idnits 2.17.1 draft-ietf-raw-ldacs-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (17 February 2021) is 1157 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Outdated reference: A later version (-08) exists of draft-ietf-raw-technologies-00 == Outdated reference: A later version (-11) exists of draft-ietf-raw-use-cases-00 == Outdated reference: A later version (-11) exists of draft-ietf-ipsecme-g-ikev2-02 Summary: 0 errors (**), 0 flaws (~~), 4 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 RAW N. Maeurer, Ed. 3 Internet-Draft T. Graeupl, Ed. 4 Intended status: Informational German Aerospace Center (DLR) 5 Expires: 21 August 2021 C. Schmitt, Ed. 6 Research Institute CODE, UniBwM 7 17 February 2021 9 L-band Digital Aeronautical Communications System (LDACS) 10 draft-ietf-raw-ldacs-07 12 Abstract 14 This document provides an overview of the architecture of the L-band 15 Digital Aeronautical Communications System (LDACS), which provides a 16 secure, scalable and spectrum efficient terrestrial data link for 17 civil aviation. LDACS is a scheduled, reliable multi-application 18 cellular broadband system with support for IPv6. LDACS SHALL provide 19 a data link for IP network-based aircraft guidance. High reliability 20 and availability for IP connectivity over LDACS are therefore 21 essential. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at https://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on 21 August 2021. 40 Copyright Notice 42 Copyright (c) 2021 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 47 license-info) in effect on the date of publication of this document. 48 Please review these documents carefully, as they describe your rights 49 and restrictions with respect to this document. Code Components 50 extracted from this document must include Simplified BSD License text 51 as described in Section 4.e of the Trust Legal Provisions and are 52 provided without warranty as described in the Simplified BSD License. 54 Table of Contents 56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 57 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 4 58 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 59 3. Motivation and Use Cases . . . . . . . . . . . . . . . . . . 5 60 3.1. Voice Communications Today . . . . . . . . . . . . . . . 5 61 3.2. Data Communications Today . . . . . . . . . . . . . . . . 6 62 4. Provenance and Documents . . . . . . . . . . . . . . . . . . 7 63 5. Applicability . . . . . . . . . . . . . . . . . . . . . . . . 8 64 5.1. Advances Beyond the State-of-the-Art . . . . . . . . . . 8 65 5.1.1. Priorities . . . . . . . . . . . . . . . . . . . . . 8 66 5.1.2. Security . . . . . . . . . . . . . . . . . . . . . . 8 67 5.1.3. High Data Rates . . . . . . . . . . . . . . . . . . . 9 68 5.2. Application . . . . . . . . . . . . . . . . . . . . . . . 9 69 5.2.1. Air-to-Ground Multilink . . . . . . . . . . . . . . . 9 70 5.2.2. Air-to-Air Extension for LDACS . . . . . . . . . . . 9 71 5.2.3. Flight Guidance . . . . . . . . . . . . . . . . . . . 10 72 5.2.4. Business Communication of Airlines . . . . . . . . . 11 73 5.2.5. LDACS Navigation . . . . . . . . . . . . . . . . . . 11 74 6. Requirements to LDACS . . . . . . . . . . . . . . . . . . . . 11 75 7. Characteristics of LDACS . . . . . . . . . . . . . . . . . . 13 76 7.1. LDACS Sub-Network . . . . . . . . . . . . . . . . . . . . 13 77 7.2. Topology . . . . . . . . . . . . . . . . . . . . . . . . 14 78 7.3. LDACS Physical Layer . . . . . . . . . . . . . . . . . . 14 79 7.4. LDACS Data Link Layer . . . . . . . . . . . . . . . . . . 15 80 7.5. LDACS Mobility . . . . . . . . . . . . . . . . . . . . . 15 81 8. Reliability and Availability . . . . . . . . . . . . . . . . 15 82 8.1. Layer 2 . . . . . . . . . . . . . . . . . . . . . . . . . 15 83 8.2. Beyond Layer 2 . . . . . . . . . . . . . . . . . . . . . 18 84 9. Protocol Stack . . . . . . . . . . . . . . . . . . . . . . . 18 85 9.1. MAC Entity Services . . . . . . . . . . . . . . . . . . . 19 86 9.2. DLS Entity Services . . . . . . . . . . . . . . . . . . . 21 87 9.3. VI Services . . . . . . . . . . . . . . . . . . . . . . . 22 88 9.4. LME Services . . . . . . . . . . . . . . . . . . . . . . 22 89 9.5. SNP Services . . . . . . . . . . . . . . . . . . . . . . 22 90 10. Security Considerations . . . . . . . . . . . . . . . . . . . 22 91 10.1. Reasons for Wireless Digital Aeronautical 92 Communications . . . . . . . . . . . . . . . . . . . . . 22 93 10.2. LADACS Requirements . . . . . . . . . . . . . . . . . . 23 94 10.3. LDACS Security Objectives . . . . . . . . . . . . . . . 24 95 10.4. LDACS Security Functions . . . . . . . . . . . . . . . . 24 96 10.5. LDACS Security Architecture . . . . . . . . . . . . . . 25 97 10.5.1. Entities . . . . . . . . . . . . . . . . . . . . . . 25 98 10.5.2. Entity Identification . . . . . . . . . . . . . . . 25 99 10.5.3. Entity Authentication and Key Negotiation . . . . . 25 100 10.5.4. Message-in-transit Confidentiality, Integrity and 101 Authenticity . . . . . . . . . . . . . . . . . . . . 26 102 10.6. LDACS Security Modules . . . . . . . . . . . . . . . . . 26 103 10.6.1. Placements of Security Functionality in Protocol 104 Stack . . . . . . . . . . . . . . . . . . . . . . . . 26 105 10.6.2. Trust . . . . . . . . . . . . . . . . . . . . . . . 27 106 10.6.3. Mutual Authentication and Key Exchange (MAKE) . . . 27 107 10.6.4. Key Derivation and Key Hierarchy . . . . . . . . . . 28 108 10.6.5. User Data Security . . . . . . . . . . . . . . . . . 28 109 10.6.6. Control Data Security . . . . . . . . . . . . . . . 28 110 11. Privacy Considerations . . . . . . . . . . . . . . . . . . . 29 111 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29 112 13. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 29 113 14. Normative References . . . . . . . . . . . . . . . . . . . . 29 114 15. Informative References . . . . . . . . . . . . . . . . . . . 30 115 Appendix A. Selected Information from DO-350A . . . . . . . . . 34 116 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 36 118 1. Introduction 120 One of the main pillars of the modern Air Traffic Management (ATM) 121 system is the existence of a communication infrastructure that 122 enables efficient aircraft control and safe separation in all phases 123 of flight. Current systems are technically mature but suffering from 124 the VHF band's increasing saturation in high-density areas and the 125 limitations posed by analogue radio communications. Therefore, 126 aviation globally and the European Union (EU) in particular, strives 127 for a sustainable modernization of the aeronautical communication 128 infrastructure. 