idnits 2.17.1 draft-ietf-avtcore-leap-second-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC3550, updated by this document, for RFC5378 checks: 1998-04-07) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (February 19, 2013) is 4056 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) No issues found here. Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 AVTCore K. Gross 3 Internet-Draft AVA Networks 4 Updates: 3550 (if approved) R. van Brandenburg 5 Intended status: Standards Track TNO 6 Expires: August 23, 2013 February 19, 2013 8 RTP and Leap Seconds 9 draft-ietf-avtcore-leap-second-02 11 Abstract 13 This document discusses issues that arise when RTP sessions span 14 Universal Coordinate Time (UTC) leap seconds. It updates RFC 3550 to 15 describe how RTP senders and receivers should behave in the presence 16 of leap seconds. 18 Status of this Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at http://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on August 23, 2013. 35 Copyright Notice 37 Copyright (c) 2013 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (http://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 53 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 3 54 3. Leap seconds . . . . . . . . . . . . . . . . . . . . . . . . . 3 55 3.1. UTC behavior during leap second . . . . . . . . . . . . . . 4 56 3.2. NTP behavior during leap second . . . . . . . . . . . . . . 4 57 3.3. POSIX behavior during leap second . . . . . . . . . . . . . 4 58 3.4. Summary of leap-second behaviors . . . . . . . . . . . . . 4 59 4. Recommendations . . . . . . . . . . . . . . . . . . . . . . . . 5 60 4.1. RTP Sender Reports . . . . . . . . . . . . . . . . . . . . 6 61 4.2. RTP Packet Playout . . . . . . . . . . . . . . . . . . . . 6 62 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 63 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 7 64 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7 65 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7 66 8.1. Normative References . . . . . . . . . . . . . . . . . . . 7 67 8.2. Informative References . . . . . . . . . . . . . . . . . . 7 68 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 8 70 1. Introduction 72 In some media networking applications, RTP streams are referenced to 73 a wall-clock time (absolute date and time). This is accomplished 74 through use of the NTP timestamp field in the RTCP sender report (SR) 75 to create a mapping between RTP timestamps and the wall clock. When 76 a wall-clock reference is used, the playout time for RTP packets is 77 referenced to the wall clock. Smooth and continuous media playout 78 requires a smooth and continuous time base. The time base used by 79 the wall clock may include leap seconds which are not rendered 80 smoothly. 82 This document updates RFC 3550 [1] providing recommendations for 83 smoothly rendering streamed media referenced to common wall clocks 84 which do not have smooth or continuous behavior in the presence of 85 leap seconds. 87 2. Terminology 89 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 90 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 91 document are to be interpreted as described in RFC 2119 [2] and 92 indicate requirement levels for compliant implementations. 94 3. Leap seconds 96 The world scientific time standard is International Atomic Time (TAI) 97 which is based on vibrations of cesium atoms in an atomic clock. The 98 world civil time is based on the rotation of the Earth. In 1972 the 99 civil time standard, Coordinated Universal Time (UTC), was redefined 100 in terms of TAI and the concept of leap seconds was introduced to 101 allow UTC to remain synchronized with with the rotation of the Earth. 103 Leap seconds are scheduled by the International Earth Rotation and 104 Reference Systems Service. Leap seconds may be scheduled at the last 105 day of any month but are preferentially scheduled for December and 106 June and secondarily March and September.[3] Because Earth's rotation 107 is unpredictable, leap seconds are typically not scheduled more than 108 six months in advance. 110 Leap seconds do not respect local time and always occur at the end of 111 the UTC day. Leap seconds can be scheduled to either add or remove a 112 second from the day. A leap second that adds an extra second is 113 known as a positive leap second. A leap second that skips a second 114 is known as a negative leap second. All leap seconds since their 115 introduction in 1972 have been scheduled in June or December and all 116 have been positive. 