1. Field of the Invention
The present invention relates to an Ethernet passive optical network (EPON), and more particularly, to a method for setting a security channel based on a multi-point control protocol (MPCP) between an optical line terminator (OLT) and optical network units (ONUs) in an EPON, and a MPCP message structure for controlling frame transmission.
2. Description of the Related Art
In 2004, an IEEE802.3ah Ethernet in the First Mile (EFM) working group, which is an Ethernet transmission technology standardization association, standardized EPON technology to efficiently provide a broadband to users. The EPON technology uses conventional Ethernet transmission technology and additionally uses an EPON media access control (MAC) function to control frame transmission in the EPON. In the EPON, a single OLT is connected to multiple ONUs based on a point-to-multipoint mode. The single OLT and the multiple ONUs exchange frames without any collision through frame transmission using broadcasting scheme for downstream transmission and using TDMA scheme for upstream transmission.
The IEEE802.3ah EFM working group defines five types of MPCP messages to control the frame transmission. The MPCP messages include a discovery message (GATE), a register request message (REGISTER_REQUEST), a register message (REGISTER), a register acknowledgement message (REGISTER_ACK), and a report message (REPORT).
The discovery message (GATE) is used to transfer an instruction (Discovery Window Open) for opening a discovery window and a time for using an upstream channel of each ONU when the ONUs are initially registered. The report message (REPORT) is used to inform the OLT of the size of data on standby at the ONUs. The register request message (REGISTER_REQUEST) is used by the ONUs to express their registration intention to the OLT within the discovery window. The register message (REGISTER) is used to confirm whether the ONUs are successfully registered or not after an OLT receives the registration intention from the ONUs. The register acknowledgement message (REGISTER_ACK) is transmitted from the ONUs to the OLT in order to confirm to the OLT that the ONU has accepted the registration state assigned by the OLT.
The OLT in the EPON performs an automatic registration procedure to find out the existence of the ONUs and controls upstream data transmission of the ONUs using the MPCP messages. In the automatic registration procedure, the OLT ranges the distance of the ONUs and allocates EPON identifiers (PHY ID) to the ONUs.
FIG. 1 is a block diagram illustrating downstream message transmission between an OLT and an ONU in an EPON according to the related art.
As shown in FIG. 1, the OLT 10 is connected to ONUs 32, 34, and 36 through an optical cable. The ONUs 32, 34, and 36 are installed inside homes or offices and receive various services, such as Internet services, telephone services and interactive video services, from the OLT 10.
In the EPON, Ethernet frames 22, 24, 26, and 28 including data for various services are transmitted to the individual ONUs 32, 34, and 36 from the OLT through a 1:N passive optical distribution unit such as a splitter or coupler. Each of the Ethernet frames 22, 24, 26, and 28 is created as a variable length packet having a maximum length of 1,518 bytes and includes information about the destination ONUs 32, 34, and 36. Upon receiving the above packets, each of the ONUs 32, 34, and 36 accepts only the packets addressed to itself and discards the other packets, and then transmits the accepted packets to the corresponding users 52, 54, and 56, respectively.
FIG. 2 is a block diagram showing upstream message transmission from ONUs to an OLT in an EPON according to the related art.
As shown in FIG. 2, a plurality of users 52, 54, and 56 transmit frames 40, 41, 43, 46, 47 and 48 to the corresponding ONUs 32, 34, and 36, respectively. The ONUs 32, 34, and 36 load the corresponding frames onto respective time slot intervals 42, 44 and 49 allocated by an OLT 10 in advance, and transmit the loaded frames to the OLT 10 through an optical cable.
In the aforementioned EPON, the multiple ONUs share the optical cable, which is a single transmission medium, to perform data transmission/reception with the OLT 10. Therefore, a MAC protocol is required for the multiple ONUs to effectively access the transmission medium. According to such a requirement, the MPCP in the EPON uses a TDMA based mechanism to effectively transmit the upstream data between the multiple ONUs and the single OLT.
The main function of the MPCP is to control a discovery procedure by which the OLT discovers ONUs, allocate time slots to the respective ONUs, and provide the timing reference of the OLT and ONUs.
Since the EPON is usually configured in a point-to-multipoint connection, the downstream frame transmission is performed in a broadcasting mode. Hence, network intruders, such as hackers, may easily see the frames that are transmitted to the ONUs through simple program manipulation.
However, the IEEE802.3ah EPON working group does not define any standard for a channel security function; it only recommends the IEEE802.1ae MAC security specification for use if the channel security function is required in the EPON. Accordingly, the MPCP messages currently used for transmission control do not include any information for providing security for the links of the EPON.
As a result, when the IEEE802.1ae MAC security specification is used in the EPON, an additional key distribution protocol is required for negotiating and setting up a security channel. However, the additional key distribution protocol may waste bandwidth by transmitting additional overhead frames.
Also, the ONUs need to have a central processing unit (CPU) to operate the key distribution protocol. Without the CPU, the key distribution protocol cannot be operated. In order to provide the channel security function in the EPON, the ONUs are registered based on the MPCP, and the OLT negotiates a security capability with the registered ONUs and provides the key distribution to the ONUs.
Hence, there is a demand for a method that can simultaneously register the ONUs and negotiate and set up the security channel using the MPCP function, which is a transmission control mechanism defined as a standard in EPON, without using the additional key distribution protocol. Furthermore, there is also a demand for a key distribution method using the aforementioned method. The OLT should be capable of setting up the security channel for the ONUs that do not have a CPU and providing an encryption function.
FIG. 3 is a flowchart for a session key distribution method for providing a security service through the MPCP in the conventional EPON.
As shown, the OLT 10 periodically multicasts a discovery gate message GATE in plain text to perform a procedure of discovering a destined ONU 30 at step S11. The discovery gate message GATE allocates a time slot GRANT to allow a new ONU 30 to be registered. The discovery gate message GATE includes a predetermined value, i.e., a time stamp, EKROLT[N1] that is encoded using a secret key of the OLT for signature, the capabilities of the OLT (OLT capabilities), and a public key KUOLT.
When the new destined ONU 30 receives the discovery gate message GATE, the ONU 30 transmits a register request message REGISTER_REQUEST to the OLT 10 as a response to the discovery gate message GATE at step S13. The register request message REGISTER_REQUEST includes the capability of the physical layers (PHY ID capa.), the capability of the ONU 30 (ONU capa.), the capability of the OLT 10 (echo of OLT capa.), a session key EKUOLT[SESSION KEY] that is encoded by the public key of the OLT 10, the predetermined value N1 that is decoded by the public key of the OLT 10, and another predetermined value N2 that is generated for the signature of the ONU 30. The fields of the register request message REGISTER_REQUEST are encoded by the session key, except the fields encoded by the public key of the OLT 10.
At step S15, the OLT 10 decodes the transmitted register request message REGISTER_REQUEST using the session key, and then, transmits a register message (REGISTER) to the ONU 30 in order to notify that the ONU 30 is registered.
The register message REGISTER includes a permanent MAC address dest_addr=ONU MAC addr of the ONU 30, a physical layer ID list PHY ID list, the capability of the ONU 30 echo of ONU capa., and the other predetermined value N2 for the signature of the ONU 30.
At step S17, the OLT 10 transmits a general gate message GATE to the ONU 30 for an upstream transmission of the ONU 30. The general gate message GATE includes the permanent MAC address of the ONU 30 dest_addr=ONU MAC addr and a time slot allocation field GRANT to allocate a time slot. The general gate message GATE is encoded by the session key.
At step S19, the ONU 30 transmits a register acknowledgement message REGISTER_ACK to the OLT 10 as a response to the register message REGISTER transmitted from the OLT 10. The register acknowledgement message REGISTER_ACK includes the session key EKUOLT[SESSION KEY] that is encoded by the public key of the OLT 10 and the IDs of the registered physical layers (echo of registered PHY ID). The register acknowledgement message REGISTER_ACK is encoded by the session key and then transmitted to the OLT 10. On the basis of the above sequential operations, the session key is distributed.
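The following is an added model of the FIG. 3 exchange from step S11 through the ONU's decoding of REGISTER (S15), not code from the patent: the OLT signs N1 with its private key, the ONU returns the session key under the OLT public key and the remaining fields under the session key, and the OLT binds the request to its discovery by checking N1. The tiny textbook RSA parameters, the SHAKE keystream standing in for session-key encryption, the capability values and the MAC address are constructed assumptions.

```python
import hashlib, json, secrets

# Constructed toy RSA parameters (two small primes, textbook RSA): illustration only, not secure.
P, Q, E = 1000003, 999983, 65537
N = P * Q
OLT_PUB, OLT_PRIV = (N, E), (N, pow(E, -1, (P - 1) * (Q - 1)))

def rsa(x: int, key: tuple) -> int:
    """Textbook RSA: public key encrypts/verifies, private key decrypts/signs."""
    n, k = key
    return pow(x, k, n)

def sym(key: int, data: bytes) -> bytes:
    """Toy symmetric cipher (SHAKE keystream XOR) standing in for session-key encryption."""
    ks = hashlib.shake_256(key.to_bytes(8, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def olt_discovery_gate(n1: int) -> dict:
    """S11: plain-text discovery GATE with GRANT, OLT capabilities, N1 signed by the OLT, and KUOLT."""
    return {"grant": (1000, 200), "olt_capa": ["aes"], "sig_n1": rsa(n1, OLT_PRIV), "pub": OLT_PUB}

def onu_register_request(gate: dict, session_key: int, n2: int) -> dict:
    """S13: recover N1 with the OLT public key, send the session key under that public key
    and every other field under the session key."""
    n1 = rsa(gate["sig_n1"], gate["pub"])
    fields = {"phy_capa": 1, "onu_capa": ["aes"], "echo_olt_capa": gate["olt_capa"], "n1": n1, "n2": n2}
    return {"enc_session": rsa(session_key, gate["pub"]),
            "enc_fields": sym(session_key, json.dumps(fields).encode()).hex()}

def olt_register(req: dict, expected_n1: int, onu_mac: str) -> dict:
    """S15: decrypt the session key, decode the fields, check N1, then answer with REGISTER."""
    session_key = rsa(req["enc_session"], OLT_PRIV)
    fields = json.loads(sym(session_key, bytes.fromhex(req["enc_fields"])))
    if fields["n1"] != expected_n1:
        raise ValueError("N1 mismatch: REGISTER_REQUEST is not bound to this discovery window")
    reg = {"dest_addr": onu_mac, "phy_id_list": [7], "echo_onu_capa": fields["onu_capa"], "n2": fields["n2"]}
    return {"enc": sym(session_key, json.dumps(reg).encode()).hex()}

def run_exchange() -> dict:
    """Drive S11-S15 and let the ONU decode REGISTER, verifying its own N2 came back."""
    n1, n2, session_key = (secrets.randbelow(N) for _ in range(3))
    gate = olt_discovery_gate(n1)
    req = onu_register_request(gate, session_key, n2)
    register = olt_register(req, n1, "00:11:22:33:44:55")   # constructed ONU MAC address
    reg = json.loads(sym(session_key, bytes.fromhex(register["enc"])))
    return {"n2_ok": reg["n2"] == n2, "phy_id_list": reg["phy_id_list"]}
```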
However, the conventional session key distribution method may have several drawbacks. First, ONUs that do not have the key distribution algorithm may not be registered, because an ONU can interpret the portion encoded by the OLT only if it is provided with the key distribution algorithm. This registration failure violates the standardized discovery procedure defined for EPON.
Second, the same type of the key distribution algorithm must be provided to all ONUs connected to the single OLT. As a result, it may be difficult to effectively operate the key distribution protocol.
Third, during the key distribution procedure, the multiple ONUs encode the session keys of the ONUs using the public key of the OLT and then, encode all of the fields using the session keys of the ONUs. These two steps of encryption usually make a key distribution protocol structure complex.
Last, since the different types of transmitted MPCP messages are encoded by the session keys and the public key, the ONUs that have the key distribution protocol and the typical ONUs that do not are not allowed to exist on the same line.