130 In the long-term, ATM communication SHALL transition from analogue 131 VHF voice and VDLM2 communication to more spectrum efficient digital 132 data communication. The European ATM Master Plan foresees this 133 transition to be realized for terrestrial communications by the 134 development (and potential implementation) of the L-band Digital 135 Aeronautical Communications System (LDACS). LDACS SHALL enable IPv6 136 based air- ground communication related to the aviation safety and 137 regularity of flight. The particular challenge is that no additional 138 spectrum can be made available for terrestrial aeronautical 139 communication. It was thus necessary to develop co-existence 140 mechanism/procedures to enable the interference free operation of 141 LDACS in parallel with other aeronautical services/systems in the 142 same frequency band. 144 Since LDACS SHALL be used for aircraft guidance, high reliability and 145 availability for IP connectivity over LDACS are essential. 147 1.1. Requirements Language 149 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 150 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 151 document are to be interpreted as described in RFC 2119 [RFC2119]. 153 2. Terminology 155 The following terms are used in the context of RAW in this document: 157 A2A Air-to-Air 158 AeroMACS Aeronautical Mobile Airport Communication System 159 A2G Air-to-Ground 160 ACARS Aircraft Communications Addressing and Reporting System 161 ADS-C Automatic Dependent Surveillance - Contract 162 AM(R)S Aeronautical Mobile (Route) Service 163 ANSP Air Traffic Network Service Provider 164 AOC Aeronautical Operational Control 165 AS Aircraft Station 166 ATC Air-Traffic Control 167 ATM Air-Traffic Management 168 ATN Aeronautical Telecommunication Network 169 ATS Air Traffic Service 170 CCCH Common Control Channel 171 COTS IP Commercial Off-The-Shelf 172 CM Context Management 173 CNS Communication Navigation Surveillance 174 CPDLC Controller Pilot Data Link Communication 175 DCCH Dedicated Control Channel 176 DCH Data Channel 177 DLL Data Link Layer 178 DLS Data Link Service 179 DME Distance Measuring Equipment 180 DSB-AM Double Side-Band Amplitude Modulation 181 FCI Future Communication Infrastructure 182 FL Forward Link 183 GNSS Global Navigation Satellite System 184 GS Ground-Station 185 G2A Ground-to-Air 186 HF High Frequency 187 ICAO International Civil Aviation Organization 188 IP Internet Protocol 189 kbit/s kilobit per second 190 LDACS L-band Digital Aeronautical Communications System 191 LLC Logical Link Control 192 LME LDACS Management Entity 193 MAC Medium Access Layer 194 MF Multi Frame 195 OFDM Orthogonal Frequency-Division Multiplexing 196 OFDMA Orthogonal Frequency-Division Multiplexing Access 197 OSI Open Systems Interconnection 198 PHY Physical Layer 199 RL Reverse Link 200 SF Super-Frame 201 SNP Sub-Network Protocol 202 TDMA Time-Division Multiplexing-Access 203 VDLM1 VHF Data Link mode 1 204 VDLM2 VHF Data Link mode 2 205 VHF Very High Frequency 206 VI Voice Interface 208 3. Motivation and Use Cases 210 Aircraft are currently connected to Air-Traffic Control (ATC) and 211 Aeronautical Operational Control (AOC) via voice and data 212 communications systems through all phases of a flight. Within the 213 airport terminal, connectivity is focused on high bandwidth 214 communications, while during en-route high reliability, robustness, 215 and range is the main focus. Voice communications MAY use the same 216 or different equipment as data communications systems. In the 217 following the main differences between voice and data communications 218 capabilities are summarized. The assumed use cases for LDACS 219 completes the list of use cases stated in [RAW-USE-CASES] and the 220 list of reliable and available wireless technologies presented in 221 [RAW-TECHNOS]. 223 3.1. Voice Communications Today 225 Voice links are used for Air-to-Ground (A2G) and Air-to-Air (A2A) 226 communications. The communication equipment is either ground-based 227 working in the High Frequency (HF) or Very High Frequency (VHF) 228 frequency band or satellite-based. All VHF and HF voice 229 communications is operated via open broadcast channels without 230 authentication, encryption or other protective measures. The use of 231 well-proven communication procedures via broadcast channels helps to 232 enhance the safety of communications by taking into account that 233 other users MAY encounter communication problems and MAY be 234 supported, if REQUIRED. The main voice communications media is still 235 the analogue VHF Double Side-Band Amplitude Modulation (DSB-AM) 236 communications technique, supplemented by HF Single Side-Band 237 Amplitude Modulation and satellite communications for remote and 238 oceanic areas. DSB-AM has been in use since 1948, works reliably and 239 safely, and uses low-cost communication equipment. These are the 240 main reasons why VHF DSB-AM communications is still in use, and it is 241 likely that this technology will remain in service for many more 242 years. This however results in current operational limitations and 243 impediments in deploying new Air-Traffic Management (ATM) 244 applications, such as flight-centric operation with Point-to-Point 245 communications. 247 3.2. Data Communications Today 249 Like for voice, data communications into the cockpit is currently 250 provided by ground-based equipment operating either on HF or VHF 251 radio bands or by legacy satellite systems. All these communication 252 systems are using narrowband radio channels with a data throughput 253 capacity in order of kilobits per second. While the aircraft is on 254 ground some additional communications systems are available, like the 255 Aeronautical Mobile Airport Communication System (AeroMACS) or public 256 cellular networks, operating in the Airport (APT) domain and able to 257 deliver broadband communication capability. 