Delay Tolerant Networking Research Group M. Ramadas Internet Draft Ohio University S. Burleigh December 2004 NASA/Jet Propulsion Laboratory Expires June 2005 S. Farrell Trinity College Dublin Licklider Transmission Protocol - Specification Status of this Memo By submitting this Internet-Draft, we certify that any applicable patent or other IPR claims of which we are aware have been disclosed, or will be disclosed, and any of which we become aware will be disclosed, in accordance with RFC 3668. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than a "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [B97]. Discussions on this internet-draft are being made in the Delay Tolerant Networking Research Group (DTNRG) mailing list. More information can be found in the DTNRG web-site at http://www.dtnrg.org Abstract This document describes the Licklider Transmission Protocol (LTP) designed to provide retransmission-based reliability over links characterized by extremely long message round-trip times (RTTs) Ramadas et al. Expires - June 2005 [Page 1] Internet Draft LTP - Specification December 2004 and/or frequent interruptions in connectivity. Since communication across interplanetary space is the most prominent example of this sort of environment, LTP is principally aimed at supporting "long- haul" reliable transmission in interplanetary space, but has applications in other environments as well. In an Interplanetary Internet setting deploying the Bundling protocol being developed by the Delay Tolerant Networking Research Group, LTP is intended to serve as a reliable convergence layer over single hop deep-space RF links. LTP does ARQ of data transmissions by soliciting selective-acknowledgment reception reports. It is stateful, and has no negotiation or handshakes. Table of Contents 1. Introduction ................................................. 3 2. Terminology .................................................. 3 3. Segment Structure ............................................ 8 3.1 Segment Header ........................................... 9 3.1.1 Segment Type Flags .................................. 10 3.1.2 Segment Type Codes .................................. 10 3.1.3 Segment Class Masks ................................. 11 3.1.4 Extensions Field .................................... 12 3.2 Segment Content .......................................... 13 3.2.1 Data Segment ........................................ 13 3.2.2 Report Segment ...................................... 14 3.2.3 Report Acknowledgment Segment ....................... 16 3.2.4 Session Management Segments ......................... 16 3.3 Segment Trailer .......................................... 17 4. Requests from Client Service ................................. 17 4.1 Transmission Request ..................................... 17 4.2 Cancellation Request ..................................... 18 5. Internal Procedures .......................................... 19 5.1 Start Transmission ....................................... 19 5.2 Start Checkpoint Timer ................................... 19 5.3 Start RS Timer ........................................... 20 5.4 Stop Transmission ........................................ 20 5.5 Suspend Timers ........................................... 20 5.6 Resume Timers ............................................ 21 5.7 Retransmit Checkpoint .................................... 21 5.8 Retransmit RS ............................................ 22 5.9 Signify Red-Part Reception ............................... 22 5.10 Signify Green-Part Segment Arrival ...................... 22 5.11 Send Reception Report ................................... 23 5.12 Signify Transmission Completion ......................... 24 5.13 Retransmit Data ......................................... 25 5.14 Stop RS Timer ........................................... 26 5.15 Start Cancel Timer ...................................... 26 Ramadas et al. Expires - June 2005 [Page 2] Internet Draft LTP - Specification December 2004 5.16 Retransmit Cancellation Segment ......................... 26 5.17 Acknowledge Cancellation ................................ 26 5.18 Stop Cancel Timer ....................................... 27 5.19 Cancel Session .......................................... 27 5.20 Close Session ........................................... 27 5.21 Handle Miscolored Segment ............................... 27 6. Notices to Client Service .................................... 28 6.1 Session Start ............................................. 28 6.2 Green-Part Segment Arrival ................................ 28 6.3 Red-Part Reception ........................................ 29 6.4 Transmission Completion ................................... 29 6.5 Transmission Cancellation ................................. 29 6.6 Reception Cancellation .................................... 30 7. State Transition Diagrams ..................................... 30 7.1 Sender .................................................... 32 7.2 Receiver .................................................. 37 8. Requirements from the Operating Environment ................... 41 9. Security Considerations ....................................... 42 9.1 Security Mechanisms and Layering Considerations ........... 43 9.2 Denial of Service Considerations .......................... 44 9.3 Replay Handling ........................................... 45 9.4 Implementation Considerations ............................. 46 10. IANA Considerations .......................................... 46 11. Acknowledgments .............................................. 47 12. References ................................................... 47 12.1 Normative References ..................................... 47 12.2 Informative References ................................... 47 13. Author's Addresses ........................................... 48 14. Copyright Statement .......................................... 48 1. Introduction This document serves as the main protocol specification of LTP, and is part of a series of documents describing LTP. Other documents in this series include the motivation document [LTPMOTIVE] and the protocol extensions document [LTPEXT] respectively. We strongly recommend reading the protocol motivation document before reading the following document to establish sufficient background and motivation for the contents that follow in this document. 2. Terminology (1) Engine ID A number that uniquely identifies a given LTP engine, within some closed set of communicating LTP engines. Note that when LTP is operating underneath the DTN Bundling protocol [BP][DTN], the convergence layer adapter mediating between the two will be Ramadas et al. Expires - June 2005 [Page 3] Internet Draft LTP - Specification December 2004 responsible for translating between DTN endpoint IDs and LTP engine IDs in an implementation-specific manner. (2) Block An array of contiguous octets of application data handed down by the upper layer protocol (typically Bundling) to be transmitted via LTP from one client service instance to another. Any subset of a block comprising contiguous octets that begins at the start of the block is termed a "block prefix" and any such subset of the block that ends with the end of the block is termed a "block suffix". (3) Red-Part The block prefix that is to be transmitted reliably, i.e., subject to acknowledgement and retransmission. (4) Green-Part The block suffix that is to be transmitted unreliably, i.e., not subject to acknowledgments or retransmissions. If present, the green- part of a block begins at the octet following the end of the red- part. (5) Session A thread of LTP protocol activity conducted for the purpose of transmitting a block. (6) Segment The unit of LTP data transmission activity. It is the data structure transmitted from one LTP engine to another in the course of a session. An LTP segment is either a data segment, a report segment, a report-acknowledgment segment, a cancel segment, or a cancel- acknowledgment segment. (7) Reception Claim An assertion of reception of some number of contiguous octets of application data (a subset of a block) characterized by the offset of the first received octet and the number of contiguous octets received. (8) Scope Ramadas et al. Expires - June 2005 [Page 4] Internet Draft LTP - Specification December 2004 Scope identifies a subset of a block and comprises two numbers - upper bound and lower bound. For a data segment, lower bound is the offset of the segment's application data from the start of the block (in octets), while upper bound is the sum of the offset and length of the segment's application data (in octets). For example, a segment with block offset 1000 and length 500 would have a lower bound 1000 and upper bound 1500. For a report segment, upper bound is the end of the block prefix to which the reception claims in the report apply, while lower bound is the end of the (smaller) interior block prefix to which the reception claims in the report do *not* apply. That is, data at any offset equal to or greater than the report's lower bound but less than its upper bound and not designated as "received" by any of the report's reception claims must be assumed not received and therefore eligible for retransmission. For example, if a report segment carried a lower bound of 1000 and an upper bound of 5000, and the reception claims indicated reception of data within offsets 1000-1999 and 3000-4999, data within the block offsets 2000-2999 can be considered eligible for retransmission. Reception reports (which may comprise multiple report segments) also have scope, as defined in Section 5.11. (9) End of Block (EOB) The last data segment transmitted as part of the original transmission of a block. This data segment also indicates that the segment's upper bound is the total length of the block (in octets). (10) End of Red-Part (EORP) That segment transmitted as part of the original transmission of a block which contains the last octet of the block's red-part. This data segment also indicates that the segment's upper bound is the length of the block's red-part (in octets). (11) Checkpoint A data segment soliciting a reception report from the receiving LTP engine. The EORP segment must be flagged as a checkpoint, as must the last segment of any retransmission; these are "mandatory checkpoints". All other checkpoints are "discretionary checkpoints". (12) Reception Report Ramadas et al. Expires - June 2005 [Page 5] Internet Draft LTP - Specification December 2004 A sequence of one or more report segments reporting on all block data reception within some scope. (13) Synchronous Reception Report A reception report that is issued in response to a checkpoint. (14) Asynchronous Reception Report A reception report that is issued in response to some implementation- defined event other than the arrival of a checkpoint. (15) Primary Reception Report A reception report that is issued in response to some event other than the arrival of a checkpoint segment that was itself issued in response to a reception report. Primary reception reports include all asynchronous reception reports and all synchronous reception reports that are sent in response to discretionary checkpoints or to the EORP segment for a session. (16) Secondary Reception Report A reception report that is issued in response to the arrival of a checkpoint segment that was itself issued in response to a reception report. (17) Self-Delimiting