Communication networks are used in a variety of applications including telephone and computer systems, weapons systems, navigational systems, and advanced control systems in cars, aircraft and other complex systems. Given the variety of applications, many kinds of communications networks have been developed over the years. One common characteristic of communication networks is the use of a communication medium that interconnects various nodes on the network. Various topologies and protocols have been developed to control communications between the nodes of these networks.
One network architecture is referred to as Time Division Multiple Access (TDMA). In a TDMA network, nodes in the network are assigned time slots for communicating over the network. Many different TDMA protocols have been developed for communication between nodes of a network. For example, these protocols include TTP/C, SAFEbus, FlexRay and other TDMA protocols.
FIG. 1 is a block diagram of a conventional communication network 100. Network 100 includes a plurality of communicating end stations, referred to herein as nodes (1). The network 100 also includes relaying devices (2), commonly referred to as guardians. Each guardian (2) has a number of ports (5). In this example, network 100 includes two guardians (2). This allows all data from one node (1) to be transmitted to another node over two different channels, e.g., one channel per guardian. Two channels are commonly used in the industry to provide fault tolerance for the network 100. In other embodiments, any appropriate number of guardians (2) may be used.
The network 100 also includes a number of communication links (3). Communication links (3) comprise one or more of wired media, e.g., copper cable, twisted pair, coaxial cable, optical fiber; wireless media, e.g., radio frequency, infrared; or another appropriate communication medium. The communication links (3) couple each node (1) with each guardian (2). Messages (4) are sent between nodes (1) through the guardians (2).
Collectively, the nodes (1), guardians (2), and communication links (3) comprise a cluster.
One problem with these TDMA-based networks is that faulty nodes can masquerade as other nodes. Masquerading nodes can influence local decisions by pretending to be another node and by behaving differently on different communication channels.
Fault-tolerant systems with only two replicated communication channels are vulnerable to masquerading-induced failure. Previous techniques developed to mitigate masquerade failures require additional redundancy (adding more nodes) and global knowledge of the communication schedule embodied and enforced by a central guardian. In some conventional systems, these techniques have been achieved using dedicated special communication links between guardians. Unfortunately, this, in turn, has compromised the underlying requirement of channel independence in the fault-tolerant network. Furthermore, the existing techniques developed to date assume benign failure modes (such as “stuck at” faults in a guardian). There are other simple failure modes that can cause total system failure, such as shorts between a guardian's inputs and outputs that destroy a network's clock synchronization mechanism by eliminating the assumed propagation delay through each guardian. Further, before synchronous operation is achieved, the authentication assumed by TDMA protocols cannot be counted on due to the possibility of masquerading-induced failures, and hence proper start-up is also an issue.
Therefore, a need exists for an improved technique for containing faults caused by masquerading nodes in a time division multiple access network.