Proceedings 2002/2003 - IRSE

More documents

Recommendations

Info

34 EURORADIO AND THE RBC Note that an Application and an Application Layer are not the same thing! An application could be for word-processing or train-control; the application layer is responsible typically for the transfer, access and management of files, documents, or messages – that is, for common services for all applications. The other point to note is that, as in most common communication stacks, not all layers are implemented. In this case there are no Application, Presentation or Session layers, but, unlike most, there is an extra one – the Safety layer. For convenience, it is probably easiest to think of the Safety layer as a particular form of Session layer – the key used for the Message Authentication Code (MAC) is generated on a per-session basis. It also has the benefit of being easy to remember. So the EuroRadio protocol stack is as shown in Figure 2. (application) SAFETY LAYER TRANSPORT LAYER NETWORK LAYER DATA LINK LAYER (GSM-R) Figure 2 – EuroRadio Stack 3.1 APPLICATION The application is responsible for initiating connection set-up from train to RBC, by requesting data to be sent. Note that, although EuroRadio is symmetric (that is, either side can initiate a connection), there is no requirement in the ETCS System Requirement Specification for the trackside application to connect to the train. It also implements the timestamp protection against delay. 3.2 SAFETY LAYER The safety layer is responsible for authentication, that is confirming the identities of the two applications, and to a lesser extent for final errorchecking. It is the guarantee of most of the communications safety so, like the application, it is generally implemented at SIL4. 3.3 TRANSPORT LAYER The transport layer contains a number of functions. It segments the message into 123-byte lengths and reassembles, if the message from the safety layer is too long for the network layer (but it does not recreate-sequence). It also provides flow control to restrict transmission in the lower layers. 3.4 NETWORK LAYER The network layer co-ordinates the transport connections above it – there can be more than one transport, but only one network, connection – and sets up connections over GSM-R using the correct commands. Further segmentation down to 23 bytes and recreate-assembly occurs. 3.5 DATA LINK LAYER The link layer based on HDLC is the lowest EuroRadio layer. It has a 16-bit cyclic redundancy code, acknowledgements and recreate-tries, so it can provide a reliable service over unreliable lower layers. This does not mean that the lower layers are unreliable in practice – just that they can be prone to data errors. So, if there is a problem, it is the data link layer that will recover the situation. 3.6 PHYSICAL LAYER It always seems strange that the “physical” layer, which is usually a piece of wire or optical fibre, is the whole GSM-R radio network. However, as far as EuroRadio is concerned, it performs exactly the role of a physical connection, transferring data between link layers. 4 THE LIFE OF A RBC-TRAIN CONNECTION 4.1 CONNECTION – SET-UP When a train is switched on, very little happens for EuroRadio as all the action is initiated in the cab. The ETCS cab equipment enters stand-by, possibly with invalid or unknown data. It finds out the driver-ID, whether it is in a Level 2 area, and whether its stored position is valid. The driver will probably have to enter or confirm this data. When the GSM-R mobile powers up, it registers automatically with the GSM- R network. The next stage is for the train to open a session with the RBC. The application attempts to send the initiation message, and it does this by passing the message, the destination ETCS-ID, the destination network id if known, and the Quality of Service (QoS) parameters to the Safety Layer. The idea of Quality of Service is inherited from modern communications practice. Normally, it gives an application a way of specifying its requirements in terms of connection establishment delay, failure probability, throughput, transmission delay, residual error, security and priority. However, the QoS parameters for GSM-R are mainly set either in the specifications, or at network design time, and so in practice the only parameters to set are priority (preset to 1) and data rate (usually 4800, but 2400 and 9600 are possible). It is not possible to recreatenegotiate QoS during the life of a connection. Note that the priority assigned by the application calling up a particular QoS parameter set is that of the connection relative to other connections, not that of the message. Messages can have normal or high priority, determined by which queue they are placed on by the application: high-priority messages effectively by-pass the safety and network layers, and are sent as data-link layer Unnumbered Information frames. So the on-board Safety Layer has received the initiation message and a destination ID, and possibly a network ID (incorrectly called phone number in the rest of the paper, as it is clearer for non-
