Delay Tolerant Networking Research Group M. Ramadas Internet Draft Ohio University S. Burleigh September 2006 NASA/Jet Propulsion Laboratory Expires March 2007 S. Farrell Trinity College Dublin Licklider Transmission Protocol - Specification Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on March 1, 2007. Copyright Notice Copyright (C) The Internet Society (2006). Abstract This document describes the Licklider Transmission Protocol (LTP) designed to provide retransmission-based reliability over links characterized by extremely long message round-trip times (RTTs) and/or frequent interruptions in connectivity. Since communication across interplanetary space is the most prominent example of this sort of environment, LTP is principally aimed at supporting "long- Ramadas et al. Expires - March 2007 [Page 1] Internet Draft LTP - Specification September 2006 haul" reliable transmission in interplanetary space, but has applications in other environments as well. In an Interplanetary Internet setting deploying the Bundling protocol being developed by the Delay Tolerant Networking Research Group, LTP is intended to serve as a reliable convergence layer over single hop deep-space RF links. LTP does ARQ of data transmissions by soliciting selective-acknowledgment reception reports. It is stateful, and has no negotiation or handshakes. This document is a product of the Delay Tolerant Networking Research Group and has been reviewed by that group. No objections to its publication as an RFC were raised. Table of Contents 1. Introduction ................................................. 3 2. Terminology .................................................. 3 3. Segment Structure ............................................ 8 3.1 Segment Header ........................................... 9 3.1.1 Segment Type Flags .................................. 10 3.1.2 Segment Type Codes .................................. 10 3.1.3 Segment Class Masks ................................. 11 3.1.4 Extensions Field .................................... 12 3.2 Segment Content .......................................... 13 3.2.1 Data Segment ........................................ 13 3.2.2 Report Segment ...................................... 14 3.2.3 Report Acknowledgment Segment ....................... 16 3.2.4 Session Management Segments ......................... 16 3.3 Segment Trailer .......................................... 17 4. Requests from Client Service ................................. 17 4.1 Transmission Request ..................................... 17 4.2 Cancellation Request ..................................... 18 5. Internal Procedures .......................................... 19 5.1 Start Transmission ....................................... 19 5.2 Start Checkpoint Timer ................................... 20 5.3 Start RS Timer ........................................... 20 5.4 Stop Transmission ........................................ 20 5.5 Suspend Timers ........................................... 20 5.6 Resume Timers ............................................ 21 5.7 Retransmit Checkpoint .................................... 22 5.8 Retransmit RS ............................................ 22 5.9 Signify Red-Part Reception ............................... 23 5.10 Signify Green-Part Segment Arrival ...................... 23 5.11 Send Reception Report ................................... 23 5.12 Signify Transmission Completion ......................... 25 5.13 Retransmit Data ......................................... 25 5.14 Stop RS Timer ........................................... 26 Ramadas et al. Expires - March 2007 [Page 2] Internet Draft LTP - Specification September 2006 5.15 Start Cancel Timer ...................................... 26 5.16 Retransmit Cancellation Segment ......................... 26 5.17 Acknowledge Cancellation ................................ 27 5.18 Stop Cancel Timer ....................................... 27 5.19 Cancel Session .......................................... 28 5.20 Close Session ........................................... 28 5.21 Handle Miscolored Segment ............................... 28 5.22 Handling System Error Conditions ........................ 29 6. Notices to Client Service .................................... 29 6.1 Session Start ............................................. 29 6.2 Green-Part Segment Arrival ................................ 29 6.3 Red-Part Reception ........................................ 30 6.4 Transmission-Session Completion ........................... 30 6.5 Transmission-Session Cancellation ......................... 30 6.6 Reception-Session Cancellation ............................ 31 6.7 Initial-Transmission Completion ........................... 31 7. State Transition Diagrams ..................................... 31 7.1 Sender .................................................... 33 7.2 Receiver .................................................. 38 8. Requirements from the Operating Environment ................... 42 9. Security Considerations ....................................... 43 9.1 Security Mechanisms and Layering Considerations ........... 44 9.2 Denial of Service Considerations .......................... 45 9.3 Replay Handling ........................................... 46 9.4 Implementation Considerations ............................. 47 10. IANA Considerations .......................................... 47 11. Acknowledgments .............................................. 48 12. References ................................................... 48 12.1 Normative References ..................................... 48 12.2 Informative References ................................... 48 13. Author's Addresses ........................................... 49 1. Introduction The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [B97]. Discussions on this internet-draft are being made in the Delay Tolerant Networking Research Group (DTNRG) mailing list. More information can be found in the DTNRG web-site at http://www.dtnrg.org This document serves as the main protocol specification of LTP, and is part of a series of documents describing LTP. Other documents in this series include the motivation document [LTPMTV] and the protocol extensions document [LTPEXT] respectively. We strongly recommend reading the protocol motivation document before reading the Ramadas et al. Expires - March 2007 [Page 3] Internet Draft LTP - Specification September 2006 following document to establish sufficient background and motivation for the contents that follow in this document. 2. Terminology (1) Engine ID A number that uniquely identifies a given LTP engine, within some closed set of communicating LTP engines. Note that when LTP is operating underneath the DTN Bundling protocol [BP][DTN], the convergence layer adapter mediating between the two will be responsible for translating between DTN endpoint IDs and LTP engine IDs in an implementation-specific manner. (2) Block An array of contiguous octets of application data handed down by the upper layer protocol (typically Bundling) to be transmitted via LTP from one client service instance to another. Any subset of a block comprising contiguous octets that begins at the start of the block is termed a "block prefix" and any such subset of the block that ends with the end of the block is termed a "block suffix". (3) Red-Part The block prefix that is to be transmitted reliably, i.e., subject to acknowledgment and retransmission. (4) Green-Part The block suffix that is to be transmitted unreliably, i.e., not subject to acknowledgments or retransmissions. If present, the green- part of a block begins at the octet following the end of the red- part. (5) Session A thread of LTP protocol activity conducted for the purpose of transmitting a block. (6) Segment The unit of LTP data transmission activity. It is the data structure transmitted from one LTP engine to another in the course of a session. An LTP segment is either a data segment, a report segment, a report-acknowledgment segment, a cancel segment, or a cancel- Ramadas et al. Expires - March 2007 [Page 4] Internet Draft LTP - Specification September 2006 acknowledgment segment. (7) Reception Claim An assertion of reception of some number of contiguous octets of application data (a subset of a block) characterized by the offset of the first received octet and the number of contiguous octets received. (8) Scope Scope identifies a subset of a block and comprises two numbers - upper bound and lower bound. For a data segment, lower bound is the offset of the segment's application data from the start of the block (in octets), while upper bound is the sum of the offset and length of the segment's application data (in octets). For example, a segment with block offset 1000 and length 500 would have a lower bound 1000 and upper bound 1500. For a report segment, upper bound is the end of the block prefix to which the reception claims in the report apply, while lower bound is the end of the (smaller) interior block prefix to which the reception claims in the report do *not* apply. That is, data at any offset equal to or greater than the report's lower bound but less than its upper bound and not designated as "received" by any of the report's reception claims must be assumed not received and therefore eligible for retransmission. For example, if a report segment carried a lower bound of 1000 and an upper bound of 5000, and the reception claims indicated reception of data within offsets 1000-1999 and 3000-4999, data within the block offsets 2000-2999 can be considered missing and eligible for retransmission. Reception reports (which may comprise multiple report segments) also have scope, as defined in Section 5.11. (9) End of Block (EOB) The last data segment transmitted as part of the original transmission of a block. This data segment also indicates that the segment's upper bound is the total length of the block (in octets). (10) End of Red-Part (EORP) The segment transmitted as part of the original transmission of a block containing the last octet of the block's red-part. This data segment also indicates that the segment's upper bound is the length Ramadas et al. Expires - March 2007 [Page 5] Internet Draft LTP - Specification September 2006 of the block's red-part (in octets). (11) Checkpoint A data segment soliciting a reception report from the receiving LTP engine. The EORP segment must be flagged as a checkpoint, as must the last segment of any retransmission; these are "mandatory checkpoints". All other checkpoints are "discretionary checkpoints". (12) Reception Report A sequence of one or more report segments reporting on all block data reception within some scope. (13) Synchronous Reception Report A reception report that is issued in response to a checkpoint. (14) Asynchronous Reception Report A reception report that is issued in response to some implementation- defined event other than the arrival of a checkpoint. (15) Primary Reception Report A reception report that is issued in response to some event other than the arrival of a checkpoint segment that was itself issued in response to a reception report. Primary reception reports include all asynchronous reception reports and all synchronous reception reports that are sent in response to discretionary checkpoints or to the EORP segment for a session. (16) Secondary Reception Report A reception report that is issued in response to the arrival of a checkpoint segment that was itself issued in response to a reception report. (17) Self-Delimiting Numeric Value (SDNV) The design of LTP attempts to reconcile minimal consumption of transmission bandwidth with (a) extensibility to satisfy requirements not yet identified, and (b) scalability across a very wide range of network sizes and transmission payload sizes. The SDNV encoding scheme is modeled after the Abstract Syntax Ramadas et al. Expires - March 2007 [Page 6] Internet Draft LTP - Specification September 2006 Notation One [ASN1] scheme for encoding Object Identifier Values. In a data field encoded as an SDNV, the most significant bit (MSB) of each octet of the SDNV serves to indicate whether the octet is the last octet of the SDNV or not. The octet with an MSB of 1 indicates that it is either the first or a middle octet of the multi-octet SDNV; the octet with an MSB of 0 is the last octet of the SDNV. The value encoded in an SDNV is found by concatenating the 7 least significant bits of each octet of the SDNV, beginning at the first octet and ending at the last octet. The following examples illustrate the encoding scheme for various hexadecimal values. 