Network Working Group                                     K. Pister, Ed.
Request for Comments: 5673                                 Dust Networks
Category: Informational                                  P. Thubert, Ed.
                                                           Cisco Systems
                                                                S. Dwars
                                                                   Shell
                                                              T. Phinney
                                                              Consultant
                                                            October 2009
Industrial Routing Requirements in Low-Power and Lossy Networks
Abstract
The wide deployment of lower-cost wireless devices will significantly improve the productivity and safety of industrial plants while increasing the efficiency of plant workers by extending the information set available about the plant operations. The aim of this document is to analyze the functional requirements for a routing protocol used in industrial Low-power and Lossy Networks (LLNs) of field devices.
Status of This Memo
This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.
Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the BSD License.
Table of Contents
1.  Introduction
    1.1.  Requirements Language
2.  Terminology
3.  Overview
    3.1.  Applications and Traffic Patterns
    3.2.  Network Topology of Industrial Applications
        3.2.1.  The Physical Topology
        3.2.2.  Logical Topologies
4.  Requirements Related to Traffic Characteristics
    4.1.  Service Requirements
    4.2.  Configurable Application Requirement
    4.3.  Different Routes for Different Flows
5.  Reliability Requirements
6.  Device-Aware Routing Requirements
7.  Broadcast/Multicast Requirements
8.  Protocol Performance Requirements
9.  Mobility Requirements
10. Manageability Requirements
11. Antagonistic Requirements
12. Security Considerations
13. Acknowledgements
14. References
    14.1.  Normative References
    14.2.  Informative References
1.  Introduction
Information Technology (IT) is already being applied, and will increasingly be applied, to industrial Control Technology (CT) in application areas where those IT technologies can be constrained sufficiently, by Service Level Agreements (SLAs) or other modest changes, that they are able to meet the operational needs of industrial CT. When that happens, the CT benefits from the large intellectual, experiential, and training investment that has already occurred in those IT precursors. One can conclude that future reuse of additional IT protocols for industrial CT will continue to occur due to the significant intellectual, experiential, and training economies that result from that reuse.
Following that logic, many vendors are already extending or replacing their local fieldbus [IEC61158] technology with Ethernet and IP-based solutions. Examples of this evolution include Common Industrial Protocol (CIP) EtherNet/IP, Modbus/TCP, Fieldbus Foundation High Speed Ethernet (HSE), PROFInet, and Invensys/Foxboro FOXnet. At the same time, wireless, low-power field devices are being introduced that facilitate a significant increase in the amount of information that industrial users can collect and the number of control points that can be remotely managed.
IPv6 appears as a core technology at the conjunction of both trends, as illustrated by the current [ISA100.11a] industrial Wireless Sensor Networking specification, where technologies for layers 1-4 that were developed for purposes other than industrial CT -- [IEEE802.15.4] PHY and MAC, IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) [RFC4919], and UDP -- are adapted to industrial CT use. But due to the lack of open standards for routing in Low-power and Lossy Networks (LLNs), even ISA100.11a leaves the routing operation to proprietary methods.
The aim of this document is to analyze the requirements from the industrial environment for a routing protocol in Low-power and Lossy Networks (LLNs) based on IPv6 to power the next generation of Control Technology.
1.1.  Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].
2.  Terminology
This document employs terminology defined in the ROLL (Routing Over Low-power and Lossy networks) terminology document [ROLL-TERM]. This document also refers to industrial standards:
HART: Highway Addressable Remote Transducer, a group of specifications for industrial process and control devices administered by the HART Communication Foundation (see [HART]). The latest version for the specifications is HART7, which includes the additions for WirelessHART [IEC62591].
ISA: International Society of Automation, an ANSI-accredited standards-making society. ISA100 is an ISA committee whose charter includes defining a family of standards for industrial automation. [ISA100.11a] is a working group within ISA100 that is working on a standard for monitoring and non-critical process control applications.
3.  Overview
Wireless, low-power field devices enable industrial users to significantly increase the amount of information collected and the number of control points that can be remotely managed. The deployment of these wireless devices will significantly improve the productivity and safety of the plants while increasing the efficiency of the plant workers. IPv6 is perceived as a key technology to provide the scalability and interoperability that are required in that space, and it is more and more present in standards and products under development and early deployments.
Cable is perceived as a more proven, safer technology, and existing, operational deployments are very stable in time. For these reasons, it is not expected that wireless will replace wire in any foreseeable future; the consensus in the industrial space is rather that wireless will tremendously augment the scope and benefits of automation by enabling the control of devices that were not connected in the past for reasons of cost and/or deployment complexities. But for LLNs to be adopted in the industrial environment, the wireless network needs to have three qualities: low power, high reliability, and easy installation and maintenance. The routing protocol used for LLNs is important to fulfilling these goals.
3.1.  Applications and Traffic Patterns
Industrial automation is segmented into two distinct application spaces, known as "process" or "process control" and "discrete manufacturing" or "factory automation". In industrial process control, the product is typically a fluid (oil, gas, chemicals, etc.). In factory automation or discrete manufacturing, the products are individual elements (screws, cars, dolls). While there is some overlap of products and systems between these two segments, they are surprisingly separate communities. The specifications targeting industrial process control tend to have more tolerance for network latency than what is needed for factory automation.
Irrespective of this different 'process' and 'discrete' plant nature, both plant types will have similar needs for automating the collection of data that used to be collected manually, or was not collected before. Examples are wireless sensors that report the state of a fuse, report the state of a luminary, HVAC status, report vibration levels on pumps, report man-down, and so on.
Other novel application arenas that equally apply to both 'process' and 'discrete' involve mobile sensors that roam in and out of plants, such as active sensor tags on containers or vehicles.
Some if not all of these applications will need to be served by the same low-power and lossy wireless network technology. This may mean several disconnected, autonomous LLNs connecting to multiple hosts, but sharing the same ether. Interconnecting such networks, if only to supervise channel and priority allocations, or to fully synchronize, or to share path capacity within a set of physical network components may be desired, or may not be desired for practical reasons, such as e.g., cyber security concerns in relation to plant safety and integrity.
All application spaces desire battery-operated networks of hundreds of sensors and actuators communicating with LLN access points. In an oil refinery, the total number of devices might exceed one million, but the devices will be clustered into smaller networks that in most cases interconnect and report to an existing plant network infrastructure.
Existing wired sensor networks in this space typically use communication protocols with low data rates, from 1200 baud (e.g., wired HART) to the 100-200 kbps range for most of the others. The existing protocols are often master/slave with command/response.
The industrial market classifies process applications into three broad categories and six classes.
o Safety
* Class 0: Emergency action - Always a critical function
o Control
* Class 1: Closed-loop regulatory control - Often a critical function
* Class 2: Closed-loop supervisory control - Usually a non-critical function
* Class 3: Open-loop control - Operator takes action and controls the actuator (human in the loop)
o Monitoring
* Class 4: Alerting - Short-term operational effect (for example, event-based maintenance)
* Class 5: Logging and downloading / uploading - No immediate operational consequence (e.g., history collection, sequence-of-events, preventive maintenance)
Safety-critical functions affect the basic safety integrity of the plant. These normally dormant functions kick in only when process control systems, or their operators, have failed. By design and by regular interval inspection, they have a well-understood probability of failure on demand in the range of typically once per 10-1000 years.
In-time deliveries of messages become more relevant as the class number decreases.
Note that for a control application, the jitter is just as important as latency and has a potential of destabilizing control algorithms.
Industrial users are interested in deploying wireless networks for the monitoring classes 4 and 5, and in the non-critical portions of classes 2 through 3.
Classes 4 and 5 also include asset monitoring and tracking, which include equipment monitoring and are essentially separate from process monitoring. An example of equipment monitoring is the recording of motor vibrations to detect bearing wear. However, similar sensors detecting excessive vibration levels could be used as safeguarding loops that immediately initiate a trip, and thus end up being class 0.
In the near future, most LLN systems in industrial automation environments will be for low-frequency data collection. Packets containing samples will be generated continuously, and 90% of the market is covered by packet rates of between 1/second and 1/hour, with the average under 1/minute. In industrial process control, these sensors include temperature, pressure, fluid flow, tank level, and corrosion. Some sensors are bursty, such as vibration monitors that may generate and transmit tens of kilobytes (hundreds to thousands of packets) of time-series data at reporting rates of minutes to days.
Almost all of these sensors will have built-in microprocessors that may detect alarm conditions. Time-critical alarm packets are expected to be granted a lower latency than periodic sensor data streams.
Some devices will transmit a log file every day, again with typically tens of kilobytes of data. For these applications, there is very little "downstream" traffic coming from the LLN access point and traveling to particular sensors. During diagnostics, however, a technician may be investigating a fault from a control room and expect to have "low" latency (human tolerable) in a command/response mode.
Low-rate control, often with a "human in the loop" (also referred to as "open loop"), is implemented via communication to a control room because that's where the human in the loop will be. The sensor data makes its way through the LLN access point to the centralized controller where it is processed, the operator sees the information and takes action, and the control information is then sent out to the actuator node in the network.
In the future, it is envisioned that some open-loop processes will be automated (closed loop) and packets will flow over local loops and not involve the LLN access point. These closed-loop controls for non-critical applications will be implemented on LLNs. Non-critical closed-loop applications have a latency requirement that can be as low as 100 milliseconds but many control loops are tolerant of latencies above 1 second.
More likely though is that loops will be closed in the field entirely, and in such a case, having wireless links within the control loop does not usually add real value. Most control loops have sensors and actuators within such proximity that a wire between them remains the most sensible option from an economic point of view. This 'control in the field' architecture is already common practice with wired fieldbusses. An 'upstream' wireless link would only be used to influence the in-field controller settings and to occasionally capture diagnostics. Even though the link back to a control room might be wireless, this architecture reduces the tight latency and availability requirements for the wireless links.
Closing loops in the field:
o does not prevent the same loop from being closed through a remote multivariable controller during some modes of operation, while being closed directly in the field during other modes of operation (e.g., fallback, or when timing is more critical)
o does not imply that the loop will be closed with a wired connection, or that the wired connection is more energy efficient even when it exists as an alternate to the wireless connection.
A realistic future scenario is for a field device with a battery or ultra-capacitor power storage to have both wireless and unpowered wired communications capability (e.g., galvanically isolated RS-485), where the wireless communication is more flexible and, for local loop operation, more energy efficient. The wired communication capability serves as a backup interconnect among the loop elements, but without a wired connection back to the operations center blockhouse. In other words, the loop elements are interconnected through wiring to a nearby junction box, but the 2 km home-run link from the junction box to the control center does not exist.
When wireless communication conditions are good, devices use wireless for loop interconnect, and either one wireless device reports alarms and other status to the control center for all elements of the loop, or each element reports independently. When wireless communications are sporadic, the loop interconnect uses the self-powered galvanically isolated RS-485 link and one of the devices with good wireless communications to the control center serves as a router for those devices that are unable to contact the control center directly.
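The mode switch described in the two paragraphs above (wireless loop interconnect while uplinks are good, RS-485 fallback with one element relaying for the others when they are not) is easy to get wrong at the boundary, where a marginal link makes the router role flap. The following is an added example written for this section; it is not code from RFC 5673, ISA100, or WirelessHART. The link-quality metric (recent uplink delivery ratio), the GOOD_LINK and HOLD_LINK thresholds, the hysteresis rule, and the instrument tags are all assumptions.

```python
"""Loop interconnect selection for a 'control in the field' loop whose
elements have a wireless uplink plus a shared, self-powered RS-485 backup.

Added example for this section of RFC 5673; it is not code from the RFC,
ISA100 or WirelessHART. The link-quality metric, the thresholds, the
hysteresis rule and the instrument tags are all assumptions."""
from dataclasses import dataclass
from typing import List, Optional

GOOD_LINK = 0.90   # assumed: uplink delivery ratio at/above this counts as "good"
HOLD_LINK = 0.75   # assumed: an incumbent router keeps its role down to this ratio


@dataclass
class LoopElement:
    tag: str               # instrument tag (constructed), e.g. a level transmitter
    uplink_quality: float  # fraction of recent uplink frames delivered, 0..1
    battery: float         # remaining energy fraction, 0..1


@dataclass
class InterconnectPlan:
    loop_medium: str          # "wireless" or "rs485" for the local loop traffic
    router: Optional[str]     # element relaying to the control center, or None
    direct: List[str]         # elements reporting to the control center themselves
    relayed: List[str]        # elements reaching the control center via `router`
    deferred: List[str]       # elements with no path to the control center now


def choose_interconnect(elements: List[LoopElement],
                        current_router: Optional[str] = None) -> InterconnectPlan:
    """Pick the loop medium and the relaying element: wireless loop
    interconnect while every uplink is good; otherwise the loop falls back
    to RS-485 and one element with a good uplink relays for the rest.
    The incumbent router is kept while its link is merely degraded
    (hysteresis), so a marginal link does not make the role flap."""
    good = [e for e in elements if e.uplink_quality >= GOOD_LINK]
    if len(good) == len(elements):
        return InterconnectPlan("wireless", None, [e.tag for e in elements], [], [])

    incumbent = next((e for e in elements if e.tag == current_router), None)
    if incumbent is not None and incumbent.uplink_quality >= HOLD_LINK:
        router = incumbent
    elif good:
        # best uplink wins; ties go to the element with the most energy left
        router = max(good, key=lambda e: (e.uplink_quality, e.battery))
    else:
        # loop keeps running locally over RS-485; reporting waits for a link
        return InterconnectPlan("rs485", None, [], [], [e.tag for e in elements])

    direct = [e.tag for e in elements if e is router or e.uplink_quality >= GOOD_LINK]
    relayed = [e.tag for e in elements if e.tag not in direct]
    return InterconnectPlan("rs485", router.tag, direct, relayed, [])


if __name__ == "__main__":
    # Constructed tank-level loop: level transmitter, valve, temperature sensor
    loop = [LoopElement("LT-101", 0.97, 0.80),
            LoopElement("LV-101", 0.40, 0.60),
            LoopElement("TT-101", 0.93, 0.30)]
    print(choose_interconnect(loop))
```

The hysteresis band between HOLD_LINK and GOOD_LINK is the part worth keeping whatever metric a deployment actually uses: without it, a loop element whose uplink hovers around the threshold would alternately take and lose the router role, and the other elements' reporting path would change with it.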
The above approach is particularly attractive for large storage tanks in tank farms, where devices may not all have good wireless visibility of the control center, and where a home-run cable from the tank to the control center is undesirable due to the electro-potential differences between the tank location and the distant control center that arise during lightning storms.
In fast control, tens of milliseconds of latency is typical. In many of these systems, if a packet does not arrive within the specified interval, the system enters an emergency shutdown state, often with substantial financial repercussions. For a one-second control loop in a system with a target of 30 years for the mean time between shutdowns, the latency requirement implies nine 9s of reliability (aka 99.9999999% reliability). Given such exposure, given the intrinsic vulnerability of wireless link availability, and given the emergence of control in the field architectures, most users tend not to aim for fast closed-loop control with wireless links within that fast loop.
3.2.  Network Topology of Industrial Applications
Although network topology is difficult to generalize, the majority of existing applications can be met by networks of 10 to 200 field devices and a maximum number of hops of 20. It is assumed that the field devices themselves will provide routing capability for the network, and additional repeaters/routers will not be required in most cases.
For the vast majority of industrial applications, the traffic is mostly composed of real-time publish/subscribe sensor data also referred to as buffered, from the field devices over an LLN towards one or more sinks. Increasingly over time, these sinks will be a part of a backbone, but today they are often fragmented and isolated.
The wireless sensor network (WSN) is an LLN of field devices for which two logical roles are defined, the field routers and the non-routing devices. It is acceptable and even probable that the repartition of the roles across the field devices changes over time to balance the cost of the forwarding operation amongst the nodes.
In order to scale a control network in terms of density, one possible architecture is to deploy a backbone as a canopy that aggregates multiple smaller LLNs. The backbone is a high-speed infrastructure network that may interconnect multiple WSNs through backbone routers. Infrastructure devices can be connected to the backbone. A gateway/manager that interconnects the backbone to the plant network of the corporate network can be viewed as collapsing the backbone and the infrastructure devices into a single device that operates all the required logical roles. The backbone is likely to become an option in the industrial network.
Typically, such backbones interconnect to the 'legacy' wired plant infrastructure, which is known as the plant network or Process Control Domain (PCD). These plant automation networks are segregated domain-wise from the office network or office domain (OD), which in itself is typically segregated from the Internet.
Sinks for LLN sensor data reside on the plant network (the PCD), the business network (the OD), and on the Internet. Applications close to existing plant automation, such as wired process control and monitoring systems running on fieldbusses, that require high availability and low latencies, and that are managed by 'Control and Automation' departments typically reside on the PCD. Other applications such as automated corrosion monitoring, cathodic protection voltage verification, or machine condition (vibration) monitoring where one sample per week is considered over-sampling, would more likely deliver their sensor readings in the OD. Such applications are 'owned' by, e.g., maintenance departments.
Yet other applications like third-party-maintained luminaries, or vendor-managed inventory systems, where a supplier of chemicals needs access to tank level readings at his customer's site, will be best served with direct Internet connectivity all the way to its sensor at his customer's site. Temporary 'babysitting sensors' deployed for just a few days, say during startup or troubleshooting or for ad hoc measurement campaigns for research and development purposes, are other examples where Internet would be the domain where wireless sensor data would land, and other domains such as the OD and PCD should preferably be circumvented if quick deployment without potentially impacting plant safety integrity is required.
This multiple-domain multiple-application connectivity creates a significant challenge. Many different applications will all share the same medium, the ether, within the fence, preferably sharing the same frequency bands, and preferably sharing the same protocols, preferably synchronized to optimize coexistence challenges, yet logically segregated to avoid creation of intolerable shortcuts between existing wired domains.
Given this challenge, LLNs are best treated as all sitting on yet another segregated domain, segregated from all other wired domains where conventional security is organized by perimeter. Moving away from the traditional perimeter-security mindset means moving towards stronger end-device identity authentication, so that LLN access points can split the various wireless data streams and interconnect back to the appropriate domain (pending the gateways' establishment of the message originators' identity and trust).
Similar considerations are to be given to how multiple applications may or may not be allowed to share routing devices and their potentially redundant bandwidth within the network. Challenges here are to balance available capacity, required latencies, expected priorities, and (last but not least) available (battery) energy within the routing devices.
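The point of the preceding paragraphs is that once PCD, OD and Internet sinks all share one wireless medium, the LLN access point becomes the place where the perimeter used to be: it may forward a frame only after it has established which device sent it, and the device's identity, not the frame's contents, decides which wired domain the data may enter. The following is an added illustration of that rule, written for this page; it is not code from RFC 5673, ISA100 or WirelessHART. The frame layout, the truncated HMAC-SHA256 tag (a stand-in for whatever security suite the link or transport layer really provides), the key registry, the device ids and the payloads are all constructed assumptions.

```python
"""Domain-splitting LLN gateway: every inbound wireless frame is attributed to
a device by a per-device authentication key before it is forwarded to the
wired domain that device was provisioned for (PCD, OD or Internet). Unknown,
unauthenticated or replayed frames are dropped; there is no default domain.

Added example, not RFC 5673 / ISA100 / WirelessHART code. Frame format, tag
construction, registry contents and device ids are assumptions."""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

TAG_LEN = 8        # assumed: authentication tag truncated to 8 bytes
HEADER_LEN = 6     # 2-byte device id + 4-byte frame counter

# Constructed registry: device id -> (per-device key, wired domain). In a real
# plant this binding is created when the device joins, not hard-coded.
DEVICE_REGISTRY: Dict[int, Tuple[bytes, str]] = {
    0x0101: (b"k-pressure-sensor-0101", "PCD"),       # control-loop sensor
    0x0202: (b"k-corrosion-probe-0202", "OD"),        # weekly corrosion sample
    0x0303: (b"k-tank-level-vmi-0303", "Internet"),   # vendor-managed inventory
}


def build_frame(key: bytes, device_id: int, counter: int, payload: bytes) -> bytes:
    """Device side: id (2 bytes) | counter (4 bytes) | payload | truncated tag.
    The tag covers the header too, so id and counter cannot be rewritten."""
    header = struct.pack(">HI", device_id, counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class Gateway:
    def __init__(self, registry: Dict[int, Tuple[bytes, str]]):
        self.registry = registry
        self.last_counter: Dict[int, int] = {}          # per-device replay window
        self.forwarded: Dict[str, List[bytes]] = {"PCD": [], "OD": [], "Internet": []}
        self.dropped: List[Tuple[str, object]] = []     # (reason, detail) audit trail

    def ingest(self, frame: bytes) -> Optional[str]:
        """Return the domain the frame was forwarded to, or None if dropped."""
        if len(frame) < HEADER_LEN + TAG_LEN:
            self.dropped.append(("malformed", frame))
            return None
        device_id, counter = struct.unpack(">HI", frame[:HEADER_LEN])
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        entry = self.registry.get(device_id)
        if entry is None:                               # unprovisioned device: no default domain
            self.dropped.append(("unknown-device", device_id))
            return None
        key, domain = entry
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):      # wrong key or tampered body
            self.dropped.append(("bad-tag", device_id))
            return None
        if counter <= self.last_counter.get(device_id, -1):
            self.dropped.append(("replay", device_id))
            return None
        self.last_counter[device_id] = counter
        # Domain comes from the registry entry, never from anything in the frame.
        self.forwarded[domain].append(body[HEADER_LEN:])
        return domain


if __name__ == "__main__":
    gw = Gateway(DEVICE_REGISTRY)
    print(gw.ingest(build_frame(b"k-pressure-sensor-0101", 0x0101, 1, b"PV=4.2bar")))
    print(gw.ingest(build_frame(b"k-tank-level-vmi-0303", 0x0303, 7, b"level=61")))
    print(gw.ingest(build_frame(b"not-the-key", 0x0202, 1, b"corr=0.01")))
    print(gw.dropped)
```

Two design choices carry the security argument: the target domain is looked up from the authenticated identity rather than carried in the frame, so a device provisioned for the OD cannot inject into the PCD even with a valid key, and every drop is recorded with a reason, which is what a plant operator would want to alarm on when an unknown device appears inside the fence.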
3.2.1.  The Physical Topology
There is no specific physical topology for an industrial process control network.
One extreme example is a multi-square-kilometer refinery where isolated tanks, some of them with power but most with no backbone connectivity, compose a farm that spans the surface of the plant. A few hundred field devices are deployed to ensure the global coverage using a wireless self-forming self-healing mesh network that might be 5 to 10 hops across. Local feedback loops and mobile workers tend to be only 1 or 2 hops. The backbone is in the refinery proper, many hops away. Even there, powered infrastructure is also typically several hops away. In that case, hopping to/from the powered infrastructure may often be more costly than the direct route.
In the opposite extreme case, the backbone network spans all the nodes and most nodes are in direct sight of one or more backbone routers. Most communication between field devices and infrastructure devices, as well as field device to field device, occurs across the backbone. From afar, this model resembles the WiFi ESS (Extended Service Set). But from a layer-3 (L3) perspective, the issues are the default (backbone) router selection and the routing inside the backbone, whereas the radio hop towards the field device is in fact a simple local delivery.
             ---------+----------------------------
                      |      Plant Network
                      |
                   +-----+
                   |     | Gateway          M : Mobile device
                   |     |                  o : Field device
                   +-----+
                      |
                      |      Backbone
         +--------------------+------------------+
         |                    |                  |
      +-----+             +-----+             +-----+
      |     | Backbone    |     | Backbone    |     | Backbone
      |     | router      |     | router      |     | router
      +-----+             +-----+             +-----+
         o    o   o          o   o  o   o         o   o   o
     o   o   o  o   o  M  o  o   o  o  o   o   o   o   o   o
       o   M  o  o  o    o   o  o   o   o    o  o  o   o  o
          o   o o   o  o   o  o    o  o   o   o  o   o   o
                                            LLN
Figure 1: Backbone-Based Physical Topology
An intermediate case is illustrated in Figure 1 with a backbone that spans the Wireless Sensor Network in such a fashion that any WSN node is only a few wireless hops away from the nearest backbone router. WSN nodes are expected to organize into self-forming, self-healing, self-optimizing logical topologies that enable leveraging the backbone when it is most efficient to do so.
It must be noted that the routing function is expected to be so simple that any field device could assume the role of a router, depending on the self-discovery of the topology and the power status of the neighbors. On the other hand, only devices equipped with the appropriate hardware and software combination could assume the role of an endpoint for a given purpose, such as sensor or actuator.
Most of the traffic over the LLN is publish/subscribe of sensor data from the field device towards a sink that can be a backbone router, a gateway, or a controller/manager. The destination of the sensor data is an infrastructure device that sits on the backbone and is reachable via one or more backbone routers.
For security, reliability, availability, or serviceability reasons, it is often required that the logical topologies not be physically congruent over the radio network; that is, they form logical partitions of the LLN. For instance, a routing topology that is set up for control should be isolated from a topology that reports the temperature and the status of the vents, if that second topology has lesser constraints for the security policy. This isolation might be implemented as Virtual LANs and Virtual Routing Tables in shared nodes in the backbone, but corresponds effectively to physical nodes in the wireless network.
Since publishing the data is the raison d'être for most of the sensors, in some cases it makes sense to proactively build a set of routes between the sensors and one or more backbone routers and maintain those routes at all times. Also, because of the lossy nature of the network, the routing in place should attempt to propose multiple paths in the form of Directed Acyclic Graphs oriented towards the destination.
In contrast with the general requirement of maintaining default routes towards the sinks, the need for field device to field device (FD-to-FD) connectivity is very specific and rare, though the associated traffic might be of foremost importance. FD-to-FD routes are often the most critical, optimized, and well-maintained routes. A class 0 safeguarding loop requires guaranteed delivery and extremely tight response times. Both the respect of the criteria in the route computation and the quality of the maintenance of the route are critical for the field devices' operation. Typically, a control loop will be using a dedicated direct wire that has very different capabilities, cost, and constraints than the wireless medium, with the need to use a wireless path as a backup route only in case of loss of the wired path.
Considering that each FD-to-FD route computation has specific constraints in terms of latency and availability, it can be expected that the shortest path possible will often be selected and that this path will be routed inside the LLN as opposed to via the backbone. It can also be noted that the lifetimes of the routes might range from minutes for a mobile worker to tens of years for a command and control closed loop. Finally, time-varying user requirements for latency and bandwidth will change the constraints on the routes, which might either trigger a constrained route recomputation, a reprovisioning of the underlying L2 protocols, or both in that order. For instance, a wireless worker may initiate a bulk transfer to configure or diagnose a field device. A level sensor device may need to perform a calibration and send a bulk file to a plant.
[ISA100.11a] selected IPv6 as its network layer for a number of reasons, including the huge address space and the large potential size of a subnet, which can range up to 10K nodes in a plant deployment. In the ISA100 model, industrial applications fall into four large service categories:
1. Periodic data (aka buffered). Data that is generated periodically and has a well understood data bandwidth requirement, both deterministic and predictable. Timely delivery of such data is often the core function of a wireless sensor network and permanent resources are assigned to ensure that the required bandwidth stays available. Buffered data usually exhibits a short time to live, and the newer reading obsoletes the previous. In some cases, alarms are low-priority information that gets repeated over and over. The end-to-end latency of this data is not as important as the regularity with which the data is presented to the plant application.
2. Event data. This category includes alarms and aperiodic data reports with bursty data bandwidth requirements. In certain cases, alarms are critical and require a priority service from the network.
3. Client/Server. Many industrial applications are based on a client/server model and implement a command response protocol. The data bandwidth required is often bursty. The acceptable round-trip latency for some legacy systems was based on the time to send tens of bytes over a 1200 baud link. Hundreds of milliseconds is typical. This type of request is statistically multiplexed over the LLN and cost-based, fair-share, best-effort service is usually expected.
4. Bulk transfer. Bulk transfers involve the transmission of blocks of data in multiple packets where temporary resources are assigned to meet a transaction time constraint. Transient resources are assigned for a limited time (related to file size and data rate) to meet the bulk transfers service requirements.
The following service parameters can affect routing decisions in a resource-constrained network:
o Data bandwidth - the bandwidth might be allocated permanently or for a period of time to a specific flow that usually exhibits well-defined properties of burstiness and throughput. Some bandwidth will also be statistically shared between flows in a best-effort fashion.
o Latency - the time taken for the data to transit the network from the source to the destination. This may be expressed in terms of a deadline for delivery. Most monitoring latencies will be in seconds to minutes.
o Transmission phase - process applications can be synchronized to wall clock time and require coordinated transmissions. A common coordination frequency is 4 Hz (250 ms).
o Service contract type - revocation priority. LLNs have limited network resources that can vary with time. This means the system can become fully subscribed or even over-subscribed. System policies determine how resources are allocated when resources are over-subscribed. The choices are blocking and graceful degradation.
o Transmission priority - the means by which limited resources within field devices are allocated across multiple services. For transmissions, a device has to select which packet in its queue will be sent at the next transmission opportunity. Packet priority is used as one criterion for selecting the next packet. For reception, a device has to decide how to store a received packet. The field devices are memory-constrained and receive buffers may become full. Packet priority is used to select which packets are stored or discarded.
The routing protocol MUST also support different metric types for each link used to compute the path according to some objective function (e.g., minimize latency) depending on the nature of the traffic.
For these reasons, the ROLL routing infrastructure is REQUIRED to compute and update constrained routes on demand, and it can be expected that this model will become more prevalent for FD-to-FD connectivity as well as for some FD-to-infrastructure-device connectivity over time.
Industrial application data flows between field devices are not necessarily symmetric. In particular, asymmetrical cost and unidirectional routes are common for published data and alerts, which represent most of the sensor traffic. The routing protocol MUST be able to compute a set of unidirectional routes with potentially different costs that are composed of one or more non-congruent paths.
As multiple paths are set up and a variety of flows traverse the network towards the same destination (for instance, a node acting as a sink for the LLN), the use of an additional marking/tagging mechanism based on upper-layer information will be REQUIRED for intermediate routers to discriminate the flows and perform the appropriate routing decision using only the content of the IPv6 packet (e.g., use of DSCP, Flow Label).
Time-varying user requirements for latency and bandwidth may require changes in the provisioning of the underlying L2 protocols. A technician may initiate a query/response session or bulk transfer to diagnose or configure a field device. A level sensor device may need to perform a calibration and send a bulk file to a plant. The routing protocol MUST support the ability to recompute paths based on network-layer abstractions of the underlying link attributes/metrics that may change dynamically.
Because different service categories have different service requirements, it is often desirable to have different routes for different data flows between the same two endpoints. For example, alarm or periodic data from A to Z may require path diversity with specific latency and reliability. A file transfer between A and Z may not need path diversity. The routing algorithm MUST be able to generate different routes with different characteristics (e.g., optimized according to different costs, etc.).
Dynamic or configured states of links and nodes influence the capability of a given path to fulfill operational requirements such as stability, battery cost, or latency. Constraints such as battery lifetime derive from the application itself, and because industrial application data flows are typically well-defined and well-controlled, it is usually possible to estimate the battery consumption of a router for a given topology.
The routing protocol MUST support the ability to (re)compute paths based on network-layer abstractions of upper-layer constraints to maintain the level of operation within required parameters. Such information MAY be advertised by the routing protocol as metrics that enable routing algorithms to establish appropriate paths that fit the upper-layer constraints.
The handling of an IPv6 packet by the network layer operates on the standard properties and the settings of the IPv6 packet header fields. These fields include the 3-tuple of the Flow Label and the Source and Destination Address that can be used to identify a flow and the Traffic Class octet that can be used to influence the Per Hop Behavior in intermediate routers.
An application MAY choose how to set those fields for each packet or for streams of packets, and the routing protocol specification SHOULD state how different field settings will be handled to perform different routing decisions.
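As an added example (not text or code from RFC 5673), the following Python code decodes the IPv6 fixed header to recover the 3-tuple (Flow Label, Source, Destination) and the DSCP bits of the Traffic Class, then maps the DSCP to a routing objective and pins each flow to the path chosen for its first packet, which is what the flow discrimination described above asks of an intermediate router. The DSCP-to-objective table is a constructed policy, not something the RFC or ISA100.11a defines.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Constructed example policy (not from RFC 5673 or ISA100.11a): the objective
# function an intermediate router applies to a flow, keyed by the packet's DSCP.
DSCP_EF = 46                          # Expedited Forwarding
ROUTE_OBJECTIVE_BY_DSCP = {
    DSCP_EF: "minimize-latency",      # alarms, safeguarding/control loops
    10: "minimize-latency",           # AF11: periodic (buffered) data
    0: "minimize-battery-cost",       # best effort: client/server, bulk transfer
}

@dataclass(frozen=True)
class FlowKey:
    """The 3-tuple that identifies a flow at the network layer."""
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    flow_label: int

@dataclass(frozen=True)
class IPv6Header:
    traffic_class: int
    flow_label: int
    payload_length: int
    next_header: int
    hop_limit: int
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address

    @property
    def dscp(self) -> int:
        return self.traffic_class >> 2       # upper 6 bits of Traffic Class

    @property
    def ecn(self) -> int:
        return self.traffic_class & 0x3      # lower 2 bits of Traffic Class

    @property
    def flow_key(self) -> FlowKey:
        return FlowKey(self.src, self.dst, self.flow_label)

def build_ipv6_header(src: str, dst: str, dscp: int = 0, ecn: int = 0, flow_label: int = 0,
                      payload_length: int = 0, next_header: int = 59, hop_limit: int = 64) -> bytes:
    """Serialize a 40-byte IPv6 fixed header (Next Header 59 = no next header)."""
    if not (0 <= dscp < 64 and 0 <= ecn < 4 and 0 <= flow_label < (1 << 20)):
        raise ValueError("header field out of range")
    first_word = (6 << 28) | (((dscp << 2) | ecn) << 20) | flow_label
    return (struct.pack("!IHBB", first_word, payload_length, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

def parse_ipv6_header(buf: bytes) -> IPv6Header:
    """Decode the fixed header; reject truncated buffers and non-IPv6 versions."""
    if len(buf) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, payload_length, next_header, hop_limit = struct.unpack("!IHBB", buf[:8])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return IPv6Header(
        traffic_class=(first_word >> 20) & 0xFF,
        flow_label=first_word & 0xFFFFF,
        payload_length=payload_length,
        next_header=next_header,
        hop_limit=hop_limit,
        src=ipaddress.IPv6Address(buf[8:24]),
        dst=ipaddress.IPv6Address(buf[24:40]),
    )

def route_objective(hdr: IPv6Header) -> str:
    """Choose the objective from the DSCP alone; unknown code points get
    cost-based best-effort forwarding, as the Client/Server category expects."""
    return ROUTE_OBJECTIVE_BY_DSCP.get(hdr.dscp, "minimize-battery-cost")

class FlowPinner:
    """Keeps every packet of a flow on the path chosen for its first packet, so
    that multipath forwarding does not reorder packets within one flow."""
    def __init__(self):
        self._paths = {}

    def path_for(self, hdr: IPv6Header, choose_path):
        """choose_path(objective) -> path is supplied by the routing algorithm."""
        key = hdr.flow_key
        if key not in self._paths:
            self._paths[key] = choose_path(route_objective(hdr))
        return self._paths[key]
```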
LLN reliability comprises several unrelated aspects:
1) Availability of source-to-destination connectivity when the application needs it, expressed as the number of successes divided by the number of attempts.
2) Availability of source-to-destination connectivity when the application might need it, expressed as the number of potential failures divided by the available bandwidth.
3) Ability to get data delivered from source to destination within a capped time, expressed as the number of successes divided by the number of attempts.
4) How well a network (serving many applications) achieves end-to-end delivery of packets within a bounded latency.
5) Trustworthiness of data that is delivered to the sinks.
6) Others, depending on the specific case.
This makes quantifying reliability the equivalent of plotting it on a three- (or more) dimensional graph. Different applications have different requirements, and expressing reliability as a one-dimensional parameter, like 'reliability on my wireless network is 99.9%', often creates more confusion than clarity.
The impact of not receiving sensor data due to sporadic network outages can be devastating if this happens unnoticed. However, if destinations that expect periodic sensor data or alarm status updates fail to get them, these systems can automatically take appropriate actions that prevent dangerous situations. Depending on the wireless application, appropriate action ranges from initiating a shutdown within 100 ms, to using a last known good value for as many as N successive samples, to sending an operator into the plant to collect monthly data in the conventional way, i.e., with some portable sensor, or paper and a clipboard.
The impact of receiving corrupted data, and not being able to detect that received data is corrupt, is often more dangerous. Data corruption can either come from random bit errors due to white noise, or from occasional bursty interference sources like thunderstorms or leaky microwave ovens, but also from conscious attacks by adversaries.
Another critical aspect for the routing is the capability to ensure maximum disruption time and route maintenance. The maximum disruption time is the time it takes at most for a specific path to be restored when broken. Route maintenance ensures that a path that is monitored cannot stay disrupted for more than the maximum disruption time. Maintenance should also ensure that a path continues to provide the service for which it was established, for instance, in terms of bandwidth, jitter, and latency.
In industrial applications, availability is usually defined with respect to end-to-end delivery of packets within a bounded latency. Availability requirements vary over many orders of magnitude. Some non-critical monitoring applications may tolerate an availability of less than 90% with hours of latency. Most industrial standards, such as HART7 [IEC62591], have set user availability expectations at 99.9%. Regulatory requirements are a driver for some industrial applications. Regulatory monitoring requires high data integrity because lost data is assumed to be out of compliance and subject to fines. This can drive up either availability or trustworthiness requirements.
Because LLN link stability is often low, path diversity is critical. Hop-by-hop link diversity is used to improve latency-bounded reliability by sending data over diverse paths.
Because data from field devices are aggregated and funneled at the LLN access point before they are routed to plant applications, LLN access point redundancy is an important factor in overall availability. A route that connects a field device to a plant application may have multiple paths that go through more than one LLN access point. The routing protocol MUST be able to compute paths of not-necessarily-equal cost toward a given destination so as to enable load-balancing across a variety of paths. The availability of each path in a multipath route can change over time. Hence, it is important to measure the availability on a per-path basis and select a path (or paths) according to the availability requirements.
Wireless LLN nodes in industrial environments are powered by a variety of sources. Battery-operated devices with lifetime requirements of at least five years are the most common. Battery-operated devices have a cap on their total energy, typically can report an estimate of remaining energy, and typically do not have constraints on the short-term average power consumption. Energy-scavenging devices are more complex. These systems contain both a power-scavenging device (such as solar, vibration, or temperature difference) and an energy storage device, such as a rechargeable battery or a capacitor. These systems, therefore, have limits on both long-term average power consumption (which cannot exceed the average scavenged power over the same interval) as well as the short-term limits imposed by the energy storage requirements. For solar-powered systems, the energy storage system is generally designed to provide days of power in the absence of sunlight. Many industrial sensors run from a 4-20 mA current loop, and can scavenge on the order of milliwatts from that source. Vibration monitoring systems are a natural choice for vibration scavenging, which typically only provides tens or hundreds of microwatts. Due to industrial temperature ranges and desired lifetimes, the choices of energy storage devices can be limited, and the resulting stored energy is often comparable to the energy cost of sending or receiving a packet rather than the energy of operating the node for several days. And of course, some nodes will be line-powered.
Example 1: solar panel, lead-acid battery sized for two weeks of rain.
Example 2: vibration scavenger, 1 mF tantalum capacitor.
Field devices have limited resources. Low-power, low-cost devices have limited memory for storing route information. Typical field devices will have a finite number of routes they can support for their embedded sensor/actuator application and for forwarding other devices' packets in a mesh network slotted link.
Users may strongly prefer that the same device have different lifetime requirements in different locations. A sensor monitoring a non-critical parameter in an easily accessed location may have a lifetime requirement that is shorter and may tolerate more statistical variation than a mission-critical sensor in a hard-to-reach place that requires a plant shutdown in order to replace.
The routing algorithm MUST support node-constrained routing (e.g., taking into account the existing energy state as a node constraint). Node constraints include power and memory, as well as constraints placed on the device by the user, such as battery life.
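The node-constrained, objective-specific route computation called for here (and the different routes per service category and path diversity required earlier) can be made concrete with the following added Python example, which is not from RFC 5673 or any ISA100 implementation. It runs Dijkstra over a constructed five-node LLN: battery-powered relays below a user-set remaining-energy threshold are skipped, alarms are routed for minimum latency while bulk traffic is routed to minimize transmissions charged to battery nodes, and node-disjoint alternates supply path diversity. Node names, link metrics and the energy threshold are all constructed for the example.

```python
import heapq
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Node:
    name: str
    line_powered: bool = False
    energy_pct: float = 100.0   # remaining-energy estimate reported by the node

@dataclass(frozen=True)
class Link:
    src: str                    # links are directed: costs may differ per direction
    dst: str
    latency_ms: float           # expected one-hop delivery time, retries included
    etx: float                  # expected transmissions per delivered packet

class LLNGraph:
    def __init__(self, nodes: List[Node], links: List[Link]):
        self.nodes: Dict[str, Node] = {n.name: n for n in nodes}
        self.out: Dict[str, List[Link]] = {}
        for link in links:
            self.out.setdefault(link.src, []).append(link)

Metric = Callable[[Link, Node], float]
Route = Tuple[List[str], float]

def latency_metric(link: Link, sender: Node) -> float:
    """Objective for alarms and control loops: minimize end-to-end latency."""
    return link.latency_ms

def battery_metric(link: Link, sender: Node) -> float:
    """Objective for bulk flows: transmissions charged to battery-powered senders."""
    return 0.0 if sender.line_powered else link.etx

def constrained_route(graph: LLNGraph, src: str, dst: str, metric: Metric,
                      min_relay_energy_pct: float = 0.0,
                      excluded: FrozenSet[str] = frozenset()) -> Optional[Route]:
    """Dijkstra over directed links; battery relays below the energy threshold or
    in `excluded` are not used as intermediate hops. Returns (path, cost) or None."""
    def usable(name: str) -> bool:
        if name in (src, dst):
            return True
        node = graph.nodes[name]
        return name not in excluded and (
            node.line_powered or node.energy_pct >= min_relay_energy_pct)

    dist, prev = {src: 0.0}, {}
    heap, settled = [(0.0, src)], set()
    while heap:
        d, u = heapq.heappop(heap)
        if u in settled:
            continue
        settled.add(u)
        if u == dst:
            break
        for link in graph.out.get(u, ()):
            if not usable(link.dst):
                continue
            nd = d + metric(link, graph.nodes[u])
            if nd < dist.get(link.dst, float("inf")):
                dist[link.dst] = nd
                prev[link.dst] = u
                heapq.heappush(heap, (nd, link.dst))
    if dst not in settled:
        return None                 # no usable unidirectional route exists
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1], dist[dst]

def diverse_routes(graph: LLNGraph, src: str, dst: str, metric: Metric,
                   k: int = 2, **constraints) -> List[Route]:
    """Up to k node-disjoint routes: each recomputation excludes relays already used."""
    routes: List[Route] = []
    banned: set = set()
    for _ in range(k):
        route = constrained_route(graph, src, dst, metric,
                                  excluded=frozenset(banned), **constraints)
        if route is None:
            break
        routes.append(route)
        banned.update(route[0][1:-1])
    return routes

def sample_lln() -> LLNGraph:
    """A: level sensor; B, C: battery relays (B nearly drained); D: line-powered
    backbone router; Z: controller on the backbone. All values are constructed."""
    nodes = [Node("A", energy_pct=60), Node("B", energy_pct=8), Node("C", energy_pct=75),
             Node("D", line_powered=True), Node("Z", line_powered=True)]
    links = [Link("A", "B", 10, 1.2), Link("B", "Z", 10, 1.2),
             Link("A", "C", 15, 1.0), Link("C", "Z", 15, 1.0),
             Link("A", "D", 20, 1.5), Link("D", "Z", 20, 1.0),
             Link("C", "D", 5, 1.0), Link("D", "C", 5, 1.0)]
    return LLNGraph(nodes, links)
```

With a 20% relay threshold, the alarm flow A to Z takes A-C-Z (30 ms) and the bulk flow takes A-D-Z, where the line-powered router forwards at no battery cost; lifting the threshold lets the fastest path A-B-Z through the drained relay B.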
Some existing industrial plant applications do not use broadcast or multicast addressing to communicate with field devices. Unicast address support is sufficient for them.
In some other industrial process automation environments, multicast over IP is used to deliver to multiple nodes that may be functionally similar or not. Example usages are:
1) Delivery of alerts to multiple similar servers in an automation control room. Alerts are multicast to a group address based on the part of the automation process where the alerts arose (e.g., the multicast address "all-nodes-interested-in-alerts-for-process-unit-X"). This is always a restricted-scope multicast, not a broadcast.
2) Delivery of common packets to multiple routers over a backbone, where the packets result in each receiving router initiating multicast (sometimes as a full broadcast) within the LLN. For instance, this can be a byproduct of having potentially physically separated backbone routers that can inject messages into different portions of the same larger LLN.
3) Publication of measurement data to more than one subscriber. This feature is useful in some peer-to-peer control applications. For example, level position may be useful to a controller that operates the flow valve and also to the overfill alarm indicator. Both controller and alarm indicator would receive the same publication sent as a multicast by the level gauge.
All of these uses require a 1:N security mechanism as well; they aren't of any use if the end-to-end security is only point-to-point.
It is quite possible that first-generation wireless automation field networks can be adequately useful without either of these capabilities, but in the near future, wireless field devices with communication controllers and protocol stacks will require control and configuration, such as firmware downloading, that may benefit from broadcast or multicast addressing.
The routing protocol SHOULD support multicast addressing.
The routing protocol MUST converge after the addition of a new device within several minutes, and SHOULD converge within tens of seconds such that a device is able to establish connectivity to any other point in the network or determine that there is a connectivity issue. Any routing algorithm used to determine how to route packets in the network MUST be capable of routing packets to and from a newly added device within several minutes of its addition, and SHOULD be able to perform this function within tens of seconds.
The routing protocol MUST distribute sufficient information about link failures to enable traffic to be routed such that all service requirements (especially latency) continue to be met. This places a requirement on the speed of distribution and convergence of this information as well as the responsiveness of any routing algorithms used to determine how to route packets. This requirement only applies at normal link failure rates (see Section 5) and MAY degrade during failure storms.
Any algorithm that computes routes for packets in the network MUST be able to perform route computations in advance of needing to use the route. Since such algorithms are required to react to link failures, link usage information, and other dynamic link properties as the information is distributed by the routing protocol, the algorithms SHOULD recompute routes based on the receipt of new information.
Various economic factors have contributed to a reduction of trained workers in the industrial plant. A very common problem is that of the "wireless worker". Carrying a PDA or something similar, this worker will be able to accomplish more work in less time than the older, better-trained workers that he or she replaces. Whether or not the premise is valid, the use case is commonly presented: the worker will be wirelessly connected to the plant IT system to download documentation, instructions, etc., and will need to be able to connect "directly" to the sensors and control points in or near the equipment on which he or she is working. It is possible that this "direct" connection could come via the normal LLN data collection network. This connection is likely to require higher bandwidth and lower latency than the normal data collection operation.
PDAs are typically used as the user interfaces for plant historians, asset management systems, and the like. It is undecided if these PDAs will use the LLN directly to talk to field sensors, or if they will rather use other wireless connectivity that proxies back into the field or to anywhere else.
The routing protocol SHOULD support the wireless worker with fast network connection times of a few seconds, and low command and response latencies to the plant behind the LLN access points, to applications, and to field devices. The routing protocol SHOULD also support the bandwidth allocation for bulk transfers between the field device and the handheld device of the wireless worker. The routing protocol SHOULD support walking speeds for maintaining network connectivity as the handheld device changes position in the wireless network.
Some field devices will be mobile. These devices may be located on moving parts such as rotating components, or they may be located on vehicles such as cranes or fork lifts. The routing protocol SHOULD support vehicular speeds of up to 35 kmph.
The process and control industry is manpower constrained. The aging demographics of plant personnel are causing a looming manpower problem for industry across many markets. The goal for the industrial networks is to have the installation process not require any new skills for the plant personnel. The person would install the wireless sensor or wireless actuator the same way the wired sensor or wired actuator is installed, except the step to connect wire is eliminated.
Most users in fact demand even much further simplified provisioning methods, a plug and play operation that would be fully transparent to the user. This requires availability of open and untrusted side channels for new joiners, and it requires strong and automated authentication so that networks can automatically accept or reject new joiners. Ideally, for a user, adding new routing devices should be as easy as dragging and dropping an icon from a pool of authenticated new joiners into a pool for the wired domain that this new sensor should connect to. Under the hood, invisible to the user, auditable security mechanisms should take care of new device authentication, and secret join key distribution. These more sophisticated 'over the air' secure provisioning methods should eliminate the use of traditional configuration tools for setting up devices prior to being ready to securely join an LLN access point.
The routing protocol SHOULD be fully configurable over the air as part of the joining process of a new routing device.
There will be many new applications where, even without any human intervention at the plant, devices that have never been on site before should be allowed, based on their credentials and cryptographic capabilities, to connect anyway. Examples are third-party road tankers, rail cargo containers with overfill protection sensors, or consumer cars that need to be refueled with hydrogen by robots at future fueling stations.
The routing protocol for LLNs is expected to be easy to deploy and manage. Because the number of field devices in a network is large, provisioning the devices manually may not make sense. The proper operation of the routing protocol MAY require that the node be commissioned with information about itself, such as its identity, security tokens, and radio standards and frequencies.
The routing protocol SHOULD NOT require that information about the environment in which the node will be deployed be preprovisioned. The routing protocol MUST enable the full discovery and setup of that environment (available links, selected peers, reachable network). The protocol MUST allow its own configuration to be distributed by an external mechanism from a centralized management controller.
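The join described in the paragraphs above, as an added example that is not part of this document and does not reproduce the join procedure of WirelessHART or ISA100.11a: a network manager keeps a pool of authenticated new joiners, challenges each device that appears on the open side channel, rejects anything it cannot authenticate, derives a fresh join key with the device, and records every decision in an audit log. Assumptions, marked in the code: each device carries a factory-installed per-device secret (its 'credential') that the plant has received out of band, HMAC-SHA256 is the only primitive used, and the device identifiers, manufacturer root secret and log format are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def _mac(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so 'a'+'bc' and 'ab'+'c' differ."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big"))
        h.update(p)
    return h.digest()


def derive_join_key(credential: bytes, nonce_dev: bytes, nonce_mgr: bytes) -> bytes:
    """Extract-then-expand in the shape of HKDF (RFC 5869), bound to both nonces."""
    prk = _mac(nonce_dev + nonce_mgr, credential)   # extract, salt = the two nonces
    return _mac(prk, b"LLN join key", b"\x01")      # expand, first 32-byte block


@dataclass
class Device:
    device_id: bytes
    credential: bytes              # factory-installed per-device secret (assumption)
    join_key: bytes | None = None
    _nonce: bytes = b""

    def join_request(self) -> tuple[bytes, bytes]:
        """Step 1, sent in the clear over the open side channel."""
        self._nonce = secrets.token_bytes(16)
        return self.device_id, self._nonce

    def answer_challenge(self, nonce_mgr: bytes, tag_mgr: bytes) -> bytes | None:
        """Step 3: verify the manager first (mutual authentication), then answer."""
        expected = _mac(self.credential, b"mgr", self._nonce, nonce_mgr)
        if not hmac.compare_digest(expected, tag_mgr):
            return None                # rogue access point: do not join, leak nothing
        self.join_key = derive_join_key(self.credential, self._nonce, nonce_mgr)
        return _mac(self.credential, b"dev", self._nonce, nonce_mgr)


@dataclass
class NetworkManager:
    authorized: dict[bytes, bytes]  # pool of authenticated new joiners: id -> credential
    audit: list[str] = field(default_factory=list)
    pending: dict[bytes, tuple[bytes, bytes]] = field(default_factory=dict)

    def challenge(self, device_id: bytes, nonce_dev: bytes) -> tuple[bytes, bytes] | None:
        """Step 2: unknown devices are rejected before any cryptography happens."""
        cred = self.authorized.get(device_id)
        if cred is None:
            self.audit.append(f"REJECT {device_id.hex()}: not in joiner pool")
            return None
        nonce_mgr = secrets.token_bytes(16)
        self.pending[device_id] = (nonce_dev, nonce_mgr)
        return nonce_mgr, _mac(cred, b"mgr", nonce_dev, nonce_mgr)

    def admit(self, device_id: bytes, tag_dev: bytes) -> bytes | None:
        """Step 4: constant-time check of the response; a fresh nonce_mgr defeats replay."""
        entry = self.pending.pop(device_id, None)
        if entry is None:
            self.audit.append(f"REJECT {device_id.hex()}: no pending challenge")
            return None
        nonce_dev, nonce_mgr = entry
        cred = self.authorized[device_id]
        if not hmac.compare_digest(_mac(cred, b"dev", nonce_dev, nonce_mgr), tag_dev):
            self.audit.append(f"REJECT {device_id.hex()}: bad response")
            return None
        self.audit.append(f"ACCEPT {device_id.hex()}")
        return derive_join_key(cred, nonce_dev, nonce_mgr)


def run_join(device: Device, manager: NetworkManager) -> bool:
    """Drive the four steps; True only if both sides end up holding the same join key."""
    device_id, nonce_dev = device.join_request()
    chal = manager.challenge(device_id, nonce_dev)
    if chal is None:
        return False
    tag_dev = device.answer_challenge(*chal)
    if tag_dev is None:
        return False
    mgr_key = manager.admit(device_id, tag_dev)
    return mgr_key is not None and hmac.compare_digest(mgr_key, device.join_key)


def demo() -> tuple[bool, bool, bool, list[str]]:
    """Constructed scenario: one genuine joiner, one unknown device, one impostor."""
    mfr_root = b"manufacturer root secret (constructed)"
    issue = lambda dev_id: _mac(mfr_root, b"credential", dev_id)   # factory provisioning
    good_id, rogue_id = bytes.fromhex("00170d0000000001"), bytes.fromhex("deadbeef00000099")
    manager = NetworkManager(authorized={good_id: issue(good_id)})
    genuine = Device(good_id, issue(good_id))
    unknown = Device(rogue_id, issue(rogue_id))        # valid credential, but not in the pool
    impostor = Device(good_id, b"guessed credential")  # claims a pooled id with the wrong secret
    return (run_join(genuine, manager), run_join(unknown, manager),
            run_join(impostor, manager), manager.audit)
```

Two design points are worth noting. The device checks the manager's tag before answering, so a rogue access point that merely replays a join request learns nothing and the device simply does not join; that abort happens on the device side and therefore never reaches the manager's audit log. And because the manager's nonce is fresh per challenge, a captured device response cannot be replayed to admit a second device under the same identity.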
This document contains a number of strong requirements on the ROLL routing protocol. Some of those requirements might appear antagonistic and, as such, impossible to fulfill at the same time.
For instance, the strong requirement for power economy applies to routing in general but varies with the traffic class: it is reasonable to spend more energy ensuring the availability of a short emergency closed-loop path than to maintain an alert path that is only used for regular updates on the operating status of the device. In the same fashion, the strong requirement for easy provisioning does not sit easily with the strong security requirements that a plant policy may impose. Then again, a non-default, non-trivial setup can be acceptable as long as the default configuration enables a device to join with some degree of security.
Convergence time and network size are also antagonistic. The values expressed in Section 8 ("Protocol Performance Requirements") apply to an average network with tens of devices. The use of a backbone can maintain that level of performance while still allowing the network to grow to thousands of nodes. In any case, it is acceptable for the convergence time to grow reasonably with the network size.
Given that wireless sensor networks in industrial automation operate in systems that have substantial financial and human safety implications, security is of considerable concern. Levels of security violation that are tolerated as a "cost of doing business" in the banking industry are not acceptable when in some cases literally thousands of lives may be at risk.
Security is easily confused with a guarantee of availability. When discussing wireless security, it is important to distinguish clearly between the risk of temporarily losing connectivity, say due to a thunderstorm, and the risks associated with knowledgeable adversaries attacking a wireless system. The deliberate attacks need to be split between 1) attacks on the actual application served by the wireless devices and 2) attacks that exploit the presence of a wireless access point that may provide connectivity onto legacy wired plant networks; the latter have little to do with the wireless devices in the LLN themselves. In the second type of attack, access points that act as wireless backdoors, allowing an attacker outside the fence to reach typically non-secured process control and/or office networks, are the ones that create exposures where lives are at risk. This implies that the LLN access point on its own must possess functionality that guarantees domain segregation, and thus blocks many types of traffic from passing further upstream.
The current generation of industrial wireless device manufacturers specifies security at the MAC (Media Access Control) layer and the transport layer. A shared key is used to authenticate messages at the MAC layer. At the transport layer, commands are encrypted with statistically unique, randomly generated end-to-end session keys. HART7 [IEC62591] and ISA100.11a [ISA100.11a] are examples of security systems for industrial wireless networks.
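To make the division of labour between the two layers concrete, here is an added example (not code from this document, from WirelessHART or from ISA100.11a): a hop-by-hop frame check under a shared network key, and an end-to-end seal under a session key held only by the gateway and the field device. Assumptions, labelled in the code: HMAC-SHA256 stands in for the AES-128-CCM primitives those standards actually use, the keystream construction is for demonstration only, and the node addresses, command string and keys are constructed. The scenario shows what a relay that holds the network key can and cannot do.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct


def _hmac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


# ---- transport layer: end-to-end session key, held only by the two endpoints ----

def _subkeys(session_key: bytes) -> tuple[bytes, bytes]:
    """Separate encryption and authentication keys derived from one session key."""
    return _hmac(session_key, b"enc"), _hmac(session_key, b"mac")


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Demonstration stream cipher: HMAC-SHA256 in counter mode (stand-in for AES-CCM)."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = _hmac(enc_key, nonce + struct.pack(">I", block))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def e2e_seal(session_key: bytes, command: bytes) -> bytes:
    """nonce || ciphertext || 8-byte tag; encrypt-then-MAC under a fresh nonce."""
    enc_key, mac_key = _subkeys(session_key)
    nonce = secrets.token_bytes(12)
    ct = _keystream_xor(enc_key, nonce, command)
    return nonce + ct + _hmac(mac_key, nonce + ct)[:8]


def e2e_open(session_key: bytes, blob: bytes) -> bytes | None:
    """Returns the command, or None if the end-to-end tag does not verify."""
    enc_key, mac_key = _subkeys(session_key)
    if blob is None or len(blob) < 20:
        return None
    nonce, ct, tag = blob[:12], blob[12:-8], blob[-8:]
    if not hmac.compare_digest(_hmac(mac_key, nonce + ct)[:8], tag):
        return None
    return _keystream_xor(enc_key, nonce, ct)


# ---- MAC layer: one shared network key, checked by every node on every hop ----

def mac_frame(network_key: bytes, src: int, dst: int, payload: bytes) -> bytes:
    """header(src, dst) || payload || 4-byte frame tag (short tags are usual at this layer)."""
    header = struct.pack(">HH", src, dst)
    return header + payload + _hmac(network_key, header + payload)[:4]


def mac_verify(network_key: bytes, frame: bytes) -> bytes | None:
    """Returns the payload if the frame tag verifies under the network key, else None."""
    if len(frame) < 8:
        return None
    body, tag = frame[:-4], frame[-4:]
    if not hmac.compare_digest(_hmac(network_key, body)[:4], tag):
        return None
    return body[4:]


def scenario() -> dict:
    """Constructed run: gateway (address 1) -> relay (2) -> field device (3)."""
    network_key = secrets.token_bytes(16)      # known to gateway, relay and device
    session_key = secrets.token_bytes(16)      # gateway <-> device only
    command = b"CLOSE_VALVE 17"

    frame = mac_frame(network_key, 1, 3, e2e_seal(session_key, command))
    payload = mac_verify(network_key, frame)   # relay checks the hop tag, then forwards
    delivered = e2e_open(session_key, payload)

    # An outsider without the network key cannot get a frame past the relay.
    forged = mac_frame(b"outsider guess", 9, 3, b"OPEN_VALVE 17")

    # A compromised relay can re-MAC a modified payload under the network key, so the
    # next hop accepts it, but the device's end-to-end check catches the change.
    tampered = bytearray(payload)
    tampered[12] ^= 0xFF                       # first ciphertext byte, after the 12-byte nonce
    tampered_frame = mac_frame(network_key, 1, 3, bytes(tampered))

    return {
        "delivered": delivered,
        "outsider_dropped": mac_verify(network_key, forged) is None,
        "tampered_accepted_at_next_hop": mac_verify(network_key, tampered_frame) is not None,
        "tampered_rejected_by_device": e2e_open(session_key, mac_verify(network_key, tampered_frame)) is None,
        "relay_can_read_command": command in payload,
    }
```

The point the scenario makes is the one the text relies on: the MAC-layer key keeps outsiders off the network, but every node holds it, so it cannot protect a command from a compromised relay; only the end-to-end session key does that.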
Although such symmetric-key encryption and authentication mechanisms at the MAC and transport layers may protect reasonably well during the device lifecycle, the initial network boot (provisioning) step in many cases requires more sophisticated steps to securely land the initial secret keys in field devices. It is also vital that, during these steps, ease of deployment and the freedom to mix and match products from different suppliers do not complicate life for those who deploy and commission. Given the average skill levels in the field and the serious resource constraints in the market, investing a little more in sensor-node hardware and software, so that new devices can automatically be deemed trustworthy and thus automatically join the domains they should join with just one drag-and-drop action by those in charge of deployment, will yield faster adoption and proliferation of LLN technology.
Industrial plants may not maintain the same level of physical security for field devices that is associated with traditional network sites such as locked IT centers. In industrial plants, it must be assumed that field devices have marginal physical security and might be compromised. The routing protocol SHOULD limit the risk incurred by one node being compromised, for instance by offering non-congruent paths (paths that share no intermediate node) for a given route and balancing traffic across the network, so that no single node observes or can drop all of the traffic between two endpoints.
The routing protocol SHOULD compartmentalize the trust placed in field devices so that a compromised field device does not destroy the security of the whole network. The routing MUST be configured and managed using secure messages and protocols that prevent outsider attacks and limit insider attacks from field devices installed in insecure locations in the plant.
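An added example of the non-congruent-path idea above (not from this document or from any routing implementation): given an adjacency map, compute the maximum set of node-disjoint paths between two nodes by unit-capacity max-flow over a split-node graph, then measure what share of equally balanced traffic a single compromised node would see. The topologies, node names and the value of k are constructed for illustration.

```python
from collections import deque


def node_disjoint_paths(adj: dict, src, dst, k: int = 2) -> list:
    """Up to k node-disjoint paths src -> dst (Edmonds-Karp on a split-node graph).

    Every node v becomes v_in -> v_out with capacity 1, so at most one path may pass
    through it; every link u -> v becomes u_out -> v_in with capacity 1.
    """
    cap: dict = {}

    def add_edge(u, v, c):
        cap.setdefault(u, {})[v] = cap.get(u, {}).get(v, 0) + c
        cap.setdefault(v, {}).setdefault(u, 0)        # residual (reverse) edge

    for v, nbrs in adj.items():
        add_edge(("in", v), ("out", v), k if v in (src, dst) else 1)
        for w in nbrs:
            add_edge(("out", v), ("in", w), 1)
    s, t = ("out", src), ("in", dst)

    flows = 0
    while flows < k:
        parent = {s: None}                             # BFS for an augmenting path
        queue = deque([s])
        while queue and t not in parent:
            u = queue.popleft()
            for v, c in cap[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if t not in parent:
            break                                      # no further disjoint path exists
        v = t
        while parent[v] is not None:                   # push one unit along the path
            u = parent[v]
            cap[u][v] -= 1
            cap[v][u] += 1
            v = u
        flows += 1

    paths, used = [], set()
    for _ in range(flows):                             # walk each unit of flow from src
        path, v = [src], src
        while v != dst:
            for w in adj[v]:
                if cap[("out", v)][("in", w)] == 0 and (v, w) not in used:
                    used.add((v, w))                   # this link carries one unit of flow
                    path.append(w)
                    v = w
                    break
            else:
                raise RuntimeError("flow decomposition failed")
        paths.append(path)
    return paths


def exposure(paths: list, node) -> float:
    """Share of the traffic a node sees when load is balanced equally over the paths."""
    return sum(node in p for p in paths) / len(paths) if paths else 0.0


# Constructed topologies: a mesh with two disjoint routes S -> T, and one where X is a
# cut node, so every route has to pass through it whatever the routing protocol does.
MESH = {"S": ["B", "C"], "B": ["S", "D"], "C": ["S", "D", "E"],
        "D": ["B", "C", "T"], "E": ["C", "T"], "T": ["D", "E"]}
CUT = {"S": ["X"], "X": ["S", "T", "Y"], "Y": ["X", "T"], "T": ["X", "Y"]}
```

A flow-based search is used rather than "shortest path, delete its nodes, search again" because the greedy form can miss a disjoint pair that exists. When the result has fewer paths than requested, as for CUT, the exposure of the cut node is 1.0: that node is a single point of compromise that no route selection can remove, which is exactly the case where a topology change or a backbone link, not the routing protocol, has to provide the redundancy.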
The wireless environment typically forces the abandonment of classical 'by perimeter' thinking when trying to secure network domains. Wireless nodes in LLNs should thus be regarded as little islands with trusted kernels, situated in an ocean of untrusted connectivity, an ocean that might be full of pirate ships. Consequently, confidence in node identity, and the ability to challenge the authenticity of a source node's credentials, become more relevant. Cryptographic boundaries inside devices that clearly demarcate the border between trusted and untrusted areas need to be drawn. Protection against compromise of those cryptographic boundaries inside the hardware of devices is outside the scope of this document.
Note that because nodes are usually expected to be capable of routing, the end-node security requirements are usually a superset of the router requirements; this prevents an end node from being used to inject forged information into the network that could alter plant operations.
Additional details of security across all application scenarios are provided in the ROLL security framework [ROLL-SEC-FMWK]. Implications of these security requirements for the routing protocol itself are a topic for future work.
Many thanks to Rick Enns, Alexander Chernoguzov, and Chol Su Kang for their contributions.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[HART] HART (Highway Addressable Remote Transducer) Communication Foundation, "HART Communication Protocol and Foundation - Home Page", <http://www.hartcomm.org>.
[IEC61158] IEC, "Industrial communication networks - Fieldbus specifications", IEC 61158 series.
[IEC62591] IEC, "Industrial communication networks - Wireless communication network and communication profiles - WirelessHART", IEC 62591.
[IEEE802.15.4] IEEE, "Telecommunications and information exchange between systems -- Local and metropolitan area networks -- Specific requirements Part 15.4: Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specifications for Low-Rate Wireless Personal Area Networks (WPANs)", IEEE 802.15.4, 2006.
[ISA100.11a] ISA, "Wireless systems for industrial automation: Process control and related applications", ISA 100.11a, May 2008, <http://www.isa.org/Community/SP100WirelessSystemsforAutomation>.
[RFC4919] Kushalnagar, N., Montenegro, G., and C. Schumacher, "IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs): Overview, Assumptions, Problem Statement, and Goals", RFC 4919, August 2007.
[ROLL-SEC-FMWK] Tsao, T., Alexander, R., Dohler, M., Daza, V., and A. Lozano, "A Security Framework for Routing over Low Power and Lossy Networks", Work in Progress, September 2009.
[ROLL-TERM] Vasseur, JP., "Terminology in Low power And Lossy Networks", Work in Progress, October 2009.
Authors' Addresses
Kris Pister (editor) Dust Networks 30695 Huntwood Ave. Hayward, CA 94544 USA
EMail: kpister@dustnetworks.com
Pascal Thubert (editor) Cisco Systems Village d'Entreprises Green Side 400, Avenue de Roumanille Batiment T3 Biot - Sophia Antipolis 06410 FRANCE
Phone: +33 497 23 26 34 EMail: pthubert@cisco.com
Sicco Dwars Shell Global Solutions International B.V. Sir Winston Churchilllaan 299 Rijswijk 2288 DC Netherlands
Phone: +31 70 447 2660 EMail: sicco.dwars@shell.com
Tom Phinney Consultant 5012 W. Torrey Pines Circle Glendale, AZ 85308-3221 USA
Phone: +1 602 938 3163 EMail: tom.phinney@cox.net