1. Field of the Invention
The present invention relates to a method for detecting a security module for link protection in an Ethernet Passive Optical Network (EPON), wherein an Optical Line Terminal (OLT) and an Optical Network Unit (ONU) in the EPON can each determine whether or not a security module is present in the other and can check each other's configuration information for link protection between the OLT and the ONU.
2. Description of the Related Art
Generally, an EPON includes an OLT and a plurality of ONUs connected to the OLT.
FIG. 1 is a schematic diagram illustrating the configuration of an EPON. As shown in FIG. 1, the EPON includes an OLT 11 for connection to systems of other networks such as an IP network, a broadcasting network, and a TDM network, and ONUs 12 that are connected to the OLT 11 and also to subscriber terminals 13 such as STBs or PCs.
The EPON has different transmission schemes for upstream and downstream traffic because of its physical tree topology. That is, the EPON unicasts upstream transmissions and broadcasts downstream transmissions. Thus, even though downstream data is unicast, it is transmitted to all the ONUs 12, and therefore the security of downstream data transmission is poor. A security module is required for link protection in the EPON to protect messages transferred in the EPON.
The security module for link protection in the EPON includes an encryption module for encrypting messages transferred between the OLT 11 and the ONU 12, and a key management module for providing keys required for operation of the encryption module. The key management module manages (for example, generates, distributes, and stores) keys required for encryption and decryption in the encryption module. The key management module also controls (for example, activates or deactivates) the encryption module.
In order for the encryption and key management modules to perform a security function normally, it must first be confirmed whether or not a security module is present in each of the two devices (i.e., the OLT 11 and the ONU 12) between which a security channel is established and whether or not the configurations of the security modules of the two devices match. This function can be performed in the encryption module or provided by the key management module.
A security module detection method, in which the encryption module itself performs the procedure for detecting a security module, must use part of the information added to a frame for encryption of a message. This indicates that a separate overhead, other than the overhead added for encryption, must be added to the frame and a functional module for controlling the separate overhead must be added to the encryption module. That is, the security module detection method performed in the encryption module requires a new function to be added to the encryption module and an overhead to be added to the frame. Another method may be employed in which the frame receiving side detects that a received frame is encrypted. However, in this method, a frame may be lost during the time taken to determine what was detected. Particularly when no encryption module is present in the receiving side, encrypted frames received from the transmitting side are constantly lost. It is possible for the transmitting side to determine whether or not an encryption module is present in the receiving side based on whether or not a frame received by the transmitting side has been encrypted. However, this determination cannot be performed properly since transmitting and receiving channels are independent of each other.
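The frame-loss failure mode described above, and the effect of confirming module presence and matching configuration before encryption is activated, can be modelled as follows. This is an added example, not code from the patent: the class and function names, the `SecConfig` fields, the sample cipher values and the policy of holding traffic when the check fails are all assumptions, and encryption is modelled as a configuration tag on the frame rather than a real cipher.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class SecConfig:
    cipher: str      # hypothetical configuration field
    key_bits: int    # hypothetical configuration field

@dataclass
class Onu:
    llid: int                      # logical link ID used to filter downstream frames
    module: Optional[SecConfig]    # None: no security module fitted
    delivered: int = 0
    lost: int = 0

    def on_frame(self, dst_llid: int, enc: Optional[SecConfig]) -> None:
        if dst_llid != self.llid:
            return                 # frame reached this ONU too, but is filtered out
        if enc is not None and enc != self.module:
            self.lost += 1         # cannot decrypt: missing module or mismatched config
        else:
            self.delivered += 1

def detect(olt_cfg: SecConfig, onu: Onu) -> str:
    """Presence and configuration check made before encryption is activated."""
    if onu.module is None:
        return "no-module"
    return "ok" if onu.module == olt_cfg else "config-mismatch"

def downstream(onus: List[Onu], dst_llid: int, enc: Optional[SecConfig], n: int) -> None:
    for _ in range(n):
        for onu in onus:           # tree topology: every ONU sees every frame
            onu.on_frame(dst_llid, enc)

def run(check_first: bool) -> dict:
    olt_cfg = SecConfig("AES-GCM", 128)   # constructed sample values
    onus = [Onu(1, SecConfig("AES-GCM", 128)), Onu(2, None),
            Onu(3, SecConfig("AES-GCM", 256))]
    report = {}
    for onu in onus:
        status = detect(olt_cfg, onu) if check_first else "unchecked"
        if status in ("ok", "unchecked"):  # assumed policy: hold traffic on a failed check
            downstream(onus, onu.llid, olt_cfg, 10)
        report[onu.llid] = (status, onu.delivered, onu.lost)
    return report

if __name__ == "__main__":
    print(run(check_first=False))
    print(run(check_first=True))
```

Without the check, every encrypted frame sent to the ONU with no module or a mismatched configuration is lost; with the check, the OLT learns the reason before any frame is sent.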