0xABC : 1010 1011 1100 is encoded as {100 1010 1} {0 011 1100} = 10010101 00111100 0x1234 : 0001 0010 0011 0100 = 1 0010 0011 0100 is encoded as {10 1 0010 0} {0 011 0100} = 10100100 00110100 0x4234 : 0100 0010 0011 0100 =100 0010 0011 0100 is encoded as {1000000 1} {1 00 0010 0} {0 011 0100} = 10000001 10000100 00110100 0x7F : 0111 1111 =111 1111 is encoded as {0 111 1111} = 01111111 Note : Care must be taken to make sure that the value to be encoded is padded with zeroes at the most significant bit end (NOT at the least significant bit end) to make its bitwise length a multiple of 7 before encoding. While there is no theoretical limit on the size of an SDNV field, note that the overhead of the SDNV scheme is 1:7, i.e., one bit of overhead for every 7 bits of actual data to be encoded. Thus a 7-octet value (a 56-bit quantity with no leading zeroes) would be encoded in an 8-octet SDNV; an 8-octet value (a 64-bit quantity Ramadas et al. Expires - March 2007 [Page 7] Internet Draft LTP - Specification September 2006 with no leading zeroes) would be encoded in a 10-octet SDNV. In general, an N-bit quantity with no leading zeroes would be encoded in a ceil(N/7) octet SDNV, where ceil is the integer ceiling function. Clearly, for fields that typically carry larger values such as RSA public keys, the SDNV overhead could become unacceptable. Hence for adopting the above SDNV scheme in other places related to this document such as any protocol extensions, we RECOMMEND that if the typical data field value is expected to be larger than 8 octets, the data field be specified as a {LENGTH, VALUE} tuple with the LENGTH parameter encoded as an SDNV, followed by LENGTH octets housing the VALUE parameter as is. We also note that SDNV is clearly not the best way to represent every numeric value. When the maximum possible value of a number is known without question, the cost of additional bits may not be justified. For example, an SDNV is a poor way to represent an integer whose value typically falls in the range 128 to 255. In general, though, we believe that the SDNV representation of various protocol data fields in LTP segments yields the smallest segment sizes without sacrificing scalability. (18) Client Service Instance A software entity, such as an application or a higher-layer protocol implementation, that is using LTP to transfer data. 3. Segment Structure Each LTP segment comprises (a) a "header" in the format defined below. (b) zero or more octets of "content". (c) zero or more octets of "trailer" as indicated by information in the "extensions field" of the header. LTP segments are of four general types depending on the nature of the content carried: Data segments carry client service (application) data, together with metadata enabling the receiving client service instance to receive and make use of that data. A report segment carries data reception claims together with the upper and lower bounds of the data block scope to which the claims pertain. Ramadas et al. Expires - March 2007 [Page 8] Internet Draft LTP - Specification September 2006 A report-acknowledgment segment carries only the serial number of the report being acknowledged. Session management segments are of two general subtypes: Cancellation and Cancellation-acknowledgment. A Cancellation segment carries a single byte reason-code to indicate the reason for the cancellation. Cancellation-acknowledgment segments have no content. The overall segment structure is illustrated below : Ramadas et al. Expires - March 2007 [Page 9] Internet Draft LTP - Specification September 2006 Bit 0 1 2 3 4 5 6 7 ^ +-----+-----+-----+-----+-----+-----+-----+-----+ | | Version number | Segment Type Flags | | +-----------------------+-----------------------+ | | | | / Session ID \ | \ / Header +-----------------------+-----------------------+ | | Header Extension Cnt. | Trailer Extension Cnt.|Extensions | +-----------------------+-----------------------+ | | | | / Header Extensions \ | \ / V +-----------------------------------------------+ | | | | | | | Segment Content | / \ \ / | | | | | | ^ +-----------------------------------------------+ | | | Trailer / Trailer Extensions \ | \ / V +-----------------------------------------------+ 3.1 Segment Header An LTP segment header comprises three data items: a single-octet control byte, a session ID, and an extensions field. Control byte comprises the following: Version number (4 bits): MUST be set to the binary value 0000 for this version of the protocol. Segment type flags (4 bits): described below. Session ID uniquely identifies, among all transmissions between the segment's sender and receiver, the session of which the segment is one token. It comprises the following: Session originator (SDNV): the engine ID of the LTP engine that initiated the session. Ramadas et al. Expires - March 2007 [Page 10] Internet Draft LTP - Specification September 2006 Session number (SDNV) : Typically a random number (for anti-DoS reasons), generated by the LTP engine identified as the session originator. The format and resolution of session number are matters that are private to the session-originating engine; the only requirement imposed by LTP is that every session initiated by an LTP engine MUST be uniquely identified by the session ID. The extensions field is described in Section 3.1.4. 3.1.1 Segment Type Flags The last four bits of the control byte in the segment header are flags that indicate the nature of the segment. In order (most significant bit first), these flags are CTRL, EXC, Flag 1 and Flag 0. A value of 0 in the CTRL (Control) flag identifies the segment as a data segment while a value of 1 identifies it as a control segment. A data segment with the EXC (Exception) flag set to 0 is a red-part segment; a data segment with EXC set to 1 is a green-part segment. For a control segment, having the EXC flag set to 1 indicates that the segment pertains to session cancellation activity. Any data segment (whether red-part or green-part) with both Flag 1 and Flag 0 set to 1 indicates EOB. Any data segment (whether red-part or green- part) with both Flag 1 and Flag 0 set to 0 indicates data without any additional protocol significance. Any red-part data segment with either Flag bit non-zero is a checkpoint. Any red-part data segment with Flag 1 set to 1 indicates the end of the red-part of the block. 3.1.2 Segment Type Codes Combinations of the settings of the segment type flags CTRL, EXC, Flag 1 and Flag 0 constitute segment type codes which serve as concise representations of detailed segment nature. CTRL EXC Flag 1 Flag 0 Code Nature of segment ---- --- ------ ------ ---- --------------------------------------- 0 0 0 0 0 Red data, NOT {Checkpoint, EORP or EOB} 0 0 0 1 1 Red data, Checkpoint, NOT {EORP or EOB} 0 0 1 0 2 Red data, Checkpoint, EORP, NOT EOB 0 0 1 1 3 Red data, Checkpoint, EORP, EOB 0 1 0 0 4 Green data, NOT EOB 0 1 0 1 5 Undefined 0 1 1 0 6 Undefined 0 1 1 1 7 Green data, EOB Ramadas et al. Expires - March 2007 [Page 11] Internet Draft LTP - Specification September 2006 1 0 0 0 8 Report segment 1 0 0 1 9 Report-acknowledgment segment 1 0 1 0 10 Undefined 1 0 1 1 11 Undefined 1 1 0 0 12 Cancel segment from block sender 1 1 0 1 13 Cancel-acknowledgment segment to block sender 1 1 1 0 14 Cancel segment from block receiver 1 1 1 1 15 Cancel-acknowledgment segment to block receiver 3.1.3 Segment Class Masks For the purposes of this specification, some bit patterns in the segment type flags field correspond to "segment classes" that are designated by mnemonics. The mnemonics are intended to evoke the characteristics shared by all types of segments characterized by these flag bit patterns. CTRL EXC Flag 1 Flag 0 Mnemonic Description ---- --- ------ ------ -------- --------------------------- 0 0 - 1 -- or -- 0 0 1 - CP Checkpoint 0 0 1 - EORP End of red-part; red-part size = offset + length 0 - 1 1 EOB End of block; block size = offset + length 1 0 0 0 RS Report segment; carries reception claims 1 0 0 1 RA Report-acknowledgment segment 1 1 0 0 CS Cancel segment from block sender 1 1 0 1 CAS Cancel-acknowledgment segment to block sender 1 1 1 0 CR Cancel segment from block receiver 1 1 1 1 CAR Cancel-acknowledgment segment to block receiver Ramadas et al. Expires - March 2007 [Page 12] Internet Draft LTP - Specification September 2006 1 1 - 0 Cx Cancel segment (generic) 1 1 - 1 CAx Cancel-acknowledgment segment (generic) 3.1.4 Extensions field The extension field enables the inclusion of zero or more functional extensions to the basic LTP segment, each in type-length-value (TLV) representation as explained below. The first octet of the extensions field indicates the number of extensions present in the segment: the high-order 4 bits indicate the number of extension TLVs in the header (immediately following the extensions count octet and preceding the segment's content) while the low-order 4 bits indicate the number of extension TLVs in the trailer (immediately following the segment's content). That is, each segment may have from 0 to 15 extension TLVs in its header and from 0 to 15 extension TLVs in its trailer. In the absence of any extension TLVs, all bits of this extensions count octet MUST be set to zero. Note that it is valid to have header extensions be immediately followed by trailer extensions; for example, since CAx segments have no contents, if both header and trailer extensions were in use in a session being cancelled, trailer extensions would immediately follow the header extensions. Each extension consists of a one-octet tag identifying the type of the extension, a length parameter in SDNV, followed by the value of the specified length. The diagram below illustrates the extension TLVs as they may occur in the header or trailer. +--------+----///-----///--+ |ext-tag | length | value | +--------+-------///-------+----------///-------+ |ext-tag | length | value | +--------+-----///-----///-+---------////-------+ |ext-tag | length | value | +--------+----------+----------+ Extension tags are assigned as follows. Extension tag Meaning ------------- ------- 0x00 LTP authentication extension [LTPEXT] 0x01 LTP cookie extension [LTPEXT] Ramadas et al. Expires - March 2007 [Page 13] Internet Draft LTP - Specification September 2006 0x02-0xBF Reserved 0xC0-0xFF Private / Experimental Use Note that since the last quarter of the extension-tag space is reserved for experimental use, implementations should be aware that collisions for these tags are possible. 