Numeric Value (SDNV) The design of LTP attempts to reconcile minimal consumption of transmission bandwidth with (a) extensibility to satisfy requirements not yet identified and (b) scalability across a very wide range of network sizes and transmission payload sizes. A key strategic element in the design is the use of self-delimiting numeric values (SDNVs) that are similar in design to the Abstract Syntax Notation One [ASN1] encoding of data structures. SDNVs are of two basic types, SDNV-8 and SDNV-16. An SDNV-8 can be used to encode a variable length number from 1 to 128 octets in length; an SDNV-16 can be used to encode a variable length number from 2 to 128 octets in length. The first octet of an SDNV - the "discriminant" - fully characterizes the SDNV's value. SDNV-8 If the most significant bit of the discriminant is zero, the Ramadas et al. Expires - June 2005 [Page 6] Internet Draft LTP - Specification December 2004 length of the SDNV-8 is 1 octet and the contents of the remaining 7 bits of the discriminant viewed as an unsigned integer is the value of the SDNV. An integer in the range of 0 to 127 can be encoded this way. Otherwise (if the most significant bit of the discriminant is 1), the remaining 7 bits encode the length of the SDNV's value. If the content of the remaining 7 bits viewed as an unsigned integer has the value N, the encoded number is N+1 octets long and has the value found by concatenating octets 2 through N+2 of the SDNV-8, viewed as an unsigned integer. For example, if N were 0, the following single octet would contain the value of the SDNV-8; if N were 127, the following 128 octets would contain the encoded unsigned number. SDNV-16 If the most significant bit of the discriminant is zero, then the length of the SDNV-16 is 2 octets and the contents of the remaining 7 bits of the discriminant concatenated with the following octet, viewed as a 15-bit unsigned integer, is the value encoded. An integer in the range of 0 to 32767 can be encoded this way. Otherwise (if the most significant bit of the discriminant is 1), the encoding is similar to SDNV-8. If the content of the remaining 7 bits viewed as an unsigned integer has the value N, the encoded number is N+1 octets long and has the value found by concatenating octets 2 through N+2 of the SDNV-16, viewed as an unsigned integer. An SDNV can therefore be used to represent both very large and very small integer values. For example, the maximum size of an SDNV - a 1024-bit number - is large enough to contain a fairly safe encryption key, while any whole-degree Celsius temperature in the range in which water is a liquid can be represented in a single-octet SDNV-8. In the LTP header specification that follows, various fields in the header are defined to be of types SDNV-8 or SDNV-16 depending on the typical range of values expected for the field. If a field in the header carries a number that typically requires 16 bits to encode, but under certain infrequent conditions may grow longer and require, say, 32 bits to encode, it might be optimal to specify it as an SDNV-16 instead of specifying the field as a fixed 32 bit integer. However, SDNV is clearly not the best way to represent every numeric value. When the maximum possible value of a number is known without question, the cost of an additional 8 bits of discriminant may not be Ramadas et al. Expires - June 2005 [Page 7] Internet Draft LTP - Specification December 2004 justified. For example, an SDNV-8 is a poor way to represent an integer whose value typically falls in the range 128 to 255. In general, though, we believe that SDNV representation of selected numeric values in LTP segments yields the smallest segment sizes without sacrificing scalability. (18) Client Service Instance A software entity, such as an application or a higher-layer protocol implementation, that is using LTP to transfer data. 3. Segment Structure Each LTP segment comprises (a) a "header" in the format defined below. (b) zero or more octets of "content". (c) zero or more octets of "trailer" as indicated by information in the "extensions field" of the header. LTP segments are of four general types depending on the nature of the content carried: Data segments carry client service (application) data, together with metadata enabling the receiving client service instance to receive and make use of that data. A report segment carries data reception claims together with the upper and lower bounds of the data block scope to which the claims pertain. A report-acknowledgment segment carries only the serial number of the report being acknowledged. Session management segments are of two general subtypes: Cancellation and Cancellation-acknowledgment. A Cancellation segment carries a single byte reason-code to indicate the reason for the cancellation. Cancellation-acknowledgment segments have no content. The overall segment structure is illustrated below : Ramadas et al. Expires - June 2005 [Page 8] Internet Draft LTP - Specification December 2004 Bit 0 1 2 3 4 5 6 7 ^ +-----+-----+-----+-----+-----+-----+-----+-----+ | | Version number | Segment Type Flags | | +-----------------------+-----------------------+ | | | | / Session ID \ | \ / Header +-----------------------+-----------------------+ | | Header Extension Cnt. | Trailer Extension Cnt.| | +-----------------------+-----------------------+ | | | | / Header Extensions \ | \ / V +-----------------------------------------------+ | | | | | | | Segment Content | / \ \ / | | | | | | ^ +-----------------------------------------------+ | | | Trailer / Trailer Extensions \ | \ / V +-----------------------------------------------+ 3.1 Segment Header An LTP segment header comprises three data items: a single-octet control byte, a session ID, and an extensions field. Control byte comprises the following: Version number (4 bits): MUST be set to the binary value 0000 for this version of the protocol. Segment type flags (4 bits): described below. Session ID uniquely identifies, among all transmissions between the segment's sender and receiver, the session of which the segment is one token. It comprises the following: Session originator: the engine ID of the LTP engine that initiated the session, in SDNV-8 representation. Ramadas et al. Expires - June 2005 [Page 9] Internet Draft LTP - Specification December 2004 Session number: a number in SDNV-16 representation, typically a random number (for anti-DoS reasons), generated by the LTP engine identified as the session originator. The format and resolution of session number are matters that are private to the session-originating engine; the only requirement imposed by LTP is that every session initiated by an LTP engine MUST be uniquely identified by the session ID. The extensions field is described in Section 3.1.4. 3.1.1 Segment Type Flags The last four bits of the control byte in the segment header are flags that indicate the nature of the segment. In order (most significant bit first), these flags are CTRL, EXC, Flag 1 and Flag 0. A value of 0 in the CTRL (Control) flag identifies the segment as a data segment while a value of 1 identifies it as a control segment. A data segment with the EXC (Exception) flag set to 0 is a red-part segment; a data segment with EXC set to 1 is a green-part segment. For a control segment, having the EXC flag set to 1 indicates that the segment pertains to session cancellation activity. Any data segment (whether red-part or green-part) with both Flag 1 and Flag 0 set to 1 indicates end of block. Any data segment (whether red-part or green-part) with both Flag 1 and Flag 0 set to 0 indicates data without any additional protocol significance. Any red-part data segment with either Flag bit non-zero is a checkpoint. Any red-part data segment with Flag 1 set to 1 indicates the end of the red-part of the block. 3.1.2 Segment Type Codes Combinations of the settings of the segment type flags CTRL, EXC, Flag 1 and Flag 0 constitute segment type codes which serve as concise representations of detailed segment nature. CTRL EXC Flag 1 Flag 0 Code Nature of segment ---- --- ------ ------ ---- ----------------------------------------- 0 0 0 0 0 Red data, NOT {Checkpoint or EORP or EOB} 0 0 0 1 1 Red data, Checkpoint, NOT {EORP or EOB} 0 0 1 0 2 Red data, Checkpoint, EORP, NOT EOB 0 0 1 1 3 Red data, Checkpoint, EORP, EOB 0 1 0 0 4 Green data, NOT EOB 0 1 0 1 5 Undefined 0 1 1 0 6 Undefined 0 1 1 1 7 Green data, EOB Ramadas et al. Expires - June 2005 [Page 10] Internet Draft LTP - Specification December 2004 1 0 0 0 8 Report segment 1 0 0 1 9 Report-acknowledgment segment 1 0 1 0 10 Undefined 1 0 1 1 11 Undefined 1 1 0 0 12 Cancel segment from block sender 1 1 0 1 13 Cancel-acknowledgment segment to block sender 1 1 1 0 14 Cancel segment from block receiver 1 1 1 1 15 Cancel-acknowledgment segment to block receiver 3.1.3 Segment Class Masks For the purposes of this specification, some bit patterns in the segment type flags field correspond to "segment classes" that are designated by mnemonics. The mnemonics are intended to evoke the characteristics shared by all types of segments characterized by these flag bit patterns. CTRL EXC Flag 1 Flag 0 Mnemonic Description ---- --- ------ ------ -------- --------------------------- 0 0 - 1 -- or -- 0 0 1 - CP Checkpoint 0 0 1 - EORP End of red-part; red-part size = offset + length 0 - 1 1 EOB End of block; block size = offset + length 1 0 0 0 RS Report segment; carries reception claims 1 0 0 1 RA Report-acknowledgment segment 1 1 0 0 CS Cancel segment from block sender 1 1 0 1 CAS Cancel-acknowledgment segment to block sender 1 1 1 0 CR Cancel segment from block receiver 1 1 1 1 CAR Cancel-acknowledgment segment to block receiver Ramadas et al. Expires - June 2005 [Page 11] Internet Draft LTP - Specification December 2004 1 1 - 0 Cx Cancel segment (generic) 1 1 - 1 CAx Cancel-acknowledgment segment (generic) 3.1.4 Extensions field The extension field enables the inclusion of zero or more functional extensions to the basic LTP segment, each in type-length-value (TLV) representation as explained below. The first octet of the extensions field indicates the number of extensions present in the segment: the high-order 4 bits indicate the number of extension TLVs in the header (immediately following the extensions count octet and preceding the segment's content) while the low-order 4 bits indicate the number of extension TLVs in the trailer (immediately following the segment's content). That is, each segment may have from 0 to 15 extension TLVs in its header and from 0 to 15 extension TLVs in its trailer. In the absence of any extension TLVs, all bits of this extensions count octet MUST be set to zero. Each extension consists of a one-octet tag identifying the type of extension (the "T" of the extension TLV), followed by an extension specification in SDNV-8 format. [Since an SDNV-8 comprises both a numeric data value and the length of that value, the extension specification serves to supply both the "L" and the "V" of the extension TLV.] The diagram below illustrates the extension TLVs as they may occur in the header or trailer. +--------+---------------///-+ |ext-tag | SDNV-8 spec | +--------+-------------------////-+ |ext-tag | SDNV-8 spec | +--------+-------------------////-+ |ext-tag | SDNV-8 spec | +--------+------------////-+-+ |ext-tag | SDNV-8 spec | +--------+--------------////-+ One extension type is defined at this time. Extension tag Meaning ------------- ------- 0x00 LTP authentication extension [LTPEXT] 0x01 LTP cookie