Described herein is a method for protecting, in a communication network of a motor vehicle, devices of the motor vehicle against communication data of a non-authenticated device. Also described herein is a switch device by which the communication network is provided, and a motor vehicle having the switch device as described herein.
In a motor vehicle, a communication network can be provided on the basis of the Ethernet standard. An Ethernet structure can include switches or switch devices, on the one hand, and network users, that is to say devices of the motor vehicle, on the other hand. The switch device can separate communication data streams from one another by providing a VLAN (Virtual Local Area Network or virtual network). In this way, unauthorized access by one device to another device of the motor vehicle can be prevented. A motor vehicle with a switch device which provides a VLAN is known, for example, from German Patent Application Publication 10 2013 202 064 A1. According to that publication, devices of a motor vehicle are connected to ports of a switch device. A port is understood to refer to the physical connecting device for a communication cable in relation to the switch device and communication network described herein. In each case, only one communication cable can be connected to a port.
For a device to be able to feed communication data into a VLAN, that is to say transmit them via a port of the switch into the VLAN, the device must be authorized for the VLAN. Authentication based on the network standard IEEE 802.1X can be provided for this purpose, by way of example. If a device is not authenticated because its device identifier is not entered or stored as authorized or valid for the VLAN of the switch device, the switch device will switch off any communication at the switch port affected. The only exception is the reception of a repeated authentication request of the device.
However, this means that no further communication to a non-authorized device can take place via the motor vehicle communication network. From the perspective of data security, this is a desirable behavior. The disadvantage is that, for example, the non-authorized device cannot be recognized via the communication network even in a workshop. As a result, it then remains unclear why the device is not operating correctly in the motor vehicle.
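
The conventional port behavior described above can be modelled as follows. This is an added example, not part of the original text: the names `SwitchPort`, `build_frame` and `ethertype_of` are hypothetical, device identifiers are plain strings, and a lookup in the stored identifiers stands in for the full IEEE 802.1X exchange. It shows that only authentication frames (EtherType 0x888E) are received from a non-authenticated device, while traffic in both directions, including a workshop tester's request to that device, is discarded.

```python
import struct

ETH_P_8021Q = 0x8100  # IEEE 802.1Q VLAN tag
ETH_P_EAPOL = 0x888E  # IEEE 802.1X authentication frames (EAP over LAN)
ETH_P_IPV4 = 0x0800


def build_frame(src, ethertype, payload=b"", vlan=None, dst=b"\xff" * 6):
    """Construct a sample Ethernet frame, optionally with an 802.1Q tag."""
    tag = struct.pack("!HH", ETH_P_8021Q, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload


def ethertype_of(frame):
    """Return the payload EtherType, skipping one 802.1Q tag; None if truncated."""
    if len(frame) < 14:
        return None
    (etype,) = struct.unpack("!H", frame[12:14])
    if etype == ETH_P_8021Q:
        if len(frame) < 18:
            return None
        (etype,) = struct.unpack("!H", frame[16:18])
    return etype


class SwitchPort:
    """One port of a switch that shuts off non-authenticated devices (hypothetical model)."""

    def __init__(self, valid_ids):
        self.valid_ids = set(valid_ids)  # identifiers stored as valid for the VLAN
        self.authenticated = False

    def handle_auth_request(self, device_id):
        # Assumption: a lookup stands in for the full 802.1X exchange.
        self.authenticated = device_id in self.valid_ids
        return self.authenticated

    def ingress(self, frame):
        """Decide what happens to a frame sent by the attached device."""
        etype = ethertype_of(frame)
        if etype is None:
            return "drop"  # truncated frame
        if etype == ETH_P_EAPOL:
            return "auth"  # authentication requests are always received
        return "forward" if self.authenticated else "drop"

    def egress(self, frame):
        """Decide what happens to a frame addressed to the attached device."""
        return "forward" if self.authenticated else "drop"
```
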
A motor vehicle having an Ethernet network as communication network is known, for example, from German Patent Application Publication 10 2012 208 205 A1. Components of the network are connected to one another via a switch device. Individual data packets from communication data of the devices can be allocated to a particular class of data by evaluating a VLAN tag.
From German Patent Application Publication 10 2006 009 583 A1, it is known to provide diagnostic functionalities by a diagnostic module on board a motor vehicle. Additionally, a vehicle-external tester or a diagnostic device can be connected to the motor vehicle in order to provide further diagnostic modules.