3.2 Segment Content 3.2.1 Data Segment (DS) The content of a data segment includes client service data and the metadata enabling the receiving client service instance to receive and make use of that data. Client service ID [SDNV] The client service ID number identifies the upper-level service to which the segment is to be delivered by the destination LTP engine. It is functionally analogous to a well-known TCP port number. If multiple instances of the client service are present at the destination, multiplexing must be done by the client service itself on the basis of information encoded within the transmitted block. Offset [SDNV] Offset indicates the location of the segment's client service data within the session's transmitted block. It is the number of bytes in the block prior to the byte from which the first octet of the segment's client service data was copied. Length [SDNV] The length of the ensuing client service data, in octets. If the data segment is a checkpoint, the segment MUST additionally include the following two serial numbers (Checkpoint serial number and Report serial number) to support efficient retransmission. Data segments that are not checkpoints MUST NOT have these two fields in the header and MUST continue on directly with the client service data. Checkpoint serial number [SDNV] The checkpoint serial number uniquely identifies the checkpoint among all checkpoints issued by the block sender in a session. Ramadas et al. Expires - March 2007 [Page 14] Internet Draft LTP - Specification September 2006 The first checkpoint issued by the sender MUST have this serial number chosen randomly for security reasons, and it is RECOMMENDED that the sender use the guidelines in [ECS94] for this. Any subsequent checkpoints issued by the sender MUST have the serial number value found by incrementing the prior checkpoint serial number by 1. When a checkpoint segment is retransmitted, however, its serial number MUST be the same as when it was originally transmitted. Report serial number [SDNV] If the checkpoint was queued for transmission in response to the reception of an RS [Sec 5.13], then its value MUST be the report serial number value of the RS that caused the data segment to be queued for transmission. Otherwise, the value of report serial number MUST be zero. Client service data [array of octets] The client service data carried in the segment is a copy of a subset of the bytes in the original client service data block, starting at the indicated offset. 3.2.2 Report Segment (RS) The content of an RS comprises one or more data reception claims, together with the upper and lower bounds of the scope within the data block to which the claims pertain. It also includes two serial numbers to support efficient retransmission. Report serial number [SDNV] The report serial number uniquely identifies the report among all reports issued by the block receiver in a session. The first report issued by the receiver MUST have this serial number chosen randomly for security reasons, and it is RECOMMENDED that the receiver use the guidelines in [ECS94] for this. Any subsequent RS issued by the receiver MUST have the serial number value found by incrementing the last report serial number by 1. When an RS is retransmitted however, its serial number MUST be the same as when it was originally transmitted. Checkpoint serial number [SDNV] The value of checkpoint serial number MUST be zero if the report segment is NOT a response to reception of a checkpoint, i.e., the reception report is asynchronous; otherwise it is the checkpoint Ramadas et al. Expires - March 2007 [Page 15] Internet Draft LTP - Specification September 2006 serial number of the checkpoint that caused the RS to be issued. Upper bound [SDNV] The upper bound of a report segment is the size of the block prefix to which the segment's reception claims pertain. Lower bound [SDNV] The lower bound of a report segment is the size of the (interior) block prefix to which the segment's reception claims do NOT pertain. Reception claim count [SDNV] The number of data reception claims in this report segment. Reception claims Each reception claim comprises two elements: offset and length. Offset [SDNV] The offset indicates the successful reception of data beginning at the indicated offset from the lower bound of the RS. The offset within the entire block can be calculated by summing this offset with the lower bound of the RS. Length [SDNV] The length of a reception claim indicates the number of contiguous octets of block data starting at the indicated offset (within the scope of the report) that have been successfully received so far. Reception claims MUST conform to the following rules: A reception claim's length shall never be less than 1 and shall never exceed the difference between the upper and lower bounds of the report segment. The offset of a reception claim shall always be greater than the sum of the offset and length of the prior claim, if any. The sum of a reception claim's offset and length and the lower bound of the report segment shall never exceed the upper bound of the report segment. Ramadas et al. Expires - March 2007 [Page 16] Internet Draft LTP - Specification September 2006 Implied requests for retransmission of client service data can be inferred from an RS's data reception claims. However, *nothing* can be inferred regarding reception of block data at any offset equal to or greater than the segment's upper bound or at any offset less than the segment's lower bound. For example, if the scope of a report segment has lower bound 0 and upper bound 6000, and the report contains a single data reception claim with offset 0 and length 6000, then the report signifies successful reception of the first 6000 bytes of the block. If the total length of the block is 6000, then the report additionally signifies successful reception of the entire block. If on the other hand, the scope of a report segment has lower bound 1000 and upper bound 6000, and the report contains two data reception claims, one with offset 0 and length 2000 and the other with offset 3000 and length 500, then the report signifies successful reception only of bytes 1000-2999 and 4000-4499 of the block. From this we can infer that bytes 3000-3999 and 4500-5999 of the block need to be retransmitted, but we cannot infer anything about reception of the first 1000 bytes. 3.2.3 Report Acknowledgment Segment The content of an RA is simply the report serial number of the RS in response to which the segment was generated. Report serial number [SDNV] This field returns the report serial number of the RS being acknowledged. 3.2.4 Session Management Segments Cancel segments (Cx) carry a single byte reason-code with the following semantics : Reason-Code Mnemonic Semantics ----------- -------- --------------------------------------- 00 USR_CNCLD Client Service canceled session. 01 UNREACH Unreachable Client Service. 02 RLEXC Retransmission limit exceeded. 03 MISCOLORED Received either a red-part data segment at block offset above any green-part data segment offset or a green-part Ramadas et al. Expires - March 2007 [Page 17] Internet Draft LTP - Specification September 2006 data segment at block offset below any red-part data segment offset. 04 SYS_CNCLD A system error condition caused unexpected session termination. 05 RXMTCYCEXC Exceeded the Retransmission-Cycles limit 06-FF Reserved The Cancel-acknowledgments (CAx) have no content. Note: the reason we use different cancel segment types for the originator and recipient is to allow a loopback mode to work without disturbing any replay protection mechanism in use. 3.3 Segment Trailer The segment trailer consists of a sequence of from zero to 15 extension TLVs as described in Section 3.1.4 above. 4. Requests from Client Service In all cases the representation of request parameters is a local implementation matter, as are validation of parameter values and notification of the client service in the event that a request is found to be invalid. 4.1 Transmission Request In order to request transmission of a block of client service data, the client service MUST provide the following parameters to LTP: Client service ID Destination LTP engine ID Client service data to send, as an array of bytes. Length of the data to be sent. Length of the red-part of the data. This value MUST be in the range from zero to the total length of data to be sent. On reception of a valid transmission request from a client service, LTP proceeds as follows. First the array of data to be sent is subdivided as necessary, with Ramadas et al. Expires - March 2007 [Page 18] Internet Draft LTP - Specification September 2006 each subdivision serving as the client service data of a single new LTP data segment. The algorithm used for subdividing the data is a local implementation matter; it is expected that data size constraints imposed by the underlying communication service, if any, will be accommodated in this algorithm. The last (and only the last) of the resulting data segments must be marked as the EOB. Note that segment type indicates that the client service data in a given LTP segment either is or is not in the red-part of the block. To prevent segment type ambiguity, each data segment MUST contain either only red-part data or only green-part data. Therefore, when the length of the block's red-part is N, the total length of the block is M, and N is not equal to M, the (N+1)th byte of the block SHOULD be the first byte of client service data in a green-part data segment. Note that this means that at the red-part boundary, LTP may send a segment of size lesser than the link MTU size; For bandwidth efficiency reasons, implementations MAY choose to instead mark the entire segment (within which the red-part boundary falls) as red-part causing green-part data falling within the segment also be treated as red-part. If the length of the block's red-part is greater than zero, then the last data segment containing red-part data must be marked as the EORP segment by setting the appropriate segment type flag bits [Sec 3.1.2]. Zero or more preceding data segments containing red-part data (selected according to an algorithm that is a local implementation matter) MAY additionally be marked to serve as additional discretionary checkpoints [Sec 3.1.2]. All data segments are appended to the (conceptual) application data queue for transmission. Finally, a session start notice [Sec 6.1] is sent back to the client service that requested the transmission. 4.2 Cancellation Request In order to request cancellation of a session, either as the sender or as the receiver of the associated data block, the client service must provide the session ID identifying the session to be canceled. On reception of a valid cancellation request from a client service, LTP proceeds as follows. First the internal "Cancel session" procedure [Sec 5.19] is invoked. Ramadas et al. Expires - March 2007 [Page 19] Internet Draft LTP - Specification September 2006 Next, if the session is being canceled by the block sender (i.e., the session originator part of the session ID supplied in the cancellation request is the local LTP engine ID): If none of the data segments previously queued for transmission as part of this session have yet been de-queued and transmitted - i.e., if the destination engine cannot possibly be aware of this session - then the session is simply closed; the "Close session" procedure [Sec 5.20] is invoked. Otherwise, a CS segment with reason-code USR_CNCLD MUST be queued for transmission to the destination LTP engine specified in the transmission request that started this session. Otherwise (i.e., the session is being canceled by the block receiver): If there is no transmission queue-set bound for the block sender (possibly because the local LTP engine is running on a receive- only device), then the session is simply closed; the "Close session" procedure [Sec 5.20] is invoked. Otherwise, a CR segment with reason-code USR_CNCLD MUST be queued for transmission to the block sender. 5. Internal Procedures This section describes the internal procedures that are triggered by the occurrence of various events during the life-time of the LTP session. Whenever the content of any of the fields of the header of any received LTP segment does not conform to this specification document, the segment is assumed to be corrupt and MUST be discarded immediately and processed no further. This procedure supersedes all other procedures described below. All internal procedures described below that are triggered by the arrival of a data segment are superseded by the following procedure in the event that the client service identified by the data segment does not exist at the local LTP engine: If there is no transmission queue-set bound for the block sender (possibly because the local LTP engine is running on a receive- only device), then the received data segment is simply discarded. Otherwise, if the data segment contains data from the red-part of the block, a CR with reason-code UNREACH MUST be enqueued for Ramadas et al. Expires - March 2007 [Page 20] Internet Draft LTP - Specification September 2006 transmission to the block sender. A CR with reason-code UNREACH SHOULD be similarly enqueued for transmission to the data sender even if the data segment contained data from the green-part of the block; note however that (for example) in the case where the block receiver knows that the sender of this green-part data is functioning in a "beacon" (transmit-only) fashion, a CR need not be sent. In either case the received data segment is discarded. 