estension [LTPEXT] 0x02-0xff Reserved Ramadas et al. Expires - June 2005 [Page 12] Internet Draft LTP - Specification December 2004 3.2 Segment Content 3.2.1 Data Segment (DS) The content of a data segment includes client service data and metadata enabling the receiving client service instance to receive and make use of that data. Client service ID [SDNV-8] The client service ID number identifies the upper-level service to which the segment is to be delivered by the destination LTP engine. It is functionally analogous to a well-known TCP port number. If multiple instances of the client service are present at the destination, multiplexing must be done by the client service itself on the basis of information encoded within the transmitted block. Offset [SDNV-16] Offset indicates the location of the segment's client service data within the session's transmitted block. It is the number of bytes in the block prior to the byte from which the first octet of the segment's client service data was copied. Length [SDNV-16] The length of the ensuing client service data, in octets. If the data segment is a checkpoint, the segment MUST additionally include the following two serial numbers (Checkpoint serial number and Report serial number) to support efficient retransmission. Data segments that are not checkpoints MUST NOT have these two fields in the header and MUST continue on directly with the client service data. Checkpoint serial number [SDNV-8] The checkpoint serial number uniquely identifies the checkpoint among all checkpoints issued by the block sender in a session. The first checkpoint issued by the sender MUST have this serial number chosen randomly for security reasons, and it is RECOMMENDED that the sender use the guidelines in [ECS94] for this. Any subsequent checkpoints issued by the sender MUST have the serial number value found by incrementing the prior checkpoint serial number by 1. When a checkpoint segment is retransmitted, however, its serial number MUST be the same as when it was originally Ramadas et al. Expires - June 2005 [Page 13] Internet Draft LTP - Specification December 2004 transmitted. Report serial number [SDNV-8] If the checkpoint was queued for transmission in response to the reception of an RS [Sec 5.13], then its value MUST be the report serial number value of the RS that caused the data segment to be queued for transmission. Otherwise, the value of report serial number MUST be zero. Client service data [array of octets] The client service data carried in the segment is a copy of a subset of the bytes in the original client service data block, starting at the indicated offset. 3.2.2 Report Segment (RS) The content of an RS comprises one or more data reception claims, together with the upper and lower bounds of the scope within the data block to which the claims pertain. It also includes two serial numbers to support efficient retransmission. Report serial number [SDNV-8] The report serial number uniquely identifies the report among all reports issued by the block receiver in a session. The first report issued by the receiver MUST have this serial number chosen randomly for security reasons, and it is RECOMMENDED that the receiver use the guidelines in [ECS94] for this. Any subsequent RS issued by the receiver MUST have the serial number value found by incrementing the last report serial number by 1. When an RS is retransmitted however, its serial number MUST be the same as when it was originally transmitted. Checkpoint serial number [SDNV-8] The value of checkpoint serial number MUST be zero if the report segment is NOT a response to reception of a checkpoint, i.e., the reception report is asynchronous; otherwise it is the checkpoint serial number of the checkpoint that caused the RS to be issued. Upper bound [SDNV-16] The upper bound of a report segment is the size of the block prefix to which the segment's reception claims pertain. Ramadas et al. Expires - June 2005 [Page 14] Internet Draft LTP - Specification December 2004 Lower bound [SDNV-16] The lower bound of a report segment is the size of the (interior) block prefix to which the segment's reception claims do NOT pertain. Reception claim count [SDNV-8] The number of data reception claims in this report segment. Reception claims Each reception claim comprises two elements: offset and length. Offset [SDNV-16] The offset indicates the successful reception of data beginning at the indicated offset from the lower bound of the RS. The offset within the entire block can be calculated by summing this offset with the lower bound of the RS. Length [SDNV-16] The length of a reception claim indicates the number of contiguous octets of block data starting at the indicated offset (within the scope of the report) that have been successfully received so far. Reception claims MUST conform to the following rules: A reception claim's length shall never be less than 1 and shall never exceed the difference between the upper and lower bounds of the report segment. The offset of a reception claim shall always be greater than the sum of the offset and length of the prior claim, if any. The sum of a reception claim's offset and length and the lower bound of the report segment shall never exceed the upper bound of the report segment. Implied requests for retransmission of client service data can be inferred from an RS's data reception claims. However, *nothing* can be inferred regarding reception of block data at any offset equal to or greater than the segment's upper bound or at any offset less than the segment's lower bound. For example, if the scope of a report segment has lower bound 0 and Ramadas et al. Expires - June 2005 [Page 15] Internet Draft LTP - Specification December 2004 upper bound 6000, and the report contains a single data reception claim with offset 0 and length 6000, then the report signifies successful reception of the first 6000 bytes of the block. If the total length of the block is 6000, then the report additionally signifies successful reception of the entire block. If on the other hand, the scope of a report segment has lower bound 1000 and upper bound 6000, and the report contains two data reception claims, one with offset 0 and length 2000 and the other with offset 3000 and length 500, then the report signifies successful reception only of bytes 1000-2999 and 4000-4499 of the block. From this we can infer that bytes 3000-3999 and 4500-5999 of the block need to be retransmitted, but we cannot infer anything about reception of the first 1000 bytes. 3.2.3 Report Acknowledgment Segment The content of an RA is simply the report serial number of the RS in response to which the segment was generated. Report serial number [SDNV-8] This field returns the report serial number of the RS being acknowledged. 3.2.4 Session Management Segments Note: the reason we use different cancel segment types for the originator and recipient is to allow a loopback mode to work without disturbing any replay protection mechanism in use. Cancel segments (Cx) carry a single byte reason-code with the following semantics : Reason-Code Mnemonic Semantics ----------- -------- --------------------------------------- 00 CNCLD Client Service canceled session. 01 UNREACH Unreachable Client Service. 02 RLEXC Retransmission limit exceeded. 03 MISCOLORED Received either a red-part data segment at block offset above any green-part data segment offset or a green-part data segment at block offset below any red-part data segment offset. Ramadas et al. Expires - June 2005 [Page 16] Internet Draft LTP - Specification December 2004 04-FF Undefined The Cancel-acknowledgments (CAx) have no content. 3.3 Segment Trailer The segment trailer consists of a sequence of from zero to 15 extension TLVs as described in Section 3.1.4 above. 4. Requests from Client Service In all cases the representation of request parameters is a local implementation matter, as are validation of parameter values and notification of the client service in the event that a request is found to be invalid. 4.1 Transmission Request In order to request transmission of a block of client service data, the client service MUST provide the following parameters to LTP: Client service ID Destination LTP engine ID Client service data to send, as an array of bytes. Length of the data to be sent. This value MUST NOT exceed the largest numeric value that can be represented in an SDNV-8. Length of the red-part of the data. This value MUST be in the range from zero to the total length of data to be sent. On reception of a valid transmission request from a client service, LTP proceeds as follows. First the array of data to be sent is subdivided as necessary, with each subdivision serving as the client service data of a single new LTP data segment. The algorithm used for subdividing the data is a local implementation matter; it is expected that data size constraints imposed by the underlying communication service, if any, will be accommodated in this algorithm. The last (and only the last) of the resulting data segments must be marked as the EOB. Note that segment type indicates that the client service data in a given LTP segment either is or is not in the red-part of the block. Ramadas et al. Expires - June 2005 [Page 17] Internet Draft LTP - Specification December 2004 To prevent segment type ambiguity, each data segment MUST contain either only red-part data or only green-part data. Note that this implies that, when the length of the block's red-part is N and the total length of the block M, and N is not equal to M, the (N+1)st byte of the block MUST be the first byte of client service data in some green-part data segment. If the length of the block's red-part is greater than zero, then the last data segment containing red-part data must be marked as the EORP segment by setting the appropriate segment type flag bits [Sec 3.1.2]. Zero or more preceding data segments containing red-part data (selected according to an algorithm that is a local implementation matter) MAY additionally be marked to serve as additional discretionary checkpoints [Sec 3.1.2]. All data segments are appended to the (conceptual) application data queue for transmission. Finally, a session start notice [Sec 6.1] is sent back to the client service that requested the transmission. 4.2 Cancellation Request In order to request cancellation of a session, either as sender or as receiver of the associated data block, the client service must provide to LTP the session ID of the session to be canceled. On reception of a valid cancellation request from a client service, LTP proceeds as follows. First the internal "Cancel session" procedure [Sec 5.19] is invoked. Next, if the session is being canceled by the block sender (i.e., the session originator part of the session ID supplied in the cancellation request is the local LTP engine ID): If none of the data segments previously queued for transmission as part of this session have yet been de-queued and radiated - i.e., if the destination engine cannot possibly be aware of this session - then the session is simply closed; the "Close session" procedure [Sec 5.20] is invoked. Otherwise, a CS with reason-code CNCLD MUST be queued for transmission to the destination LTP engine specified in the transmission request that started this session. Otherwise (i.e., the session is being canceled by the block receiver): Ramadas et al. Expires - June 2005 [Page 18] Internet Draft LTP - Specification December 2004 If there is no transmission queue-set bound for the block sender (possibly because the local LTP engine is running on a receive- only device), then the session is simply closed; the "Close session" procedure [Sec 5.20] is invoked. Otherwise, a CR with reason-code CNCLD MUST be queued for transmission to the block sender. 