259 The data communication networks used for the transmission of data 260 relating to the safety and regularity of the flight MUST be strictly 261 isolated from those providing entertainment services to passengers. 262 This leads to a situation that the flight crews are supported by 263 narrowband services during flight while passengers have access to 264 inflight broadband services. The current HF and VHF data links 265 cannot provide broadband services now or in the future, due to the 266 lack of available spectrum. This technical shortcoming is becoming a 267 limitation to enhanced ATM operations, such as Trajectory-Based 268 Operations and 4D trajectory negotiations. 270 Satellite-based communications are currently under investigation and 271 enhanced capabilities are under development which will be able to 272 provide inflight broadband services and communications supporting the 273 safety and regularity of flight. In parallel, the ground-based 274 broadband data link technology LDACS is being standardized by ICAO 275 and has recently shown its maturity during flight tests [SCH20191]. 276 The LDACS technology is scalable, secure and spectrum efficient and 277 provides significant advantages to the users and service providers. 278 It is expected that both - satellite systems and LDACS - will be 279 deployed to support the future aeronautical communication needs as 280 envisaged by the ICAO Global Air Navigation Plan. 282 4. Provenance and Documents 284 The development of LDACS has already made substantial progress in the 285 Single European Sky ATM Research framework, short SESAR, and is 286 currently being continued in the follow-up program SESAR2020 287 [RIH2018]. A key objective of the this activities is to develop, 288 implement and validate a modern aeronautical data link able to evolve 289 with aviation needs over long-term. To this end, an LDACS 290 specification has been produced [GRA2019] and is continuously 291 updated; transmitter demonstrators were developed to test the 292 spectrum compatibility of LDACS with legacy systems operating in the 293 L-band [SAJ2014]; and the overall system performance was analyzed by 294 computer simulations, indicating that LDACS can fulfil the identified 295 requirements [GRA2011]. 297 LDACS standardization within the framework of the ICAO started in 298 December 2016. The ICAO standardization group has produced an 299 initial Standards and Recommended Practices document [ICA2018]. It 300 defines the general characteristics of LDACS. The ICAO 301 standardization group plans to produce an ICAO technical manual - the 302 ICAO equivalent to a technical standard - within the next years. 303 Generally, the group is open to input from all sources and develops 304 LDACS in the open. 306 Up to now LDACS standardization has been focused on the development 307 of the physical layer and the data link layer, only recently have 308 higher layers come into the focus of the LDACS development 309 activities. There is currently no "IPv6 over LDACS" specification 310 publicly available; however, SESAR2020 has started the testing of 311 IPv6-based LDACS testbeds. 313 The IPv6 architecture for the aeronautical telecommunication network 314 is called the Future Communications Infrastructure (FCI). FCI SHALL 315 support quality of service, diversity, and mobility under the 316 umbrella of the "multi-link concept". This work is conducted by ICAO 317 Communication Panel working group WG-I. 319 In addition to standardization activities several industrial LDACS 320 prototypes have been built. One set of LDACS prototypes has been 321 evaluated in flight trials confirming the theoretical results 322 predicting the system performance [GRA2018] [SCH20191]. 324 5. Applicability 326 LDACS is a multi-application cellular broadband system capable of 327 simultaneously providing various kinds of Air Traffic Services 328 (including ATS-B3) and AOC communications services from deployed 329 Ground-Stations (GS). The A2G sub-system physical layer and data 330 link layer of LDACS are optimized for data link communications, but 331 the system also supports digital air-ground voice communications. 333 LDACS supports communication in all airspaces (airport, terminal 334 maneuvering area, and en-route), and on the airport surface. The 335 physical LDACS cell coverage is effectively de-coupled from the 336 operational coverage REQUIRED for a particular service. This is new 337 in aeronautical communications. Services requiring wide-area 338 coverage can be installed at several adjacent LDACS cells. The 339 handover between the involved LDACS cells is seamless, automatic, and 340 transparent to the user. Therefore, the LDACS A2G communications 341 concept enables the aeronautical communication infrastructure to 342 support future dynamic airspace management concepts. 344 5.1. Advances Beyond the State-of-the-Art 346 LDACS offers several capabilities that are not provided in 347 contemporarily deployed aeronautical communication systems. 349 5.1.1. Priorities 351 LDACS is able to manage services priorities, an important feature not 352 available in some of the current data link deployments. Thus, LDACS 353 guarantees bandwidth, low latency, and high continuity of service for 354 safety critical ATS applications while simultaneously accommodating 355 less safety-critical AOC services. 357 5.1.2. Security 359 LDACS is a secure data link with built-in security mechanisms. It 360 enables secure data communications for ATS and AOC services, 361 including secured private communications for aircraft operators and 362 ANSPs (Air Traffic Network Service Providers). This includes 363 concepts for key and trust management, mutual authenticated key 364 exchange protocols, key derivation measures, user and control 365 message-in-transit confidentiality and authenticity protection, 366 secure logging and availability and robustness measures [MAE20181], 367 [MAE20191], [MAE20192]. 369 5.1.3. High Data Rates 371 The user data rate of LDACS is 315 kbit/s to 1428 kbit/s on the 372 forward link (FL) for the connection Ground-to-Air (G2A), and 294 373 kbit/s to 1390 kbit/s on the reverse link (RF) for the connection 374 A2G, depending on coding and modulation. This is 50 times the amount 375 terrestrial digital aeronautical communications systems such as VDLM2 376 provide [SCH20191]. 