format shown in FIG. 8(4) is output.
  • The FCS in FIG. 8(1) and 8(2) covers the pseudo MAC addresses through the ICV, whereas the FCS in FIG. 8(4) covers the MAC addresses and the plaintext.
  • FIG. 9 is a diagram illustrating an example of a communication sequence in the communication system according to the present embodiment.
  • the communication system shown in FIG. 4 is assumed.
  • Assume that one of the ONUs 302-1 to 302-N is ONU #1 and that another ONU other than ONU #1 is ONU #2. One of them operates in standard MACsec operation (transmits / receives standard MACsec frames) and the other in extended MACsec operation (transmits / receives extended MACsec frames), as determined by the sequence below.
  • the OLT 301 has a function as a receiving apparatus according to the present embodiment
  • the ONU # 1 and ONU # 2 have a function as a transmitting apparatus according to the present embodiment.
  • When ONU #1 receives the Discovery Gate transmitted from the OLT 301 (step S31), it transmits a Register Request (#1) to the OLT 301 (step S32).
  • The Discovery Gate is a message periodically transmitted by the OLT 301, and the Register Request is a message by which ONU #1 requests registration with the OLT 301.
  • When the OLT 301 receives the Register Request from ONU #1, it transmits a Register (#1) indicating that ONU #1 has been registered (step S33). When ONU #1 receives the Register (#1), it transmits a Register Ack (#1) to the OLT 301 as a response (step S34).
  • Steps S35 to S38 are also performed between the OLT 301 and the ONU # 2 as in the case between the OLT 301 and the ONU # 1.
  • The OLT 301 transmits an inquiry about the MACsec operation (whether or not extended MACsec operation is supported) to ONU #1 (step S39), and ONU #1 answers that it supports extended MACsec operation (step S40).
  • Based on the received answer, the OLT 301 determines that extended MACsec operation is to be performed with ONU #1, and instructs ONU #1 to set extended MACsec operation as its MACsec operation setting (step S41).
  • ONU #1 sets itself to perform extended MACsec operation based on the instruction, and notifies the OLT 301 that the MACsec operation setting is complete (step S42).
  • The OLT 301 transmits the same inquiry about the MACsec operation to ONU #2 (step S43), and ONU #2 answers that extended MACsec operation is not supported (step S44).
  • Based on the received answer, the OLT 301 determines that standard MACsec operation is to be performed with ONU #2, and instructs ONU #2 to set standard MACsec operation as its MACsec operation setting (step S45).
  • ONU #2 sets itself to perform standard MACsec operation based on the instruction, and notifies the OLT 301 that the MACsec operation setting is complete (step S46).
  • ONU #1 generates an extended MACsec frame 401 by extended MACsec processing (the processing when the transmitting apparatus described above transmits an extended MACsec frame) (step S47), and the OLT 301 performs extended MACsec reception processing (the processing when the receiving apparatus described above receives an extended MACsec frame) on the extended MACsec frame 401 (step S48).
  • ONU #2 generates a standard MACsec frame 402 by standard MACsec processing (the processing when the transmitting apparatus described above transmits a standard MACsec frame) (step S49), and the OLT 301 performs standard MACsec reception processing (the processing when the receiving apparatus described above receives a standard MACsec frame) on the standard MACsec frame 402 (step S50).
  • The communication sequence described above is merely an example. Any sequence may be used as long as the OLT 301 and the ONUs 302-1 to 302-N can agree, before data transmission / reception, on whether extended MACsec operation, standard MACsec operation or no encryption is to be performed.
  • If the OLT 301 cannot determine the type of a received frame (whether it is a standard MACsec frame or an extended MACsec frame), or the type is left indefinite, a normal (original) MAC address may be erroneously deleted, or a MAC address that should be deleted (a pseudo MAC address) may be left in place.
  • In the present embodiment, when the transmitting apparatus transmits an extended MACsec frame, it stores a value indicating an extended MACsec frame as the Type information, and the receiving apparatus determines from the Type information whether the frame is an extended MACsec frame. When a frame is received, it can therefore be identified correctly whether it was transmitted by the extended MACsec method or the standard MACsec method, which prevents the problems caused by a method selection error, such as the erroneous deletion of a MAC address or the omission of deleting a MAC address that should be deleted.
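The Type-based identification and the reconstruction of FIG. 8 in working form, as an added example that is not part of the patent text. Assumptions: the page gives no EtherType value for the extended frame, so a placeholder from the IEEE local-experimental range (0x88B5) is used; decryption is out of scope, so the decrypted Secure Data is handed to the reconstruction step directly, and the ciphertext and ICV are length-preserving stand-ins; the sample frames are constructed. The last function forces the wrong reception method on each frame to show the two failure modes the embodiment is meant to prevent: the pseudo MAC addresses surviving into the delivered frame, and the real ones being deleted.

```python
import struct
import zlib

ETHERTYPE_MACSEC = 0x88E5       # standard MACsec (IEEE 802.1AE), as on the page
ETHERTYPE_EXT_MACSEC = 0x88B5   # ASSUMED placeholder: the page gives no value; 0x88B5 is an IEEE local-experimental EtherType
PREAMBLE_SFD = b"\x55" * 7 + b"\xd5"
PSEUDO_DA = bytes.fromhex("0180c2000009")   # pseudo addresses as in Embodiment 5 (any value works here)
PSEUDO_SA = bytes.fromhex("0180c2000009")

def fcs(body: bytes) -> bytes:
    """Ethernet FCS: CRC-32 over DA through the end of the data, least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)

def on_wire(frame: bytes) -> bytes:
    """Prepend preamble/SFD and append FCS: the format of FIG. 8(1)."""
    return PREAMBLE_SFD + frame + fcs(frame)

def fcs_valid(wire: bytes) -> bool:
    return fcs(wire[8:-4]) == wire[-4:]

def strip_preamble_and_fcs(wire: bytes) -> bytes:
    """Preamble check unit 101 and FCS check unit 102: FIG. 8(1) -> 8(2) -> 8(3)."""
    if wire[:8] != PREAMBLE_SFD:
        raise ValueError("preamble/SFD check failed")
    if not fcs_valid(wire):
        raise ValueError("FCS check failed")
    return wire[8:-4]

def classify_by_type(frame: bytes) -> str:
    """Type check unit 105: the Type field alone selects the reception method."""
    (eth_type,) = struct.unpack_from("!H", frame, 12)
    if eth_type == ETHERTYPE_EXT_MACSEC:
        return "extended"
    if eth_type == ETHERTYPE_MACSEC:
        return "standard"
    return "unencrypted"

def reconstruct(frame: bytes, plaintext: bytes, method: str) -> bytes:
    """Received frame identification / decoded frame reconstruction unit 104 (FIG. 8(4), before a new FCS).
    `plaintext` is the decrypted Secure Data; decryption itself is outside this example.
    standard: the outer DA/SA are the real ones and are kept in front of the plaintext.
    extended: the outer DA/SA are pseudo addresses and are dropped; the real DA/SA lead the plaintext."""
    if method == "unencrypted":
        return frame
    if method == "standard":
        return frame[:12] + plaintext
    if method == "extended":
        return plaintext
    raise ValueError(f"unknown method {method!r}")

def receive(wire: bytes, plaintext: bytes, method: str = "") -> bytes:
    """Whole path; a non-empty `method` forces a reception method, as a receiver without Type-based identification might."""
    frame = strip_preamble_and_fcs(wire)
    return reconstruct(frame, plaintext, method or classify_by_type(frame))

# ---- constructed sample frames (not captured traffic) ----
DA = bytes.fromhex("001122334455")
SA = bytes.fromhex("66778899aabb")
PAYLOAD = bytes.fromhex("0800") + b"ip-packet-bytes"   # inner EtherType + 15 data octets
ICV = b"\xa5" * 16                                      # stand-in for the 16-octet GCM tag

def sectag(secure_len: int, pn: int = 7) -> bytes:
    """TCI/AN = 0x0C (E and C set, AN 0), SL = secure-data length when under 48 octets else 0, 32-bit PN."""
    return struct.pack("!BBI", 0x0C, secure_len if secure_len < 48 else 0, pn)

def opaque(data: bytes) -> bytes:
    """Length-preserving stand-in for GCM-AES ciphertext (NOT encryption, just a fixed XOR)."""
    return bytes(b ^ 0x5A for b in data)

def macsec_frame(da: bytes, sa: bytes, eth_type: int, secure_data: bytes) -> bytes:
    return da + sa + struct.pack("!H", eth_type) + sectag(len(secure_data)) + opaque(secure_data) + ICV

STANDARD_WIRE = on_wire(macsec_frame(DA, SA, ETHERTYPE_MACSEC, PAYLOAD))
EXTENDED_WIRE = on_wire(macsec_frame(PSEUDO_DA, PSEUDO_SA, ETHERTYPE_EXT_MACSEC, DA + SA + PAYLOAD))

def correct_reception() -> tuple:
    """Both frames, identified by Type, come out as DA | SA | payload."""
    return receive(STANDARD_WIRE, PAYLOAD), receive(EXTENDED_WIRE, DA + SA + PAYLOAD)

def wrong_method_selection() -> tuple:
    """The hazard the Type information removes: forcing the other method on each frame."""
    kept_pseudo = receive(EXTENDED_WIRE, DA + SA + PAYLOAD, method="standard")  # pseudo MAC not deleted
    lost_real = receive(STANDARD_WIRE, PAYLOAD, method="extended")              # real MAC deleted
    return kept_pseudo, lost_real
```

Both wrong outputs are well-formed frames, so neither the FCS nor a later framing check catches the misclassification; that is why an explicit identifier such as the Type value is needed before reconstruction.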
  • Embodiment 2: a transmitting apparatus and a receiving apparatus according to the second embodiment of the present invention will be described.
  • The configuration of the transmission device and the reception device of the present embodiment is the same as that of the first embodiment.
  • Components having functions similar to those of the first embodiment are denoted by the same reference numerals as in the first embodiment, and description overlapping with Embodiment 1 is omitted.
  • In the present embodiment, the Type encoding unit 2 generates the same Type information as for a standard MACsec frame even when an extended MACsec frame is transmitted. Instead, the extended MACsec SecTAG generation unit 5 sets the V bit (version bit) of the SecTAG to "1", whereas the standard MACsec SecTAG generation unit 4 sets the V bit to the value ("0") defined by IEEE 802.1AE.
  • the operations of the transmitting apparatus other than those described above are the same as those in the first embodiment.
  • FIG. 10 is a flowchart illustrating an example of a reception operation according to this embodiment.
  • Steps S1 to S6 are the same as steps S1 to S6 of the first embodiment.
  • After step S6, the SecTAG decoding process (step S17) is performed on either kind of frame, without first determining whether the frame is a standard MACsec frame or an extended MACsec frame.
  • The extended MACsec SecTAG check unit 108 then determines whether the V bit of the SecTAG is 0 (the value of a standard MACsec frame) (step S30). When the V bit is 0 (Yes in step S30), the extended MACsec SecTAG check unit 108 determines that the received frame is a standard MACsec frame and notifies the frame determination unit 106 of the result; the frame determination unit 106 notifies the received frame identification / decoded frame reconstruction unit 104.
  • In step S7, as in step S7 of the first embodiment, the standard MACsec SecTAG check unit 109 confirms the SecTAG. Since the V bit has already been confirmed in step S30, its confirmation may be omitted here.
  • the subsequent steps S8 to S15 are the same as in the first embodiment.
  • When the V bit is not 0 (No in step S30), the extended MACsec SecTAG check unit 108 determines that the received frame is an extended MACsec frame and notifies the frame determination unit 106 of the result.
  • the frame determination unit 106 notifies the reception frame identification / decoded frame reconstruction unit 104 of the determination result.
  • the subsequent step S18 is the same as that in the first embodiment.
  • In step S18, as in step S18 of the first embodiment, the extended MACsec SecTAG check unit 108 confirms the SecTAG; in this embodiment, however, the V bit differs from the standard, so it is confirmed to be "1".
  • the subsequent steps S19 to S25 are the same as in the first embodiment. Step S26 is also the same as that in the first embodiment.
  • In the present embodiment the extended MACsec SecTAG generation unit 5 of the transmission device functions as an identification information adding unit that stores a value indicating an extended MACsec frame in the V bit, and the extended MACsec SecTAG check unit 108 functions as an identification unit that identifies from the V bit whether the frame is an extended MACsec frame.
  • As described above, when the transmitting apparatus transmits an extended MACsec frame, the value "1" indicating an extended MACsec frame is stored in the V bit of the SecTAG, and the receiving apparatus determines from the V bit whether the frame is an extended MACsec frame. When a frame is received, it can therefore be identified correctly whether it was transmitted by the extended MACsec method or the standard MACsec method, which prevents the problems caused by a method selection error, such as the erroneous deletion of a MAC address or the omission of deleting a MAC address that should be deleted.
  • Embodiment 3: a transmitting apparatus and a receiving apparatus according to the third embodiment of the present invention will be described.
  • The configuration of the transmission device and the reception device of the present embodiment is the same as that of the first embodiment.
  • Components having functions similar to those of the first embodiment are denoted by the same reference numerals as in the first embodiment, and description overlapping with Embodiment 1 is omitted.
  • In the present embodiment, the Type encoding unit 2 generates the same Type information as for a standard MACsec frame even when an extended MACsec frame is transmitted. Instead, the extended MACsec SecTAG generation unit 5 sets the upper 2 bits of the SL byte (short length octet) of the SecTAG to "11", whereas the standard MACsec SecTAG generation unit 4 sets the upper 2 bits of the SL byte to "00". The other operations of the transmitting apparatus are the same as in the first embodiment.
  • The SL (short length) field of the SecTAG defined by IEEE 802.1AE identifies frames shorter than the 64-byte minimum Ethernet (registered trademark) frame: if the length from the last octet of the SecTAG to the first octet of the ICV is less than 48 bytes (64 bytes minus the MAC addresses and the FCS), SL is set to the number of octets in the Secure Data area (the Data portion in FIG. 5); otherwise it is set to zero.
  • In an extended MACsec frame the original MAC addresses are included in the Secure Data area (the DA, SA and Data portions in FIG. 6), so the comparison is made with reference to the Secure Data area rather than to the 48 bytes above, and SL is set to the number of octets in that area or to zero.
  • FIG. 11 is a flowchart illustrating an example of the reception operation according to the present embodiment.
  • Steps S1 to S6 are the same as steps S1 to S6 of the first embodiment.
  • After step S6, the SecTAG decoding process (step S17) is performed on either kind of frame, without first determining whether the frame is a standard MACsec frame or an extended MACsec frame.
  • The extended MACsec SecTAG check unit 108 then determines whether the upper 2 bits of the SL byte of the SecTAG are "00" (step S40). When they are "00" (Yes in step S40), the extended MACsec SecTAG check unit 108 determines that the received frame is a standard MACsec frame and notifies the frame determination unit 106 of the result; the frame determination unit 106 notifies the received frame identification / decoded frame reconstruction unit 104.
  • In step S7, as in step S7 of the first embodiment, the standard MACsec SecTAG check unit 109 confirms the SecTAG; in this embodiment the upper 2 bits of the SL byte of a standard MACsec frame are "00", and the confirmation takes this into account.
  • the subsequent steps S8 to S15 are the same as in the first embodiment.
  • When the upper 2 bits of the SL byte are not "00" (No in step S40), the extended MACsec SecTAG check unit 108 determines that the received frame is an extended MACsec frame and notifies the frame determination unit 106 of the result; the frame determination unit 106 notifies the received frame identification / decoded frame reconstruction unit 104.
  • the subsequent step S18 is the same as that in the first embodiment.
  • In step S18, as in step S18 of the first embodiment, the extended MACsec SecTAG check unit 108 confirms the SecTAG; since the upper 2 bits of the SL byte are "11" in an extended MACsec frame, the SL byte is checked taking this into account.
  • the subsequent steps S19 to S25 are the same as in the first embodiment.
  • Step S26 is also the same as that in the first embodiment.
  • In the present embodiment the extended MACsec SecTAG generation unit 5 of the transmission device functions as an identification information adding unit that stores a value indicating an extended MACsec frame in the SL byte, and the extended MACsec SecTAG check unit 108 functions as an identification unit that identifies from the SL byte whether the received frame is an extended MACsec frame.
  • As described above, when the transmitting apparatus transmits an extended MACsec frame, the upper 2 bits of the SL byte of the SecTAG are set to the value "11" indicating an extended MACsec frame, and the receiving apparatus determines from the SL byte whether the frame is an extended MACsec frame. When a frame is received, it can therefore be identified correctly whether it was transmitted by the extended MACsec method or the standard MACsec method, which prevents the problems caused by a method selection error, such as the erroneous deletion of a MAC address or the omission of deleting a MAC address that should be deleted.
  • Embodiment 4: a transmitting apparatus and a receiving apparatus according to the fourth embodiment of the present invention will be described.
  • the configuration of the transmission device and the reception device of the present embodiment is the same as the configuration of the transmission device and the reception device of the first embodiment.
  • Components having functions similar to those of the first embodiment are denoted by the same reference numerals as those of the first embodiment.
  • Description overlapping with Embodiment 1 is omitted.
  • In the present embodiment, the Type encoding unit 2 generates the same Type information as for a standard MACsec frame even when an extended MACsec frame is transmitted. Instead, the extended MACsec preamble generation unit 7 generates a preamble whose fifth byte (preamble fifth byte 500 in FIG. 6) is "0xAA" and whose other bytes have the values specified in IEEE 802.3, and outputs it to the preamble adding unit 14. The preamble adding unit 14 adds the input preamble when one is input from the extended MACsec preamble generation unit 7, and otherwise adds the preamble defined by IEEE 802.3. The other operations of the transmitting apparatus are the same as in the first embodiment.
  • FIG. 12 is a flowchart illustrating an example of the reception operation according to the present embodiment. Steps S1 and S2 are the same as in the first embodiment, except that in step S2 the preamble is checked excluding its fifth byte.
  • The preamble check unit 101 then determines whether the fifth byte of the preamble is "0xAA" (step S50). If it is not "0xAA" (No in step S50), the preamble check unit 101 determines that the frame is not an extended MACsec frame and passes the determination result to the received frame identification / decoded frame reconstruction unit 104 via the FCS check unit 102 and the PON control unit 103, or via the frame determination unit 106. Thereafter, steps S3 to S15 are performed as in the first embodiment.
  • If the fifth byte of the preamble is "0xAA" (Yes in step S50), the preamble check unit 101 determines that the frame is an extended MACsec frame and passes the determination result to the received frame identification / decoded frame reconstruction unit 104 via the FCS check unit 102 and the PON control unit 103, or via the frame determination unit 106.
  • Steps S3 to S5 are then performed as in the first embodiment. If the Type information is "0x88E5" in step S5 (Yes in step S5), steps S17 to S25 are performed as in the first embodiment; if it is not "0x88E5" (No in step S5), step S26 is performed as in Embodiment 1.
  • Here the preamble check unit 101 determines whether the fifth byte of the preamble is "0xAA", but a separate extended preamble check unit that makes this determination may be provided instead.
  • the extended MACsec preamble generation unit 7 of the transmission device functions as an identification information adding unit that stores a value indicating that it is an extended MACsec frame in the preamble.
  • the preamble check unit 101 functions as an identification unit that identifies whether the preamble is an extended MACsec frame based on the preamble.
  • In the above description the fifth byte of the preamble is set to "0xAA", but the value is not limited to "0xAA"; any value that is not used in standard MACsec frames or other frames may be used, and the value indicating an extended MACsec frame may be stored at another position in the preamble.
  • As described above, in the present embodiment, when the transmitting apparatus transmits an extended MACsec frame it sets the fifth byte of the preamble to the value "0xAA" indicating an extended MACsec frame, and the receiving apparatus determines from the fifth byte of the preamble whether the frame is an extended MACsec frame. When a frame is received, it can therefore be identified correctly whether it was transmitted by the extended MACsec method or the standard MACsec method, which prevents the problems caused by a method selection error, such as the erroneous deletion of a MAC address or the omission of deleting a MAC address that should be deleted.
  • Embodiment 5: FIG. 13 is a diagram illustrating a functional configuration example of the reception control unit of the receiving apparatus according to the fifth embodiment of the present invention.
  • the receiving apparatus according to the present embodiment is the same as the receiving apparatus according to the first embodiment except that an extended MACsec MAC address check unit 115 is added.
  • the configuration of the transmission device is the same as the configuration of the transmission device of the first embodiment. Components having functions similar to those of the first embodiment are denoted by the same reference numerals as those of the first embodiment.
  • Description overlapping with Embodiment 1 is omitted.
  • In the present embodiment, the Type encoding unit 2 generates the same Type information as for a standard MACsec frame even when an extended MACsec frame is transmitted.
  • The pseudo MAC address generation unit 11 generates the pseudo MAC address (pseudo DA, pseudo SA) as "0x01-80-C2-00-00-09" in the case of an extended MACsec frame; in the case of a standard MACsec frame the pseudo MAC address is unnecessary, so it is generated as "Null" having no value.
  • the operations of the transmitting apparatus other than those described above are the same as those in the first embodiment.
  • The address 0x01-80-C2-00-00-09 is only an example; for instance, an address reserved for the own communication system among the group addresses defined by IEEE can be used.
  • FIG. 14 is a flowchart illustrating an example of the reception operation according to the present embodiment. Steps S1 to S4 are the same as in the first embodiment. After step S4, the extended MACsec MAC address check unit 115 determines whether the pseudo MAC address (pseudo DA, pseudo SA) is "0x01-80-C2-00-00-09" (step S60).
  • When the pseudo MAC address is not "0x01-80-C2-00-00-09" (No in step S60), the extended MACsec MAC address check unit 115 determines that the received frame is not an extended MACsec frame and notifies the frame determination unit 106 of the result; the frame determination unit 106 notifies the received frame identification / decoded frame reconstruction unit 104. Thereafter, steps S5 to S15 are performed as in the first embodiment.
  • When the pseudo MAC address is "0x01-80-C2-00-00-09" (Yes in step S60), the extended MACsec MAC address check unit 115 determines that the received frame is an extended MACsec frame and notifies the frame determination unit 106 of the result; the frame determination unit 106 notifies the received frame identification / decoded frame reconstruction unit 104.
  • Step S5 is then performed as in the first embodiment. If the Type information is "0x88E5" (Yes in step S5), steps S17 to S25 are performed as in the first embodiment; if it is not "0x88E5" (No in step S5), step S26 is performed as in Embodiment 1.
  • The pseudo MAC address has been described above as the pair (pseudo DA, pseudo SA), but the value indicating an extended MACsec frame may be set in only one of the pseudo destination MAC address (MAC destination address) and the pseudo source MAC address (MAC source address).
  • Alternatively, the value indicating an extended MACsec frame may be set in both the pseudo destination MAC address and the pseudo source MAC address, using either the same value or different values.
  • the pseudo MAC address generation unit 11 of the transmission device functions as an identification information adding unit that stores a value indicating an extended MACsec frame in the pseudo MAC address.
  • The extended MACsec MAC address check unit 115 functions as an identification unit that identifies from the pseudo MAC address whether the received frame is an extended MACsec frame.
  • As described above, when the transmitting apparatus transmits an extended MACsec frame, a value indicating an extended MACsec frame is set in the pseudo MAC address, and the receiving apparatus determines from the pseudo MAC address whether the frame is an extended MACsec frame. When a frame is received, it can therefore be identified correctly whether it was transmitted by the extended MACsec method or the standard MACsec method, which prevents the problems caused by a method selection error, such as the erroneous deletion of a MAC address or the omission of deleting a MAC address that should be deleted.
  • Embodiment 6: a transmitting apparatus and a receiving apparatus according to the sixth embodiment of the present invention will be described.
  • The configurations of the transmission device and the reception device of the present embodiment are the same as those of the fifth embodiment.
  • Components having the same functions as those in the first or fifth embodiment are denoted by the same reference numerals as in the first or fifth embodiment, and description overlapping with Embodiment 1 or Embodiment 5 is omitted.
  • In the present embodiment, the pseudo MAC address generation unit 11 generates the MAC address of the OLT 301 or the MAC address of one of the ONUs 302-1 to 302-N as the pseudo MAC address when an extended MACsec frame is transmitted; when a standard MACsec frame is transmitted, the pseudo MAC address is unnecessary, so "Null" having no value is generated.
  • The transmission device can learn the MAC address of the OLT 301 and the MAC addresses of the ONUs 302-1 to 302-N, for use as pseudo MAC addresses, at the start of communication, because these addresses are exchanged in the discovery sequence defined by IEEE 802.3 that is performed at startup.
  • The PON control unit 103 recognizes the addresses from the detected discovery sequence and notifies the extended MACsec MAC address check unit 115 of the recognized MAC address of the OLT 301 and the MAC addresses of the ONUs 302-1 to 302-N communicating with the OLT 301.
  • the operations of the transmitting apparatus of the present embodiment other than those described above are the same as those in the fifth embodiment.
  • Only one of the pseudo DA and the pseudo SA may be set to the MAC address of the OLT 301 or the MAC address of one of the ONUs 302-1 to 302-N communicating with the OLT 301, or both may be set.
  • When both are set, each of the pseudo DA and the pseudo SA may be either the MAC address of the OLT 301 or the MAC address of one of the ONUs 302-1 to 302-N communicating with the OLT 301. For example, the MAC address of the destination ONU may be set as the pseudo DA and the MAC address of the OLT 301 as the pseudo SA; if a rule is defined in advance, the reverse is also possible, with the MAC address of the OLT 301 as the pseudo DA and the MAC address of the destination ONU as the pseudo SA.
  • FIG. 15 is a flowchart illustrating an example of a reception operation according to this embodiment.
  • Steps S1 to S4 are the same as steps S1 to S4 of the first embodiment.
  • After step S4, the extended MACsec MAC address check unit 115 determines whether the pseudo MAC address (pseudo DA, pseudo SA) is neither the MAC address of the OLT 301 nor the MAC address of one of the ONUs 302-1 to 302-N communicating with the OLT 301 (step S70).
  • If it is neither (Yes in step S70), the extended MACsec MAC address check unit 115 determines that the received frame is not an extended MACsec frame and notifies the frame determination unit 106 of the result; the frame determination unit 106 notifies the received frame identification / decoded frame reconstruction unit 104. Thereafter, steps S5 to S15 are performed as in the first embodiment.
  • If the pseudo MAC address is the MAC address of the OLT 301 or of one of the ONUs communicating with it (No in step S70), the extended MACsec MAC address check unit 115 determines that the received frame is an extended MACsec frame and notifies the frame determination unit 106, which notifies the received frame identification / decoded frame reconstruction unit 104. Step S5 is then performed as in the first embodiment; if the Type information is "0x88E5" (Yes in step S5), steps S17 to S25 are performed as in the first embodiment, and if it is not "0x88E5" (No in step S5), step S26 is performed as in Embodiment 1.
  • The PON system has been described as an example, but when the transmission apparatus and the reception apparatus relay communication between a destination apparatus and a source apparatus in a system other than a PON system, the address of the transmission device or the reception device may be set as the pseudo MAC address in place of the address of the OLT 301 or of an ONU communicating with the OLT 301.
  • the pseudo MAC address generation unit 11 of the transmission device functions as an identification information adding unit that stores a value indicating an extended MACsec frame in the pseudo MAC address.
  • The extended MACsec MAC address check unit 115 functions as an identification unit that identifies from the pseudo MAC address whether the received frame is an extended MACsec frame.
  • As described above, when the transmitting apparatus transmits an extended MACsec frame, the MAC address of the OLT 301 or of one of the ONUs 302-1 to 302-N is set in the pseudo MAC address, and the receiving apparatus determines from the pseudo MAC address whether the frame is an extended MACsec frame. When a frame is received, it can therefore be identified correctly whether it was transmitted by the extended MACsec method or the standard MACsec method, which prevents the problems caused by a method selection error, such as the erroneous deletion of a MAC address or the omission of deleting a MAC address that should be deleted.
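The in-band discriminators of Embodiments 2 to 6 (V bit, upper SL bits, preamble fifth byte, reserved group pseudo address, OLT/ONU pseudo address) evaluated over one SecTAG parser, as an added example that is not the patent's code. Assumptions: the Type stays 0x88E5 as those embodiments state; the 8-octet SecTAG without SCI; the OLT/ONU addresses, the neutral pseudo address 02-00-00-00-00-01 and all frames are constructed. The standard check follows the page's description (V bit 0, reserved SL bits 00, SL consistent with the secure-data length), which makes visible that a standard SecTAG check rejects the frames of Embodiments 2 and 3 while Embodiments 4 to 6 leave the SecTAG untouched. Two caveats a practitioner would want: 01-80-C2-00-00-09 lies in the IEEE 802.1 reserved block that bridges do not forward, so such frames cannot cross an 802.1D/Q bridge, which is acceptable on a point-to-point PON link; and the Embodiment 6 rule assumes that standard MACsec frames carry the relayed end-host addresses rather than the OLT or ONU addresses, otherwise a standard frame would match.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_MACSEC = 0x88E5                            # Type is left at the standard value in Embodiments 2 to 6
RESERVED_GROUP_ADDR = bytes.fromhex("0180c2000009")  # pseudo DA/SA of Embodiment 5
SL_THRESHOLD = 48                                    # 802.1AE: SL is nonzero only below 48 octets of secure data

@dataclass(frozen=True)
class SecTag:
    v: int            # version bit: 0 in IEEE 802.1AE, 1 marks an extended frame in Embodiment 2
    es: int
    sc: int
    scb: int
    e: int
    c: int
    an: int
    sl_reserved: int  # upper 2 bits of the SL octet: 00 in 802.1AE, 11 marks an extended frame in Embodiment 3
    sl: int           # lower 6 bits: short length
    pn: int

def parse_sectag(frame: bytes) -> SecTag:
    """SecTAG decoding unit 107, for a frame without preamble/FCS; assumes the 8-octet SecTAG (SC=0, no SCI)."""
    (eth_type,) = struct.unpack_from("!H", frame, 12)
    if eth_type != ETHERTYPE_MACSEC:
        raise ValueError("not a MACsec frame")
    tci, sl_octet = frame[14], frame[15]
    (pn,) = struct.unpack_from("!I", frame, 16)
    return SecTag(v=tci >> 7, es=(tci >> 6) & 1, sc=(tci >> 5) & 1, scb=(tci >> 4) & 1,
                  e=(tci >> 3) & 1, c=(tci >> 2) & 1, an=tci & 3,
                  sl_reserved=sl_octet >> 6, sl=sl_octet & 0x3F, pn=pn)

def expected_sl(secure_data_len: int) -> int:
    """SL as the page describes it for standard frames: the octet count below the threshold, else 0."""
    return secure_data_len if secure_data_len < SL_THRESHOLD else 0

def standard_sectag_check(tag: SecTag, secure_data_len: int) -> bool:
    """Standard MACsec SecTAG check unit 109: V bit 0, reserved SL bits 00, SL consistent with the data."""
    return tag.v == 0 and tag.sl_reserved == 0 and tag.sl == expected_sl(secure_data_len)

def identify(preamble: bytes, frame: bytes, pon_addrs: frozenset) -> dict:
    """Each embodiment's discriminator evaluated side by side. A real receiver applies only the
    one agreed for the system; the others are computed here for comparison."""
    tag = parse_sectag(frame)
    pseudo_da, pseudo_sa = frame[:6], frame[6:12]
    return {
        "v_bit": tag.v == 1,                                          # Embodiment 2
        "sl_bits": tag.sl_reserved == 0b11,                           # Embodiment 3
        "preamble": preamble[4] == 0xAA,                              # Embodiment 4 (fifth byte)
        "reserved_group_da": pseudo_da == RESERVED_GROUP_ADDR,        # Embodiment 5
        "pon_addr": pseudo_da in pon_addrs or pseudo_sa in pon_addrs, # Embodiment 6
    }

# ---- constructed sample data (not captured traffic) ----
OLT_MAC = bytes.fromhex("00005e000101")
ONU1_MAC = bytes.fromhex("00005e000102")
PON_ADDRS = frozenset({OLT_MAC, ONU1_MAC})               # learned from the discovery sequence in Embodiment 6
REAL_DA, REAL_SA = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
PSEUDO = bytes.fromhex("020000000001")                   # neutral pseudo address for Embodiments 2 to 4
STD_PREAMBLE = b"\x55" * 7 + b"\xd5"
EXT_PREAMBLE = b"\x55" * 4 + b"\xaa" + b"\x55" * 2 + b"\xd5"
SECURE_DATA = b"\x5a" * 20                                # 20 octets standing in for ciphertext
ICV = b"\xa5" * 16
TCI_STD = 0x0C                                            # V=0, E=1, C=1, AN=0
SL_STD = len(SECURE_DATA)                                 # 20 < 48, so SL carries the length

def build_frame(da: bytes, sa: bytes, tci: int, sl_octet: int, pn: int = 1) -> bytes:
    return da + sa + struct.pack("!HBBI", ETHERTYPE_MACSEC, tci, sl_octet, pn) + SECURE_DATA + ICV

CASES = {
    "standard":          (STD_PREAMBLE, build_frame(REAL_DA, REAL_SA, TCI_STD, SL_STD)),
    "v_bit":             (STD_PREAMBLE, build_frame(PSEUDO, PSEUDO, TCI_STD | 0x80, SL_STD)),
    "sl_bits":           (STD_PREAMBLE, build_frame(PSEUDO, PSEUDO, TCI_STD, 0xC0 | SL_STD)),
    "preamble":          (EXT_PREAMBLE, build_frame(PSEUDO, PSEUDO, TCI_STD, SL_STD)),
    "reserved_group_da": (STD_PREAMBLE, build_frame(RESERVED_GROUP_ADDR, RESERVED_GROUP_ADDR, TCI_STD, SL_STD)),
    "pon_addr":          (STD_PREAMBLE, build_frame(ONU1_MAC, OLT_MAC, TCI_STD, SL_STD)),
}

def summary() -> dict:
    """For each case: which discriminators fire, and whether the standard check unit 109 would accept it."""
    out = {}
    for name, (preamble, frame) in CASES.items():
        flags = identify(preamble, frame, PON_ADDRS)
        flags["standard_check"] = standard_sectag_check(parse_sectag(frame), len(SECURE_DATA))
        out[name] = flags
    return out
```

The `standard_check` column is the compatibility question: a receiver that only implements IEEE 802.1AE discards the V-bit and SL-bit variants outright, whereas the preamble and pseudo-address variants pass its SecTAG check and would be mis-reconstructed, which is exactly the failure the identification unit exists to avoid.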
  • Embodiment 7: FIG. 16 is a diagram illustrating a functional configuration example of the transmission control unit of the transmission apparatus according to the seventh embodiment of the present invention.
  • FIG. 17 is a diagram illustrating a functional configuration example of the reception control unit of the receiving apparatus according to the seventh embodiment of the present invention.
  • the transmission apparatus according to the present embodiment is the same as the transmission apparatus according to the first embodiment except that an ICV inverting unit 15 is added.
  • the configuration of the receiving apparatus according to the present embodiment is the same as that of the receiving apparatus according to the first embodiment except that ICV inversion unit 116 is added.
  • Components having functions similar to those of the first embodiment are denoted by the same reference numerals as those of the first embodiment.
  • Description overlapping with Embodiment 1 is omitted.
  • the Type encoding unit 2 generates the same Type information as that of the standard MACsec frame even when the extended MACsec frame is transmitted.
  • the ICV generation unit 10 generates the ICV and outputs the ICV to the ICV inversion unit 15.
  • The ICV inversion unit 15 inverts the ICV when an extended MACsec frame is transmitted and outputs the inverted ICV to the transmission frame generation unit 1; when a standard MACsec frame is transmitted, it outputs the ICV to the transmission frame generation unit 1 without inversion.
  • The transmission frame generation unit 1 instructs the ICV inversion unit 15 as to whether the transmission frame is a standard MACsec frame or an extended MACsec frame.
  • the operations of the transmitting apparatus of the present embodiment other than those described above are the same as those of the first embodiment.
  • In the receiving device of the present embodiment, it is not possible to determine from the received frame itself whether it is a standard MACsec frame or an extended MACsec frame.
  • However, by performing either the standard MACsec frame reception process or the extended MACsec frame reception process on the received frame, it can be identified whether the assumed frame type was correct.
  • In the present embodiment, whether standard MACsec operation or extended MACsec operation is to be performed is agreed in advance between the transmitting and receiving apparatus, and based on that agreement the received frame identification / decoded frame reconstruction unit 104 selects whether to perform the standard MACsec frame reception process or the extended MACsec frame reception process.
  • FIG. 18 and 19 are flowcharts showing an example of the reception operation of the present embodiment.
  • FIG. 18 shows a standard MACsec frame reception operation
  • FIG. 19 shows an extended MACsec frame reception operation.
  • the reception operation for a standard MACsec frame shown in FIG. 18 is the same as steps S1 to S15 of the first embodiment (the operation when a standard MACsec frame is received in the first embodiment).
  • if the received frame processed as a standard MACsec frame is in fact an extended MACsec frame whose ICV has been inverted, the ICV check fails.
  • the frame determination unit 106 then instructs the received frame identification / decoded frame reconstruction unit 104 to discard the frame, and the process ends (step S14).
  • the extended MACsec frame cannot be reconstructed, but it is prevented from being processed as a standard MACsec frame without raising an error.
  • Step S22: the received frame identification / decoded frame reconstruction unit 104 outputs the ICV of the received frame to the ICV inversion unit 116, and the ICV inversion unit 116 inverts the received ICV and outputs it to the normality confirmation unit 114.
  • Step S80: the normality confirmation unit 114 performs the normality confirmation processing based on the ICV received from the ICV inversion unit 116 and the decrypted data, in the same manner as in the first embodiment (step S23).
  • the processing after step S23 is the same as that in the first embodiment.
  • the ICV inversion unit 15 of the transmission apparatus functions as an identification information adding unit that stores a value indicating an extended MACsec frame in the ICV by inverting the ICV.
  • the normality confirmation unit 114 and the ICV inversion unit 116 function as an identification unit that identifies whether the recognition of the frame type is correct based on the ICV.
  • when the transmitting device transmits an extended MACsec frame, the MAC address of the OLT 301 or of the ONUs 302-1 to 302-N is set as the pseudo MAC address, and the receiving device determines whether the frame is an extended MACsec frame based on the pseudo MAC address. For this reason, even when the reception processing method applied to the received frame is wrong, the erroneously received frame can be discarded, and problems caused by performing the incorrect processing can be prevented.
  • the communication control device, the transmission device, the reception device, the communication system, and the communication control method according to the present invention are useful for a communication system that supports both standard MACsec frames and extended MACsec frames. They are suitable for a communication system which comprises

Abstract

This communication control device is in a transmission device that transmits standard MACsec frames that are frames that have been encrypted by means of MACsec, and expanded MACsec frames that are frames that have been encrypted by means of MACsec including the addresses of the destination and transmission source, and is provided with a type encoding unit (2) that, when transmitting transmission frames as expanded MACsec frames, stores predetermined values, which indicate that the transmission frames are expanded MACsec frames, as type information of the transmission frames.

Description

COMMUNICATION CONTROL DEVICE, TRANSMISSION DEVICE, RECEPTION DEVICE, COMMUNICATION SYSTEM, AND COMMUNICATION CONTROL METHOD
 The present invention relates to a communication control device, a transmission device, a reception device, a communication system, and a communication control method.
 MACsec (MAC (Media Access Control) Security), specified in IEEE802.1AE, is a technology for encrypting communication (see Non-Patent Document 1 below), but MACsec cannot encrypt the MAC addresses in a frame.
 Therefore, a method is under study that adds to MACsec the MAC in MAC scheme (see Non-Patent Document 2 below), which encapsulates frames as specified in IEEE802.1AH (Provider Backbone Bridge), so that the MAC addresses can also be encrypted. Hereinafter this method is referred to as the extended MACsec method.
 In the extended MACsec method, the original destination and source MAC addresses are stored after the SecTAG area, which holds the information used by MACsec, and pseudo MAC addresses are stored before the SecTAG area. When the receiving device receives a frame transmitted by the extended MACsec method, it deletes the pseudo MAC addresses, which are unnecessary, and recognizes the original destination and source MAC addresses stored after the SecTAG area as the destination and source MAC addresses.
 On the other hand, in the standard MACsec method (the method in which MAC in MAC is not applied), the original destination and source MAC addresses are stored before the SecTAG area. Accordingly, when the receiving device receives a frame transmitted by the standard MACsec method, it recognizes the original destination and source MAC addresses stored before the SecTAG area as the destination and source MAC addresses.
 Meanwhile, when a single communication device communicates with both equipment that adopts the extended MACsec method described above and equipment that adopts the standard MACsec method, it has to perform reception processing for both the extended MACsec method and the standard MACsec method.
 Which of the extended MACsec method and the standard MACsec method is used is normally set between the communication devices by negotiation after connection. However, if an error occurs during this negotiation, for example, the receiving side may be set incorrectly as to which of the extended MACsec method and the standard MACsec method is in use, or may be set as not knowing which it is.
 Moreover, the receiving device cannot determine from the frame itself whether the frame was transmitted by the extended MACsec method or the standard MACsec method. For this reason, if, for example, a frame transmitted by the standard MACsec method is received and processed as an extended MACsec frame, the correct (original) MAC addresses are deleted. Conversely, if a frame transmitted by the extended MACsec method is received and processed as a standard MACsec frame, the MAC addresses that should be deleted (the pseudo MAC addresses) are left in place.
 Furthermore, even when such a problem occurs, the received frame itself is judged normal by error checks such as the ICV (Integrity Check Value) and FCS (Frame Check Sequence), so the problem becomes a silent error that is never flagged.
 The present invention has been made in view of the above, and its object is to obtain a communication control device, a transmission device, a reception device, a communication system, and a communication control method that, when a frame is received by a device capable of reception processing in both the extended MACsec method and the standard MACsec method, can prevent the problems caused by incorrect processing due to a wrong choice of method.
 To solve the problems described above and achieve the object, the present invention is a communication control device in a transmission device that transmits standard MACsec frames, which are frames encrypted by MACsec, and extended MACsec frames, which are frames encrypted by MACsec including the destination and source addresses, and is characterized by comprising an identification information adding unit that, when a transmission frame is transmitted as an extended MACsec frame, stores at a predetermined bit position of the transmission frame a predetermined value indicating that the frame is an extended MACsec frame.
 The communication control device, transmission device, reception device, communication system, and communication control method according to the present invention have the effect that, when a frame is received by a device capable of reception processing in both the extended MACsec method and the standard MACsec method, the problems caused by incorrect processing due to a wrong choice of method can be prevented.
FIG. 1 is a diagram illustrating a functional configuration example of the transmission control unit of the transmission apparatus according to the first embodiment.
FIG. 2 is a diagram illustrating a functional configuration example of the reception control unit of the receiving apparatus according to the first embodiment.
FIG. 3 is a diagram illustrating a functional configuration example of the communication apparatus according to the first embodiment.
FIG. 4 is a diagram illustrating a configuration example of the communication system according to the first embodiment.
FIG. 5 is a diagram showing the structure of a standard MACsec frame.
FIG. 6 is a diagram showing the structure of an extended MACsec frame.
FIG. 7 is a flowchart illustrating an example of the reception operation according to the first embodiment.
FIG. 8 is a diagram illustrating an example of the change in frame format of an extended MACsec frame at the time of reception.
FIG. 9 is a diagram illustrating an example of a communication sequence in the communication system according to the first embodiment.
FIG. 10 is a flowchart illustrating an example of the reception operation according to the second embodiment.
FIG. 11 is a flowchart illustrating an example of the reception operation according to the third embodiment.
FIG. 12 is a flowchart illustrating an example of the reception operation according to the fourth embodiment.
FIG. 13 is a diagram illustrating a functional configuration example of the reception control unit of the receiving apparatus according to the fifth embodiment.
FIG. 14 is a flowchart illustrating an example of the reception operation according to the fifth embodiment.
FIG. 15 is a flowchart illustrating an example of the reception operation according to the sixth embodiment.
FIG. 16 is a diagram illustrating a functional configuration example of the transmission control unit of the transmission apparatus according to the seventh embodiment.
FIG. 17 is a diagram illustrating a functional configuration example of the reception control unit of the receiving apparatus according to the seventh embodiment.
FIG. 18 is a flowchart illustrating an example of the standard MACsec frame reception operation according to the seventh embodiment.
FIG. 19 is a flowchart illustrating an example of the extended MACsec frame reception operation according to the seventh embodiment.
 Embodiments of the communication control device, transmission device, reception device, communication system, and communication control method according to the present invention are described in detail below with reference to the drawings. The present invention is not limited by these embodiments.
Embodiment 1.
 FIG. 1 is a diagram illustrating a functional configuration example of Embodiment 1 of the transmission control unit of the transmission apparatus according to the present invention. FIG. 2 is a diagram illustrating a functional configuration example of the reception control unit of the receiving apparatus of this embodiment. In this embodiment, the transmission apparatus transmits an encrypted frame to the receiving apparatus, and the receiving apparatus decrypts the received frame.
 In this embodiment, the transmission apparatus and the receiving apparatus form a PON (Passive Optical Network) system, but they are not limited to a PON system and may form any kind of communication system.
 As shown in FIG. 1, the transmission control unit of the transmission apparatus of this embodiment includes a transmission frame generation unit 1, a Type encoding unit 2, a MACsec SecTAG encoding unit 3, a standard MACsec SecTAG generation unit 4, an extended MACsec SecTAG generation unit 5, a packet number adding unit 6, an extended MACsec preamble generation unit 7, a key management unit 8, a data encryption unit 9, an ICV generation unit 10, a pseudo MAC address generation unit 11, a PON control unit 12, an FCS adding unit 13, and a preamble adding unit 14.
 As shown in FIG. 2, the reception control unit of the receiving apparatus of this embodiment includes a preamble check unit 101, an FCS check unit 102, a PON control unit 103, a received frame identification / decoded frame reconstruction unit 104, a Type check unit 105, a frame determination unit 106, a SecTAG decoding unit 107, an extended MACsec SecTAG check unit 108, a standard MACsec SecTAG check unit 109, a replay check unit 110, an SC/AN confirmation unit 111, a key management unit 112, a data decryption unit 113, and a normality confirmation (ICV check) unit 114.
 FIG. 3 is a diagram illustrating a functional configuration example of the communication apparatus of this embodiment. The communication apparatus 200 shown in FIG. 3 has both the transmission apparatus function shown in FIG. 1 and the receiving apparatus function, and operates as an OLT (Optical Line Terminal: station-side communication apparatus) or an ONU (Optical Network Unit: subscriber-side communication apparatus) in a PON system. As shown in FIG. 3, the communication apparatus 200 includes a WDM (Wavelength Division Multiplex: wavelength division multiplexing unit) 201, an optical Tx (optical transmitter) 202, an optical Rx (optical receiver) 203, a PON-LSI (Large Scale Integration) 204, and an interface 205. The communication apparatus 200 is connected to an upper network 210. The PON-LSI 204, which performs communication control, is connected to a management apparatus 211 that manages the operation of the apparatus. In some cases a terminal (user device) is connected instead of the upper network 210.
 The PON-LSI 204 is a communication control device that includes the transmission control unit of the transmission apparatus and the reception control unit of the receiving apparatus described above. In FIG. 3, components having the same functions as in FIG. 1 or FIG. 2 are given the same reference numerals. The encryption unit 206 consists of the transmission frame generation unit 1, Type encoding unit 2, MACsec SecTAG encoding unit 3, standard MACsec SecTAG generation unit 4, extended MACsec SecTAG generation unit 5, packet number adding unit 6, extended MACsec preamble generation unit 7, key management unit 8, data encryption unit 9, ICV generation unit 10, and pseudo MAC address generation unit 11 of FIG. 1.
 The decryption unit 207 consists of the received frame identification / decoded frame reconstruction unit 104, Type check unit 105, frame determination unit 106, SecTAG decoding unit 107, extended MACsec SecTAG check unit 108, standard MACsec SecTAG check unit 109, replay check unit 110, SC/AN confirmation unit 111, key management unit 112, data decryption unit 113, and normality confirmation unit 114.
 FIG. 4 is a diagram illustrating a configuration example of the communication system of this embodiment. As shown in FIG. 4, the communication system of this embodiment is a PON system consisting of an OLT 301, which is the communication apparatus 200 shown in FIG. 3, and ONUs 302-1 to 302-N (N is an integer of 1 or more), which are likewise the communication apparatus 200 shown in FIG. 3.
 In this embodiment, for example, the communication system shown in FIG. 4 supports both communication by the MACsec (standard MACsec) method specified in IEEE802.1AE and communication by the extended MACsec method, which adds the MAC in MAC scheme to the standard MACsec method. Accordingly, the OLT 301 has the function of performing both transmission and reception by the standard MACsec method and transmission and reception by the extended MACsec method. The ONUs 302-1 to 302-N are here configured to perform both standard MACsec and extended MACsec transmission and reception, but they may instead be configured to perform only one of the two.
 FIG. 5 is a diagram showing the structure of a frame in which a preamble area storing information used by the PON system is placed immediately before a MACsec (standard MACsec) frame as specified in IEEE802.1AE. FIG. 6 likewise shows the structure of a frame in which a preamble area is placed immediately before an extended MACsec frame. This preamble area is the one specified in IEEE802.3.
 Here, as shown in FIG. 5, a MACsec (standard MACsec) frame as specified in IEEE802.1AE with the preamble area added is called a standard MACsec frame in the following description. A standard MACsec frame consists of a preamble, DA (Destination Address: destination MAC address), SA (Source Address: source MAC address), SecTAG, Data, ICV, and FCS.
 In the preamble, according to the EPON specification of IEEE802.3ah, five “0x55” values are stored, followed by an LLID (Logical Link IDentifier), followed by an 8-bit CRC (Cyclic Redundancy Check) 8.
 The SecTAG is the information used by MACsec and consists of Type, which is the Type information identifying the kind of frame; TCI (TAG Control Information); AN (Association Number), which is the identification number of an SA within the same SC (Secure Channel); SL (Short Length), which is information on the length of the encrypted data; PN (Packet Number), which is a number identifying the packet; and SCI (Secure Channel IDentifier), which is the identification information of the SC.
 The TCI consists of a V bit indicating the MACsec version, an ES (End Station) bit, an SC bit indicating the presence of the SCI field, an SCB (Single Copy Broadcast) bit, a C bit indicating information about the ICV, and an E bit indicating whether encryption is applied, among other things.
 On the other hand, a frame of the extended MACsec method with the MAC in MAC scheme added (hereinafter called an extended MACsec frame) likewise includes the preamble area, as shown in FIG. 6, and consists of a preamble, pseudo DA, pseudo SA, SecTAG, DA, SA, Data, ICV, and FCS.
 In an extended MACsec frame, the DA (destination MAC address) and SA (source MAC address) are stored between the SecTAG and the Data, which is encrypted in the same way as in a standard MACsec frame. Also, in an extended MACsec frame, a pseudo DA and a pseudo SA are stored at the positions where the DA (destination MAC address) and SA (source MAC address) are stored in a standard MACsec frame.
 The operation of this embodiment is described below based on the configuration example shown in FIG. 4. First, the transmission operation of the transmission apparatus is described. The transmission frame generation unit 1 of the transmission apparatus (OLT 301 or ONUs 302-1 to 302-N) receives transmission data from the upper network 210 (or a terminal or the like) and receives from the management apparatus 211 encryption information, which is information about the encryption of that transmission data. The encryption information is assumed to include information indicating whether to encrypt, information for determining whether to transmit as a standard MACsec frame or as an extended MACsec frame, and, when encrypting, the information used for the encryption (including information for selecting the encryption key).
 The transmission frame generation unit 1 notifies the Type encoding unit 2 of the encryption information. The Type encoding unit 2 generates Type information based on the encryption information notified by the transmission frame generation unit 1 and notifies the MACsec SecTAG encoding unit 3 of the generated Type information. Specifically, when transmitting as a standard MACsec frame it generates “0x88E5”, the value specified in IEEE802.1AE, as the Type information, and when transmitting as an extended MACsec frame it generates “0x88E4”. In this embodiment the Type information for transmission as an extended MACsec frame is “0x88E4”, but it is not limited to “0x88E4”; any value not already assigned as Type information by a standard or the like may be used.
 When the transmission frame generation unit 1 determines, based on the encryption information, that transmission is to be as a standard MACsec frame, it instructs the standard MACsec SecTAG generation unit 4 to generate a SecTAG. When instructed by the transmission frame generation unit 1 to generate a SecTAG, the standard MACsec SecTAG generation unit 4 generates the SecTAG specified in IEEE802.1AE (the SecTAG other than the Type information) and notifies the MACsec SecTAG encoding unit 3 of it.
 On the other hand, when the transmission frame generation unit 1 determines, based on the encryption information, that transmission is to be as an extended MACsec frame, it instructs the extended MACsec SecTAG generation unit 5 to generate a SecTAG. When instructed by the transmission frame generation unit 1 to generate a SecTAG, the extended MACsec SecTAG generation unit 5 generates the SecTAG specified in IEEE802.1AE (the SecTAG other than the Type information) and notifies the MACsec SecTAG encoding unit 3 of it.
 In this embodiment, the SecTAG (excluding Type information and PN) generated by the extended MACsec SecTAG generation unit 5 and the SecTAG (excluding Type information and PN) generated by the standard MACsec SecTAG generation unit 4 are identical, so the extended MACsec SecTAG generation unit 5 may be omitted and the standard MACsec SecTAG generation unit 4 may take over its function.
 The packet number adding unit 6 generates a packet number and notifies the MACsec SecTAG encoding unit 3 of the generated packet number (PN).
 The MACsec SecTAG encoding unit 3 encodes the Type information notified by the Type encoding unit 2, the SecTAG (excluding Type information and PN) notified by the standard MACsec SecTAG generation unit 4 or the extended MACsec SecTAG generation unit 5, and the PN notified by the packet number adding unit 6, and notifies the transmission frame generation unit 1 of the result as the encoded SecTAG.
 When the transmission frame generation unit 1 determines, based on the encryption information, that encryption is to be performed, it notifies the key management unit 8 and the data encryption unit 9 to that effect. At this time, the transmission frame generation unit 1 also notifies the key management unit 8 and the data encryption unit 9 of the information used for encryption that is contained in the encryption information. The transmission frame generation unit 1 also outputs the transmission data to the data encryption unit 9. The key management unit 8 uses the information needed for selecting an encryption key (LLID or MAC address, SCI, and the like) from among the information used for encryption to select, in accordance with IEEE802.1AE, an encryption key from the keys it holds in advance, and notifies the data encryption unit 9 of the selected key.
 The data encryption unit 9 uses the transmission data output by the transmission frame generation unit 1 and the encryption key notified by the key management unit 8 to generate encrypted data by encrypting the transmission data in accordance with IEEE802.1AE, and outputs the encrypted data to the transmission frame generation unit 1 and the ICV generation unit 10. When transmitting as an extended MACsec frame, the transmission frame generation unit 1 passes the destination and source MAC addresses to the data encryption unit 9 together with the transmission data, and the data encryption unit 9 encrypts the destination and source MAC addresses along with the transmission data. The ICV generation unit 10 uses the encrypted data to generate an ICV (Integrity Check Value) in accordance with IEEE802.1AE and notifies the transmission frame generation unit 1 of the ICV.
 When the transmission frame generation unit 1 determines, based on the encryption information, that transmission is to be by extended MACsec, it instructs the extended MACsec preamble generation unit 7 to generate a preamble. The extended MACsec preamble generation unit 7 generates a preamble based on the instruction from the transmission frame generation unit 1 and notifies the preamble adding unit 14 of the generated preamble. In this embodiment, the extended MACsec preamble generation unit 7 generates a preamble conforming to the IEEE standard, and therefore generates the same preamble as for a standard MACsec frame. Accordingly, the extended MACsec preamble generation unit 7 may be omitted.
 When the transmission frame generation unit 1 determines, based on the encryption information, that transmission is to be by extended MACsec, it also instructs the pseudo MAC address generation unit 11 to generate pseudo MAC addresses. On receiving the instruction to generate pseudo MAC addresses from the transmission frame generation unit 1, the pseudo MAC address generation unit 11 generates pseudo MAC addresses (pseudo DA, pseudo SA) and notifies the transmission frame generation unit 1 of them. In this embodiment, the pseudo MAC address generation unit 11 can generate arbitrary pseudo MAC addresses.
 When transmitting the transmission data as an extended MACsec frame, the transmission frame generation unit 1 uses the encoded SecTAG notified by the MACsec SecTAG encoding unit 3, the encrypted data received from the data encryption unit 9, the ICV notified by the ICV generation unit 10, and the pseudo MAC addresses notified by the pseudo MAC address generation unit 11 to generate a transmission frame in the format shown in FIG. 6, excluding the FCS and preamble portions.
 また、送信フレーム生成部1は、送信データを標準MACsecフレームとして送信する場合には、MACsec SecTAGエンコード部3から通知されたコード化されたSecTAGと、データ暗号部9から受け取った暗号化データと、ICV生成部10から通知されたICVと、を用いて図5に示したフォーマットで、FCSおよびプリアンブル部分を除いた送信フレームを生成し、PON制御部12へ出力する。 Further, when transmitting the transmission data as a standard MACsec frame, the transmission frame generation unit 1 encodes the coded SecTAG notified from the MACsec SecTAG encoding unit 3, the encrypted data received from the data encryption unit 9, Using the ICV notified from the ICV generation unit 10, a transmission frame excluding the FCS and the preamble portion is generated in the format shown in FIG. 5 and output to the PON control unit 12.
 PON制御部12は、PONアーキテクチャによる送信タイミング制御を行う機能であり、PONアーキテクチャに対応した送信制御により送信フレームをFCS付与部13へ出力する。具体的には、OLT301のPON制御部12である場合には、各ONUへの送信タイミング(下り送信タイミング)および各ONUからの送信タイミング(上り送信タイミング)を決定し、送信先のONUに対応する下り送信タイミングに基づいて送信フレームを出力する。また、ONU302-1~302-NのPON制御部12である場合には、OLT301から通知された自装置に割当てられた下り送信タイミングに基づいて送信フレームを出力する。 The PON control unit 12 is a function for performing transmission timing control by the PON architecture, and outputs a transmission frame to the FCS adding unit 13 by transmission control corresponding to the PON architecture. Specifically, in the case of the PON control unit 12 of the OLT 301, the transmission timing to each ONU (downlink transmission timing) and the transmission timing from each ONU (uplink transmission timing) are determined, and the transmission destination ONU is supported. A transmission frame is output based on the downlink transmission timing to be performed. In the case of the PON control unit 12 of the ONUs 302-1 to 302-N, a transmission frame is output based on the downlink transmission timing assigned to the own device notified from the OLT 301.
 FCS付与部13は、送信フレームのFCSを計算して、計算したFCSを送信フレームに付与し、付与後の送信フレームをプリアンブル付与部14へ出力する。プリアンブル付与部14は、受け取った送信フレームにプリアンブルを付与し、光Tx202へ出力する。なお、プリアンブル付与部14は、拡張MACsecプリアンブル生成部7からプリアンブルが通知された場合には通知されたプリアンブルを付与し、それ以外の場合はIEEE802.3準拠のプリアンブルを付与する。 The FCS appending unit 13 calculates the FCS of the transmission frame, appends the calculated FCS to the transmission frame, and outputs the transmitted transmission frame to the preamble appending unit 14. The preamble assigning unit 14 assigns a preamble to the received transmission frame and outputs it to the optical Tx 202. The preamble assigning unit 14 assigns the notified preamble when the preamble is notified from the extended MACsec preamble generating unit 7, and assigns the IEEE802.3-compliant preamble otherwise.
 そして、プリアンブル付与後の送信フレームは、光Tx202により光信号に変換され、WDM201により多重化されて宛先へ送信される。 The transmission frame after the preamble is added is converted into an optical signal by the optical Tx 202, multiplexed by the WDM 201, and transmitted to the destination.
Next, the reception operation of the reception device of this embodiment is described. FIG. 7 is a flowchart showing an example of the reception operation of this embodiment. As shown in FIG. 7, when the reception device receives a frame via the WDM 201 and the optical Rx 203 (step S1), the preamble check unit 101 verifies the preamble in accordance with IEEE 802.3 (step S2) and outputs the received frame, with the preamble removed, to the FCS check unit 102.
Next, the FCS check unit 102 performs an FCS check on the received frame (step S3) and outputs the received frame, with the FCS removed, to the PON control unit 103. The PON control unit 103 performs reception timing control according to the PON architecture and identifies frames addressed to its own receiver, and outputs the received frames addressed to its own device to the received frame identification / decoded frame reconstruction unit 104 (step S4).
When the received frame is a standard MACsec frame, the PON control unit 103 can determine whether the frame is addressed to its own device from the SA and DA that follow the preamble. In an extended MACsec frame, on the other hand, the pseudo SA and pseudo DA are stored after the preamble. Therefore, when the pseudo SA and pseudo DA are to be used to determine whether the received frame is addressed to the own device, the transmission device generates them, for example by storing values based on the LLID as the pseudo SA and pseudo DA, so that they carry information from which the reception device can determine whether the frame is addressed to it.
Alternatively, the preamble check unit 101 may determine whether the received frame is addressed to its own device from the LLID contained in the preamble, and the PON control unit 103 may then omit that determination.
The received frame identification / decoded frame reconstruction unit 104 extracts the Type information from the received frame and notifies the Type check unit 105 of it. The Type check unit 105 determines whether the Type information is “0x88E5” (step S5); if it is, the Type check unit 105 determines that the received frame is a standard MACsec frame and notifies the frame determination unit 106 accordingly.
When notified by the Type check unit 105 that the received frame is a standard MACsec frame, the frame determination unit 106 notifies the received frame identification / decoded frame reconstruction unit 104 accordingly. On receiving that notification, the received frame identification / decoded frame reconstruction unit 104 instructs the SecTAG decoding unit 107 to start decoding, extracts the SecTAG from the received frame and outputs it, and also notifies the SecTAG decoding unit 107 that the received frame is a standard MACsec frame. The SecTAG decoding unit 107 decodes the SecTAG output from the received frame identification / decoded frame reconstruction unit 104 and outputs the decoded SecTAG to the standard MACsec SecTAG check unit 109, the replay check unit 110 and the SC/AN confirmation unit 111 (step S6).
The standard MACsec SecTAG check unit 109 performs the SecTAG confirmation process defined in IEEE 802.1AE and notifies the frame determination unit 106 of the result (step S7).
The replay check unit 110 performs the replay protection check defined in IEEE 802.1AE based on the PN in the SecTAG and notifies the frame determination unit 106 of the result (step S8).
The SC/AN confirmation unit 111 confirms the SC and AN and notifies the key management unit 112 of them (step S9). The key management unit 112 then selects an encryption key based on the SC and AN from the keys it holds in advance and notifies the data decryption unit 113 of the selected key (step S10).
The data decryption unit 113 obtains the received frame from the received frame identification / decoded frame reconstruction unit 104, decrypts it with the encryption key notified by the key management unit 112 and outputs the decrypted data to the normality confirmation unit 114 (step S11).
The normality confirmation unit 114 performs an ICV check (normality confirmation) based on the ICV obtained from the received frame identification / decoded frame reconstruction unit 104 and the decrypted data output from the data decryption unit 113 (step S12), and notifies the frame determination unit 106 of the result.
If the check result is normal (step S12: Yes), the frame determination unit 106 notifies the received frame identification / decoded frame reconstruction unit 104 accordingly; on receiving that notification, the received frame identification / decoded frame reconstruction unit 104 reconstructs the standard MACsec frame (step S13) and frame reception is complete (step S15).
If the check result notified by the normality confirmation unit 114 is not normal (step S12: No), the frame determination unit 106 instructs the received frame identification / decoded frame reconstruction unit 104 to discard the frame, and processing ends (step S14).
If, on the other hand, the Type check unit 105 determines in step S5 that the Type information is not “0x88E5” (step S5: No), it determines whether the Type information is “0x88E4” (step S16). If the Type information is “0x88E4” (step S16: Yes), the Type check unit 105 determines that the received frame is an extended MACsec frame and notifies the frame determination unit 106 accordingly.
When notified by the Type check unit 105 that the received frame is an extended MACsec frame, the frame determination unit 106 notifies the received frame identification / decoded frame reconstruction unit 104 accordingly. On receiving that notification, the received frame identification / decoded frame reconstruction unit 104 instructs the SecTAG decoding unit 107 to start decoding, extracts the SecTAG from the received frame and outputs it, and also notifies the SecTAG decoding unit 107 that the received frame is an extended MACsec frame. The SecTAG decoding unit 107 decodes the SecTAG output from the received frame identification / decoded frame reconstruction unit 104 and outputs the decoded SecTAG to the extended MACsec SecTAG check unit 108, the replay check unit 110 and the SC/AN confirmation unit 111 (step S17).
The extended MACsec SecTAG check unit 108 performs the SecTAG confirmation process defined in IEEE 802.1AE and notifies the frame determination unit 106 of the result (step S18). In this embodiment the SecTAG confirmation performed by the extended MACsec SecTAG check unit 108 is identical to that performed by the standard MACsec SecTAG check unit 109, so the extended MACsec SecTAG check unit 108 may be omitted and the standard MACsec SecTAG check unit 109 may also serve as the extended MACsec SecTAG check unit 108.
Steps S19 to S23 are then performed in the same way as steps S8 to S12. If the check result notified by the normality confirmation unit 114 in step S23 is not normal (step S23: No), the frame determination unit 106 instructs the received frame identification / decoded frame reconstruction unit 104 to discard the frame, and processing ends (step S25).
If the check result is normal (step S23: Yes), the frame determination unit 106 notifies the received frame identification / decoded frame reconstruction unit 104 accordingly; on receiving that notification, the received frame identification / decoded frame reconstruction unit 104 reconstructs the extended MACsec frame (step S24) and frame reception is complete (step S15).
If the Type information is not “0x88E4” in step S16 (step S16: No), the Type check unit 105 determines that the received frame is an unencrypted frame (neither a standard MACsec frame nor an extended MACsec frame) and notifies the frame determination unit 106 accordingly. The frame determination unit 106 reconstructs the received frame as an unencrypted frame (step S26) and frame reception is complete (step S15).
Through the above processing, the received frame reconstructed by the received frame identification / decoded frame reconstruction unit 104 is transmitted via the interface 205 to the upper network 210 (or a terminal). The operations of the transmission device and the reception device described above are examples; the order of the individual steps may differ as long as the same processing result is obtained.
As described above, in this embodiment the Type encoding unit 2 of the transmission device functions as an identification information appending unit that stores, in the Type information, a value indicating an extended MACsec frame, and in the reception device the Type check unit 105 functions as an identification unit that identifies, from the Type information, whether the frame is an extended MACsec frame.
FIG. 8 shows an example of how the frame format of an extended MACsec frame changes during reception. At the point where the frame enters the preamble check unit 101 via the WDM 201 and the optical Rx 203, as shown in FIG. 8(1), the Data portion is encrypted ciphertext and the received frame has the format shown in FIG. 6. In the received frame output from the preamble check unit 101, the preamble has been removed, as shown in FIG. 8(2).
At the point of output from the FCS check unit 102, the FCS has been removed, as shown in FIG. 8(3). At the point of output from the data decryption unit 113, the ciphertext portion has become the decrypted MAC addresses (SA, DA) and plaintext, and the received frame identification / decoded frame reconstruction unit 104 outputs the reconstructed frame in the format shown in FIG. 8(4). The FCS in FIG. 8(1) and FIG. 8(2) is computed over the fields from the pseudo MAC addresses to the ICV in FIG. 8(1), whereas the FCS in FIG. 8(4) is computed over the MAC addresses and plaintext shown in FIG. 8(4).
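The transmit procedure above (units 1, 9, 10, 11 and 13) and the receive flow of FIG. 7, as an added Python example that is not part of the patent: it builds a standard (FIG. 5) and an extended (FIG. 6) frame, then classifies by the Type field (steps S5/S16), checks FCS, replay and ICV, and strips the pseudo addresses only for the extended kind (FIG. 8(4)). IEEE 802.1AE's GCM-AES is replaced by an HMAC-based stand-in cipher; the field offsets, the explicit SCI in the SecTAG, the key table and the pseudo addresses are assumptions.

```python
"""Constructed round trip of a standard MACsec frame (FIG. 5 layout) and an
extended MACsec frame (FIG. 6 layout), with a receiver that follows FIG. 7.
Stand-in cipher: IEEE 802.1AE uses GCM-AES; here an HMAC-SHA256 keystream and
a 16-byte HMAC tag replace it so the example runs on the standard library.
Field offsets, the key table and the pseudo addresses are assumptions."""
import hashlib
import hmac
import struct
import zlib

TYPE_STD_MACSEC = 0x88E5      # standard MACsec frame (step S5)
TYPE_EXT_MACSEC = 0x88E4      # extended MACsec frame (step S16)
ICV_LEN = 16
SECTAG_LEN = 1 + 1 + 4 + 8    # TCI/AN, SL, PN, SCI (SCI carried explicitly: assumption)
HDR_LEN = 6 + 6 + 2 + SECTAG_LEN

# Constructed stations and key table (SCI, AN) -> key, as held by key management units 8 / 112.
DA = b"\x00\xaa\xbb\xcc\xdd\x01"
SA = b"\x00\x11\x22\x33\x44\x55"
SCI = SA + b"\x00\x01"
KEYS = {(SCI, 0): b"K" * 16}
# Pseudo DA/SA from unit 11; the page derives them from the LLID, here they are fixed constants.
PSEUDO_DA = b"\x02\x00\x00\x00\x00\x01"
PSEUDO_SA = b"\x02\x00\x00\x00\x00\x02"


def _keystream(key, sci, pn, length):
    """Counter-mode keystream seeded with SCI || PN, the IV layout GCM-AES uses."""
    out = b""
    for block in range((length + 31) // 32):
        out += hmac.new(key, sci + struct.pack(">II", pn, block), hashlib.sha256).digest()
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _icv(key, header, ciphertext):
    """Integrity Check Value over header and ciphertext (unit 10 on send, unit 114 on receive)."""
    return hmac.new(key, header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]


def append_fcs(body):
    """FCS appending unit 13: CRC-32 over everything after the preamble."""
    return body + struct.pack("<I", zlib.crc32(body))


def build_sectag(an, pn, sci):
    # TCI bits V=0 ES=0 SC=1 SCB=0 E=1 C=1, then AN; SL=0 (no short length)
    return bytes([0x2C | an, 0]) + struct.pack(">I", pn) + sci


def protect(da, sa, data, an, pn, sci, extended):
    """Transmission frame generation unit 1 for one frame (preamble omitted)."""
    key = KEYS[(sci, an)]
    if extended:
        # Unit 9 encrypts DA and SA together with the data; pseudo addresses go on the wire.
        plaintext, outer_da, outer_sa, etype = da + sa + data, PSEUDO_DA, PSEUDO_SA, TYPE_EXT_MACSEC
    else:
        plaintext, outer_da, outer_sa, etype = data, da, sa, TYPE_STD_MACSEC
    header = outer_da + outer_sa + struct.pack(">H", etype) + build_sectag(an, pn, sci)
    ct = _xor(plaintext, _keystream(key, sci, pn, len(plaintext)))
    return append_fcs(header + ct + _icv(key, header, ct))


def classify(etype):
    """Type check unit 105: steps S5 and S16 decide the frame kind from the Type field alone."""
    if etype == TYPE_STD_MACSEC:
        return "standard"
    if etype == TYPE_EXT_MACSEC:
        return "extended"
    return "unencrypted"


class Receiver:
    def __init__(self):
        self.last_pn = {}   # (SCI, AN) -> highest PN accepted; strict ordering, no replay window

    def receive(self, frame):
        """Returns (kind, reconstructed frame) or ("discard", reason), following FIG. 7."""
        if len(frame) < 18:
            return ("discard", "short")
        body, fcs = frame[:-4], frame[-4:]
        if append_fcs(body)[-4:] != fcs:
            return ("discard", "fcs")                          # step S3
        kind = classify(struct.unpack(">H", body[12:14])[0])
        if kind == "unencrypted":
            return ("unencrypted", body)                       # step S26
        if len(body) < HDR_LEN + ICV_LEN:
            return ("discard", "short")
        sectag = body[14:HDR_LEN]
        an, pn, sci = sectag[0] & 0x03, struct.unpack(">I", sectag[2:6])[0], sectag[6:14]
        key = KEYS.get((sci, an))
        if key is None:
            return ("discard", "unknown SC/AN")                # steps S9, S10
        if pn <= self.last_pn.get((sci, an), 0):
            return ("discard", "replay")                       # step S8 / S19
        header, ct, icv = body[:HDR_LEN], body[HDR_LEN:-ICV_LEN], body[-ICV_LEN:]
        if not hmac.compare_digest(_icv(key, header, ct), icv):
            return ("discard", "icv")                          # step S12 / S23: No
        self.last_pn[(sci, an)] = pn                           # advance only after a good ICV
        plaintext = _xor(ct, _keystream(key, sci, pn, len(ct)))
        if kind == "extended":
            # Pseudo DA/SA are dropped; the real DA, SA and data come out of the ciphertext (FIG. 8(4)).
            return ("extended", plaintext)                     # step S24
        return ("standard", body[:12] + plaintext)             # step S13
```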
Next, the communication sequence in the communication system of this embodiment is described. FIG. 9 shows an example of the communication sequence in the communication system of this embodiment. The communication system shown in FIG. 4 is assumed here. One of the ONUs 302-1 to 302-N is assumed to be the standard MACsec operation ONU #1, which transmits and receives standard MACsec frames, and another of the ONUs 302-1 to 302-N, other than ONU #1, is assumed to be the extended MACsec operation ONU #2, which transmits and receives extended MACsec frames.
The OLT 301 is assumed to have the function of the reception device of this embodiment, and ONU #1 and ONU #2 are assumed to have the function of the transmission device of this embodiment.
As shown in FIG. 9, when ONU #1 receives the Discovery Gate transmitted by the OLT 301 (step S31), it transmits a Register Request (#1) to the OLT 301 (step S32). The Discovery Gate is a message that the OLT 301 transmits periodically, and the Register Request is a message by which ONU #1 requests registration with the OLT 301.
On receiving the Register Request from ONU #1, the OLT 301 transmits a Register (#1) indicating that ONU #1 has been registered (step S33). On receiving the Register (#1), ONU #1 transmits a Register Ack (#1) to the OLT 301 in response (step S34).
Steps S35 to S38 are performed between the OLT 301 and ONU #2 in the same way as between the OLT 301 and ONU #1.
The OLT 301 then sends ONU #1 an inquiry about MACsec operation (whether extended MACsec operation is supported) (step S39), and ONU #1 answers the inquiry by notifying that it supports extended MACsec operation (step S40). Based on the received answer, the OLT 301 decides to perform extended MACsec operation with ONU #1 and instructs it to configure extended MACsec operation as its MACsec operation setting (step S41). ONU #1 configures itself for extended MACsec operation according to the instruction and notifies the OLT 301 that the MACsec operation setting is complete (step S42).
The OLT 301 likewise sends ONU #2 an inquiry about MACsec operation (step S43), and ONU #2 answers the inquiry by notifying that it does not support extended MACsec operation (step S44). Based on the received answer, the OLT 301 decides to perform standard MACsec operation with ONU #2 and instructs it to configure standard MACsec operation as its MACsec operation setting (step S45). ONU #2 configures itself for standard MACsec operation according to the instruction and notifies the OLT 301 that the MACsec operation setting is complete (step S46).
Thereafter, ONU #1 generates an extended MACsec frame 401 by extended MACsec processing (the processing described above for a transmission device transmitting an extended MACsec frame) (step S47), and the OLT 301 performs reception processing on the extended MACsec frame 401 by extended MACsec processing (the processing described above for a reception device receiving an extended MACsec frame) (step S48).
Likewise, ONU #2 generates a standard MACsec frame 402 by standard MACsec processing (the processing described above for a transmission device transmitting a standard MACsec frame) (step S49), and the OLT 301 performs reception processing on the standard MACsec frame 402 by standard MACsec processing (the processing described above for a reception device receiving a standard MACsec frame) (step S50).
The communication sequence described above is only an example. Any sequence may be used as long as it lets the OLT 301 and the ONUs 302-1 to 302-N agree, before data is exchanged, on whether to perform extended MACsec operation or standard MACsec operation (or no encryption at all).
In the above communication sequence, if agreement on the MACsec operation is reached normally, no problem arises even if reception is processed by the conventional reception method. If, however, agreement on the MACsec operation is not reached normally, the OLT 301 may set the type of the received frame (standard MACsec frame or extended MACsec frame) incorrectly, or the type may be undetermined; in that case the conventional reception method either erroneously deletes the correct (original) MAC addresses or fails to delete the MAC addresses that should be deleted (the pseudo MAC addresses).
In this embodiment, by contrast, the transmission device stores a value indicating an extended MACsec frame in the Type information when it transmits an extended MACsec frame, and the reception device determines from the Type information whether the frame is an extended MACsec frame. The reception device can therefore correctly identify, on receiving a frame, whether it was transmitted by the extended MACsec scheme or the standard MACsec scheme, and the faults that result from processing a frame under the wrong scheme, such as the erroneous deletion of MAC addresses or the failure to delete MAC addresses that should be deleted, are prevented.
Embodiment 2.
Next, the transmission device and the reception device of Embodiment 2 of the present invention are described. The configuration of the transmission device and the reception device of this embodiment is the same as that of Embodiment 1. Components having the same functions as in Embodiment 1 are given the same reference numerals as in Embodiment 1. Description overlapping with Embodiment 1 is omitted below, and only the parts that differ from Embodiment 1 are described.
 まず、本実施の形態の送信装置の動作を説明する。本実施の形態では、Typeエンコード部2は、拡張MACsecフレームの送信時にも標準MACsecフレームと同様のType情報を生成する。そして、拡張MACsec SecTAG生成部5は、SecTAGのV(Vビット)を“1”に設定する。また、標準MACsec SecTAG生成部4は、SecTAGのVビットをIEEE802.1AEにて規定される値(“0”)に設定する。以上述べた以外の送信装置の動作は、実施の形態1と同様である。 First, the operation of the transmission apparatus according to this embodiment will be described. In the present embodiment, the Type encoding unit 2 generates the same Type information as that of the standard MACsec frame even when the extended MACsec frame is transmitted. Then, the extended MACsec SecTAG generation unit 5 sets the SECTAG V (V bit) to “1”. Further, the standard MACsec SecTAG generation unit 4 sets the V bit of the SecTAG to a value (“0”) defined by IEEE 802.1AE. The operations of the transmitting apparatus other than those described above are the same as those in the first embodiment.
 次に受信装置の動作について説明する。図10は、本実施の形態の受信動作の一例を示すフローチャートである。ステップS1~ステップS6は、実施の形態1のステップS1~ステップS6と同様である。なお、本実施の形態ではステップS6では、標準MACsecフレームであるか拡張MACsecフレームであるかは判別せずに、どちらのフレームであってもSecTAGのデコード処理を実施する。 Next, the operation of the receiving device will be described. FIG. 10 is a flowchart illustrating an example of a reception operation according to this embodiment. Steps S1 to S6 are the same as steps S1 to S6 of the first embodiment. In this embodiment, in step S6, the SECTAG decoding process is performed in either frame without determining whether the frame is a standard MACsec frame or an extended MACsec frame.
 ステップS6の後、拡張MACsec SecTAGチェック部108は、SecTAGのVビットが0(または標準MACsecフレームの値)であるか否かを判断する(ステップS30)。Vビットが0であると判断した場合(ステップS30 Yes)は、拡張MACsec SecTAGチェック部108は、受信フレームが標準MACsecフレームであると判定し、判定結果をフレーム判定部106へ通知する。フレーム判定部106は、その判定結果を受信フレーム識別・復号化フレーム再構成部104へ通知する。 After step S6, the extended MACsec SecTAG check unit 108 determines whether or not the SECTAG V bit is 0 (or the value of the standard MACsec frame) (step S30). When it is determined that the V bit is 0 (Yes in step S30), the extended MACsec SecTAG check unit 108 determines that the received frame is a standard MACsec frame, and notifies the frame determination unit 106 of the determination result. The frame determination unit 106 notifies the reception frame identification / decoded frame reconstruction unit 104 of the determination result.
 また、ステップS7では、実施の形態1のステップS1と同様に、標準MACsec SecTAGチェック部109がSecTAGの確認を行なう(ステップS7)。ただし、本実施の形態ではVビットについてはステップS30で確認済みであるため、Vビットの確認は省略してもよい。その後のステップS8~ステップS15は、実施の形態1と同様である。 In step S7, as in step S1 of the first embodiment, the standard MACsec SecTAG check unit 109 confirms SecTAG (step S7). However, in this embodiment, since the V bit has been confirmed in step S30, the confirmation of the V bit may be omitted. The subsequent steps S8 to S15 are the same as in the first embodiment.
 一方、Vビットが0でないと判断した場合(ステップS30 No)は、拡張MACsec SecTAGチェック部108は、受信フレームが拡張MACsecフレームであると判定し、判定結果をフレーム判定部106へ通知する。フレーム判定部106は、その判定結果を受信フレーム識別・復号化フレーム再構成部104へ通知する。その後のステップS18は、実施の形態1と同様である。 On the other hand, when it is determined that the V bit is not 0 (No in step S30), the extended MACsec SecTAG check unit 108 determines that the received frame is an extended MACsec frame, and notifies the frame determination unit 106 of the determination result. The frame determination unit 106 notifies the reception frame identification / decoded frame reconstruction unit 104 of the determination result. The subsequent step S18 is the same as that in the first embodiment.
In step S18, as in step S18 of the first embodiment, the extended MACsec SecTAG check unit 108 checks the SecTAG (step S18). However, since the V bit differs from the standard in this embodiment, it is checked whether or not the V bit is "1". The subsequent steps S19 to S25 are the same as in the first embodiment. Step S26 is also the same as in the first embodiment.
As described above, in this embodiment the extended MACsec SecTAG generation unit 5 of the transmission device functions as an identification information adding unit that stores in the V bit a value indicating an extended MACsec frame. In the reception device, the extended MACsec SecTAG check unit 108 functions as an identification unit that identifies, based on the V bit, whether the frame is an extended MACsec frame.
As described above, in this embodiment, when the transmission device transmits an extended MACsec frame it stores the value "1" indicating an extended MACsec frame as the V bit of the SecTAG, and the reception device determines based on the V bit whether or not the frame is an extended MACsec frame. Therefore, when a frame is received, it can be correctly identified whether the frame was transmitted by the extended MACsec method or by the standard MACsec method. Consequently, faults caused by incorrect processing due to a wrong choice of method, such as the erroneous deletion of a MAC address or the failure to delete a MAC address that should be deleted, as described above, can be prevented.
Embodiment 3.
Next, a transmission device and a reception device according to a third embodiment of the present invention will be described. The configurations of the transmission device and the reception device of this embodiment are the same as those of the transmission device and the reception device of the first embodiment. Components having the same functions as in the first embodiment are denoted by the same reference numerals as in the first embodiment. In the following, description overlapping with the first embodiment is omitted, and only the parts that differ from the first embodiment are described.
First, the operation of the transmission device of this embodiment will be described. In this embodiment, the Type encoding unit 2 generates the same Type information as for a standard MACsec frame even when an extended MACsec frame is transmitted. The extended MACsec SecTAG generation unit 5 sets the upper 2 bits of the SL (SL byte) of the SecTAG to "11". The standard MACsec SecTAG generation unit 4 sets the upper 2 bits of the SL byte of the SecTAG to "00". The operation of the transmission device other than described above is the same as in the first embodiment.
Note that the SL of the SecTAG defined in IEEE 802.1AE is a field for identifying whether or not the frame is shorter than the 64 bytes defined as the shortest Ethernet (registered trademark) frame. When the span between the last octet of the SecTAG and the first octet of the ICV is shorter than 48 bytes (64 bytes minus the MAC addresses), the number of octets of the Secure Data field (the Data part in FIG. 5) is set; otherwise zero is set. When pseudo MAC addresses are used as in this embodiment, the original MAC addresses are contained in the Secure Data field (the DA, SA and Data parts in FIG. 6), so the number of octets of the Secure Data field or zero is set using 64 bytes as the reference instead of the above 48 bytes.
Next, the operation of the reception device will be described. FIG. 11 is a flowchart illustrating an example of the reception operation according to this embodiment. Steps S1 to S6 are the same as steps S1 to S6 of the first embodiment. In this embodiment, however, step S6 performs the SecTAG decoding process on either kind of frame, without determining whether the frame is a standard MACsec frame or an extended MACsec frame.
After step S6, the extended MACsec SecTAG check unit 108 determines whether or not the upper 2 bits of the SL byte of the SecTAG are "00" (step S40). When it determines that the upper 2 bits of the SL byte are "00" (step S40: Yes), the extended MACsec SecTAG check unit 108 determines that the received frame is a standard MACsec frame and notifies the frame determination unit 106 of the determination result. The frame determination unit 106 notifies the received frame identification / decoded frame reconstruction unit 104 of the determination result.
In step S7, as in step S1 of the first embodiment, the standard MACsec SecTAG check unit 109 checks the SecTAG (step S7). However, since in this embodiment the upper bits of the SL byte are set to "00", the check is performed taking this into account. The subsequent steps S8 to S15 are the same as in the first embodiment.
On the other hand, when it determines that the upper 2 bits of the SL byte are not "00" (step S40: No), the extended MACsec SecTAG check unit 108 determines that the received frame is an extended MACsec frame and notifies the frame determination unit 106 of the determination result. The frame determination unit 106 notifies the received frame identification / decoded frame reconstruction unit 104 of the determination result. The subsequent step S18 is the same as in the first embodiment.
In step S18, as in step S18 of the first embodiment, the extended MACsec SecTAG check unit 108 checks the SecTAG (step S18). However, since in this embodiment the upper 2 bits of the SL byte are set to "11", the check is performed taking this into account. The subsequent steps S19 to S25 are the same as in the first embodiment. Step S26 is also the same as in the first embodiment.
As described above, in this embodiment the extended MACsec SecTAG generation unit 5 of the transmission device functions as an identification information adding unit that stores in the SL byte a value indicating an extended MACsec frame. In the reception device, the extended MACsec SecTAG check unit 108 functions as an identification unit that identifies, based on the SL byte, whether the frame is an extended MACsec frame.
As described above, in this embodiment, when the transmission device transmits an extended MACsec frame it sets the upper 2 bits of the SL byte of the SecTAG to the value "11" indicating an extended MACsec frame, and the reception device determines based on the SL byte whether or not the frame is an extended MACsec frame. Therefore, when a frame is received, it can be correctly identified whether the frame was transmitted by the extended MACsec method or by the standard MACsec method. Consequently, faults caused by incorrect processing due to a wrong choice of method, such as the erroneous deletion of a MAC address or the failure to delete a MAC address that should be deleted, as described above, can be prevented.
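The SecTAG-level marking of the second and third embodiments (V bit, and upper two SL bits) together with the receiver checks of steps S30/S40, S7 and S18, as an added example that is not the patent's own code. It assumes the IEEE 802.1AE SecTAG layout (TCI/AN octet, SL octet, 4-octet PN, optional 8-octet SCI) and the SL rule the page states, with a 48-octet reference for standard frames and 64 octets for extended frames.

```python
from enum import Enum
from typing import Optional

# SecTAG bit layout per IEEE 802.1AE. Only the fields the page's checks use
# are modelled; the remaining TCI flags are left at zero.
TCI_V = 0x80             # version bit, always 0 in a standard MACsec frame
TCI_SC = 0x20            # SCI-present flag
SL_RESERVED_MASK = 0xC0  # upper two bits of SL, "00" in a standard frame
SL_LENGTH_MASK = 0x3F    # short length value (0..63)


class Method(Enum):
    """Which SecTAG field carries the extended-frame marker."""
    V_BIT = 2    # embodiment 2: V = 1 marks an extended frame
    SL_BITS = 3  # embodiment 3: SL upper two bits = "11" mark an extended frame


def short_length(secure_data_len: int, extended: bool) -> int:
    """SL value as the page defines it: the Secure Data octet count when it is
    below the minimum-frame reference, otherwise 0. The reference is 48 octets
    for a standard frame and 64 when the original DA/SA ride inside Secure Data."""
    threshold = 64 if extended else 48
    return secure_data_len if secure_data_len < threshold else 0


def build_sectag(method: Method, extended: bool, secure_data_len: int,
                 pn: int, an: int = 0, sci: Optional[bytes] = None) -> bytes:
    """Transmitter side (extended MACsec SecTAG generation unit 5 / standard
    unit 4): build the SecTAG and, for an extended frame, stamp the marker."""
    tci = an & 0x03
    if sci is not None:
        tci |= TCI_SC
    sl = short_length(secure_data_len, extended) & SL_LENGTH_MASK
    if extended:
        if method is Method.V_BIT:
            tci |= TCI_V
        else:
            sl |= SL_RESERVED_MASK
    tag = bytes([tci, sl]) + pn.to_bytes(4, "big")
    return tag + sci if sci is not None else tag


def classify_sectag(method: Method, sectag: bytes) -> str:
    """Receiver step S30 (V bit) or S40 (SL upper bits): 'standard' or 'extended'."""
    if len(sectag) < 6:
        raise ValueError("SecTAG must be at least 6 octets")
    tci, sl = sectag[0], sectag[1]
    if method is Method.V_BIT:
        return "extended" if tci & TCI_V else "standard"
    return "standard" if (sl & SL_RESERVED_MASK) == 0 else "extended"


def check_standard_sectag(sectag: bytes) -> bool:
    """Step S7 (standard MACsec SecTAG check unit 109): a standard receiver
    requires V == 0 and reserved SL bits == 00, so a frame marked by either
    method fails this check if it is wrongly routed down the standard path."""
    tci, sl = sectag[0], sectag[1]
    return (tci & TCI_V) == 0 and (sl & SL_RESERVED_MASK) == 0


def check_extended_sectag(method: Method, sectag: bytes) -> bool:
    """Step S18 (extended MACsec SecTAG check unit 108): the marker must be
    exactly the agreed value. SL upper bits "01" or "10" pass step S40 but
    fail here, so such a frame is accepted as neither kind."""
    tci, sl = sectag[0], sectag[1]
    if method is Method.V_BIT:
        return (tci & TCI_V) != 0
    return (sl & SL_RESERVED_MASK) == SL_RESERVED_MASK


if __name__ == "__main__":
    # Constructed demo: a 40-octet Secure Data frame under each marking scheme.
    for m in Method:
        tag = build_sectag(m, extended=True, secure_data_len=40, pn=1)
        print(m.name, tag.hex(), classify_sectag(m, tag))
```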
Embodiment 4.
Next, a transmission device and a reception device according to a fourth embodiment of the present invention will be described. The configurations of the transmission device and the reception device of this embodiment are the same as those of the transmission device and the reception device of the first embodiment. Components having the same functions as in the first embodiment are denoted by the same reference numerals as in the first embodiment. In the following, description overlapping with the first embodiment is omitted, and only the parts that differ from the first embodiment are described.
First, the operation of the transmission device of this embodiment will be described. In this embodiment, the Type encoding unit 2 generates the same Type information as for a standard MACsec frame even when an extended MACsec frame is transmitted. The extended MACsec preamble generation unit 7 generates a preamble in which the value of the fifth byte of the preamble (preamble fifth byte 500 in FIG. 6) is set to "0xAA" and the other bytes are set to the values defined in IEEE 802.3, and outputs it to the preamble adding unit 14. When a preamble is input from the extended MACsec preamble generation unit 7, the preamble adding unit 14 adds the input preamble; otherwise it adds the preamble defined in IEEE 802.3. The operation of the transmission device other than described above is the same as in the first embodiment.
Next, the operation of the reception device will be described. FIG. 12 is a flowchart illustrating an example of the reception operation according to this embodiment. Steps S1 and S2 are the same as steps S1 and S2 of the first embodiment. However, in this embodiment, step S2 checks the bytes of the preamble other than the fifth byte.
After step S2, the preamble check unit 101 determines whether or not the fifth byte of the preamble is "0xAA" (step S50). When the preamble check unit 101 determines that the fifth byte of the preamble is not "0xAA" (step S50: No), it determines that the frame is not an extended MACsec frame and notifies the received frame identification / decoded frame reconstruction unit 104 of the determination result, either via the FCS check unit 102 and the PON control unit 103 or via the frame determination unit 106. Thereafter, steps S3 to S15 are performed as in the first embodiment.
On the other hand, when it determines in step S50 that the fifth byte of the preamble is "0xAA" (step S50: Yes), the preamble check unit 101 determines that the frame is an extended MACsec frame and notifies the received frame identification / decoded frame reconstruction unit 104 of the determination result, either via the FCS check unit 102 and the PON control unit 103 or via the frame determination unit 106. Thereafter, steps S3 to S5 are performed as in the first embodiment, and when the Type information in step S5 is "0x88E5" (step S5: Yes), steps S17 to S25 are performed as in the first embodiment.
When the Type information in step S5 is not "0x88E5" (step S5: No), step S26 is performed as in the first embodiment.
In this embodiment, the preamble check unit 101 determines whether or not the fifth byte of the preamble is "0xAA"; instead, a separate extended preamble check unit that determines whether or not the fifth byte of the preamble is "0xAA" may be provided.
As described above, in this embodiment the extended MACsec preamble generation unit 7 of the transmission device functions as an identification information adding unit that stores in the preamble a value indicating an extended MACsec frame. In the reception device, the preamble check unit 101 functions as an identification unit that identifies, based on the preamble, whether the frame is an extended MACsec frame.
In this embodiment the fifth byte of the preamble is set to "0xAA"; however, the value set is not limited to "0xAA", and any value may be used as long as it is not a value already defined for standard MACsec frames or other frames. The value indicating an extended MACsec frame may also be stored at another position within the preamble.
As described above, in this embodiment, when transmitting an extended MACsec frame the transmission device sets the fifth byte of the preamble to the value "0xAA" indicating an extended MACsec frame, and the reception device determines based on the fifth byte of the preamble whether or not the frame is an extended MACsec frame. Therefore, when a frame is received, it can be correctly identified whether the frame was transmitted by the extended MACsec method or by the standard MACsec method. Consequently, faults caused by incorrect processing due to a wrong choice of method, such as the erroneous deletion of a MAC address or the failure to delete a MAC address that should be deleted, as described above, can be prevented.
Embodiment 5.
FIG. 13 is a diagram illustrating an example of the functional configuration of the reception control unit of the reception device according to a fifth embodiment of the present invention. The reception device of this embodiment is the same as the reception device of the first embodiment except that an extended MACsec MAC address check unit 115 is added. The configuration of the transmission device is the same as that of the transmission device of the first embodiment. Components having the same functions as in the first embodiment are denoted by the same reference numerals as in the first embodiment. In the following, description overlapping with the first embodiment is omitted, and only the parts that differ from the first embodiment are described.
First, the operation of the transmission device of this embodiment will be described. In this embodiment, the Type encoding unit 2 generates the same Type information as for a standard MACsec frame even when an extended MACsec frame is transmitted. The pseudo MAC address generation unit 11 generates the pseudo MAC addresses (pseudo DA, pseudo SA) as "0x01-80-C2-00-00-09" in the case of an extended MACsec frame; in the case of a standard MACsec frame no pseudo MAC address is needed, so it generates "Null" with no value. The operation of the transmission device other than described above is the same as in the first embodiment.
Note that "0x01-80-C2-00-00-09" is only an example; for instance, among the group addresses defined by the IEEE, an address reserved for the communication system itself can be used.
Next, the operation of the reception device will be described. FIG. 14 is a flowchart illustrating an example of the reception operation according to this embodiment. Steps S1 to S4 are the same as steps S1 to S4 of the first embodiment. After step S4, the extended MACsec MAC address check unit 115 determines whether or not the pseudo MAC addresses (pseudo DA, pseudo SA) are "0x01-80-C2-00-00-09" (step S60).
When it determines that the pseudo MAC addresses (pseudo DA, pseudo SA) are not "0x01-80-C2-00-00-09" (step S60: No), the extended MACsec MAC address check unit 115 determines that the received frame is not an extended MACsec frame and notifies the frame determination unit 106 of the determination result. The frame determination unit 106 notifies the received frame identification / decoded frame reconstruction unit 104 of this determination result. Thereafter, steps S5 to S15 are performed as in the first embodiment.
On the other hand, when it determines that the pseudo MAC addresses (pseudo DA, pseudo SA) are "0x01-80-C2-00-00-09" (step S60: Yes), the extended MACsec MAC address check unit 115 determines that the received frame is an extended MACsec frame and notifies the frame determination unit 106 of the determination result. The frame determination unit 106 notifies the received frame identification / decoded frame reconstruction unit 104 of this determination result. Thereafter, step S5 is performed as in the first embodiment, and when it is determined in step S5 that the Type information is "0x88E5" (step S5: Yes), steps S17 to S25 are performed as in the first embodiment.
When it is determined in step S5 that the Type information is not "0x88E5" (step S5: No), step S26 is performed as in the first embodiment.
In this embodiment the term pseudo MAC address has been used; however, the value indicating an extended MACsec frame may be set in only one of the pseudo destination MAC address (MAC destination address) and the pseudo source MAC address (MAC source address). Alternatively, the value indicating an extended MACsec frame may be set in both the pseudo destination MAC address and the pseudo source MAC address, either as the same value or as different values.
As described above, in this embodiment the pseudo MAC address generation unit 11 of the transmission device functions as an identification information adding unit that stores in the pseudo MAC address a value indicating an extended MACsec frame. In the reception device, the extended MACsec MAC address check unit 115 functions as an identification unit that identifies, based on the pseudo MAC address, whether the frame is an extended MACsec frame.
As described above, in this embodiment, when the transmission device transmits an extended MACsec frame it sets in the pseudo MAC address a value indicating an extended MACsec frame, and the reception device determines based on the pseudo MAC address whether or not the frame is an extended MACsec frame. Therefore, when a frame is received, it can be correctly identified whether the frame was transmitted by the extended MACsec method or by the standard MACsec method. Consequently, faults caused by incorrect processing due to a wrong choice of method, such as the erroneous deletion of a MAC address or the failure to delete a MAC address that should be deleted, as described above, can be prevented.
Embodiment 6.
Next, a transmission device and a reception device according to a sixth embodiment of the present invention will be described. The configurations of the transmission device and the reception device of this embodiment are the same as those of the transmission device and the reception device of the fifth embodiment. Components having the same functions as in the first embodiment or the sixth embodiment are denoted by the same reference numerals as in the first or sixth embodiment. In the following, description overlapping with the first or sixth embodiment is omitted, and only the parts that differ from the first embodiment are described.
First, the operation of the transmission device of this embodiment will be described. In this embodiment, a PON system as shown in FIG. 4 of the first embodiment is assumed. When transmitting an extended MACsec frame, the pseudo MAC address generation unit 11 generates the MAC address of the OLT 301 or the MAC address of one of the ONUs 302-1 to 302-N as the pseudo MAC address; when transmitting a standard MACsec frame no pseudo MAC address is needed, so it generates "Null" with no value.
It is assumed that the transmission device can learn the MAC address of the OLT 301 or the MAC addresses of the ONUs 302-1 to 302-N, which serve as pseudo MAC addresses, at the start of communication. For example, in the case of the PON system shown in FIG. 4 of the first embodiment, the MAC address of the OLT 301 and the MAC addresses of the ONUs 302-1 to 302-N communicating with the OLT 301 are recognized by the PON control unit 103 through the discovery sequence defined in IEEE 802.3 that is performed at startup. The PON control unit 103 notifies the extended MACsec MAC address check unit 115 of the recognized MAC address of the OLT 301 and the MAC addresses of the ONUs 302-1 to 302-N communicating with the OLT 301. The operation of the transmission device of this embodiment other than described above is the same as in the fifth embodiment.
For example, either one of the pseudo DA and the pseudo SA may be set to the MAC address of the destination OLT 301 or to the MAC address of one of the ONUs 302-1 to 302-N communicating with the OLT 301, or each of the pseudo DA and the pseudo SA may be set to either the MAC address of the OLT 301 or the MAC address of one of the ONUs 302-1 to 302-N communicating with the OLT 301. For example, in the case of transmission from the OLT 301, a MAC address is set as the pseudo DA and the MAC address of the OLT 301 is set as the pseudo SA. If a rule is defined in advance, the reverse may also be used: the MAC address of the OLT 301 is set as the pseudo DA and the MAC address of the destination ONU is set as the pseudo SA.
Next, the operation of the reception device will be described. FIG. 15 is a flowchart illustrating an example of the reception operation according to this embodiment. Steps S1 to S4 are the same as steps S1 to S4 of the first embodiment. After step S4, the extended MACsec MAC address check unit 115 determines whether or not the pseudo MAC addresses (pseudo DA, pseudo SA) are other than the MAC address of the OLT 301 or of one of the ONUs 302-1 to 302-N communicating with the OLT 301 (step S70).
When it determines that the pseudo MAC addresses (pseudo DA, pseudo SA) are not the MAC address of the OLT 301 or of one of the ONUs 302-1 to 302-N communicating with the OLT 301 (step S70: Yes), the extended MACsec MAC address check unit 115 determines that the received frame is not an extended MACsec frame and notifies the frame determination unit 106 of the determination result. The frame determination unit 106 notifies the received frame identification / decoded frame reconstruction unit 104 of this determination result. Thereafter, steps S5 to S15 are performed as in the first embodiment.
On the other hand, when it determines that the pseudo MAC addresses (pseudo DA, pseudo SA) are the MAC address of the OLT 301 or of one of the ONUs 302-1 to 302-N communicating with the OLT 301 (step S70: No), the extended MACsec MAC address check unit 115 determines that the received frame is an extended MACsec frame and notifies the frame determination unit 106 of the determination result. The frame determination unit 106 notifies the received frame identification / decoded frame reconstruction unit 104 of this determination result. Thereafter, step S5 is performed as in the first embodiment, and when it is determined in step S5 that the Type information is "0x88E5" (step S5: Yes), steps S17 to S25 are performed as in the first embodiment.
When it is determined in step S5 that the Type information is not "0x88E5" (step S5: No), step S26 is performed as in the first embodiment.
In this embodiment a PON system has been described as an example; however, also outside a PON system, when the transmission device and the reception device relay communication between a destination device and a source device, the address of the transmission device or of the reception device may be set as the pseudo MAC address, in the same way as the MAC address of the OLT 301 or of the ONUs 302-1 to 302-N communicating with the OLT 301.
As described above, in this embodiment the pseudo MAC address generation unit 11 of the transmission device functions as an identification information adding unit that stores in the pseudo MAC address a value indicating an extended MACsec frame. In the reception device, the extended MACsec MAC address check unit 115 functions as an identification unit that identifies, based on the pseudo MAC address, whether the frame is an extended MACsec frame.
As described above, in this embodiment, when the transmission device transmits an extended MACsec frame it sets the MAC address of the OLT 301 or of one of the ONUs 302-1 to 302-N as the pseudo MAC address, and the reception device determines based on the pseudo MAC address whether or not the frame is an extended MACsec frame. Therefore, when a frame is received, it can be correctly identified whether the frame was transmitted by the extended MACsec method or by the standard MACsec method. Consequently, faults caused by incorrect processing due to a wrong choice of method, such as the erroneous deletion of a MAC address or the failure to delete a MAC address that should be deleted, as described above, can be prevented.
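The identification methods of the fourth, fifth and sixth embodiments, which all decide from fields outside the SecTAG (the fifth preamble byte, a fixed reserved group address in the pseudo DA/SA, or the OLT/ONU addresses learned at discovery), as an added example that is not the patent's own code. Because the preamble is normally stripped before software sees a frame, it is passed in separately; the 8-octet preamble value 7 x 0x55 + 0xD5 is an assumption, and the fifth and sixth embodiments are unified into a single "set of pseudo addresses" so that embodiment 5 is a one-element set and embodiment 6 is the set filled by the discovery sequence.

```python
from typing import Iterable

MACSEC_ETHERTYPE = 0x88E5
# Embodiment 5 value from the page: a reserved IEEE group address used as
# both pseudo DA and pseudo SA of an extended MACsec frame.
RESERVED_GROUP_ADDRESS = bytes.fromhex("0180c2000009")
# Embodiment 4: the fifth preamble byte (0-based offset 4) carries 0xAA.
PREAMBLE_MARK_OFFSET = 4
PREAMBLE_MARK_VALUE = 0xAA
# Assumed 8-octet IEEE 802.3 preamble + SFD as this receiver expects it
# (constructed; the page only says "the values defined in IEEE 802.3").
IEEE8023_PREAMBLE = bytes([0x55] * 7) + bytes([0xD5])


class PseudoMacIdentifier:
    """Receiver-side extended MACsec MAC address check unit 115.

    Embodiment 5: the set holds only RESERVED_GROUP_ADDRESS.
    Embodiment 6: the set holds the OLT and ONU addresses learned from the
    discovery sequence (fed in through register_discovered).
    require_both=True needs DA and SA to match; False accepts either one,
    the variant the page also allows.
    """

    def __init__(self, pseudo_addresses: Iterable[bytes] = (),
                 require_both: bool = True) -> None:
        self.pseudo_addresses = {bytes(a) for a in pseudo_addresses}
        self.require_both = require_both

    def register_discovered(self, mac: bytes) -> None:
        """PON control unit 103 reports an OLT/ONU MAC after discovery."""
        if len(mac) != 6:
            raise ValueError("MAC address must be 6 octets")
        self.pseudo_addresses.add(bytes(mac))

    def is_extended(self, frame: bytes) -> bool:
        """Step S60 / S70: decide from the outer (pseudo) DA and SA."""
        if len(frame) < 14:
            raise ValueError("frame shorter than an Ethernet header")
        da_hit = frame[0:6] in self.pseudo_addresses
        sa_hit = frame[6:12] in self.pseudo_addresses
        return (da_hit and sa_hit) if self.require_both else (da_hit or sa_hit)


def make_extended_preamble() -> bytes:
    """Extended MACsec preamble generation unit 7: the IEEE 802.3 preamble
    with the fifth byte replaced by 0xAA."""
    p = bytearray(IEEE8023_PREAMBLE)
    p[PREAMBLE_MARK_OFFSET] = PREAMBLE_MARK_VALUE
    return bytes(p)


def is_extended_by_preamble(preamble: bytes) -> bool:
    """Steps S2 and S50 of embodiment 4: every byte except the fifth must
    carry the IEEE 802.3 value (S2); the fifth byte alone decides (S50)."""
    if len(preamble) != len(IEEE8023_PREAMBLE):
        raise ValueError("preamble must be 8 octets")
    for i, (got, want) in enumerate(zip(preamble, IEEE8023_PREAMBLE)):
        if i != PREAMBLE_MARK_OFFSET and got != want:
            raise ValueError("preamble damaged at byte %d" % (i + 1))
    return preamble[PREAMBLE_MARK_OFFSET] == PREAMBLE_MARK_VALUE


def receive(frame: bytes, identifier: PseudoMacIdentifier) -> str:
    """Steps S1-S4, S60/S70, then S5 of embodiments 5 and 6.

    Returns 'extended' (path S17..S25: the pseudo DA/SA are discarded and the
    real DA/SA come from Secure Data), 'standard' (path S6..S15: the outer
    DA/SA are kept), or 'other' (step S26: the EtherType is not MACsec).
    """
    extended = identifier.is_extended(frame)
    ethertype = int.from_bytes(frame[12:14], "big")
    if ethertype != MACSEC_ETHERTYPE:
        return "other"
    return "extended" if extended else "standard"


if __name__ == "__main__":
    # Constructed demo frames: pseudo DA/SA, MACsec EtherType, dummy payload.
    ident = PseudoMacIdentifier([RESERVED_GROUP_ADDRESS])
    ext = RESERVED_GROUP_ADDRESS * 2 + MACSEC_ETHERTYPE.to_bytes(2, "big") + bytes(20)
    std = bytes.fromhex("00005e00530a") + bytes.fromhex("00005e00530b") \
        + MACSEC_ETHERTYPE.to_bytes(2, "big") + bytes(20)
    print(receive(ext, ident), receive(std, ident))
    print(is_extended_by_preamble(make_extended_preamble()))
```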
Embodiment 7.
 FIG. 16 shows an example of the functional configuration of the transmission control unit of the transmitting device according to the seventh embodiment of the present invention, and FIG. 17 shows an example of the functional configuration of the reception control unit of the receiving device according to the seventh embodiment. The transmitting device of this embodiment is the same as that of the first embodiment except that an ICV inversion unit 15 is added, and the receiving device is the same as that of the first embodiment except that an ICV inversion unit 116 is added. Components with the same functions as in the first embodiment carry the same reference numerals. Description that overlaps with the first embodiment is omitted below, and only the differences from the first embodiment are described.
 First, the operation of the transmitting device of this embodiment is described. In this embodiment, the Type encoding unit 2 generates the same Type information for an extended MACsec frame as for a standard MACsec frame. The ICV generation unit 10 generates the ICV and then passes it to the ICV inversion unit 15. When an extended MACsec frame is being transmitted, the ICV inversion unit 15 inverts the ICV and outputs it to the transmission frame generation unit 1; for a standard MACsec frame it passes the ICV to the transmission frame generation unit 1 unchanged. The transmission frame generation unit 1 tells the ICV inversion unit 15 whether the transmission frame is to be a standard MACsec frame or an extended MACsec frame. Apart from the above, the transmitting device of this embodiment operates as in the first embodiment.
 Next, the operation of the receiving device is described. In this embodiment the receiving device cannot determine from the received frame itself whether it is a standard MACsec frame or an extended MACsec frame; it can, however, verify during the reception processing for a standard MACsec frame or for an extended MACsec frame that the frame type it has assumed is correct. The receiving device applies either the standard MACsec reception processing or the extended MACsec reception processing to each received frame. Normally, as described in the first embodiment, the two sides first agree on whether standard MACsec operation is used, and on the basis of that agreement the received frame identification / decrypted frame reconstruction unit 104 selects standard MACsec reception processing or extended MACsec reception processing.
 FIGS. 18 and 19 are flowcharts showing an example of the reception operation of this embodiment. FIG. 18 shows the reception operation for a standard MACsec frame and FIG. 19 shows the reception operation for an extended MACsec frame.
 The standard MACsec frame reception operation shown in FIG. 18 is the same as steps S1 to S15 of the first embodiment (the operation of the first embodiment when a standard MACsec frame is received). If a received frame that is processed as a standard MACsec frame is in fact an extended MACsec frame whose ICV has been inverted, the check result in step S12 is judged abnormal (step S12: No), the frame determination unit 106 instructs the received frame identification / decrypted frame reconstruction unit 104 to discard the frame, and processing ends (step S14). The extended MACsec frame cannot be reconstructed in this case, but it is prevented from being processed as a standard MACsec frame without raising an error.
 Next, the reception operation for an extended MACsec frame is described with reference to FIG. 19. Steps S1 to S5 and steps S17 to S22 are performed. After step S22, the received frame identification / decrypted frame reconstruction unit 104 outputs the ICV of the received frame to the ICV inversion unit 116, which inverts it and outputs the result to the normality confirmation unit 114 (step S80). The normality confirmation unit 114 then performs the normality check as in the first embodiment, using the ICV received from the ICV inversion unit 116 and the decrypted data (step S23). Processing from step S23 onward is the same as in the first embodiment.
 As described above, in this embodiment the ICV inversion unit 15 of the transmitting device functions as the identification information adding unit: by inverting the ICV it stores in the ICV a value that indicates an extended MACsec frame. In the receiving device, the normality confirmation unit 114 and the ICV inversion unit 116 together function as the identification unit, determining from the ICV whether the frame type assumed by the receiver is correct.
 In summary, in this embodiment the transmitting device inverts the ICV when it transmits an extended MACsec frame, and the receiving device determines from the ICV whether the frame type it has assumed is correct. Even when the receiving device applies the wrong reception processing to a received frame, that frame fails the ICV check and is discarded, which prevents the faults that would result from processing it under the wrong scheme.
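The ICV inversion scheme of this embodiment can be modelled end to end in a short script. The following Python code is an added example written for this page, not code from the patent or from Mitsubishi Electric. It assumes a simplified 8-byte SecTAG, uses HMAC-SHA256 truncated to 16 bytes as a stand-in for the AES-GCM ICV and a SHA-256 keystream as a stand-in for AES-GCM encryption (so that it runs with the standard library only), and uses constructed MAC addresses, key and payload. It builds a standard frame, a marked extended frame and, for comparison, an unmarked extended frame, then shows what a receiver in each mode does with them: the marked extended frame fails the ICV check in standard mode and is discarded (the FIG. 18 path ending at step S14), while the unmarked extended frame is accepted by a standard-mode receiver and handed up with the pseudo addresses in place of the real ones and the real addresses left inside the payload, which is exactly the misprocessing the inversion is meant to prevent.

```python
"""Model of the embodiment-7 ICV inversion marker (added example, not patent code).

Assumptions: fixed 8-byte SecTAG; HMAC-SHA256 truncated to 16 bytes stands in
for the AES-GCM ICV; a SHA-256 keystream stands in for AES-GCM encryption.
"""
import hashlib
import hmac

ICV_LEN = 16
MACSEC_ETHERTYPE = b"\x88\xe5"

# Constructed sample addresses, key and payload (not taken from the patent).
DA = bytes.fromhex("02aabbcc0001")        # real destination (upstream terminal)
SA = bytes.fromhex("02aabbcc0002")        # real source
OLT_MAC = bytes.fromhex("020000000301")   # OLT 301, used as the outer pseudo DA
ONU_MAC = bytes.fromhex("020000000302")   # ONU 302-1, used as the outer pseudo SA
PAYLOAD = b"extended MACsec test payload"
KEY = bytes(range(32))                    # constructed SAK, not a real key


def _keystream_xor(key: bytes, pn: int, data: bytes) -> bytes:
    """Stand-in for AES-GCM encryption: XOR with a SHA-256 derived keystream."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + pn.to_bytes(4, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def compute_icv(key: bytes, protected: bytes) -> bytes:
    """Stand-in for the GCM tag; covers outer DA/SA, SecTAG and secure data."""
    return hmac.new(key, protected, hashlib.sha256).digest()[:ICV_LEN]


def invert_icv(icv: bytes) -> bytes:
    """ICV inversion units 15 and 116: bitwise complement of the ICV."""
    return bytes(b ^ 0xFF for b in icv)


def build_frame(key, pn, da, sa, payload, extended, mark_icv=True):
    """Transmitter. An extended frame carries the real DA/SA inside the encrypted
    data and the pseudo MAC addresses in the outer address fields; with mark_icv
    set, its ICV is inverted as in embodiment 7."""
    sectag = MACSEC_ETHERTYPE + bytes([0x0C, 0x00]) + pn.to_bytes(4, "big")  # TCI/AN, SL, PN
    if extended:
        outer_da, outer_sa, plaintext = OLT_MAC, ONU_MAC, da + sa + payload
    else:
        outer_da, outer_sa, plaintext = da, sa, payload
    secure_data = _keystream_xor(key, pn, plaintext)
    protected = outer_da + outer_sa + sectag + secure_data
    icv = compute_icv(key, protected)
    if extended and mark_icv:
        icv = invert_icv(icv)
    return protected + icv


def receive(key, frame, mode):
    """Receiver running in the agreed mode ("standard" or "extended").
    Returns (da, sa, payload), or None when the frame is discarded."""
    protected, icv = frame[:-ICV_LEN], frame[-ICV_LEN:]
    if mode == "extended":
        icv = invert_icv(icv)                       # step S80 undoes the transmitter's inversion
    if not hmac.compare_digest(compute_icv(key, protected), icv):
        return None                                 # ICV check failed: discard (step S14)
    outer_da, outer_sa = protected[:6], protected[6:12]
    pn = int.from_bytes(protected[16:20], "big")
    plaintext = _keystream_xor(key, pn, protected[20:])
    if mode == "extended":
        return plaintext[:6], plaintext[6:12], plaintext[12:]   # reconstruct the original frame
    return outer_da, outer_sa, plaintext


def demo():
    std = build_frame(KEY, 1, DA, SA, PAYLOAD, extended=False)
    ext = build_frame(KEY, 2, DA, SA, PAYLOAD, extended=True)
    unmarked_ext = build_frame(KEY, 3, DA, SA, PAYLOAD, extended=True, mark_icv=False)
    return {
        "std_in_std": receive(KEY, std, "standard"),
        "ext_in_ext": receive(KEY, ext, "extended"),
        "ext_in_std": receive(KEY, ext, "standard"),      # wrong mode: discarded
        "std_in_ext": receive(KEY, std, "extended"),      # wrong mode: discarded
        "unmarked_ext_in_std": receive(KEY, unmarked_ext, "standard"),  # accepted, misparsed
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} -> {'discarded' if result is None else result}")
```

The inversion is applied to the finished tag after the AEAD computation and undone before verification, so it leaves the integrity check itself untouched: a forged or corrupted frame still fails in either mode, and the marker only ensures that a frame processed under the wrong scheme fails closed instead of being reconstructed with the wrong addresses.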
 As described above, the communication control device, transmitting device, receiving device, communication system and communication control method according to the present invention are useful for communication systems that handle both standard MACsec frames and extended MACsec frames, and are particularly suited to the communication systems that make up a PON system.
Description of reference numerals
 1 transmission frame generation unit
 2 Type encoding unit
 3 MACsec SecTAG encoding unit
 4 standard MACsec SecTAG generation unit
 5 extended MACsec SecTAG generation unit
 6 packet number assignment unit
 7 extended MACsec preamble generation unit
 8, 112 key management unit
 9 data encryption unit
 10 ICV generation unit
 11 pseudo MAC address generation unit
 12 PON control unit
 13 FCS assignment unit
 14 preamble assignment unit
 101 preamble check unit
 102 FCS check unit
 103 PON control unit
 104 received frame identification / decrypted frame reconstruction unit
 105 Type check unit
 106 frame determination unit
 107 SecTAG decoding unit
 108 extended MACsec SecTAG check unit
 109 standard MACsec SecTAG check unit
 110 replay check unit
 111 SC/AN confirmation unit
 113 data decryption unit
 114 normality confirmation unit
 115 extended MACsec MAC address check unit
 116 ICV inversion unit
 201 WDM
 202 optical Tx
 203 optical Rx
 204 PON-LSI
 205 interface
 210 upstream network (terminal)
 211 management device
 301 OLT
 302-1 to 302-N ONU
 401 extended MACsec frame
 402 standard MACsec frame
 500 fifth byte of the preamble

Claims (20)

  1.  A communication control device in a transmitting device that transmits standard MACsec frames, which are frames encrypted by MACsec, and extended MACsec frames, which are frames encrypted by MACsec including the destination and source addresses, the communication control device comprising:
     an identification information adding unit that, when a transmission frame is transmitted as an extended MACsec frame, stores at a predetermined bit position of the transmission frame a predetermined value indicating that the frame is an extended MACsec frame.
  2.  The communication control device according to claim 1, wherein the predetermined bit position is within the SecTAG field.
  3.  The communication control device according to claim 2, wherein the predetermined bit position is the Type area within the SecTAG field.
  4.  The communication control device according to claim 2, wherein the predetermined bit position is the V bit area within the SecTAG field.
  5.  The communication control device according to claim 2, wherein the predetermined bit position is the SL bit area within the SecTAG field.
  6.  The communication control device according to claim 1, wherein the predetermined bit position is within the preamble area.
  7.  The communication control device according to claim 1, wherein the predetermined bit position is the ICV area and the predetermined value is the inverted value of the ICV computed over the encrypted data.
  8.  The communication control device according to claim 1, wherein the predetermined bit position is the address area immediately following the preamble.
  9.  The communication control device according to claim 8, wherein the predetermined value is an address reserved for the local communication system from among the group addresses defined by the IEEE.
  10.  The communication control device according to any one of claims 1 to 9, wherein the transmitting device is a station-side communication device or a subscriber-side communication device of a PON system.
  11.  The communication control device according to claim 8, wherein the transmitting device is a station-side communication device or a subscriber-side communication device of a PON system, and
     the predetermined value is at least one of the address of the device itself and the address of the communication partner device.
  12.  A communication control device in a receiving device that receives standard MACsec frames, which are frames encrypted by MACsec, and extended MACsec frames, which are frames encrypted by MACsec including the destination and source addresses, the communication control device comprising:
     an identification unit that identifies whether a received frame is an extended MACsec frame on the basis of information, stored at a predetermined bit position of the received frame, indicating whether the frame is an extended MACsec frame.
  13.  A communication control device in a receiving device that receives standard MACsec frames, which are frames encrypted by MACsec, and extended MACsec frames, which are frames encrypted by MACsec including the destination and source addresses, the communication control device comprising:
     an identification unit that, when reception processing is performed with the type of a received frame set to extended MACsec frame or to standard MACsec frame, identifies whether the set type is correct on the basis of information, stored at a predetermined bit position of the received frame, indicating whether the frame is an extended MACsec frame.
  14.  A transmitting device that transmits standard MACsec frames, which are frames encrypted by MACsec, and extended MACsec frames, which are frames encrypted by MACsec including the destination and source addresses, the transmitting device comprising:
     an identification information adding unit that, when a transmission frame is transmitted as an extended MACsec frame, stores at a predetermined bit position of the transmission frame a predetermined value indicating that the frame is an extended MACsec frame.
  15.  A receiving device that receives standard MACsec frames, which are frames encrypted by MACsec, and extended MACsec frames, which are frames encrypted by MACsec including the destination and source addresses, the receiving device comprising:
     an identification unit that identifies whether a received frame is an extended MACsec frame on the basis of information, stored at a predetermined bit position of the received frame, indicating whether the frame is an extended MACsec frame.
  16.  A receiving device that receives standard MACsec frames, which are frames encrypted by MACsec, and extended MACsec frames, which are frames encrypted by MACsec including the destination and source addresses, the receiving device comprising:
     an identification unit that, when reception processing is performed with the type of a received frame set to extended MACsec frame or to standard MACsec frame, identifies whether the set type is correct on the basis of information, stored at a predetermined bit position of the received frame, indicating whether the frame is an extended MACsec frame.
  17.  A communication system that transmits standard MACsec frames, which are frames encrypted by MACsec, and extended MACsec frames, which are frames encrypted by MACsec including the destination and source addresses, the communication system comprising:
     a transmitting device comprising an identification information adding unit that, when a transmission frame is transmitted as an extended MACsec frame, stores at a predetermined bit position of the transmission frame a predetermined value indicating that the frame is an extended MACsec frame; and
     a receiving device comprising an identification unit that identifies whether a received frame is an extended MACsec frame on the basis of information, stored at a predetermined bit position of the received frame, indicating whether the frame is an extended MACsec frame.
  18.  A communication system that transmits standard MACsec frames, which are frames encrypted by MACsec, and extended MACsec frames, which are frames encrypted by MACsec including the destination and source addresses, the communication system comprising:
     a transmitting device comprising an identification information adding unit that, when a transmission frame is transmitted as an extended MACsec frame, stores at a predetermined bit position of the transmission frame a predetermined value indicating that the frame is an extended MACsec frame; and
     a receiving device comprising an identification unit that, when reception processing is performed with the type of a received frame set to extended MACsec frame or to standard MACsec frame, identifies whether the set type is correct on the basis of information, stored at a predetermined bit position of the received frame, indicating whether the frame is an extended MACsec frame.
  19.  A communication control method in a communication system that transmits standard MACsec frames, which are frames encrypted by MACsec, and extended MACsec frames, which are frames encrypted by MACsec including the destination and source addresses, the method comprising:
     a first step in which a transmitting device of the communication system, when it transmits a transmission frame as an extended MACsec frame, stores at a predetermined bit position of the transmission frame a predetermined value indicating that the frame is an extended MACsec frame; and
     a second step in which a receiving device of the communication system identifies whether a received frame is an extended MACsec frame on the basis of information, stored at a predetermined bit position of the received frame, indicating whether the frame is an extended MACsec frame.
  20.  A communication control method in a communication system that transmits standard MACsec frames, which are frames encrypted by MACsec, and extended MACsec frames, which are frames encrypted by MACsec including the destination and source addresses, the method comprising:
     a first step in which a transmitting device of the communication system, when it transmits a transmission frame as an extended MACsec frame, stores at a predetermined bit position of the transmission frame a predetermined value indicating that the frame is an extended MACsec frame; and
     a second step in which a receiving device of the communication system, when it performs reception processing with the type of a received frame set to extended MACsec frame or to standard MACsec frame, identifies whether the set type is correct on the basis of information, stored at a predetermined bit position of the received frame, indicating whether the frame is an extended MACsec frame.
PCT/JP2010/068742 2010-10-22 2010-10-22 Communication control device, transmission device, reception device, communication system, and communication control method WO2012053109A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2012539550A JP5465335B2 (en) 2010-10-22 2010-10-22 COMMUNICATION SYSTEM, COMMUNICATION CONTROL DEVICE, TRANSMISSION DEVICE, RECEPTION DEVICE, AND COMMUNICATION CONTROL METHOD
PCT/JP2010/068742 WO2012053109A1 (en) 2010-10-22 2010-10-22 Communication control device, transmission device, reception device, communication system, and communication control method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2010/068742 WO2012053109A1 (en) 2010-10-22 2010-10-22 Communication control device, transmission device, reception device, communication system, and communication control method

Publications (1)

Publication Number Publication Date
WO2012053109A1 true WO2012053109A1 (en) 2012-04-26

Family

ID=45974842

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2010/068742 WO2012053109A1 (en) 2010-10-22 2010-10-22 Communication control device, transmission device, reception device, communication system, and communication control method

Country Status (2)

Country Link
JP (1) JP5465335B2 (en)
WO (1) WO2012053109A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2009015616A (en) * 2007-07-05 2009-01-22 Sharp Corp Server device, communication system, and communication terminal
JP2009130589A (en) * 2007-11-22 2009-06-11 Rohm Co Ltd Information communication terminal, radio communication equipment and radio communication network
WO2010119587A1 * 2009-04-16 2010-10-21 Sumitomo Electric Industries, Ltd. Dynamic bandwidth assignment device, method of the same, and optical line terminal of pon system

Also Published As

Publication number Publication date
JP5465335B2 (en) 2014-04-09
JPWO2012053109A1 (en) 2014-02-24

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 10858663; Country of ref document: EP; Kind code of ref document: A1)
WWE Wipo information: entry into national phase (Ref document number: 2012539550; Country of ref document: JP)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 10858663; Country of ref document: EP; Kind code of ref document: A1)