5. Internal Procedures This section describes the internal procedures that are triggered by the occurrence of various events during the life-time of the LTP session. Whenever the content of any of the fields of the header of any received LTP segment does not conform to this specification document, the segment is assumed to be corrupt and MUST be discarded immediately and processed no further. This procedure supersedes all other procedures described below. All internal procedures described below that are triggered by the arrival of a data segment are superseded by the following procedure in the event that the client service identified by the data segment does not exist at the local LTP engine: If there is no transmission queue-set bound for the block sender (possibly because the local LTP engine is running on a receive- only device), then the received data segment is simply discarded. Otherwise, if the data segment contains data from the red-part of the block, a CR with reason-code UNREACH MUST be enqueued for transmission to the block sender. A CR with reason-code UNREACH SHOULD be similarly enqueued for transmission to the data sender even if the data segment contained data from the green-part of the block; note however that (for example) in the case where the block receiver knows that the sender of this green-part data is functioning in a "beacon" (transmit-only) fashion, a CR need not be sent. In either case the received data segment is discarded. 5.1 Start Transmission This procedure is triggered by arrival of a link state cue indicating the start of transmission to a specified remote LTP engine. Response: the de-queuing and delivery of segments to the LTP engine specified in the link state cue begins. 5.2 Start Checkpoint Timer Ramadas et al. Expires - June 2005 [Page 19] Internet Draft LTP - Specification December 2004 This procedure is triggered by arrival of a link state cue indicating the de-queuing (for transmission) of a CP segment. Response: the expected arrival time of the RS that will be produced on reception of this CP segment is computed, and a countdown timer for this arrival time is started. However, if it is known that the remote LTP engine has ceased transmission [Sec 5.5], then this timer is immediately suspended, because the computed expected arrival time may require an adjustment that cannot yet be computed. 5.3 Start RS Timer This procedure is triggered by arrival of a link state cue indicating the de-queuing (for transmission) of an RS. Response: the expected arrival time of the RA that will be produced on reception of this RS is computed, and a countdown timer for this arrival time is started. However, if it is known that the remote LTP engine has ceased transmission [Sec 5.5], then this timer is immediately suspended, because the computed expected arrival time may require an adjustment that cannot yet be computed. 5.4 Stop Transmission This procedure is triggered by arrival of a link state cue indicating the cessation of transmission to a specified remote LTP engine. Response: the de-queuing and delivery to the underlying communication system of segments from traffic queues bound for the LTP engine specified in the link state cue ceases. 5.5 Suspend Timers This procedure is triggered by arrival of a link state cue indicating the cessation of transmission from a specified remote LTP engine to the local LTP engine. Normally, this event is inferred from advance knowledge of the remote engine's planned transmission schedule. Response: countdown timers for the acknowledging segments that the remote engine is expected to return are suspended as necessary based on the following procedure. The nominal acknowledge transmission time is computed as the sum of the transmission time of the original segment (to which the acknowledging segment will respond) and the one-way light time to the remote engine, plus N seconds of "additional anticipated latency" (AAL) encompassing anticipated transmission delays other than signal propagation time. N is determined in an implementation-specific Ramadas et al. Expires - June 2005 [Page 20] Internet Draft LTP - Specification December 2004 manner. For example, when LTP is deployed in deep space vehicles, the one-way light time to the remote engine may be very large while N normally need only reflect processing and queuing delay margin; it can be a network management parameter, for which 2 seconds seems to be a reasonable default value. As another example, when LTP is deployed in a terrestrial "data mule" environment, one-way light time latency is effectively zero while N may need to be some dynamically computed function of the data mule circulation schedule. If the nominal acknowledge transmission time is greater than or equal to the current time (i.e., the acknowledging segment may be presented for transmission during the time that transmission at the remote engine is suspended), then the countdown timer for this acknowledging segment is suspended. 5.6 Resume Timers This procedure is triggered by arrival of a link state cue indicating the start of transmission from a specified remote LTP engine to the local LTP engine. Normally, this event is inferred from advance knowledge of the remote engine's planned transmission schedule. Response: expected arrival time is adjusted for every acknowledging segment that the remote engine is expected to return, for which the countdown timer has been suspended. In each case, expected arrival time is increased by a transmission delay interval that is calculated as follows: The nominal acknowledge transmission time is computed as the sum of the transmission time of the original segment (to which the acknowledging segment will respond) and the one-way light time to the remote engine, plus N seconds of AAL [Sec 5.5]. If the nominal acknowledge transmission time is greater than the current time i.e., the remote engine resumed transmission prior to presentation of the acknowledging segment for transmission, then the transmission delay interval is zero. Otherwise, the transmission delay interval is computed as the current time less the nominal acknowledge transmission time. After adjustment of expected arrival time, each of the suspended countdown timers is resumed. 5.7 Retransmit Checkpoint This procedure is triggered by the expiration of a countdown timer associated with a CP segment. Ramadas et al. Expires - June 2005 [Page 21] Internet Draft LTP - Specification December 2004 Response: if the number of times this CP segment has been queued for transmission exceeds the checkpoint retransmission limit established for the local LTP engine by network management, then the session of which the segment is one token is canceled: the "Cancel session" procedure [Sec 5.19] is invoked, a CS with reason-code RLEXC is appended to the (conceptual) application data queue, and a transmission cancellation notice [Sec 6.5] is sent back to the client service that requested the transmission. Otherwise, a new copy of the CP segment is appended to the (conceptual) application data queue. 5.8 Retransmit RS This procedure is triggered by either (a) expiration of a countdown timer associated with an RS or (b) reception of a CP segment whose checkpoint serial number is equal to that of one or more previously issued RSs for the same session -- an unnecessarily retransmitted checkpoint. Response: if the number of times any affected RS has been queued for transmission exceeds the report retransmission limit established for the local LTP engine by network management, then the session of which the segment is one token is canceled: the "Cancel session" procedure [Sec 5.19] is invoked, a CR with reason-code RLEXC is queued for transmission to the LTP engine that originated the session, and a reception cancellation notice [Sec 6.6] is sent to the client service identified in each of the data segments received in this session. Otherwise, a new copy of each affected RS is queued for transmission to the LTP engine that originated the session. 5.9 Signify Red-Part Reception This procedure is triggered by the arrival of a CP segment when the EORP for this session has been received (ensuring that the size of the data block's red-part is known; this includes the case where the CP segment itself is the EORP segment) and all data in the red-part of the block being transmitted in this session have been received. Response: a red-part reception notice [Sec 6.3] is sent to the specified client service. 5.10 Signify Green-Part Segment Arrival This procedure is triggered by the arrival of a data segment whose content is a portion of the green-part of a block. Ramadas et al. Expires - June 2005 [Page 22] Internet Draft LTP - Specification December 2004 Response: a green-part segment arrival notice [Sec 6.2] is sent to the specified client service. 5.11 Send Reception Report This procedure is triggered by either (a) reception of a CP segment whose checkpoint serial number is not equal to that of any previously issued RS or (b) an implementation-specific circumstance pertaining to a particular block reception session for which no EORP has yet been received ("asynchronous" reception reporting). Response: if the number of reception problems detected for this session exceeds a limit established for the local LTP engine by network management, then the affected session is canceled: the "Cancel session" procedure [Sec 5.19] is invoked, a CR with reason- code RLEXC is issued and is, in concept, appended to the queue of internal operations traffic bound for the LTP engine that originated the session, and a reception cancellation notice [Sec 6.6] is sent to the client service identified in each of the data segments received in this session. One possible limit on reception problems would be the maximum number of reception reports which can be issued for any single session. If such limit is not reached, a reception report is issued as follows. If production of the reception report was triggered by reception of a checkpoint: The upper bound of the report SHOULD be the upper bound (the sum of the offset and length) of the checkpoint data segment, to minimize unnecessary retransmission. Note: For deployments where bandwidth economy is not critical, the upper bound of a synchronous reception report MAY be the maximum upper bound value among all red-part data segments received so far in the affected session. If the checkpoint was itself issued in response to a report segment, then this report is a "secondary" reception report. In that case the lower bound of the report SHOULD be the lower bound of the report segment to which the triggering checkpoint was itself a response, to minimize unnecessary retransmission. Note: For deployments where bandwidth economy is not critical, the lower bound of the report MAY instead be zero. If the checkpoint was not issued in response to a report segment, this report is a "primary" reception report. The lower bound of the first primary reception report issued for any session MUST be Ramadas et al. Expires - June 2005 [Page 23] Internet Draft LTP - Specification December 2004 zero. The lower bound of each subsequent primary reception report issued for the same session SHOULD be the upper bound of the prior primary reception report issued for the session, to minimize unnecessary retransmission. Note: For deployments where bandwidth economy is not critical, the lower bound of every primary reception report MAY be zero. If production of the reception report is "asynchronous" as noted above: The upper bound of the report MUST be the maximum upper bound among all red-part data segments received so far for this session. The lower bound of the first asynchronous reception report issued for any session for which no other primary reception reports have yet been issued MUST be zero. The lower bound of each subsequent asynchronous reception report SHOULD be the upper bound of the prior primary reception report issued for the session, to minimize unnecessary retransmission. Note: For deployments where bandwidth economy is not critical, the lower bound of every asynchronous reception report MAY be zero. In all cases, if the applicable lower bound of the scope of a report is determined to be greater than or equal to the applicable upper bound (e.g., due to out-of-order arrival of discretionary checkpoints) then the reception report MUST NOT be issued. Otherwise: As many RSs must be produced as are needed in order to report on all data reception within the scope of the report, given whatever data size constraints are imposed by the underlying communication service. The RSs are, in concept, appended to the queue of internal operations traffic bound for the LTP engine that originated the indicated session. The lower bound of the first RS of the report MUST be the reception report's lower bound. The upper bound of the last RS of the report MUST be the reception report's upper bound. 