378 5.2. Application 380 LDACS SHALL be used by several aeronautical applications ranging from 381 enhanced communication protocol stacks (multi-homed mobile IPv6 382 networks in the aircraft and potentially ad-hoc networks between 383 aircraft) to classical communication applications (sending GBAS 384 correction data) and integration with other service domains (using 385 the communication signal for navigation). 387 5.2.1. Air-to-Ground Multilink 389 It is expected that LDACS together with upgraded satellite-based 390 communications systems will be deployed within the FCI and constitute 391 one of the main components of the multilink concept within the FCI. 393 Both technologies, LDACS and satellite systems, have their specific 394 benefits and technical capabilities which complement each other. 395 Especially, satellite systems are well-suited for large coverage 396 areas with less dense air traffic, e.g. oceanic regions. LDACS is 397 well-suited for dense air traffic areas, e.g. continental areas or 398 hot-spots around airports and terminal airspace. In addition, both 399 technologies offer comparable data link capacity and, thus, are well- 400 suited for redundancy, mutual back-up, or load balancing. 402 Technically the FCI multilink concept SHALL be realized by multi- 403 homed mobile IPv6 networks in the aircraft. The related protocol 404 stack is currently under development by ICAO and the Single European 405 Sky ATM Research framework. 407 5.2.2. Air-to-Air Extension for LDACS 409 A potential extension of the multi-link concept is its extension to 410 ad-hoc networks between aircraft. 412 Direct A2A communication between aircrafts in terms of ad-hoc data 413 networks is currently considered a research topic since there is no 414 immediate operational need for it, although several possible use 415 cases are discussed (digital voice, wake vortex warnings, and 416 trajectory negotiation) [BEL2019]. It SHOULD also be noted that 417 currently deployed analog VHF voice radios support direct voice 418 communication between aircraft, making a similar use case for digital 419 voice plausible. 421 LDACS direct A2A is currently not part of standardization. 423 5.2.3. Flight Guidance 425 The FCI (and therefore LDACS) SHALL be used to host flight guidance. 426 This is realized using three applications: 428 1. Context Management (CM): The CM application SHALL manage the 429 automatic logical connection to the ATC center currently 430 responsible to guide the aircraft. Currently this is done by the 431 air crew manually changing VHF voice frequencies according to the 432 progress of the flight. The CM application automatically sets up 433 equivalent sessions. 434 2. Controller Pilot Data Link Communication (CPDLC): The CPDLC 435 application provides the air crew with the ability to exchange 436 data messages similar to text messages with the currently 437 responsible ATC center. The CPDLC application SHALL take over 438 most of the communication currently performed over VHF voice and 439 enable new services that do not lend themselves to voice 440 communication (e.g., trajectory negotiation). 441 3. Automatic Dependent Surveillance - Contract (ADS-C): ADS-C 442 reports the position of the aircraft to the currently active ATC 443 center. Reporting is bound to "contracts", i.e. pre-defined 444 events related to the progress of the flight (i.e. the 445 trajectory). ADS-C and CPDLC are the primary applications used to 446 implement in-flight trajectory management. 448 CM, CPDLC, and ADS-C are available on legacy datalinks, but not 449 widely deployed and with limited functionality. 451 Further ATC applications MAY be ported to use the FCI or LDACS as 452 well. A notable application is GBAS for secure, automated landings: 453 The Global Navigation Satellite System (GNSS) based Ground Based 454 Augmentation System (GBAS) is used to improve the accuracy of GNSS to 455 allow GNSS based instrument landings. This is realized by sending 456 GNSS correction data (e.g., compensating ionospheric errors in the 457 GNSS signal) to the aircraft's GNSS receiver via a separate data 458 link. Currently the VDB data link is used. VDB is a narrow-band 459 single-purpose datalink without advanced security only used to 460 transmit GBAS correction data. This makes VDB a natural candidate 461 for replacement by LDACS. 463 5.2.4. Business Communication of Airlines 465 In addition to air traffic services AOC services SHALL be transmitted 466 over LDACS. AOC is a generic term referring to the business 467 communication of airlines. Regulatory this is considered related to 468 the safety and regularity of flight and MAY therefore be transmitted 469 over LDACS. 471 AOC communication is considered the main business case for LDACS 472 communication service providers since modern aircraft generate 473 significant amounts of data (e.g., engine maintenance data). 475 5.2.5. LDACS Navigation 477 Beyond communication radio signals can always also be used for 478 navigation. LDACS takes this into account. 480 For future aeronautical navigation, ICAO RECOMMENDS the further 481 development of GNSS based technologies as primary means for 482 navigation. However, the drawback of GNSS is its inherent single 483 point of failure - the satellite. Due to the large separation 484 between navigational satellites and aircraft, the received power of 485 GNSS signals on the ground is very low. As a result, GNSS 486 disruptions might occasionally occur due to unintentional 487 interference, or intentional jamming. Yet the navigation services 488 MUST be available with sufficient performance for all phases of 489 flight. Therefore, during GNSS outages, or blockages, an alternative 490 solution is needed. This is commonly referred to as Alternative 491 Positioning, Navigation, and Timing (APNT). 493 One of such APNT solution consists of integrating the navigation 494 functionality into LDACS. The ground infrastructure for APNT is 495 deployed through the implementation of LDACS's GSs and the navigation 496 capability comes "for free". 498 LDACS navigation has already been demonstrated in practice in a 499 flight measurement campaign [SCH20191]. 501 6. Requirements to LDACS 503 The requirements to LDACS are mostly defined by its application area: 504 Communication related to safety and regularity of flight. 