5.1 Start Transmission This procedure is triggered by the arrival of a link state cue indicating the start of transmission to a specified remote LTP engine. Response: the de-queuing and delivery of segments to the LTP engine specified in the link state cue begins. 5.2 Start Checkpoint Timer This procedure is triggered by the arrival of a link state cue indicating the de-queuing (for transmission) of a CP segment. Response: the expected arrival time of the RS segment that will be produced on reception of this CP segment is computed, and a countdown timer is started for this arrival time. However, if it is known that the remote LTP engine has ceased transmission [Sec 5.5], then this timer is immediately suspended, because the computed expected arrival time may require an adjustment that cannot yet be computed. 5.3 Start RS Timer This procedure is triggered by the arrival of a link state cue indicating the de-queuing (for transmission) of an RS segment. Response: the expected arrival time of the RA segment in response to the reception of this RS segment is computed, and a countdown timer is started for this arrival time. However, as in Sec 5.2, if it is known that the remote LTP engine has ceased transmission [Sec 5.5], then this timer is immediately suspended, because the computed expected arrival time may require an adjustment that cannot yet be computed. 5.4 Stop Transmission This procedure is triggered by the arrival of a link state cue indicating the cessation of transmission to a specified remote LTP engine. Ramadas et al. Expires - March 2007 [Page 21] Internet Draft LTP - Specification September 2006 Response: the de-queuing and delivery to the underlying communication system of segments from traffic queues bound for the LTP engine specified in the link state cue ceases. 5.5 Suspend Timers This procedure is triggered by the arrival of a link state cue indicating the cessation of transmission from a specified remote LTP engine to the local LTP engine. Normally, this event is inferred from advance knowledge of the remote engine's planned transmission schedule. Response: countdown timers for the acknowledging segments that the remote engine is expected to return are suspended as necessary based on the following procedure. The nominal remote engine acknowledge transmission time is computed as the sum of the transmission time of the original segment (to which the acknowledging segment will respond) and the one-way light time to the remote engine, plus N seconds of "additional anticipated latency" (AAL) encompassing anticipated transmission delays other than signal propagation time. N is determined in an implementation-specific manner. For example, when LTP is deployed in deep space vehicles, the one-way light time to the remote engine may be very large while N normally need only reflect processing and queuing delay margin; it can be a network management parameter, for which 2 seconds seems to be a reasonable default value. As another example, when LTP is deployed in a terrestrial "data mule" environment, one-way light time latency is effectively zero while N may need to be some dynamically computed function of the data mule circulation schedule. If the nominal remote engine acknowledge transmission time is greater than or equal to the current time (i.e., the acknowledging segment may be presented for transmission during the time that transmission at the remote engine is suspended), then the countdown timer for this acknowledging segment is suspended. 5.6 Resume Timers This procedure is triggered by the arrival of a link state cue indicating the start of transmission from a specified remote LTP engine to the local LTP engine. Normally, this event is inferred from advance knowledge of the remote engine's planned transmission schedule. Response: expected arrival time is adjusted for every acknowledging segment that the remote engine is expected to return, for which the countdown timer has been suspended. First, the transmission delay Ramadas et al. Expires - March 2007 [Page 22] Internet Draft LTP - Specification September 2006 interval is calculated as follows : The nominal remote engine acknowledge transmission time is computed as the sum of the transmission time of the original segment (to which the acknowledging segment will respond) and the one-way light time to the remote engine, plus N seconds of AAL [Sec 5.5]. If the nominal remote engine acknowledge transmission time is greater than the current time i.e., the remote engine resumed transmission prior to presentation of the acknowledging segment for transmission, then the transmission delay interval is zero. Otherwise, the transmission delay interval is computed as the current time less the nominal remote engine acknowledge transmission time. The expected arrival time is increased by the respective transmission delay interval for each of the suspended countdown timers, and the timers are resumed. 5.7 Retransmit Checkpoint This procedure is triggered by the expiration of a countdown timer associated with a CP segment. Response: if the number of times this CP segment has been queued for transmission exceeds the checkpoint retransmission limit established for the local LTP engine by network management, then the session of which the segment is one token is canceled: the "Cancel session" procedure [Sec 5.19] is invoked, a CS with reason-code RLEXC is appended to the (conceptual) application data queue, and a transmission-session cancellation notice [Sec 6.5] is sent back to the client service that requested the transmission. Otherwise, a new copy of the CP segment is appended to the (conceptual) application data queue. 5.8 Retransmit RS This procedure is triggered by either (a) the expiration of a countdown timer associated with an RS segment or (b) the reception of a CP segment whose checkpoint serial number is equal to that of one or more previously issued RS segments for the same session -- an unnecessarily retransmitted checkpoint. Response: if the number of times any affected RS segment has been queued for transmission exceeds the report retransmission limit Ramadas et al. Expires - March 2007 [Page 23] Internet Draft LTP - Specification September 2006 established for the local LTP engine by network management, then the session of which the segment is one token is canceled: the "Cancel session" procedure [Sec 5.19] is invoked, a CR segment with reason- code RLEXC is queued for transmission to the LTP engine that originated the session, and a reception-session cancellation notice [Sec 6.6] is sent to the client service identified in each of the data segments received in this session. Otherwise, a new copy of each affected RS segment is queued for transmission to the LTP engine that originated the session. 5.9 Signify Red-Part Reception This procedure is triggered by the arrival of a CP segment when the EORP for this session has been received (ensuring that the size of the data block's red-part is known; this includes the case where the CP segment itself is the EORP segment) and all data in the red-part of the block being transmitted in this session have been received. Response: a red-part reception notice [Sec 6.3] is sent to the specified client service. 5.10 Signify Green-Part Segment Arrival This procedure is triggered by the arrival of a data segment whose content is a portion of the green-part of a block. Response: a green-part segment arrival notice [Sec 6.2] is sent to the specified client service. 5.11 Send Reception Report This procedure is triggered by either (a) the reception of a CP segment whose checkpoint serial number is not equal to that of any previously issued RS or (b) an implementation-specific circumstance pertaining to a particular block reception session for which no EORP has yet been received ("asynchronous" reception reporting). Response: if the number of reception problems detected for this session exceeds a limit established for the local LTP engine by network management, then the affected session is canceled: the "Cancel session" procedure [Sec 5.19] is invoked, a CR segment with reason-code RLEXC is issued and is, in concept, appended to the queue of internal operations traffic bound for the LTP engine that originated the session, and a reception-session cancellation notice [Sec 6.6] is sent to the client service identified in each of the data segments received in this session. One possible limit on reception problems would be the maximum number of reception reports Ramadas et al. Expires - March 2007 [Page 24] Internet Draft LTP - Specification September 2006 which can be issued for any single session. If such limit is not reached, a reception report is issued as follows. If production of the reception report was triggered by reception of a checkpoint: The upper bound of the report SHOULD be the upper bound (the sum of the offset and length) of the checkpoint data segment, to minimize unnecessary retransmission. Note: If a discretionary checkpoint is lost but subsequent segments are received, by the time the retransmission of the lost checkpoint is received, the receiver would have segments at block offsets beyond the upper bound of the checkpoint. For deployments where bandwidth economy is not critical, the upper bound of a synchronous reception report MAY be the maximum upper bound value among all red-part data segments received so far in the affected session. If the checkpoint was itself issued in response to a report segment, then this report is a "secondary" reception report. In that case the lower bound of the report SHOULD be the lower bound of the report segment to which the triggering checkpoint was itself a response, to minimize unnecessary retransmission. Note: For deployments where bandwidth economy is not critical, the lower bound of the report MAY instead be zero. If the checkpoint was not issued in response to a report segment, this report is a "primary" reception report. The lower bound of the first primary reception report issued for any session MUST be zero. The lower bound of each subsequent primary reception report issued for the same session SHOULD be the upper bound of the prior primary reception report issued for the session, to minimize unnecessary retransmission. Note: For deployments where bandwidth economy is not critical, the lower bound of every primary reception report MAY be zero. If production of the reception report is "asynchronous" as noted above: The upper bound of the report MUST be the maximum upper bound among all red-part data segments received so far for this session. The lower bound of the first asynchronous reception report issued for any session for which no other primary reception reports have yet been issued MUST be zero. The lower bound of each subsequent asynchronous reception report SHOULD be the upper bound of the prior primary reception report issued for the session, to minimize Ramadas et al. Expires - March 2007 [Page 25] Internet Draft LTP - Specification September 2006 unnecessary retransmission. Note: For deployments where bandwidth economy is not critical, the lower bound of every asynchronous reception report MAY be zero. In all cases, if the applicable lower bound of the scope of a report is determined to be greater than or equal to the applicable upper bound (for example, due to out-of-order arrival of discretionary checkpoints) then the reception report MUST NOT be issued. Otherwise: As many RS segments must be produced as are needed in order to report on all data reception within the scope of the report, given whatever data size constraints are imposed by the underlying communication service. The RS segments are, in concept, appended to the queue of internal operations traffic bound for the LTP engine that originated the indicated session. The lower bound of the first RS segment of the report MUST be the reception report's lower bound. The upper bound of the last RS segment of the report MUST be the reception report's upper bound. 