5.12 Signify Transmission Completion This procedure is triggered at the earliest time at which (a) all data in the block are known to have been transmitted *and* (b) the entire red-part of the block - if of non-zero length - is known to have been successfully received. Condition (a) is signaled by arrival of a link state cue indicating the de-queuing (for transmission) of the EOB segment for the block. Condition (b) is signaled by reception of an RS whose reception claims, taken together with the reception claims of all other RSs previously received in the course of this session, indicate complete reception of the red-part of the block. Ramadas et al. Expires - June 2005 [Page 24] Internet Draft LTP - Specification December 2004 Response: a transmission completion notice [Sec 6.4] is sent to the client service that requested the transmission identified in the segment header and the session is closed: the "Close session" procedure [Sec 5.20] is invoked. 5.13 Retransmit Data This procedure is triggered by reception of an RS. Response: first, an RA with the same report serial number as the RS is issued and is, in concept, appended to the queue of internal operations traffic bound for the LTP engine that originated the indicated session. If the RS is redundant -- i.e., either the indicated session is unknown (for example, the RS is received after the session has been completed or canceled), or the RS's report serial number is equal to that of a previously received report segment for this session -- then no further action is taken. Otherwise the procedure below is followed. If the report's checkpoint serial number is not zero, then the countdown timer associated with the indicated checkpoint segment is deleted. Note: All retransmission buffer space occupied by data whose reception is claimed in the report segment can be released. If the segment's reception claims indicate incomplete data reception within the scope of the report segment: If the number of transmission problems for this session exceeds a limit established for the local LTP engine by network management, then the session of which the segment is one token is canceled: the "Cancel session" procedure [Sec 5.19] is invoked, a CS with reason-code RLEXC is appended to the transmission queue specified in the transmission request that started this session, and a transmission cancellation notice [Sec 6.5] is sent back to the client service that requested the transmission. One possible limit on transmission problems would be the maximum number of retransmission CP segments which may be issued for any single session. If the number of transmission problems for this session has not exceeded any limit, new data segments encapsulating all block data whose non-reception is implied by the reception claims are appended to the transmission queue specified in the transmission request that started this session. The last - and only the last - such segment must be marked as a CP segment and must contain the report serial number of the received RS. Ramadas et al. Expires - June 2005 [Page 25] Internet Draft LTP - Specification December 2004 5.14 Stop RS Timer This procedure is triggered by reception of an RA. Response: the countdown timer associated with the original RS (identified by the report serial number of the RA segment) is deleted. If no other countdown timers associated with RSs exist for this session, then the session is closed: the "Close session" procedure [Sec 5.20] is invoked. 5.15 Start Cancel Timer This procedure is triggered by arrival of a link state cue indicating the de-queuing (for transmission) of a Cx. Response: the expected arrival time of the CAx that will be produced on reception of this Cx is computed and a countdown timer for this arrival time is started. However, if it is known that the remote LTP engine has ceased transmission [Sec 5.5] then this timer is immediately suspended, because the computed expected arrival time may require an adjustment that cannot yet be computed. 5.16 Retransmit Cancellation Segment This procedure is triggered by the expiration of a countdown timer associated with a Cx. Response: if the number of times this Cx has been queued for transmission exceeds the cancellation retransmission limit established for the local LTP engine by network management, then the session of which the segment is one token is simply closed: the "Close session" procedure [Sec 5.20] is invoked. Otherwise, a copy of the cancellation segment (retaining the same reason-code) is queued for transmission to the appropriate LTP engine. 5.17 Acknowledge Cancellation This procedure is triggered by the reception of a Cx. Response: in the case of a CS where there is no transmission queue-set bound for the engine that originated the segment's session (possibly because the local LTP engine is running on a receive-only device), then no action is taken. Otherwise: If the received segment is a CS, a CAS is issued and is, in Ramadas et al. Expires - June 2005 [Page 26] Internet Draft LTP - Specification December 2004 concept, appended to the queue of internal operations traffic bound for the LTP engine that sent the CS. If the received segment is a CR, a CAR is issued and is, in concept appended to the queue of internal operations traffic bound for the LTP engine that sent the CR. It is possible that the Cx has been retransmitted because a previous responding acknowledgment CAx was lost, in which case there will no longer be any record of the session of which the segment is one token. If so, no further action is taken. Otherwise: the "Cancel session" procedure [Sec 5.19] is invoked and a reception cancellation notice [Sec 6.6] is sent to the client service identified in each of the data segments received in this session. Finally, the session is closed: the "Close session" procedure [Sec 5.20] is invoked. 5.18 Stop Cancel Timer This procedure is triggered by reception of a CAx. Response: the session of which the segment is one token is closed, i.e., the "Close session" procedure [Sec 5.20] is invoked. 5.19 Cancel Session This procedure is triggered internally by one of the other procedures described above. Response: all segments of the affected session that are currently queued for transmission can be deleted from the outbound traffic queues. All countdown timers currently associated with the session are deleted. Note: If the local LTP engine is the originator of the session, then all remaining data retransmission buffer space allocated to the session can be released. 5.20 Close Session This procedure is triggered internally by one of the other procedures described above. Response: any remaining countdown timers associated with the session (such as the timer associated with a Cx) are deleted. The session state record (SSR|RSR) for the session is deleted; existence of the session is no longer recognized. 5.21 Handle Miscolored Segment Ramadas et al. Expires - June 2005 [Page 27] Internet Draft LTP - Specification December 2004 This procedure is triggered by the arrival of either (a) a red- part data segment whose block offset begins at an offset higher than the offset of any green-part data segment previously received for the same session or (b) a green-part data segment whose block offset begins at an offset lower than the offset of any red-part data segment previously received for the same session. Response: the received data segment is simply discarded. The Cancel Session procedure [Sec 5.19] is invoked and a CR with reason-code MISCOLORED SHOULD be enqueued for transmission to the data sender. Note : If there is no transmission queue-set bound for the block sender (possibly because the local LTP engine is running on a receive-only device), or if the block receiver knows that the sender of this green-part data is functioning in a "beacon" (transmit-only) fashion, a CR need not be sent. A Reception Cancellation Notice [Sec 6.6] is sent to the client service. 6. Notices to Client Service In all cases the representation of notice parameters is a local implementation matter. 6.1 Session Start The LTP engine returns the session ID of the new transmission session when a session start notice is delivered. A session start notice informs the client service of the initiation of a transmission session in response to a transmission request from that client service. On receiving this notice the client service may, for example, release resources of its own that are allocated to the block being transmitted, or remember the session ID so that the session can be canceled in the future if necessary. 6.2 Green-Part Segment Arrival The following parameters are provided by the LTP engine when a green-part segment arrival notice is delivered: Session ID of the transmission session. Array of client service data bytes contained in the data segment. Offset of the data segment's content from the start of the Ramadas et al. Expires - June 2005 [Page 28] Internet Draft LTP - Specification December 2004 block. Length of the data segment's content. Indication as to whether or not the last byte of this data segment's content is also the end of the block. Source LTP engine ID. 6.3 Red-Part Reception The following parameters are provided by the LTP engine when a red-part reception notice is delivered: Session ID of the transmission session. Array of client service data bytes that constitute the red-part of the block. Length of the red-part of the block. Indication as to whether or not the last byte of the red-part is also the end of the block. Source LTP engine ID. 6.4 Transmission Completion The sole parameter provided by the LTP engine when a transmission completion notice is delivered is the session ID of the transmission session. A transmission completion notice informs the client service that all bytes of the indicated data block have been transmitted and the destination LTP engine has received the red-part of the block. 