506 A particularity of the current aeronautical communication landscape 507 is that it is heavily regulated. Aeronautical data links (for 508 applications related to safety and regularity of flight) MAY only use 509 spectrum licensed to aviation and data links endorsed by ICAO. 510 Nation states can change this locally, however, due to the global 511 scale of the air transportation system adherence to these practices 512 is to be expected. 514 Aeronautical data links for the Aeronautical Telecommunication 515 Network (ATN) are therefore expected to remain in service for 516 decades. The VDLM2 data link currently used for digital terrestrial 517 internetworking was developed in the 1990es (the use of the Open 518 Systems Interconnection (OSI) stack indicates that as well). VDLM2 519 is expected to be used at least for several decades. In this respect 520 aeronautical communication (for applications related to safety and 521 regularity of flight) is more comparable to industrial applications 522 than to the open Internet. 524 Internetwork technology is already installed in current aircraft. 525 Current ATS applications use either the Aircraft Communications 526 Addressing and Reporting System (ACARS) or the OSI stack. The 527 objective of the development effort LDACS as part of the FCI is to 528 replace legacy OSI stack and proprietary ACARS internetwork 529 technologies with industry standard IP technology. It is anticipated 530 that the use of Commercial Off-The-Shelf (COTS) IP technology mostly 531 applies to the ground network. The avionics networks on the aircraft 532 will likely be heavily modified or proprietary. 534 AOC applications currently mostly use the same stack (although some 535 applications, like the graphical weather service MAY use the 536 commercial passenger network). This creates capacity problems 537 (resulting in excessive amounts of timeouts) since the underlying 538 terrestrial data links (VDLM1/2) do not provide sufficient bandwidth. 539 The use of non-aviation specific data links is considered a security 540 problem. Ideally the aeronautical IP internetwork and the Internet 541 SHOULD be completely separated. 543 The objective of LDACS is to provide a next generation terrestrial 544 data link designed to support IP and provide much higher bandwidth to 545 avoid the currently experienced operational problems. 547 The requirement for LDACS is therefore to provide a terrestrial high- 548 throughput data link for IP internetworking in the aircraft. 550 In order to fulfil the above requirement LDACS needs to be 551 interoperable with IP (and IP-based services like Voice-over-IP) at 552 the gateway connecting the LDACS network to other aeronautical ground 553 networks (the totality of them being the ATN). On the avionics side 554 in the aircraft aviation specific solutions are to be expected. 556 In addition to the functional requirements LDACS and its IP stack 557 need to fulfil the requirements defined in RTCA DO-350A/EUROCAE ED- 558 228A [DO350A]. This document defines continuity, availability, and 559 integrity requirements at different scopes for each air traffic 560 management application (CPDLC, CM, and ADS-C). The scope most 561 relevant to IP over LDACS is the CSP (Communication Service Provider) 562 scope. 564 Continuity, availability, and integrity requirements are defined in 565 [DO350A] volume 1 Table 5-14, and Table 6-13. Appendix A presents 566 the REQUIRED information. 568 In a similar vein, requirements to fault management are defined in 569 the same tables. 571 7. Characteristics of LDACS 573 LDACS will become one of several wireless access networks connecting 574 aircraft to the ATN implemented by the FCI and possibly ACARS/FANS 575 networks [FAN2019]. 577 The current LDACS design is focused on the specification of layer 2. 579 Achieving stringent the continuity, availability, and integrity 580 requirements defined in [DO350A] will require the specification of 581 layer 3 and above mechanisms (e.g. reliable crossover at the IP 582 layer). Fault management mechanisms are similarly undefined. Input 583 from the working group will be appreciated here. 585 7.1. LDACS Sub-Network 587 An LDACS sub-network contains an Access Router (AR) and several GS, 588 each of them providing one LDACS radio cell. 590 User plane interconnection to the ATN is facilitated by the AR 591 peering with an A2G Router connected to the ATN. 593 The internal control plane of an LDACS sub-network interconnects the 594 GS. An LDACS sub-network is illustrated in Figure 1. 596 wireless user 597 link plane 598 AS-------------GS---------------AR---A2G-----ATN 599 . | Router 600 . control | 601 . plane | 602 . | 603 GS...............| 604 . | 605 . | 606 GS---------------+ 608 Figure 1: LDACS sub-network with three GSs and one AS 610 7.2. Topology 612 LDACS operating in A2G mode is a cellular point-to-multipoint system. 613 The A2G mode assumes a star-topology in each cell where Aircraft 614 Stations (AS) belonging to aircraft within a certain volume of space 615 (the LDACS cell) is connected to the controlling GS. The LDACS GS is 616 a centralized instance that controls LDACS A2G communications within 617 its cell. The LDACS GS can simultaneously support multiple bi- 618 directional communications to the ASs under its control. LDACS's GSs 619 themselves are connected to each other and the AR. 621 Prior to utilizing the system an AS has to register with the 622 controlling GS to establish dedicated logical channels for user and 623 control data. Control channels have statically allocated resources, 624 while user channels have dynamically assigned resources according to 625 the current demand. Logical channels exist only between the GS and 626 the AS. 628 The LDACS wireless link protocol stack defines two layers, the 629 physical layer and the data link layer. 