5.12 Signify Transmission Completion This procedure is triggered at the earliest time at which (a) all data in the block are known to have been transmitted *and* (b) the entire red-part of the block - if of non-zero length - is known to have been successfully received. Condition (a) is signaled by arrival of a link state cue indicating the de-queuing (for transmission) of the EOB segment for the block. Condition (b) is signaled by reception of an RS segment whose reception claims, taken together with the reception claims of all other RS segments previously received in the course of this session, indicate complete reception of the red-part of the block. Response: a transmission-session completion notice [Sec 6.4] is sent to the client service that requested the transmission identified in the segment header and the session is closed: the "Close session" procedure [Sec 5.20] is invoked. 5.13 Retransmit Data This procedure is triggered by the reception of an RS segment. Response: first, an RA segment with the same report serial number as the RS segment is issued and is, in concept, appended to the queue of internal operations traffic bound for the LTP engine that originated the indicated session. If the RS segment is redundant -- i.e., either the indicated session is unknown (for example, the RS segment is received after the session has been completed or canceled), or the RS segment's report serial number is equal to that of a previously Ramadas et al. Expires - March 2007 [Page 26] Internet Draft LTP - Specification September 2006 received report segment for this session -- then no further action is taken. Otherwise the procedure below is followed. If the report's checkpoint serial number is not zero, then the countdown timer associated with the indicated checkpoint segment is deleted. Note: All retransmission buffer space occupied by data whose reception is claimed in the report segment can (in concept) be released. If the segment's reception claims indicate incomplete data reception within the scope of the report segment: If the number of transmission problems for this session exceeds a limit established for the local LTP engine by network management, then the session of which the segment is one token is canceled: the "Cancel session" procedure [Sec 5.19] is invoked, a CS with reason-code RLEXC is appended to the transmission queue specified in the transmission request that started this session, and a transmission-session cancellation notice [Sec 6.5] is sent back to the client service that requested the transmission. One possible limit on transmission problems would be the maximum number of retransmission CP segments which may be issued for any single session. If the number of transmission problems for this session has not exceeded any limit, new data segments encapsulating all block data whose non-reception is implied by the reception claims are appended to the transmission queue specified in the transmission request that started this session. The last - and only the last - such segment must be marked as a CP segment and must contain the report serial number of the received RS segment. 5.14 Stop RS Timer This procedure is triggered by the reception of an RA. Response: the countdown timer associated with the original RS segment (identified by the report serial number of the RA segment) is deleted. If no other countdown timers associated with RS segments exist for this session, then the session is closed: the "Close session" procedure [Sec 5.20] is invoked. 5.15 Start Cancel Timer This procedure is triggered by arrival of a link state cue indicating the de-queuing (for transmission) of a Cx segment. Ramadas et al. Expires - March 2007 [Page 27] Internet Draft LTP - Specification September 2006 Response: the expected arrival time of the CAx segment that will be produced on reception of this Cx segment is computed and a countdown timer for this arrival time is started. However, if it is known that the remote LTP engine has ceased transmission [Sec 5.5] then this timer is immediately suspended, because the computed expected arrival time may require an adjustment that cannot yet be computed. 5.16 Retransmit Cancellation Segment This procedure is triggered by the expiration of a countdown timer associated with a Cx segment. Response: if the number of times this Cx segment has been queued for transmission exceeds the cancellation retransmission limit established for the local LTP engine by network management, then the session of which the segment is one token is simply closed: the "Close session" procedure [Sec 5.20] is invoked. Otherwise, a copy of the cancellation segment (retaining the same reason-code) is queued for transmission to the appropriate LTP engine. 5.17 Acknowledge Cancellation This procedure is triggered by the reception of a Cx segment. Response: in the case of a CS segment where there is no transmission queue-set bound for the engine that originated the segment's session (possibly because the local LTP engine is running on a receive-only device), then no action is taken. Otherwise: If the received segment is a CS segment, a CAS segment is issued and is, in concept, appended to the queue of internal operations traffic bound for the LTP engine that sent the CS segment. If the received segment is a CR segment, a CAR segment is issued and is, in concept appended to the queue of internal operations traffic bound for the LTP engine that sent the CR segment. It is possible that the Cx segment has been retransmitted because a previous responding acknowledgment CAx segment was lost, in which case there will no longer be any record of the session of which the segment is one token. If so, no further action is taken. Ramadas et al. Expires - March 2007 [Page 28] Internet Draft LTP - Specification September 2006 Otherwise: the "Cancel session" procedure [Sec 5.19] is invoked and a reception-session cancellation notice [Sec 6.6] is sent to the client service identified in each of the data segments received in this session. Finally, the session is closed: the "Close session" procedure [Sec 5.20] is invoked. 5.18 Stop Cancel Timer This procedure is triggered by reception of a CAx segment. Response: the session of which the segment is one token is closed, i.e., the "Close session" procedure [Sec 5.20] is invoked. 5.19 Cancel Session This procedure is triggered internally by one of the other procedures described above. Response: all segments of the affected session that are currently queued for transmission can be deleted from the outbound traffic queues. All countdown timers currently associated with the session are deleted. Note: If the local LTP engine is the originator of the session, then all remaining data retransmission buffer space allocated to the session can be released. 5.20 Close Session This procedure is triggered internally by one of the other procedures described above. Response: any remaining countdown timers associated with the session (such as the timer associated with a Cx segment) are deleted. The session state record (SSR|RSR) for the session is deleted; existence of the session is no longer recognized. 5.21 Handle Miscolored Segment This procedure is triggered by the arrival of either (a) a red- part data segment whose block offset begins at an offset higher than the offset of any green-part data segment previously received for the same session or (b) a green-part data segment whose block offset begins at an offset lower than the offset of any red-part data segment previously received for the same session. Response: the received data segment is simply discarded. The Cancel Session procedure [Sec 5.19] is invoked and a CR segment with reason-code MISCOLORED SHOULD be enqueued for Ramadas et al. Expires - March 2007 [Page 29] Internet Draft LTP - Specification September 2006 transmission to the data sender. Note : If there is no transmission queue-set bound for the block sender (possibly because the local LTP engine is running on a receive-only device), or if the block receiver knows that the sender of this green-part data is functioning in a "beacon" (transmit-only) fashion, a CR segment need not be sent. A Reception-Session Cancellation Notice [Sec 6.6] is sent to the client service. 5.22 Handling System Error Conditions It is possible (especially for long-lived LTP sessions) that an unexpected operating-system error condition may occur during the lifetime of an LTP session. An example is the case where the system faces severe memory crunch forcing LTP sessions into a scenario similar to that of TCP SACK [SACK] reneging. But unlike TCP SACK reception reports which are advisory, LTP reception reports are binding, and reneging is NOT permitted on previously made reception claims. Under any such irrecoverable system error condition, the following response is to be initiated: The Cancel Session procedure [Sec 5.19] is invoked. If the session is a local sender session, a CS segment with reason-code SYS_CNCLD SHOULD be enqueued for transmission to the receiver, and a Transmission-Session Cancellation Notice [Sec 6.5] is sent to the client service. On the other hand, if it is a local receiver session, a CR segment with the same reason-code SYS_CNCLD SHOULD be enqueued for transmission to the sender, and a Reception-Session Cancellation Notice [Sec 6.6] is sent to the client service. Note that as in Sec 5.21, if there is no transmission queue-set bound for the block sender (possibly because the local LTP engine is running on a receive-only device), or if the block receiver knows that the sender of this green-part data is functioning in a "beacon" (transmit-only) fashion, a CR segment need not be sent. There may be other implementation-specific limits which may cause an LTP implementation to initiate session-cancellation procedures. One such limit is the maximum number of retransmission-cycles seen. A retransmission cycle at the LTP sender comprises the two related sets of events: the transmission of all outstanding CP segments from the sender, and the reception of all related RS segments issued from the receiver in response to those CP segments. Similar definition would apply at the LTP receiver but relate to the reception of the CP segments and transmission of all Ramadas et al. Expires - March 2007 [Page 30] Internet Draft LTP - Specification September 2006 RS segments in response. Note that retransmitted CP, RS segments remain part of their original retransmission-cycle. Also, a single CP segment may cause multiple RS segments to be generated if a Reception Report would not fit in the datalink-MTU-sized RS segment; All such RS segments issued are part of the same retransmission cycle to which the CP segment belongs. In the presence of severe channel error conditions, many retransmission- cycles may elapse before red-part transmission is deemed successful; an implementation may therefore impose a retransmission-cycle limit to shield itself from a resource-crunch situation. If a sender LTP notices the retransmission-cycle limit being crossed, it SHOULD initiate the Cancel Session Procedure [Sec 5.19] queuing a CS segment with reason-code RXMTCYCEXC and send a Transmission-Session Cancellation Notice [Sec 6.5] to the client-service. 6. Notices to Client Service In all cases the representation of notice parameters is a local implementation matter. 6.1 Session Start The LTP engine returns the session ID of the new transmission session when a session start notice is delivered. A session start notice informs the client service of the initiation of a transmission session in response to a transmission request from that client service. On receiving this notice the client service may, for example, release resources of its own that are allocated to the block being transmitted, or remember the session ID so that the session can be canceled in the future if necessary. 