118 NOTE- The ITU is studying a proposal which could eventually eliminate 119 leap seconds from UTC. As of January 2012, this proposal is expected 120 to be decided no earlier than 2015.[4] 122 3.1. UTC behavior during leap second 124 UTC clocks insert a 61st second at the end of the day when a leap 125 second is scheduled. The leap second is designated "23h 59m 60s". 127 3.2. NTP behavior during leap second 129 Under NTP [5] a leap second is inserted at the beginning of the last 130 second of the day. This results in the clock freezing or slowing for 131 one second immediately prior to the last second of the affected day. 132 This results in the last second of the day having a real-time 133 duration of two seconds. Timestamp accuracy is compromised during 134 this period because the clock's rate is not well defined. 136 3.3. POSIX behavior during leap second 138 Most POSIX systems insert the leap second at the end of the last 139 second of the day. This results in repetition of the last second. A 140 timestamp within the last second of the day is therefore ambiguous in 141 that it can refer to a moment in time in either of the last two 142 seconds of a day containing a leap second. 144 3.4. Summary of leap-second behaviors 146 Table 1 summarizes behavior across a leap second for the wall clocks 147 discussed above. 149 Table 1 illustrates the leap second that occurred June 30, 2012 when 150 the offset between International Atomic time (TAI) and UTC changed 151 from 34 to 35 seconds. The first column shows RTP timestamps for an 152 8 kHz audio stream. The second column shows the TAI reference. 153 Following columns show behavior for the leap-second-bearing wall 154 clocks described above. Time values are shown at half-second 155 intervals. 157 +-------+--------------+--------------+--------------+--------------+ 158 | RTP | TAI | UTC | POSIX | NTP | 159 +-------+--------------+--------------+--------------+--------------+ 160 | 8000 | 00:00:32.500 | 23:59:58.500 | 23:59:58.500 | 23:59:58.500 | 161 | 12000 | 00:00:33.000 | 23:59:59.000 | 23:59:59.000 | 23:59:59.000 | 162 | 16000 | 00:00:33.500 | 23:59:59.500 | 23:59:59.500 | 23:59:59.500 | 163 | 20000 | 00:00:34.000 | 23:59:60.000 | 23:59:59.000 | 00:00:00.000 | 164 | 24000 | 00:00:34.500 | 23:59:60.500 | 23:59:59.500 | 00:00:00.000 | 165 | 28000 | 00:00:35.000 | 00:00:00.000 | 00:00:00.000 | 00:00:00.000 | 166 | 32000 | 00:00:35.500 | 00:00:00.500 | 00:00:00.500 | 00:00:00.500 | 167 +-------+--------------+--------------+--------------+--------------+ 169 Table 1 171 NOTE- Some NTP implementations do not entirely freeze the clock while 172 the leap second is inserted. Successive calls to retrieve system 173 time return infinitesimally larger (e.g. 1 microsecond or 1 174 nanosecond) time values. This behavior is designed to satisfy 175 assumptions applications may make that time increases monotonically. 176 This behavior occurs in the least-significant bits of the time value 177 and so is not typically visible in the human-readable format shown in 178 the table. 180 4. Recommendations 182 Senders and receivers which are not referenced to a wall clock are 183 not affected by issues associated with leap seconds and no special 184 accommodation is required. 186 RTP implementation using a wall-clock reference is simplified by 187 using a clock with a timescale which does not include leap seconds. 188 IEEE 1588,[6] GPS [7] and other TAI [8] references do not include 189 leap seconds. NTP time, operating system clocks and other UTC 190 references include leap seconds. 192 All participants working to a leap-second-bearing reference SHOULD 193 recognize leap seconds and have a working communications channel to 194 receive notification of leap second scheduling. Without prior 195 knowledge of leap second schedule, NTP servers and clients may become 196 offset by exactly one second with respect to their UTC reference. 197 This potential discrepancy begins when a leap second occurs and ends 198 when all participants receive a time update from a server or peer. 199 Depending on the system implementation, the offset can last anywhere 200 from a few seconds to a few days. A long-lived discrepancy can be 201 particularly disruptive to RTP operation. 