631 7.3. LDACS Physical Layer 633 The physical layer provides the means to transfer data over the radio 634 channel. The LDACS GS supports bi-directional links to multiple 635 aircraft under its control. The FL direction at the G2A connection 636 and the RL direction at the A2G connection are separated by Frequency 637 Division Duplex. FL and RL use a 500 kHz channel each. The GS 638 transmits a continuous stream of Orthogonal Frequency-Division 639 Multiplexing (OFDM) symbols on the FL. In the RL different aircraft 640 are separated in time and frequency using a combination of Orthogonal 641 Frequency-Division Multiple-Access (OFDMA) and Time-Division 642 Multiple-Access (TDMA). Aircraft thus transmit discontinuously on 643 the RL with radio bursts sent in precisely defined transmission 644 opportunities allocated by the GS. 646 7.4. LDACS Data Link Layer 648 The data-link layer provides the necessary protocols to facilitate 649 concurrent and reliable data transfer for multiple users. The LDACS 650 data link layer is organized in two sub-layers: The medium access 651 sub-layer and the Logical Link Control (LLC) sub-layer. The medium 652 access sub-layer manages the organization of transmission 653 opportunities in slots of time and frequency. The LLC sub-layer 654 provides acknowledged point-to-point logical channels between the 655 aircraft and the GS using an automatic repeat request protocol. 656 LDACS supports also unacknowledged point-to-point channels and G2A 657 broadcast. 659 7.5. LDACS Mobility 661 LDACS supports layer 2 handovers to different LDACS channels. 662 Handovers MAY be initiated by the aircraft (break-before-make) or by 663 the GS (make-before-break). Make-before-break handovers are only 664 supported for GSs connected to each other. 666 External handovers between non-connected LDACS sub-networks or 667 different aeronautical data links SHALL be handled by the FCI multi- 668 link concept. 670 8. Reliability and Availability 672 8.1. Layer 2 674 LDACS has been designed with applications related to the safety and 675 regularity of flight in mind. It has therefore been designed as a 676 deterministic wireless data link (as far as this is possible). 678 Based on channel measurements of the L-band channel [SCHN2016] and 679 respecting the specific nature of the area of application, LDACS was 680 designed from the PHY layer up with robustness in mind. 682 In order to maximize the capacity per channel and to optimally use 683 the available spectrum, LDACS was designed as an OFDM-based Frequency 684 Division Duplex system, supporting simultaneous transmissions in FL 685 at the G2A connection and RF at the A2G connection. The legacy 686 systems already deployed in the L-band limit the bandwidth of both 687 channels to approximately 500 kHz. 689 The LDACS physical layer design includes propagation guard times 690 sufficient for the operation at a maximum distance of 200 nautical 691 miles from the GS. In actual deployment, LDACS can be configured for 692 any range up to this maximum range. 694 The LDACS FL physical layer is a continuous OFDM transmission. LDACS 695 RL transmission is based on OFDMA-TDMA bursts, with silence between 696 such bursts. The RL resources (i.e. bursts) are assigned to 697 different ASs on demand by the GS. 699 The LDACS physical layer supports adaptive coding and modulation for 700 user data. Control data is always encoded with the most robust 701 coding and modulation (QPSK coding rate 1/2). 703 LDACS medium access on top of the physical layer uses a static frame 704 structure to support deterministic timer management. As shown in 705 Figure 3 and Figure 4, LDACS framing structure is based on Super- 706 Frames (SF) of 240ms duration corresponding to 2000 OFDM symbols. FL 707 and RL boundaries are aligned in time (from the GS perspective) 708 allowing for deterministic sending windows for KEEP ALIVE messages 709 and control and data channels in general. 711 LDACS medium access is always under the control of the GS of a radio 712 cell. Any medium access for the transmission of user data has to be 713 requested with a resource request message stating the requested 714 amount of resources and class of service. The GS performs resource 715 scheduling on the basis of these requests and grants resources with 716 resource allocation messages. Resource request and allocation 717 messages are exchanged over dedicated contention-free control 718 channels. 720 The purpose of Quality-of-Service in LDACS medium access is to 721 provide prioritized medium access at the bottleneck (the wireless 722 link). The signaling of higher layer Quality-of-Service requirements 723 to LDACS is yet to be defined. A DiffServ-based solution with a 724 small number of priorities is to be expected. 726 LDACS has two mechanisms to request resources from the scheduler in 727 the GS. 729 Resources can either be requested "on demand" with a given priority. 730 On the FL, this is done locally in the GS, on the RL a dedicated 731 contention-free control channel is used called Dedicated Control 732 Channel (DCCH), which is roughly 83 bit every 60 ms. A resource 733 allocation is always announced in the control channel of the FL, 734 short Common Control Channel (CCCH) having variable size. Due to the 735 spacing of the RL control channels every 60 ms, a medium access delay 736 in the same order of magnitude is to be expected. 738 Resources can also be requested "permanently". The permanent 739 resource request mechanism supports requesting recurring resources in 740 given time intervals. A permanent resource request has to be 741 canceled by the user (or by the GS, which is always in control). 743 User data transmissions over LDACS are therefore always scheduled by 744 the GS, while control data uses statically (i.e. at cell entry) 745 allocated recurring resources (DCCH and CCCH). The current 746 specification specifies no scheduling algorithm. Scheduling of RL 747 resources is done in physical Protocol Data Units of 112 bit (or 748 larger if more aggressive coding and modulation is used). Scheduling 749 on the FL is done Byte-wise since the FL is transmitted continuously 750 by the GS. 752 In addition to having full control over resource scheduling, the GS 753 can send forced Handover commands for off-loading or RF channel 754 management, e.g. when the signal quality declines and a more suitable 755 GS is in the AS reach. With robust resource management of the 756 capacities of the radio channel, reliability and robustness measures 757 are therefore also anchored in the LDACS management entity. 759 In addition, to radio resource management, the LDACS control channels 760 are also used to send keep-alive messages, when they are not 761 otherwise used. Since the framing of the control channels is 762 deterministic, missing keep-alive messages can thus be immediately 763 detected. This information is made available to the multi-link 764 protocols for fault management. 