6.5 Transmission Cancellation The parameters provided by the LTP engine when a transmission cancellation notice is delivered are: Session ID of the transmission session. The reason-code sent or received in the Cx segment that initiated the cancellation sequence. A transmission cancellation notice informs the client service that the indicated session was terminated, either by decision of the Ramadas et al. Expires - June 2005 [Page 29] Internet Draft LTP - Specification December 2004 destination client service instance or due to violation of a retransmission limit in the local LTP engine. There is no assurance that the destination client service instance received the critical part of the data block. 6.6 Reception Cancellation The parameters provided by the LTP engine when a reception cancellation notice is delivered are: Session ID of the transmission session. The reason-code explaining the cancellation. A reception cancellation notice informs the client service that the indicated session was terminated, either by decision of the source client service instance or due to error conditions at the local LTP engine. No subsequent delivery notices will be issued for this session. 7. State Transition Diagrams The following mnemonics have been used in the sender and receiver LTP state transition diagrams that follow : TE Timer Expiry RDS Regular Red Data Segment (NOT {CP|EORP|EOB}) GDS Regular Green Data Segment (NOT EOB) RL EXC Retransmission Limit Exceeded Both the diagrams have been specified in two parts such that sequence of state transitions that occur multiple times in the main diagram have been presented in the second part. Note that blocks represented in rectangles as in +---------+ | FG_XMIT | +---------+ specify actual states in the state-transition diagrams, while blocks represented as in /\/\/\/\ | Cncld | \/\/\/\/ are not actual states but merely pointers to a state or a sequence of state transitions represented elsewhere in the state transition Ramadas et al. Expires - June 2005 [Page 30] Internet Draft LTP - Specification December 2004 diagram (to avoid having multiple copies of a sequence of state transitions, thus accomodating space constraints). Ramadas et al. Expires - June 2005 [Page 31] Internet Draft LTP - Specification December 2004 7.1 Sender LTP Sender State Transition Diagram /\/\/\/\ | Cncld | \/\/\/\/ +--------+ | +------+ Rcv CR; | V V V | Rcv RS; Snd CAR | +-------------+ | Snd RA +-------+ CLOSED +----+ +---------------------------->+------+------+ | | Blk. Trans. Req | Zero RP + | Xmit ________________________/ \ Non-Zero RP | GDS; / \ | +---+ | +------------------+ | +------+ | | V V | /\/\ Rcv RS V V V | | | +---------+ +<-| RX |<---+ +---------+ | | +<-+ FG_XMIT | | \/\/ +---+ +--->+ Xmit RDS; | +----+----+ | | RP_XMIT | | | | | /\/\ +---+ +--->+ Xmit {RDS, CP}; +<--------+ +<-| CP |<---+ +-----+---+ Start CP Tmr | Xmit \/\/ CP TE | \ | {GDS, EOB}; | | | Xmit {RDS, CP, EORP}; | +-------+ | Start CP Tmr | | | | | | +------------------+ | +---+ | Xmit {RDS, | | /\/\ Rcv RS V V V | | CP, EORP, | +<-| RX |<---+ +---------+ | | EOB}; | | \/\/ +---+ | | | Start | | | GP_XMIT +->+ | CP Tmr | | /\/\ +---+ | Xmit | | +<-| CP |<---+ +-----+---+ GDS; | | \/\/ CP TE | | | | | | Xmit {GDS, EOB}; | +---------+ | | | | +------------------+ | | | | /\/\ Rcv RS V V V | +<-| RX |<---+ +-------------+ | | \/\/ +---+ | | | | WAIT_RP_ACK | | | /\/\ +---+ | | +<-| CP |<---+ +-----+-------+ | \/\/ CP TE | RP acknowledged fully; | V +----------------------------------------+ Ramadas et al. Expires - June 2005 [Page 32] Internet Draft LTP - Specification December 2004 LTP Sender State Transition Diagram (contd.) /\/\ /\/\ | CP | | CX | \/\/ \/\/ | | | Snd CS, | | RL EXC; | Start CS Tmr; | | | | | /\/\ | +---+ | +------>| CX | V V | | \/\/ +---------+ | CS TE, | | CS_SENT | | RL NOT EXC; V RL NOT EXC; +-+--+--+-+ | Rxmt CS, Rxmt CP, | | | | Restart Start CP Tmr; CS TE, | | +---+ CS Tmr RL EXC; | | | | Rcv CAS; V V /\/\/\/\ | Cncld | \/\/\/\/ /\/\ | RX | \/\/ | Cncl CP Tmr (if any) V Snd RA +---------+ +----+ | CHK_RPT | | | +-+--+----+ RP in scope V | | | \ NOT rcvd. fully +---------+ | Rxmt Redundant | | RP +--------------------->| RP_RXMT | | missing RS rcvd; | | in scope +----+--+-+ | RDS; | | rcvd. fully | | | V V Rxmt last | +----+ missing RDS | (marked CP) | Start CP Tmr; | V Ramadas et al. Expires - June 2005 [Page 33] Internet Draft LTP - Specification December 2004 The sender LTP stays in the CLOSED state until receiving a Block Transmission Request (Blk. Trans. Req) from the client service instance. Upon receiving the request it either moves to the Fully Green Transmission State (FG_XMIT) if no portion of the block was requested to be transmitted as red, or moves to the Red- Part Transmission State (RP_XMIT) state if a non-zero block-prefix was requested to be transmitted red. In the FG_XMIT state, the block is segmented as multiple green LTP data segments respecting the link MTU size and the segments are queued for transmission to the remote engine. The last such segment is marked as EOB and the sender LTP returns to the CLOSED state after queuing it for transmission. Similarly, from the RP_XMIT state multiple red data segments are queued for transmission. The sender LTP may optionally mark some of the red data segments as asynchronous checkpoints; the internal procedure Start Checkpoint Timer [Sec 5.2] is followed upon receiving a link-state cue indicating the actual beginning of transmission of such segments. The sender LTP marks the last red- data segment of the block as both CP and EORP, and after queuing it for transmission moves to the Green Part Transmission (GP_XMIT) state. If the block transmission was fully red however, the last red-data segment is marked as CP, EORP, and EOB and the sender LTP moves to the Wait-for-Red-Part-Acknowledgment (WAIT_RP_ACK) state instead. For both the above state-transitions, the internal procedure Start Checkpoint Timer [Sec 5.2] is followed upon receiving a link-state cue indicating the beginning of transmission of the queued CP segments. If the sender LTP entered the GP_XMIT state, the remaining green-part of the block is segmented as green data segments and queued for transmission to the receiver LTP; the last green segment of the block is additionally marked as EOB and the sender LTP moves to the WAIT_RP_ACK state. While the sender LTP is at any of the RP_XMIT, GP_XMIT, or WAIT_RP_ACK states, it might be interrupted by the following two events asynchronously: 1. An RS might be received from the receiver LTP (either in response to a previously transmitted CP segment or sent asynchronously for accelerated retransmission). The sender LTP then moves to perform the sequence of state transitions beginning at the RX marker (second-part of the diagram), and retransmits data if necessary, illustrating the internal procedure Retransmit Data [Sec 5.13]: First, if the RS had a non-zero CP serial number, the Ramadas et al. Expires - June 2005 [Page 34] Internet Draft LTP - Specification December 2004 corresponding CP timer is canceled. Then, an RA segment acknowledging the received RS is queued for transmission to the receiver LTP and the sender LTP moves to the Check Report state (CHK_RPT). If the RS was redundantly transmitted by the receiver LTP (possibly because either the last transmitted RA got lost or the RS timer expired prematurely at the receiver), the sender LTP does nothing more and returns back to the interrupted state. Similarly, if all red-data within the scope of the RS is reported as received, there is no work to be done and the sender LTP returns to the interrupted state. However, if the RS indicated incomplete reception of data within its scope, the sender LTP moves to the Red-part Retransmit state (RP_RXMT) where missing red data-segments within scope are queued for transmission. The last such segment is marked as a CP, and the sender LTP returns to the interrupted state. The internal procedure [Sec 5.2] is followed upon receiving a link-state cue indicating beginning of transmission of the CP segment. 2. A previously set CP timer might expire. Now the sender LTP follows the states beginning at the CP marker (second-part of the diagram), and follows the internal procedure Retransmit Checkpoint [Sec 5.7]: If the CP Retransmission Limit set by network management for the session has been exceeded, the sender LTP proceeds towards canceling the session (with reason-code RLEXC) as indicated by the sequence of state transitions following the CX marker. Otherwise (if the Retransmission Limit is not exceeded yet), the CP segment is queued for retransmission and the sender LTP returns to the interrupted state. The Start Checkpoint Timer internal procedure [Sec 5.2] is started again upon receiving a link-state cue indicating the beginning of transmission of the segment. The sender LTP stays at the WAIT_RP_ACK state after reaching it until the red-part data is fully acknowledged as received by the receiver LTP, and then returns to the CLOSED state following the internal procedure Close Session [Sec 5.20]. <> Note that while at the CLOSED state, the sender LTP might receive an RS (if the last transmitted RA before session close got lost or if the receiver LTP retransmitted the RS prematurely), in which case it retransmits an acknowledging RA and stays in the CLOSED state. If the session was canceled by the Receiver by issuing a CR segment, the receiver may retransmit the CR (either prematurely or because the acknowledging CAR got lost). In this case, the sender LTP retransmits the acknowledging Ramadas et al. Expires - June 2005 [Page 35] Internet Draft LTP - Specification December 2004 CAR and stays in the CLOSED state. Asynchronous cancel request may be received from the local client service while the sender LTP was in any of the states mentioned. If it was not already in the sequence of state transitions beginning at the CX marker, the internal procedure Cancel Session [Sec 5.19] is followed, and the sender LTP moves from its current state into the sequence beginning at the CX marker initiating session cancellation with reason-code CNCLD. From the CX marker, the CS segment with appropriate reason-code (CNCLD or RLEXC depending on how the CX sequence was entered) is queued for transmission to the receiver LTP and the sender enters the Cancel- from-Sender Sent(CS_SENT) state. The internal procedure Start Cancel Timer [Sec 5.15] is started upon receiving a link-state cue indicating the beginning of transmission of the CS segment. Upon receiving the acknowledging CAS from the receiver, the sender LTP moves to the CLOSED state (via the Cncld marker). If the CS Timer expires, the internal procedure Retransmit Cancellation Segment [Sec 5.16] is followed: If the network management set retransmission limit is exceeded, the session is simply closed and the sender LTP follows the Cncld marker to the CLOSED state. If the retransmission limit is not exceeded however, the CS segment is queued for a retransmission and the sender LTP stays in the CS_SENT state. The CS Timer is started upon receiving a link-state cue indicating the beginning of actual transmission according to the internal procedure Start Cancel Timer [Sec 5.15]. Asynchronous cancel request may also be received from the receiver LTP in the form of a CR segment when the sender LTP is in any of the states. Upon receiving such a CR segment, the internal procedure Acknowledge Cancellation [Sec 5.17] is invoked: The sender LTP sends a CAR segment in response and returns to