6.2 Green-Part Segment Arrival The following parameters are provided by the LTP engine when a green-part segment arrival notice is delivered: Session ID of the transmission session. Array of client service data bytes contained in the data segment. Offset of the data segment's content from the start of the block. Length of the data segment's content. Ramadas et al. Expires - March 2007 [Page 31] Internet Draft LTP - Specification September 2006 Indication as to whether or not the last byte of this data segment's content is also the end of the block. Source LTP engine ID. 6.3 Red-Part Reception The following parameters are provided by the LTP engine when a red-part reception notice is delivered: Session ID of the transmission session. Array of client service data bytes that constitute the red-part of the block. Length of the red-part of the block. Indication as to whether or not the last byte of the red-part is also the end of the block. Source LTP engine ID. 6.4 Transmission-Session Completion The sole parameter provided by the LTP engine when a transmission- session completion notice is delivered is the session ID of the transmission session. A transmission-session completion notice informs the client service that all bytes of the indicated data block have been transmitted and the destination LTP engine has received the red- part of the block. 6.5 Transmission-Session Cancellation The parameters provided by the LTP engine when a transmission- session cancellation notice is delivered are: Session ID of the transmission session. The reason-code sent or received in the Cx segment that initiated the cancellation sequence. A transmission-session cancellation notice informs the client service that the indicated session was terminated, either by decision of the destination client service instance or due to violation of a retransmission limit in the local LTP engine. There is no assurance that the destination client service instance Ramadas et al. Expires - March 2007 [Page 32] Internet Draft LTP - Specification September 2006 received the critical part of the data block. 6.6 Reception-Session Cancellation The parameters provided by the LTP engine when a reception cancellation notice is delivered are: Session ID of the transmission session. The reason-code explaining the cancellation. A reception-session cancellation notice informs the client service that the indicated session was terminated, either by decision of the source client service instance or due to error conditions at the local LTP engine. No subsequent delivery notices will be issued for this session. 6.7 Initial-Transmission Completion The session ID of the transmission session is included with the initial-transmission completion notice. This notice informs the client service that all segments of a block (both red-part and green-part) have been transmitted. This notice only serves to indicate that original transmission is complete; retransmissions of any lost red-part data segments may still be necessary. 7. State Transition Diagrams The following mnemonics have been used in the sender and receiver LTP state transition diagrams that follow : TE Timer Expiry RDS Regular Red Data Segment (NOT {CP|EORP|EOB}) GDS Regular Green Data Segment (NOT EOB) RL EXC Retransmission Limit Exceeded Both the diagrams have been specified in two parts such that sequence of state transitions that occur multiple times in the main diagram have been presented in the second part. Note that blocks represented in rectangles as in +---------+ | FG_XMIT | +---------+ specify actual states in the state-transition diagrams, while Ramadas et al. Expires - March 2007 [Page 33] Internet Draft LTP - Specification September 2006 blocks represented as in /\/\/\/\ | Cncld | \/\/\/\/ are not actual states but merely pointers to a state or a sequence of state transitions represented elsewhere in the state transition diagram (to avoid having multiple copies of a sequence of state transitions, thus accommodating space constraints). Ramadas et al. Expires - March 2007 [Page 34] Internet Draft LTP - Specification September 2006 7.1 Sender LTP Sender State Transition Diagram /\/\/\/\ | Cncld | \/\/\/\/ +--------+ | +------+ Rcv CR; | V V V | Rcv RS; Snd CAR | +-------------+ | Snd RA +-------+ CLOSED +----+ +---------------------------->+------+------+ | | Blk. Trans. Req | Zero RP + | Xmit ________________________/ \ Non-Zero RP | GDS; / \ | +---+ | +------------------+ | +------+ | | V V | /\/\ Rcv RS V V V | | | +---------+ +<-| RX |<---+ +---------+ | | +<-+ FG_XMIT | | \/\/ +---+ +--->+ Xmit RDS; | +----+----+ | | RP_XMIT | | | | | /\/\ +---+ +--->+ Xmit {RDS, CP}; +<--------+ +<-| CP |<---+ +-----+---+ Start CP Tmr | Xmit \/\/ CP TE | \ | {GDS, EOB}; | | | Xmit {RDS, CP, EORP}; | +-------+ | Start CP Tmr | | | | | | +------------------+ | +---+ | Xmit {RDS, | | /\/\ Rcv RS V V V | | CP, EORP, | +<-| RX |<---+ +---------+ | | EOB}; | | \/\/ +---+ | | | Start | | | GP_XMIT +->+ | CP Tmr | | /\/\ +---+ | Xmit | | +<-| CP |<---+ +-----+---+ GDS; | | \/\/ CP TE | | | | | | Xmit {GDS, EOB}; | +---------+ | | | | +------------------+ | | | | /\/\ Rcv RS V V V | +<-| RX |<---+ +-------------+ | | \/\/ +---+ | | | | WAIT_RP_ACK | | | /\/\ +---+ | | +<-| CP |<---+ +-----+-------+ | \/\/ CP TE | RP acknowledged fully; | V +----------------------------------------+ Ramadas et al. Expires - March 2007 [Page 35] Internet Draft LTP - Specification September 2006 LTP Sender State Transition Diagram (contd.) /\/\ /\/\ | CP | | CX | \/\/ \/\/ | | | Snd CS, | | RL EXC; | Start CS Tmr; | | | | | /\/\ | +---+ | +------>| CX | V V | | \/\/ +---------+ | CS TE, | | CS_SENT | | RL NOT EXC; V RL NOT EXC; +-+--+--+-+ | Rxmt CS, Rxmt CP, | | | | Restart Start CP Tmr; CS TE, | | +---+ CS Tmr RL EXC; | | | | Rcv CAS; V V /\/\/\/\ | Cncld | \/\/\/\/ /\/\ | RX | \/\/ | Cncl CP Tmr (if any) V Snd RA +---------+ +----+ | CHK_RPT | | | +-+--+----+ RP in scope V | | | \ NOT rcvd. fully +---------+ | Rxmt Redundant | | RP +--------------------->| RP_RXMT | | missing RS rcvd; | | in scope +----+--+-+ | RDS; | | rcvd. fully | | | V V Rxmt last | +----+ missing RDS | (marked CP) | Start CP Tmr; | V Ramadas et al. Expires - March 2007 [Page 36] Internet Draft LTP - Specification September 2006 The sender LTP stays in the CLOSED state until receiving a Block Transmission Request (Blk. Trans. Req) from the client service instance. Upon receiving the request it either moves to the Fully Green Transmission State (FG_XMIT) if no portion of the block was requested to be transmitted as red, or moves to the Red-Part Transmission State (RP_XMIT) state if a non-zero block-prefix was requested to be transmitted red. In the FG_XMIT state, the block is segmented as multiple green LTP data segments respecting the link MTU size and the segments are queued for transmission to the remote engine. The last such segment is marked as EOB and the sender LTP returns to the CLOSED state after queuing it for transmission. Similarly, from the RP_XMIT state multiple red data segments are queued for transmission. The sender LTP may optionally mark some of the red data segments as asynchronous checkpoints; the internal procedure Start Checkpoint Timer [Sec 5.2] is followed upon receiving a link-state cue indicating the actual beginning of transmission of such segments. The sender LTP marks the last red-data segment of the block as both CP and EORP, and after queuing it for transmission moves to the Green Part Transmission (GP_XMIT) state. If the block transmission was fully red however, the last red-data segment is marked as CP, EORP, and EOB and the sender LTP moves to the Wait-for- Red-Part-Acknowledgment (WAIT_RP_ACK) state instead. For both the above state-transitions, the internal procedure Start Checkpoint Timer [Sec 5.2] is followed upon receiving a link-state cue indicating the beginning of transmission of the queued CP segments. If the sender LTP entered the GP_XMIT state, the remaining green-part of the block is segmented as green data segments and queued for transmission to the receiver LTP; the last green segment of the block is additionally marked as EOB and the sender LTP moves to the WAIT_RP_ACK state. While the sender LTP is at any of the RP_XMIT, GP_XMIT, or WAIT_RP_ACK states, it might be interrupted by the following two events asynchronously: 1. An RS might be received from the receiver LTP (either in response to a previously transmitted CP segment or sent asynchronously for accelerated retransmission). The sender LTP then moves to perform the sequence of state transitions beginning at the RX marker (second-part of the diagram), and retransmits data if necessary, illustrating the internal procedure Retransmit Data [Sec 5.13]: First, if the RS segment had a non-zero CP serial number, the corresponding CP timer is canceled. Then, an RA segment Ramadas et al. Expires - March 2007 [Page 37] Internet Draft LTP - Specification September 2006 acknowledging the received RS segment is queued for transmission to the receiver LTP and the sender LTP moves to the Check Report state (CHK_RPT). If the RS segment was redundantly transmitted by the receiver LTP (possibly because either the last transmitted RA segment got lost or the RS segment timer expired prematurely at the receiver), the sender LTP does nothing more and returns back to the interrupted state. Similarly, if all red-data within the scope of the RS segment is reported as received, there is no work to be done and the sender LTP returns to the interrupted state. However, if the RS segment indicated incomplete reception of data within its scope, the sender LTP moves to the Red-part Retransmit state (RP_RXMT) where missing red data-segments within scope are queued for transmission. The last such segment is marked as a CP, and the sender LTP returns to the interrupted state. The internal procedure [Sec 5.2] is followed upon receiving a link-state cue indicating beginning of transmission of the CP segment. 2. A previously set CP timer might expire. Now the sender LTP follows the states beginning at the CP marker (second-part of the diagram), and follows the internal procedure Retransmit Checkpoint [Sec 5.7]: If the CP Retransmission Limit set by network management for the session has been exceeded, the sender LTP proceeds towards canceling the session (with reason-code RLEXC) as indicated by the sequence of state transitions following the CX marker. Otherwise (if the Retransmission Limit is not exceeded yet), the CP segment is queued for retransmission and the sender LTP returns to the interrupted state. The Start Checkpoint Timer internal procedure [Sec 5.2] is started again upon receiving a link-state cue indicating the beginning of transmission of the segment. The sender LTP stays at the WAIT_RP_ACK state after reaching it until the red-part data is fully acknowledged as received by the receiver LTP, and then returns to the CLOSED state following the internal procedure Close Session [Sec 5.20]. Note that while at the CLOSED state, the sender LTP might receive an RS segment (if the last transmitted RA segment before session close got lost or if the receiver LTP retransmitted the RS segment prematurely), in which case it retransmits an acknowledging RA segment and stays in the CLOSED state. If the session was canceled by the Receiver by issuing a CR segment, the receiver may retransmit the CR segment (either prematurely or because the acknowledging CAR segment got lost). In this case, the sender LTP retransmits the acknowledging CAR segment and stays in the CLOSED state. Asynchronous cancel request may be received from the local client Ramadas et al. Expires - March 2007 [Page 38] Internet Draft LTP - Specification September 2006 service while the sender LTP was in any of the states mentioned. If it was not already in the sequence of state transitions beginning at the CX marker, the internal procedure Cancel Session [Sec 5.19] is followed, and the sender LTP moves from its current state into the sequence beginning at the CX marker initiating session cancellation with reason-code USR_CNCLD. From the CX marker, the CS segment with appropriate reason-code (USR_CNCLD or RLEXC depending on how the CX sequence was entered) is queued for transmission to the receiver LTP and the sender enters the Cancel-from-Sender Sent(CS_SENT) state. The internal procedure Start Cancel Timer [Sec 5.15] is started upon receiving a link-state cue indicating the beginning of transmission of the CS segment. Upon receiving the acknowledging CAS segment