766 The protocol used to communicate faults is not defined in the LDACS 767 specification. It is assumed that vendors would use industry 768 standard protocols like the Simple Network Management Protocol or the 769 Network Configuration Protocol where security permits. 771 The LDACS data link layer protocol running on top of the medium 772 access sub-layer uses ARQ to provide reliable data transmission on 773 layer 2. 775 It employs selective repeat ARQ with transparent fragmentation and 776 reassembly to the resource allocation size to achieve low latency and 777 a low overhead without losing reliability. It ensures correct order 778 of packet delivery without duplicates. In case of transmission 779 errors it identifies lost fragments with deterministic timers synced 780 to the medium access frame structure and initiates retransmission. 781 Additionally, the priority mechanism of LDACS ensures the timely 782 delivery of messages with high importance. 784 8.2. Beyond Layer 2 786 LDACS availability can be increased by appropriately deploying LDACS 787 infrastructure: This means proliferating the number of terrestrial 788 base stations. However, the scarcity of aeronautical spectrum for 789 data link communication (in the case of LDACS: tens of MHz in the 790 L-band) and the long range (in the case of LDACS: up to 400 km) make 791 this quite hard. The deployment of a larger number of small cells is 792 certainly possible, suffers, however, also from the scarcity of 793 spectrum. An additional constraint to take into account, is that 794 Distance Measuring Equipment (DME) is the primary user of the 795 aeronautical L-band. That is, any LDACS deployment has to take DME 796 frequency planning into account, too. 798 The aeronautical community has therefore decided not to rely on a 799 single communication system or frequency band. It is envisioned to 800 have multiple independent data link technologies in the aircraft 801 (e.g., terrestrial and satellite communications) in addition to 802 legacy VHF voice. 804 However, as of now no reliability and availability mechanisms that 805 could utilize the multi-link have been specified on Layer 3 and 806 above. 808 Below Layer 2 aeronautics usually relies on hardware redundancy. To 809 protect availability of the LDACS link, an aircraft equipped with 810 LDACS will have access to two L-band antennae with triple redundant 811 radio systems as REQUIRED for any safety relevant aeronautical 812 systems by ICAO. 814 9. Protocol Stack 816 The protocol stack of LDACS is implemented in the AS and GS: It 817 consists of the Physical Layer (PHY) with five major functional 818 blocks above it. Four are placed in the Data Link Layer (DLL) of the 819 AS and GS: (1) Medium Access Layer (MAC), (2) Voice Interface (VI), 820 (3) Data Link Service (DLS), and (4) LDACS Management Entity (LME). 821 The last entity resides within the Sub-Network Layer: Sub-Network 822 Protocol (SNP). The LDACS network is externally connected to voice 823 units, radio control units, and the ATN Network Layer. 825 Figure 2 shows the protocol stack of LDACS as implemented in the AS 826 and GS. 828 IPv6 Network Layer 829 | 830 | 831 +------------------+ +----+ 832 | SNP |--| | Sub-Network 833 | | | | Layer 834 +------------------+ | | 835 | | LME| 836 +------------------+ | | 837 | DLS | | | Logical Link 838 | | | | Control Layer 839 +------------------+ +----+ 840 | | 841 DCH DCCH/CCCH 842 | RACH/BCCH 843 | | 844 +--------------------------+ 845 | MAC | Medium Access 846 | | Layer 847 +--------------------------+ 848 | 849 +--------------------------+ 850 | PHY | Physical Layer 851 +--------------------------+ 852 | 853 | 854 ((*)) 855 FL/RL radio channels 856 separated by 857 Frequency Division Duplex 859 Figure 2: LDACS protocol stack in AS and GS 861 9.1. MAC Entity Services 863 The MAC time framing service provides the frame structure necessary 864 to realize slot-based Time Division Multiplex (TDM) access on the 865 physical link. It provides the functions for the synchronization of 866 the MAC framing structure and the PHY Layer framing. The MAC time 867 framing provides a dedicated time slot for each logical channel. 869 The MAC Sub-Layer offers access to the physical channel to its 870 service users. Channel access is provided through transparent 871 logical channels. The MAC Sub-Layer maps logical channels onto the 872 appropriate slots and manages the access to these channels. Logical 873 channels are used as interface between the MAC and LLC Sub-Layers. 875 The LDACS framing structure for FL and RL is based on Super-Frames 876 (SF) of 240 ms duration. Each SF corresponds to 2000 OFDM symbols. 877 The FL and RL SF boundaries are aligned in time (from the view of the 878 GS). 880 In the FL, an SF contains a Broadcast Frame of duration 6.72 ms (56 881 OFDM symbols) for the Broadcast Control Channel (BCCH), and four 882 Multi-Frames (MF), each of duration 58.32 ms (486 OFDM symbols). 884 In the RL, each SF starts with a Random Access (RA) slot of length 885 6.72 ms with two opportunities for sending RL random access frames 886 for the Random Access Channel (RACH), followed by four MFs. These 887 MFs have the same fixed duration of 58.32 ms as in the FL, but a 888 different internal structure 890 Figure 3 and Figure 4 illustrate the LDACS frame structure. 892 ^ 893 | +------+------------+------------+------------+------------+ 894 | FL | BCCH | MF | MF | MF | MF | 895 F +------+------------+------------+------------+------------+ 896 r <---------------- Super-Frame (SF) - 240ms ----------------> 897 e 898 q +------+------------+------------+------------+------------+ 899 u RL | RACH | MF | MF | MF | MF | 900 e +------+------------+------------+------------+------------+ 901 n <---------------- Super-Frame (SF) - 240ms ----------------> 902 c 903 y 904 | 905 ----------------------------- Time ------------------------------> 906 | 908 Figure 3: SF structure for LDACS 910 ^ 911 | +-------------+------+-------------+ 912 | FL | DCH | CCCH | DCH | 913 F +-------------+------+-------------+ 914 r <---- Multi-Frame (MF) - 58.32ms --> 915 e 916 q +------+---------------------------+ 917 u RL | DCCH | DCH | 918 e +------+---------------------------+ 919 n <---- Multi-Frame (MF) - 58.32ms --> 920 c 921 y 922 | 923 -------------------- Time ------------------> 924 | 926 Figure 4: MF structure for LDACS 928 9.2. DLS Entity Services 930 The DLS provides acknowledged and unacknowledged (including broadcast 931 and packet mode voice) bi-directional exchange of user data. If user 932 data is transmitted using the acknowledged DLS, the sending DLS 933 entity will wait for an acknowledgement from the receiver. If no 934 acknowledgement is received within a specified time frame, the sender 935 MAY automatically try to retransmit its data. However, after a 936 certain number of failed retries, the sender will suspend further 937 retransmission attempts and inform its client of the failure. 