the CLOSED state. Ramadas et al. Expires - June 2005 [Page 36] Internet Draft LTP - Specification December 2004 7.2 Receiver LTP Receiver State Transition Diagram /\/\/\/\ +----+ +----+ Cncld | Rcv CS; | V V \/\/\/\/ Snd CAS | +-------------+ +--+ CLOSED +<--------------------------+ +------+------+ | +----+ | Rcv first DS | Rcv RA; | V V | Cncl RS Tmr | +--------+ | +---+ DS_REC | | +----------------------------->+-+--+-+-+<----------------------+---+ | | Svc. does not exist | | | RS TE | | | | /\/\ or Rcv miscolored seg. | | | /\/\ | | | | | CX |<-----------------------+ | +------------->| RX |---->+ | | | \/\/ | \/\/ | | | Rcv RDS; | Rcv GDS; | | | +-----------+------------+ | | | V V | | | /\/\ RS TE +--------------+ +--------+ | | +<-| RX |<------+ RCV_RP | | RCV_GP | | | | \/\/ +-+----+--+--+-+ +--+-+-+-+ | | | | | | | | | | | | | Rcvd RDS; | | | | Rcvd {RDS, CP, | | | RS TE /\/\ | | | | | | | EORP, EOB}; | | +------>| RX |->+ | +<----------------+ | | | Snd RS, | | \/\/ | | | | | | Start RS Tmr | | Rcvd GDS; | | | Rcvd {RDS, CP}; | | | | +---------------->+ | | Snd RS, Start RS Tmr | | +-------+ +-----+ | +<---------------------+ | | | Rcvd {GDS, EOB}; | | | | | | | | +-----+ | | +------+ | | Rcvd {RDS, CP, EORP}; | | V V V V | | | Snd RS, Start RS Tmr | | +----------------+ | Rcv RDS; | | | | | +-->+ | | | | | WAIT_RP_REC | | Rcv {RDS, CP}; | | | | | +-->+ Snd RS, Start | +<------------------------+ | +---+--+-+-+-----+ | RS Tmr | | RS TE | | | | Rcv RA; | | | V | | | Cncl | | | /\/\ | | | RS Tmr | | +---| RX | | | +-------->+ | \/\/ | | | /\/\ | | | | CX |<------------------------+ | RP rcvd. fully | \/\/ Rcv miscolored seg. +--------------------------->+ Ramadas et al. Expires - June 2005 [Page 37] Internet Draft LTP - Specification December 2004 LTP Receiver State Transition Diagram (contd.) /\/\ | RX | \/\/ | | | | RL EXC; /\/\ RL NOT EXC; | +---------->| CX | Rxmt RS, | \/\/ Start RS Tmr | V /\/\ | CX | \/\/ | Snd CR, | Start CR Tmr; | | +----+ V V | +---------+ | CR TE, | CR_SENT | | RL NOT EXC; +-+--+--+-+ | Rxmt CR, | | | | Restart CR TE, | | +---+ CR Tmr RL EXC; | | | | Rcv CAR; V V /\/\/\/\ | Cncld | \/\/\/\/ Ramadas et al. Expires - June 2005 [Page 38] Internet Draft LTP - Specification December 2004 The receiver LTP begins at the CLOSED state and enters the Data Segment Reception (DS_REC) state upon receiving the first data segment. If the client service ID referenced in the data segment was non-existent, a CX segment with reason-code UNREACH SHOULD be sent to the sender LTP with the Cancellation sequence beginning with the CX marker (second part of the diagram). If the received segment was found to be miscolored (a red-part data segment whose block offset begins at an offset higher than the offset of any green-part data segment previously received, or a green-part data segment whose block offset begins at an offset lower than the offset of any red-part data segment previously received), the internal procedure Handle Miscolored Segment [Sec 5.21] is followed; a CX segment with reason-code MISCOLORED SHOULD be sent to the sender LTP with the Cancellation sequence beginning with the CX marker. Otherwise, the receiver LTP enters the Receive Red-Part state (RCV_RP) or the Receive Green-Part state (RCV_GP) depending on whether the segment received was red or green respectively. In the RCV_RP state, a check is made of the nature of the received red DS. If the segment was a regular red data segment, the receiver LTP just returns to the DS_REC state. For red data segments marked also as CP and as CP & EORP, a responding RS is queued for transmission to the sender following either the internal procedure Retransmit RS [Sec 5.8] or Send Reception Report [Sec 5.11] depending on whether the CP segment was a retransmission (An RS corresponding to the Checkpoint Serial Number in the CP was previously issued) or not, respectively. The receiver LTP then returns to the DS_REC state. If the block transmission was fully red and the segment was marked as CP, EORP, and EOB, the receiver LTP enters the Wait-for-Red-Part-Reception state (WAIT_RP_REC). In all cases the internal procedure Start RS Timer [Sec 5.3] is followed upon receiving link-state cues indicating beginning of transmission of the RS segments. In the RCV_GP state, if the received green data segment was not marked EOB, the receiver LTP returns to the DS_REC state. Otherwise it enters the WAIT_RP_REC state to receive the red-part of the block fully. A previously set RS timer may expire asynchronously while the receiver LTP was in the DS_REC, RCV_RP, RCV_GP, or WAIT_RP_REC states. If so, the internal procedure Retransmit RS [Sec 5.8] is followed as illustrated in the states beginning at the RX marker (shown in the second part of the diagram) before returning to the interrupted state: Ramadas et al. Expires - June 2005 [Page 39] Internet Draft LTP - Specification December 2004 A check is made here to see if the retransmission limit set by the network management has been exceeded in the number of RSs sent in the session. If so, a CR segment with reason-code RLEXC SHOULD be sent to the sender LTP and the sequence following the CX marker is followed. Otherwise, the RS is queued for retransmission and the associated RS timer is started following the internal procedure Start RS Timer [Sec 5.3] upon receiving a link-state cue indicating the beginning of its transmission. The receiver LTP may also receive RA segments from the sender in response to the RSs sent while in the DS_REC state. If so, then the RS timer corresponding to the report serial number mentioned in the RA segment is canceled following the internal procedure Stop RS Timer [Sec 5.14]. The receiver LTP stays in the WAIT_RP_REC state until the entire red-part of the block is received, and moves to the CLOSED state upon full red-part reception. In this state, a check is made upon reception of every red-part DS to see if it is at a block offset higher than any green-part DS received. If so, the Handle Miscolored Segment internal procedure [Sec 5.21] is invoked and the sequence of state transitions beginning with the CX marker is followed; a CX segment with reason-code MISCOLORED SHOULD be sent to the sender LTP with the Cancellation sequence beginning with the CX marker. Note that if there were no red data segments received in the session yet, including the case where the session was indeed fully green or the pathological case where the entire red-part of the block gets lost but at least the green data segment marked EOB is received (the receiver LTP has no indication of whether the session had a red-part transmission), the receiver LTP assumes the "RP rcvd. fully" condition to be true and moves to the CLOSED state from the WAIT_RP_REC state. In the WAIT_RP_REC state, the receiver LTP may receive the retransmitted red data segments. Upon receiving red data segments marked CP, it queues the responding RS for transmission based on either internal procedure Retransmit RS [Sec 5.8] or Send Reception Report [Sec 5.11] depending on whether the CP was found to be a retransmission or not, respectively. The Start RS Timer internal procedure is invoked upon receiving a link-state cue indicating the beginning of transmission of the RS. If an RA segment is received, the RS timer corresponding to the report segment mentioned is canceled and the receiver LTP stays in the state until the entire red-part is received. In the sequence of state transitions beginning at the CX marker, Ramadas et al. Expires - June 2005 [Page 40] Internet Draft LTP - Specification December 2004 the CR segment with the given reason-code (depending on how the sequence is entered) is queued for transmission, and the CR timer is started upon reception of the link-state cue indicating actual transmission following internal procedure Start Cancel Timer [Sec 5.15]. If the CAR is received from the sender LTP, the receiver LTP returns to the CLOSED state (via the Cncld marker) following the Stop Cancel Timer internal procedure [Sec 5.18]. If the CR timer expires asynchronously, the internal procedure Retransmit Cancellation Segment [Sec 5.16] is followed : A check is made to see if the retransmission limit set by the network management for the number of CRs per session has been exceeded. If so, the receiver LTP returns to the CLOSED state following the Cncld marker. Otherwise, a CR segment is scheduled for retransmission with the CR timer being started following the internal procedure Start Cancel Timer [Sec 5.15] upon reception of a link-state cue indicating actual transmission. <> The receiver LTP might also receive a retransmitted CS at the CLOSED state (either if the CAS segment previously transmitted was lost or if the CS timer expired prematurely at the sender LTP). In such a case the CAS is scheduled for retransmission. Asynchronous cancel requests are handled similar to the way they are handled in the sender LTP. If the cancel request was made from the local client service instance and the receiver LTP was not already in the CR_SENT state, a CR with reason-code CNCLD SHOULD be sent to the sender LTP following the sequence of state transitions beginning at the CX marker as described above. If the asynchronous cancel request is received from the sender LTP, a CAS segment is sent and the receiver LTP moves to the CLOSED state (independent of the state the receiver LTP may be in). 8. Requirements from the Operating Environment LTP requires support from its operating environment (which includes network management activities) and link-state cues from the data-link layer for its operations. The local data-link layer needs to inform LTP whenever the link to a specific LTP destination is brought up or torn down. Similarly, the operating environment needs to inform the local LTP engine whenever it is known that a remote LTP engine is set to begin or stop communication with the local engine based on the operating schedules. LTP requires link state cues from the datalink layer upon transmission of the CP, RS, EORP, EOB, and Cx segments. LTP also needs to be able to query the current distance (in light Ramadas et al. Expires - June 2005 [Page 41] Internet Draft LTP - Specification December 2004 seconds) to any peer engine in order to calculate timeout intervals in a typical deep-space environment. A MIB (Management Information Base), with the above parameters filled in by the local data-link layer and the operating environment periodically, should be made available to the LTP engine for its operations. The exact details of the MIB are, however, beyond the scope of this document. The underlying data-link layer is required to never deliver incompletely received LTP segments to LTP. In the absence of the use of LTP authentication [LTPEXT] LTP also requires the underlying data-link layer to perform data integrity check of the segments received. Specifically, the data-link layer is expected to detect any corrupted segments received and to silently discard them. 9. Security Considerations <> There is a clear risk that unintended receivers can listen in on LTP transmissions over satellite and other radio broadcast datalinks. Such unintended recipients of LTP transmissions may also be able to manipulate LTP segments at will. Hence there is a potential requirement for confidentiality, integrity and anti-DoS (Denial of Service) security services and mechanisms. In particular, DoS problems are more severe for LTP compared to other typical internet protocols because LTP inherently retains state for long periods, and has very high time-out values. Further, it could be difficult to reset LTP nodes to recover from an attack. Thus any adversary who can actively attack an LTP transmission has the potential to create severe DoS conditions for the LTP receiver. To give a terrestrial example - were LTP to be used in a sparse sensor network, DoS attacks could be mounted resulting in nodes missing critical information, for example, communications schedule updates. In such cases, a single successful DoS attack could take a node entirely off the network until the node is physically visited and reset. Ramadas et al. Expires - June 2005 [Page 42] Internet Draft LTP - Specification December 2004 Even for deep space applications of LTP, we do need to consider certain terrestrial attacks, in particular those involving insertion of messages into an on-going session (usually without having seen the exact bytes of the previous messages in the session). Such attacks are likely in the presence of firewall failures at various nodes in the network, or due to Trojan software running on an authorized host. Many message insertion attacks will depend on the attacker correctly "guessing" something about the state of the LTP peers, but experience shows that successful guesses are easier than might be thought [DDJ]. 