from the receiver, the sender LTP moves to the CLOSED state (via the Cncld marker). If the CS Timer expires, the internal procedure Retransmit Cancellation Segment [Sec 5.16] is followed: If the network management set retransmission limit is exceeded, the session is simply closed and the sender LTP follows the Cncld marker to the CLOSED state. If the retransmission limit is not exceeded however, the CS segment is queued for a retransmission and the sender LTP stays in the CS_SENT state. The CS Timer is started upon receiving a link-state cue indicating the beginning of actual transmission according to the internal procedure Start Cancel Timer [Sec 5.15]. Asynchronous cancel request may also be received from the receiver LTP in the form of a CR segment when the sender LTP is in any of the states. Upon receiving such a CR segment, the internal procedure Acknowledge Cancellation [Sec 5.17] is invoked: The sender LTP sends a CAR segment in response and returns to the CLOSED state. Ramadas et al. Expires - March 2007 [Page 39] Internet Draft LTP - Specification September 2006 7.2 Receiver LTP Receiver State Transition Diagram /\/\/\/\ +----+ +----+ Cncld | Rcv CS; | V V \/\/\/\/ Snd CAS | +-------------+ +--+ CLOSED +<--------------------------+ +------+------+ | +----+ | Rcv first DS | Rcv RA; | V V | Cncl RS Tmr | +--------+ | +---+ DS_REC | | +----------------------------->+-+--+-+-+<----------------------+---+ | | Svc. does not exist | | | RS TE | | | | /\/\ or Rcv miscolored seg. | | | /\/\ | | | | | CX |<-----------------------+ | +------------->| RX |---->+ | | | \/\/ | \/\/ | | | Rcv RDS; | Rcv GDS; | | | +-----------+------------+ | | | V V | | | /\/\ RS TE +--------------+ +--------+ | | +<-| RX |<------+ RCV_RP | | RCV_GP | | | | \/\/ +-+----+--+--+-+ +--+-+-+-+ | | | | | | | | | | | | | Rcvd RDS; | | | | Rcvd {RDS, CP, | | | RS TE /\/\ | | | | | | | EORP, EOB}; | | +------>| RX |->+ | +<----------------+ | | | Snd RS, | | \/\/ | | | | | | Start RS Tmr | | Rcvd GDS; | | | Rcvd {RDS, CP}; | | | | +---------------->+ | | Snd RS, Start RS Tmr | | +-------+ +-----+ | +<---------------------+ | | | Rcvd {GDS, EOB}; | | | | | | | | +-----+ | | +------+ | | Rcvd {RDS, CP, EORP}; | | V V V V | | | Snd RS, Start RS Tmr | | +----------------+ | Rcv RDS; | | | | | +-->+ | | | | | WAIT_RP_REC | | Rcv {RDS, CP}; | | | | | +-->+ Snd RS, Start | +<------------------------+ | +---+--+-+-+-----+ | RS Tmr | | RS TE | | | | Rcv RA; | | | V | | | Cncl | | | /\/\ | | | RS Tmr | | +---| RX | | | +-------->+ | \/\/ | | | /\/\ | | | | CX |<------------------------+ | RP rcvd. fully | \/\/ Rcv miscolored seg. +--------------------------->+ Ramadas et al. Expires - March 2007 [Page 40] Internet Draft LTP - Specification September 2006 LTP Receiver State Transition Diagram (contd.) /\/\ | RX | \/\/ | | | | RL EXC; /\/\ RL NOT EXC; | +---------->| CX | Rxmt RS, | \/\/ Start RS Tmr | V /\/\ | CX | \/\/ | Snd CR, | Start CR Tmr; | | +----+ V V | +---------+ | CR TE, | CR_SENT | | RL NOT EXC; +-+--+--+-+ | Rxmt CR, | | | | Restart CR TE, | | +---+ CR Tmr RL EXC; | | | | Rcv CAR; V V /\/\/\/\ | Cncld | \/\/\/\/ Ramadas et al. Expires - March 2007 [Page 41] Internet Draft LTP - Specification September 2006 The receiver LTP begins at the CLOSED state and enters the Data Segment Reception (DS_REC) state upon receiving the first data segment. If the client service ID referenced in the data segment was non-existent, a CX segment with reason-code UNREACH SHOULD be sent to the sender LTP with the Cancellation sequence beginning with the CX marker (second part of the diagram). If the received segment was found to be miscolored (a red-part data segment whose block offset begins at an offset higher than the offset of any green-part data segment previously received, or a green-part data segment whose block offset begins at an offset lower than the offset of any red-part data segment previously received), the internal procedure Handle Miscolored Segment [Sec 5.21] is followed; a CX segment with reason- code MISCOLORED SHOULD be sent to the sender LTP with the Cancellation sequence beginning with the CX marker. Otherwise, the receiver LTP enters the Receive Red-Part state (RCV_RP) or the Receive Green-Part state (RCV_GP) depending on whether the segment received was red or green respectively. In the RCV_RP state, a check is made of the nature of the received red DS. If the segment was a regular red data segment, the receiver LTP just returns to the DS_REC state. For red data segments marked also as CP and as CP & EORP, a responding RS segment is queued for transmission to the sender following either the internal procedure Retransmit RS [Sec 5.8] or Send Reception Report [Sec 5.11] depending on whether the CP segment was a retransmission (An RS segment corresponding to the Checkpoint Serial Number in the CP segment was previously issued) or not, respectively. The receiver LTP then returns to the DS_REC state. If the block transmission was fully red and the segment was marked as CP, EORP, and EOB, the receiver LTP enters the Wait-for-Red-Part-Reception state (WAIT_RP_REC). In all cases the internal procedure Start RS Timer [Sec 5.3] is followed upon receiving link-state cues indicating beginning of transmission of the RS segments. In the RCV_GP state, if the received green data segment was not marked EOB, the receiver LTP returns to the DS_REC state. Otherwise it enters the WAIT_RP_REC state to receive the red-part of the block fully. A previously set RS timer may expire asynchronously while the receiver LTP was in the DS_REC, RCV_RP, RCV_GP, or WAIT_RP_REC states. If so, the internal procedure Retransmit RS [Sec 5.8] is followed as illustrated in the states beginning at the RX marker (shown in the second part of the diagram) before returning to the interrupted state: A check is made here to see if the retransmission limit set by the Ramadas et al. Expires - March 2007 [Page 42] Internet Draft LTP - Specification September 2006 network management has been exceeded in the number of RSs sent in the session. If so, a CR segment with reason-code RLEXC SHOULD be sent to the sender LTP and the sequence following the CX marker is followed. Otherwise, the RS segment is queued for retransmission and the associated RS timer is started following the internal procedure Start RS Timer [Sec 5.3] upon receiving a link-state cue indicating the beginning of its transmission. The receiver LTP may also receive RA segments from the sender in response to the RS segments sent while in the DS_REC state. If so, then the RS timer corresponding to the report serial number mentioned in the RA segment is canceled following the internal procedure Stop RS Timer [Sec 5.14]. The receiver LTP stays in the WAIT_RP_REC state until the entire red- part of the block is received, and moves to the CLOSED state upon full red-part reception. In this state, a check is made upon reception of every red-part data segment to see if it is at a block offset higher than any green-part data segment received. If so, the Handle Miscolored Segment internal procedure [Sec 5.21] is invoked and the sequence of state transitions beginning with the CX marker is followed; a CX segment with reason-code MISCOLORED SHOULD be sent to the sender LTP with the Cancellation sequence beginning with the CX marker. Note that if there were no red data segments received in the session yet, including the case where the session was indeed fully green or the pathological case where the entire red-part of the block gets lost but at least the green data segment marked EOB is received (the receiver LTP has no indication of whether the session had a red-part transmission), the receiver LTP assumes the "RP rcvd. fully" condition to be true and moves to the CLOSED state from the WAIT_RP_REC state. In the WAIT_RP_REC state, the receiver LTP may receive the retransmitted red data segments. Upon receiving red data segments marked CP, it queues the responding RS segment for transmission based on either internal procedure Retransmit RS [Sec 5.8] or Send Reception Report [Sec 5.11] depending on whether the CP was found to be a retransmission or not, respectively. The Start RS Timer internal procedure is invoked upon receiving a link-state cue indicating the beginning of transmission of the RS segment. If an RA segment is received, the RS timer corresponding to the report segment mentioned is canceled and the receiver LTP stays in the state until the entire red-part is received. In the sequence of state transitions beginning at the CX marker, the CR segment with the given reason-code (depending on how the sequence Ramadas et al. Expires - March 2007 [Page 43] Internet Draft LTP - Specification September 2006 is entered) is queued for transmission, and the CR timer is started upon reception of the link-state cue indicating actual transmission following internal procedure Start Cancel Timer [Sec 5.15]. If the CAR segment is received from the sender LTP, the receiver LTP returns to the CLOSED state (via the Cncld marker) following the Stop Cancel Timer internal procedure [Sec 5.18]. If the CR timer expires asynchronously, the internal procedure Retransmit Cancellation Segment [Sec 5.16] is followed : A check is made to see if the retransmission limit set by the network management for the number of CR segments per session has been exceeded. If so, the receiver LTP returns to the CLOSED state following the Cncld marker. Otherwise, a CR segment is scheduled for retransmission with the CR timer being started following the internal procedure Start Cancel Timer [Sec 5.15] upon reception of a link-state cue indicating actual transmission. The receiver LTP might also receive a retransmitted CS segment at the CLOSED state (either if the CAS segment previously transmitted was lost or if the CS timer expired prematurely at the sender LTP). In such a case the CAS is scheduled for retransmission. Asynchronous cancel requests are handled similar to the way they are handled in the sender LTP. If the cancel request was made from the local client service instance and the receiver LTP was not already in the CR_SENT state, a CR segment with reason-code USR_CNCLD SHOULD be sent to the sender LTP following the sequence of state transitions beginning at the CX marker as described above. If the asynchronous cancel request is received from the sender LTP, a CAS segment is sent and the receiver LTP moves to the CLOSED state (independent of the state the receiver LTP may be in). 