EURORADIO AND THE RBC 35 communications engineers!) – what happens next? Basically, the connection request ripples down the protocol stack, and then the layer connections ripple back up. So the Safety Layer passes the connection request to the Transport Layer, which cannot do anything until there is a Network Layer connection, then the Data Link Layer, then GSM-R. It is at this point there can be a problem. The onboard application knows all about application addresses – the ETCS-ID which when used with the ETCS-ID-TYPE is unique in the world, safely – but it knows and cares little about phone numbers (they could be different from last week to this). At the bottom of the stack, GSM-R knows all about phone numbers, but nothing about application IDs. How is the translation achieved? It is possible that the application received the number along with the ETCS-ID from a balise – the simplest solution. It may have received it from an RBC in an application message, but of course it needs a connection first to do that. Another possibility is that, as people do, it remembers associations, in a look-up table in the Transport layer. But if all else fails, it has the possibility of using a feature of the network – location-dependent addressing. As with a ‘999’ call in the UK, the network is aware of the location of the source of the call, and can route it to an appropriate local destination. Similarly, a GSM network is aware of the source’s cell, and can route the call to a pre-defined ‘most-appropriate RBC’. So, the Safety layer requests a connection from the Transport layer, the Transport layer requests a connection from the Network layer and the Network layer requests a connection from the Data Link layer – except that the Data Link layer has no mechanism to cause GSM to connect. So in fact the Network layer sends the dial commands to GSM. Once GSM has connected, the Network layer can request a connection from the Data Link layer, ie the HDLC Data Link layer synchronises. Once the train’s Data Link layer receives an Unnumbered Acknowledge frame, it can confirm the connection to the Network layer, which sends confirmation to the Transport layer, which confirms the connection to the Safety layer. 4.2 AUTHENTICATION It is only at this point that the Safety layer, on the train and in the RBC, can start to authenticate the end users – but why should it? It was assumed in the design of EuroRadio that the data may go over some form of ‘open’ network – that is, a network where the data is not only subject to random noise, but could also be the subject of a malicious human attack from outside or inside the Railway. Authentication uses two defences. One is random data generated at the time of connection set-up. The other is use of a ‘shared secret’ – the ‘key’ – that only the correct user will know. But how does the train know what key to use? Once again, we could use a look-up table, matching ETCS-ID against phone number and key. But now, the look-up table must be much, much larger. If a train does not know the ETCS-ID or phone number of the next RBC, it can be given this by the last RBC or a balise – but it cannot find out the key in the same way. And the same applies if an RBC does not know the key for a train arriving in its area. A process is defined in the Symmetric Key Management specification (Unisig document Subset064), but it should really come with a health warning! It should not be considered a real-time system, and is best used for a train in operation only in exceptional conditions, and preferably when the train is stationary – in fact it is likely to take so long that the train will be stationary. It requires the use of a home Key Management Centre (KMC), which could be a PC in a locked room. Trains only ever call their home KMC, so interoperability is not an issue here. Only KMCs talk directly to other KMCs. So, to take an example, assume an English train in France does not have the key for the French