9.1 Security Mechanisms and Layering Considerations In this section we consider the appropriate layer(s) at which security mechanisms can best be deployed to increase the security properties of LTP. The Application layer (above-LTP) Higher layer security mechanisms clearly protect LTP payload, but leave LTP headers open. Such mechanisms provide little or no protection against DoS type attacks against LTP, but may well provide sufficient data integrity and ought to be able to provide data confidentiality. The LTP layer An authentication header (similar to IPSEC [AH]) can help protect against replay attacks and other bogus packets. However, an adversary may still see the LTP header of segments passing by in the ether. This approach also requires some key management infrastructure to be in place in order to provide strong authentication, which may not always be an acceptable overhead. Such an authentication header could mitigate many DoS attacks. Similarly, a confidentiality service could be defined for LTP payload and (some) header fields. However, this seems less attractive since (a) confidentiality is arguably better provided either above or below the LTP layer, (b) key management for such a service is harder (in a high-delay context) than for an integrity service, and (c) forcing LTP engines to attempt decryption of incoming segments can in itself provide a DoS opportunity. Further, within the LTP layer we can make various design Ramadas et al. Expires - June 2005 [Page 43] Internet Draft LTP - Specification December 2004 decisions to reduce the probability of successful DoS attacks. In particular, we can mandate that values for certain fields in the header (session numbers, for example) be chosen randomly. The Datalink layer (below-LTP) The lower layers can clearly provide confidentiality and integrity services, although such security may result in unnecessary overhead (if a service provided is not required for all LTP sessions, for example) and loss of flexibility. However, the lower layers may well be the optimal place to do compression and encryption. 9.2 Denial of Service Considerations Implementers SHOULD consider the likelihood of the following DoS attacks : A fake Cx could be inserted, thus bringing down a session. Various acknowledgment segments (RA, RS, etc.) could be deleted, causing timers to expire, and has the potential to disable communication altogether if done with a knowledge of the communications schedule. This could be achieved either by mounting a DoS attack on a lower layer service in order to prevent it from sending an acknowledgment segment, or by simply jamming the transmission (all of which are more likely for terrestrial applications of LTP). An attacker might also flip some bits, which is tantamount to deleting that segment. An attacker may flood a node with segments for the internal operations queue and prevent transmission of legitimate data segments. An attacker could attempt to fill up the storage in a node by sending many large messages to it. In terrestrial LTP applications this may be much more serious since spotting the additional traffic may not be possible from any network management point. <> LTP includes the following anti-DoS mechanisms: Session numbers MUST be partly random making it harder to Ramadas et al. Expires - June 2005 [Page 44] Internet Draft LTP - Specification December 2004 insert valid segments. A node which suspects that either it or its peer is under DoS attack could frequently checkpoint its data segments (if it were the sender) or send asynchronous RSs (if it were the receiver), thus eliciting an earlier response from its peer or timing out earlier due to the failure of an attacker to respond. Serial numbers (checkpoint serial numbers, report serial numbers) MUST begin each session anew using random numbers rather than from 0. The authentication header [LTPEXT]. 9.3 Replay Handling The following algorithm is given as an example of how an LTP implementation MAY handle replays. 1. On receipt of an LTP segment, check against a cache for replay. If this is a replay segment and if a pre-cooked response is available (stored from the last time this segment was processed), then send the pre-cooked response. If there is no pre-cooked response then silently drop the inbound segment. This can all be done without attempting to decode the buffer. 2. If the inbound segment does not decode correctly, then silently drop the segment. If the segment decodes properly, then add its hash to the replay cache and return a handle to the entry. 3. For those cases where a pre-cooked response should be stored, store the response using the handle received from the previous step. These cases include: (a) when the inbound packet is a CP DS the response RS gets stored as pre-cooked; (b) when the incoming packet is an RS the RA is stored as precooked, and, (c) when the incoming packet is a Cx the CAx gets stored precooked. 4. Occasionally clean out the replay cache - how frequently this happens in an implementation issue. The downside of this algorithm is that receiving a totally bogus Ramadas et al. Expires - June 2005 [Page 45] Internet Draft LTP - Specification December 2004 segment still results in a replay cache search and attempted LTP decode operation. It is not clear that it is possible to do much better though, since all an attacker would have to do to get past the replay cache would be to tweak a single bit in the inbound segment each time, which is certainly cheaper than the hash+lookup+decode combination, though also certainly more expensive than simply sending the same octets many times. The benefit of doing this is that implementers no longer need to analyze many bugs/attacks based on replaying packets, which in combination with the use of LTP authentication should defeat many attempted DoS attacks. 9.4 Implementation Considerations SDNV Implementations SHOULD make sanity checks on SDNV length fields and SHOULD check that no SDNV field is too long when compared with the overall segment length. Implementations SHOULD check that SDNV values are within suitable ranges where possible, e.g. <> Byte ranges Various report and other segments contain offset and length fields. Implementations MUST ensure that these are consistent and sane. Randomness Various fields in LTP (e.g. serial numbers) should be initialized using random values. Good sources of randomness which are not easily guessable SHOULD be used [ECS94]. The collision of random values is subject to the birthday paradox, which means that a collision is likely after roughly the square-root of the space has been seen (e.g. 2^16 in the case of a 32-bit random value). Implementers MUST ensure that they use sufficiently long random values so that the birthday paradox doesn't cause a problem in their environment. 10. IANA Considerations At present there are none known. However if someone wanted to run LTP over IP (or even TCP or UDP), then we would want to allocate a port number. <> Ramadas et al. Expires - June 2005 [Page 46] Internet Draft LTP - Specification December 2004 11. Acknowledgments Many thanks to Tim Ray, Vint Cerf, Bob Durst, Kevin Fall, Adrian Hooke, Keith Scott, Leigh Torgerson, Eric Travis, and Howie Weiss for their thoughts on this protocol and its role in Delay-Tolerant Networking architecture. Part of the research described in this document was carried out at the Jet Propulsion laboratory, California Institute of Technology, under a contract with the National Aeronautics and Space Administration. This work was performed under DOD Contract DAA- B07- 00-CC201, DARPA AO H912; JPL Task Plan No. 80-5045, DARPA AO H870; and NASA Contract NAS7-1407. Thanks are also due to Shawn Ostermann, Hans Kruse, and Dovel Myers at Ohio University for their suggestions and advice in making various design decisions. Part of this work was carried out at Trinity College Dublin as part of the SeNDT contract funded by Enterprise Ireland's research innovation fund. 12. References 12.1 Normative References [B97] S. Bradner, "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [LTPMOTIVE] Burleigh, S., Ramadas, M., and Farrell, S., "Licklider Transmission Protocol - Motivation", draft-irtf-dtnrg-ltp- motivation-00.txt (Work in Progress), December 2004. [LTPEXT] Farrell, S., Ramadas, M., and Burleigh, S., "Licklider Transmission Protocol - Extensions", draft-irtf-dtnrg-ltp- extensions-00.txt (Work in Progress), December 2004. 12.2 Informative References [AH] Kent, S., and R. Atkinson, "IP Authentication Header", RFC 2402, November 1998. [ASN1] Abstract Syntax Notation One (ASN.1). Specification of Basic Notation. ITU-T Rec. X.680 (2002) | ISO/IEC 8824-1:2002. [DDJ] I. Goldberg and E. Wagner, "Randomness and the Netscape Browser", Dr. Dobb's Journal, 1996, (pages 66-70). Ramadas et al. Expires - June 2005 [Page 47] Internet Draft LTP - Specification December 2004 [BP] K. Scott, and S. Burleigh, "Bundle Protocol Specification", Work in Progress, October 2003. [DTN] K. Fall, "A Delay-Tolerant Network Architecture for Challenged Internets", In Proceedings of ACM SIGCOMM 2003, Karlsruhe, Germany, Aug 2003. [IPN] InterPlanetary Internet Special Interest Group web page, "http://www.ipnsig.org". [ECS94] D. Eastlake, S. Crocker, and J. Schiller, "Randomness Recommendations for Security", RFC 1750, December 1994. 13. Author's Addresses Manikantan Ramadas Internetworking Research Group 301 Stocker Center Ohio University Athens, OH 45701 Telephone +1 (740) 593-1562 Email mramadas@irg.cs.ohiou.edu Scott C. Burleigh Jet Propulsion Laboratory 4800 Oak Grove Drive M/S: 179-206 Pasadena, CA 91109-8099 Telephone +1 (818) 393-3353 FAX +1 (818) 354-1075 Email Scott.Burleigh@jpl.nasa.gov Stephen Farrell Distributed Systems Group Computer Science Department Trinity College Dublin Ireland Telephone +353-1-608-3070 Email stephen.farrell@cs.tcd.ie 14. Copyright Statement Copyright (C) The Internet Society (2004). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights." This document and the information contained herein are provided on an Ramadas et al. Expires - June 2005 [Page 48] Internet Draft LTP - Specification December 2004 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Ramadas et al. Expires - June 2005 [Page 49]