8. Requirements from the Operating Environment LTP requires support from its operating environment (which includes network management activities) and link-state cues from the data-link layer for its operations. The local data-link layer needs to inform LTP whenever the link to a specific LTP destination is brought up or torn down. Similarly, the operating environment needs to inform the local LTP engine whenever it is known that a remote LTP engine is set to begin or stop communication with the local engine based on the operating schedules. LTP requires link state cues from the datalink layer upon transmission of the CP, RS, EORP, EOB, and Cx segments. LTP also needs to be able to query the current distance (in light seconds) to any peer engine in order to calculate timeout intervals in a typical deep-space environment. Ramadas et al. Expires - March 2007 [Page 44] Internet Draft LTP - Specification September 2006 A MIB (Management Information Base), with the above parameters filled in by the local data-link layer and the operating environment periodically, should be made available to the LTP engine for its operations. The exact details of the MIB are, however, beyond the scope of this document. The underlying data-link layer is required to never deliver incompletely received LTP segments to LTP. In the absence of the use of LTP authentication [LTPEXT] LTP also requires the underlying data- link layer to perform data integrity check of the segments received. Specifically, the data-link layer is expected to detect any corrupted segments received and to silently discard them. 9. Security Considerations There is a clear risk that unintended receivers can listen in on LTP transmissions over satellite and other radio broadcast datalinks. Such unintended recipients of LTP transmissions may also be able to manipulate LTP segments at will. Hence there is a potential requirement for confidentiality, integrity and anti-DoS (Denial of Service) security services and mechanisms. In particular, DoS problems are more severe for LTP compared to other typical internet protocols because LTP inherently retains state for long periods, and has very high time-out values. Further, it could be difficult to reset LTP nodes to recover from an attack. Thus any adversary who can actively attack an LTP transmission has the potential to create severe DoS conditions for the LTP receiver. To give a terrestrial example - were LTP to be used in a sparse sensor network, DoS attacks could be mounted resulting in nodes missing critical information, for example, communications schedule updates. In such cases, a single successful DoS attack could take a node entirely off the network until the node is physically visited and reset. Even for deep space applications of LTP, we do need to consider certain terrestrial attacks, in particular those involving insertion of messages into an on-going session (usually without having seen the exact bytes of the previous messages in the session). Such attacks are likely in the presence of firewall failures at various nodes in the network, or due to Trojan software running on an authorized host. Many message insertion attacks will depend on the attacker correctly "guessing" something about the state of the LTP peers, but experience shows that successful guesses are easier than might be thought [DDJ]. Ramadas et al. Expires - March 2007 [Page 45] Internet Draft LTP - Specification September 2006 9.1 Security Mechanisms and Layering Considerations In this section we consider the appropriate layer(s) at which security mechanisms can best be deployed to increase the security properties of LTP. The Application layer (above-LTP) Higher layer security mechanisms clearly protect LTP payload, but leave LTP headers open. Such mechanisms provide little or no protection against DoS type attacks against LTP, but may well provide sufficient data integrity and ought to be able to provide data confidentiality. The LTP layer An authentication header (similar to IPSEC [AH]) can help protect against replay attacks and other bogus packets. However, an adversary may still see the LTP header of segments passing by in the ether. This approach also requires some key management infrastructure to be in place in order to provide strong authentication, which may not always be an acceptable overhead. Such an authentication header could mitigate many DoS attacks. Similarly, a confidentiality service could be defined for LTP payload and (some) header fields. However, this seems less attractive since (a) confidentiality is arguably better provided either above or below the LTP layer, (b) key management for such a service is harder (in a high-delay context) than for an integrity service, and (c) forcing LTP engines to attempt decryption of incoming segments can in itself provide a DoS opportunity. Further, within the LTP layer we can make various design decisions to reduce the probability of successful DoS attacks. In particular, we can mandate that values for certain fields in the header (session numbers, for example) be chosen randomly. The Datalink layer (below-LTP) The lower layers can clearly provide confidentiality and integrity services, although such security may result in unnecessary overhead (if a service provided is not required for all LTP sessions, for example) and loss of flexibility. However, the lower layers may well be the optimal place to do compression and encryption. 9.2 Denial of Service Considerations Ramadas et al. Expires - March 2007 [Page 46] Internet Draft LTP - Specification September 2006 Implementers SHOULD consider the likelihood of the following DoS attacks : A fake Cx could be inserted, thus bringing down a session. Various acknowledgment segments (RA, RS, etc.) could be deleted, causing timers to expire, and has the potential to disable communication altogether if done with a knowledge of the communications schedule. This could be achieved either by mounting a DoS attack on a lower layer service in order to prevent it from sending an acknowledgment segment, or by simply jamming the transmission (all of which are more likely for terrestrial applications of LTP). An attacker might also corrupt some bits, which is tantamount to deleting that segment. An attacker may flood a node with segments for the internal operations queue and prevent transmission of legitimate data segments. An attacker could attempt to fill up the storage in a node by sending many large messages to it. In terrestrial LTP applications this may be much more serious since spotting the additional traffic may not be possible from any network management point. LTP includes the following anti-DoS mechanisms: Session numbers MUST be partly random making it harder to insert valid segments. A node which suspects that either it or its peer is under DoS attack could frequently checkpoint its data segments (if it were the sender) or send asynchronous RSs (if it were the receiver), thus eliciting an earlier response from its peer or timing out earlier due to the failure of an attacker to respond. Serial numbers (checkpoint serial numbers, report serial numbers) MUST begin each session anew using random numbers rather than from 0. The authentication header [LTPEXT]. 9.3 Replay Handling The following algorithm is given as an example of how an LTP implementation MAY handle replays. Ramadas et al. Expires - March 2007 [Page 47] Internet Draft LTP - Specification September 2006 1. On receipt of an LTP segment, check against a cache for replay. If this is a replay segment and if a pre-cooked response is available (stored from the last time this segment was processed), then send the pre-cooked response. If there is no pre-cooked response then silently drop the inbound segment. This can all be done without attempting to decode the buffer. 2. If the inbound segment does not decode correctly, then silently drop the segment. If the segment decodes properly, then add its hash to the replay cache and return a handle to the entry. 3. For those cases where a pre-cooked response should be stored, store the response using the handle received from the previous step. These cases include: (a) when the inbound packet is a CP segment the response RS segment gets stored as pre-cooked; (b) when the incoming packet is an RS segment the RA segment is stored as precooked, and, (c) when the incoming packet is a Cx segment the CAx segment sent in response gets stored precooked. 4. Occasionally clean out the replay cache - how frequently this happens in an implementation issue. The downside of this algorithm is that receiving a totally bogus segment still results in a replay cache search and attempted LTP decode operation. It is not clear that it is possible to do much better though, since all an attacker would have to do to get past the replay cache would be to tweak a single bit in the inbound segment each time, which is certainly cheaper than the hash+lookup+decode combination, though also certainly more expensive than simply sending the same octets many times. The benefit of doing this is that implementers no longer need to analyze many bugs/attacks based on replaying packets, which in combination with the use of LTP authentication should defeat many attempted DoS attacks. 9.4 Implementation Considerations SDNV Implementations SHOULD make sanity checks on SDNV length fields and SHOULD check that no SDNV field is too long when compared with the overall segment length. Ramadas et al. Expires - March 2007 [Page 48] Internet Draft LTP - Specification September 2006 Implementations SHOULD check that SDNV values are within suitable ranges where possible. Byte ranges Various report and other segments contain offset and length fields. Implementations MUST ensure that these are consistent and sane. Randomness Various fields in LTP (e.g. serial numbers) should be initialized using random values. Good sources of randomness which are not easily guessable SHOULD be used [ECS94]. The collision of random values is subject to the birthday paradox, which means that a collision is likely after roughly the square-root of the space has been seen (e.g. 2^16 in the case of a 32-bit random value). Implementers MUST ensure that they use sufficiently long random values so that the birthday paradox doesn't cause a problem in their environment. 10. IANA Considerations The UDP port number 1113 with the name "ltp-deepspace" has been reserved for LTP deployments. An LTP implementation may be implemented to operate over UDP datagrams using this port numbers for study and testing over the Internet. 11. Acknowledgments Many thanks to Tim Ray, Vint Cerf, Bob Durst, Kevin Fall, Adrian Hooke, Keith Scott, Leigh Torgerson, Eric Travis, and Howie Weiss for their thoughts on this protocol and its role in Delay-Tolerant Networking architecture. Part of the research described in this document was carried out at the Jet Propulsion laboratory, California Institute of Technology, under a contract with the National Aeronautics and Space Administration. This work was performed under DOD Contract DAA-B07- 00-CC201, DARPA AO H912; JPL Task Plan No. 80-5045, DARPA AO H870; and NASA Contract NAS7-1407. Thanks are also due to Shawn Ostermann, Hans Kruse, Dovel Myers, and Jayram Deshpande at Ohio University for their suggestions and advice in making various design decisions. Part of this work was carried out at Trinity College Dublin as part of the SeNDT contract funded by Enterprise Ireland's research Ramadas et al. Expires - March 2007 [Page 49] Internet Draft LTP - Specification September 2006 innovation fund. 12. References 12.1 Normative References [B97] S. Bradner, "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [LTPMTV] Burleigh, S., Ramadas, M., and Farrell, S., "Licklider Transmission Protocol - Motivation", draft-irtf-dtnrg-ltp- motivation-01.txt (Work in Progress), July 2005. [LTPEXT] Farrell, S., Ramadas, M., and Burleigh, S., "Licklider Transmission Protocol - Extensions", draft-irtf-dtnrg-ltp- extensions-01.txt (Work in Progress), July 2005. 12.2 Informative References [AH] Kent, S., and R. Atkinson, "IP Authentication Header", RFC 2402, November 1998. [ASN1] Abstract Syntax Notation One (ASN.1). ASN.1 Encoding Rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER), and Distinguished Encoding Rules (DER). ITU-T Rec. X.690 (2002) | ISO/IEC 8825-1:2002. [DDJ] I. Goldberg and E. Wagner, "Randomness and the Netscape Browser", Dr. Dobb's Journal, 1996, (pages 66-70). [BP] K. Scott, and S. Burleigh, "Bundle Protocol Specification", Work in Progress, October 2003. [DTN] K. Fall, "A Delay-Tolerant Network Architecture for Challenged Internets", In Proceedings of ACM SIGCOMM 2003, Karlsruhe, Germany, Aug 2003. [IPN] InterPlanetary Internet Special Interest Group web page, "http://www.ipnsig.org". [ECS94] D. Eastlake, S. Crocker, and J. Schiller, "Randomness Recommendations for Security", RFC 1750, December 1994. [SACK] M. Mathis, J. Mahdavi, S. Floyd, and A. Romanow, "TCP Selective Acknowledgement Options", RFC 2018, October 1996. 13. Author's Addresses Ramadas et al. Expires - March 2007 [Page 50] Internet Draft LTP - Specification September 2006 Manikantan Ramadas Internetworking Research Group 301 Stocker Center Ohio University Athens, OH 45701 Telephone +1 (740) 593-1562 Email mramadas@irg.cs.ohiou.edu Scott C. Burleigh Jet Propulsion Laboratory 4800 Oak Grove Drive M/S: 179-206 Pasadena, CA 91109-8099 Telephone +1 (818) 393-3353 FAX +1 (818) 354-1075 Email Scott.Burleigh@jpl.nasa.gov Stephen Farrell Distributed Systems Group Computer Science Department Trinity College Dublin Ireland Telephone +353-1-608-3070 Email stephen.farrell@cs.tcd.ie Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Ramadas et al. Expires - March 2007 [Page 51] Internet Draft LTP - Specification September 2006 Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Ramadas et al. Expires - March 2007 [Page 52]