RBC: • the train tries to set up a connection as described above, only to find it does not have a working key; • it disconnects; • it sets up a connection to its own UK KMC and requests the key; • the UK KMC realises the key requested is within the control of the French KMC, and so sets up a connection to the French KMC; • the French KMC generates a key for use by the train and the RBC; • the French KMC then encrypts and distributes the new key to the French RBC; • when that is confirmed, the French KMC encrypts and sends the key to the UK KMC; • the UK KMC encrypts the key, and sends it to the English train; • the English train disconnects from the UK KMC, and sets up the connection to the French RBC and 20km down the line is the next French RBC… It is clear that with five connections being set up, this is a process best invoked at start-up and in emergencies. In practice, keys are likely to be created and downloaded for all RBCs likely to be encountered by a train. While on the subject of keys, of course different strategies are possible. The example above assumes the ‘normal’ situation where each pair of entities is allocated a unique key. But it would be quite possible, in a country or area, if the safety case allows it, to allocate: • the same key to all RBCs and trains; • a key for all trains of a particular type; • a key for all trains of a particular operator. This would overcome most of the problems. It really depends how careless you are – if you keep losing trains and RBCs, you need a key management policy that limits the damage to only the stolen equipment; if equipment is rarely if ever stolen, key
Page 1 and 2: Proceedings 2002 - 2003
Page 3 and 4: The Institution of Railway Signal E
Page 5 and 6: Contents Contents ……………
Page 7 and 8: 5 PETER STANLEY BSc CEng FIEE FIRSE
Page 9 and 10: OFFICERS AND COUNCIL 7 Photo: Colin
Page 11 and 12: 9 Institution Announcements (The pr
Page 13 and 14: INSTITUTION ANNOUNCEMENTS 11 Head O
Page 15 and 16: 13 Institution Awards PRESIDENT’S
Page 17 and 18: OBITUARIES 15 overseen the conversi
Page 19 and 20: 17 Annual Dinner and Dance The Inst
Page 21 and 22: 19 The Institution of Railway Signa
Page 23 and 24: PRESIDENTIAL ADDRESS 21 in terms of
Page 25 and 26: PRESIDENTIAL ADDRESS 23 technical l
Page 27 and 28: EUROBALISE TRANSMISSION SYSTEM, A T
Page 33 and 34: Company Announcement Bridgen Enterp
Page 35: EURORADIO AND THE RBC 33 another wh
Page 39 and 40: EURORADIO AND THE RBC 37 PLAINTEXT
Page 41 and 42: EURORADIO AND THE RBC 39 4.7 DISCON
Page 43 and 44: EURORADIO AND THE RBC 41 would be a
Page 45 and 46: EUROCAB AND THE DRIVER MMI - AN INT
Page 51 and 52: 49 Technical Meeting of the Institu
Page 53 and 54: SIGNALLING CONTROL CENTRES TODAY AN
Page 65 and 66: 63 Migration to ERTMS on Existing L
Page 67 and 68: MIGRATION TO ERTMS ON EXISTING LINE
Page 75 and 76: CTRL SIGNALLING AND COMMUNICATIONS
Page 87 and 88:
INTERNATIONAL CONVENTION 85 RIC lev
Page 89 and 90:
INTERNATIONAL CONVENTION 87 case se
Page 91 and 92:
INTERNATIONAL CONVENTION 89 the sys
Page 93 and 94:
INTERNATIONAL CONVENTION 91 Connect
Page 95 and 96:
NINETIETH ANNUAL REPORT 93 see the
Page 97 and 98:
NINETIETH ANNUAL REPORT 95 THE INST
Page 99 and 100:
NINETIETH ANNUAL REPORT 97 THE INST
Page 101 and 102:
NINETIETH ANNUAL REPORT 99 Accounts
Page 103 and 104:
NINETIETH ANNUAL REPORT 101 Adminis
Page 105 and 106:
NINETIETH ANNUAL REPORT 103 Vice-Pr
Page 107 and 108:
NINETIETH ANNUAL REPORT 105 There a
Page 109 and 110:
NINETIETH ANNUAL REPORT 107 Fabbian
Page 111 and 112:
NINETIETH ANNUAL GENERAL MEETING 10
Page 114 and 115:
112 Sydney Hosts 2002 Convention Fo
Page 116 and 117:
114 SYDNEY HOSTS 2002 CONVENTION
Page 118 and 119:
116 SYDNEY HOSTS 2002 CONVENTION Co
Page 120 and 121:
118 Much Better Engineer Signal Eng
Page 122 and 123:
120 2002 Examination Results Anothe
Page 124 and 125:
THIS SPACE COULD BE WORKING FOR YOU
Page 126 and 127:
124 AUSTRALASIAN SECTION dangerous
Page 128 and 129:
126 AUSTRALASIAN SECTION to address
Page 130 and 131:
128 CHAIRMAN’S REPORT Midland & N
Page 132 and 133:
130 SCOTTISH SECTION He drew compar
Page 134 and 135:
132 SOUTHERN AFRICAN SECTION at Spo
Page 136 and 137:
134 WESTERN SECTION Scotland. (Atte
Page 138 and 139:
136 YORK SECTION The October meetin
Page 140 and 141:
138 Younger Members’ Section The
Page 142 and 143:
140 The Editor would like to thank
Page 144:
Railway Signalling… A Science or
show all

Proceedings 2002/2003 - IRSE

Create successful ePaper yourself

Delete template?

Save as template?