203 Because of the timestamp ambiguity, positive leap seconds can 204 introduce and the inconsistent manner in which different systems 205 accommodate leap seconds, generating or using NTP timestamps during 206 the entire last second of a day on which a positive leap second has 207 been scheduled SHOULD be avoided. Note that the period to be avoided 208 has a real-time duration of two seconds. In the Table 1 example, the 209 region to be avoided is indicated by RTP timestamps 12000 through 210 28000 212 Negative leap seconds do not introduce timestamp ambiguity or other 213 complications. No special treatment with respect to RTP timestamps 214 is required in the presence of a negative leap second. 216 4.1. RTP Sender Reports 218 RTP Senders working to a leap-second-bearing reference SHOULD NOT 219 generate sender reports containing an originating NTP timestamp in 220 the vicinity of a positive leap second. To maintain a consistent 221 RTCP schedule and avoid the risk of unintentional timeouts, such 222 senders MAY send receiver reports in place of sender reports in the 223 vicinity of the leap second. 225 For the purpose of suspending sender reports in the vicinity of a 226 leap second, senders MAY assume a positive leap second occurs at the 227 end of the last day of every month. 229 Receivers working to a leap-second-bearing reference SHOULD ignore 230 timestamps in any sender reports generated in the vicinity of a 231 positive leap second. 233 For the purpose of ignoring sender reports in the vicinity of a leap 234 second, receivers MAY assume a positive leap second occurs at the end 235 of the last day of every month. 237 4.2. RTP Packet Playout 239 Receivers working to a leap-second-bearing reference SHOULD take both 240 positive and negative leap seconds in the reference into account in 241 determining playout time based on RTP timestamps for data in RTP 242 packets. 244 5. Security Considerations 246 RTP streams using a wall-clock reference as discussed here present an 247 additional attack vector compared to self-clocking streams. 248 Manipulation of the wall clock at either sender or receiver can 249 potentially disrupt streaming. 251 For an RTP stream operating to an leap-seocnd-bearing reference to 252 operate reliably across a leap second, sender and receive must both 253 be aware of the leap second. It is possible to disrupt a stream by 254 blocking or delaying leap second notification to one of the 255 participants. Streaming can be similarly affected if one of the 256 participants can be tricked into believing a leap second has been 257 scheduled where there is not one. These vulnerabilities are present 258 in RFC 3550 [1] and these new recommendations neither heighten or 259 diminish them. Integrity of the leap second schedule is the 260 responsibility of the operating system and time distribution 261 mechanism both of which are outside the scope of RFC 3550 [1] and 262 these recommendations. 264 6. IANA Considerations 266 This document has no actions for IANA. 268 7. Acknowledgements 270 The authors would like to thank Steve Allen for his valuable comments 271 in helping to improve this document. 273 8. References 275 8.1. Normative References 277 [1] Schulzrinne, H., Casner, S., Frederick, R., and V. Jacobson, 278 "RTP: A Transport Protocol for Real-Time Applications", STD 64, 279 RFC 3550, July 2003. 281 [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement 282 Levels", BCP 14, RFC 2119, March 1997. 284 8.2. Informative References 286 [3] ITU-R, "Recommendation ITU-R TF.460-4 - Standard-frequency and 287 time-signal emissions", February 2002. 289 [4] ITU-R Working Party 7A, "Question SG07.236", February 2012. 291 [5] Mills, D., Martin, J., Burbank, J., and W. Kasch, "Network Time 292 Protocol Version 4: Protocol and Algorithms Specification", 293 RFC 5905, June 2010. 295 [6] IEEE, "IEEE Standard for a Precision Clock Synchronization 296 Protocol for Networked Measurement and Control Systems", 297 July 2008. 299 [7] Global Positioning Systems Directorate, "Navstar GPS Space 300 Segment/Navigation User Segment Interfaces", September 2011. 302 [8] BIPM, "Circular T", May 2012. 304 Authors' Addresses 306 Kevin Gross 307 AVA Networks 308 Boulder, CO 309 US 311 Email: kevin.gross@avanw.com 313 Ray van Brandenburg 314 TNO 315 Brassersplein 2 316 Delft 2612CT 317 the Netherlands 319 Phone: +31-88-866-7000 320 Email: ray.vanbrandenburg@tno.nl