939 The DLS uses the logical channels provided by the MAC: 941 1. A GS announces its existence and access parameters in the 942 Broadcast Channel (BC). 943 2. The RA channel enables AS to request access to an LDACS cell. 944 3. In the FL the CCCH is used by the GS to grant access to data 945 channel resources. 946 4. The reverse direction is covered by the RL, where ASs need to 947 request resources before sending. This happens via the DCCH. 948 5. User data itself is communicated in the Data Channel (DCH) on the 949 FL and RL. 951 9.3. VI Services 953 The VI provides support for virtual voice circuits. Voice circuits 954 MAY either be set-up permanently by the GS (e.g., to emulate voice 955 party line) or MAY be created on demand. The creation and selection 956 of voice circuits is performed in the LME. The VI provides only the 957 transmission services. 959 9.4. LME Services 961 The mobility management service in the LME provides support for 962 registration and de-registration (cell entry and cell exit), scanning 963 RF channels of neighboring cells and handover between cells. In 964 addition, it manages the addressing of aircraft/ ASs within cells. 966 The resource management service provides link maintenance (power, 967 frequency and time adjustments), support for adaptive coding and 968 modulation, and resource allocation. 970 9.5. SNP Services 972 The DLS provides functions REQUIRED for the transfer of user plane 973 data and control plane data over the LDACS sub-network. 975 The security service provides functions for secure communication over 976 the LDACS sub-network. Note that the SNP security service applies 977 cryptographic measures as configured by the GS. 979 10. Security Considerations 981 10.1. Reasons for Wireless Digital Aeronautical Communications 983 Aviation will require secure exchanges of data and voice messages for 984 managing the air-traffic flow safely through the airspaces all over 985 the world. Historically Communication Navigation Surveillance (CNS) 986 wireless communications technology emerged from military and a threat 987 landscape where inferior technological and financial capabilities of 988 adversaries were assumed [STR2016]. The main communication method 989 for ATC today is still an open analogue voice broadcast within the 990 aeronautical VHF band. Currently, the information security is purely 991 procedural based by using well-trained personnel and proven 992 communications procedures. This communication method has been in 993 service since 1948. However, since the emergence of civil 994 aeronautical CNS application and today, the world has changed. Civil 995 applications have significant lower spectrum available than military 996 applications. This means several military defence mechanisms such as 997 frequency hopping or pilot symbol scrambling and, thus, a defense-in- 998 depth approach starting at the physical layer is infeasible for civil 999 systems. With the rise of cheap Software Defined Radios, the 1000 previously existing financial barrier is almost gone and open source 1001 projects such as GNU radio [GNU2012] allow the new type of 1002 unsophisticated listeners and possible attackers. Most CNS 1003 technology developed in ICAO relies on open standards, thus syntax 1004 and semantics of wireless digital aeronautical communications SHOULD 1005 be expected to be common knowledge for attackers. With increased 1006 digitization and automation of civil aviation the human as control 1007 instance is being taken gradually out of the loop. Autonomous 1008 transport drones or single piloted aircraft demonstrate this trend. 1009 However, without profound cybersecurity measures such as authenticity 1010 and integrity checks of messages in-transit on the wireless link or 1011 mutual entity authentication, this lack of a control instance can 1012 prove disastrous. Thus, future digital communications waveforms will 1013 need additional embedded security features to fulfill modern 1014 information security requirements like authentication and integrity. 1015 These security features require sufficient bandwidth which is beyond 1016 the capabilities of a VHF narrowband communications system. For 1017 voice and data communications, sufficient data throughput capability 1018 is needed to support the security functions while not degrading 1019 performance. LDACS is a data link technology with sufficient 1020 bandwidth to incorporate security without losing too much user 1021 throughput. 1023 As digitalization progresses even further with LDACS and automated 1024 procedures such as 4D-Trajectories allowing semi-automated en-route 1025 flying of aircraft, LDACS requires stronger cybersecurity measures. 1027 10.2. LADACS Requirements 1029 Overall there are several business goals for cybersecurity to protect 1030 in FCI in civil aviation: 1032 1. Safety: The system MUST sufficiently mitigate attacks, which 1033 contribute to safety hazards. 1034 2. Flight regularity: The system MUST sufficiently mitigate attacks, 1035 which contribute to delays, diversions, or cancellations of 1036 flights. 1037 3. Protection of business interests: The system MUST sufficiently 1038 mitigate attacks which result in financial loss, reputation 1039 damage, disclosure of sensitive proprietary information, or 1040 disclosure of personal information. 1042 To further analyze assets and derive threats and thus protection 1043 scenarios several Threat-and Risk Analysis were performed for LDACS 1044 [MAE20181] , [MAE20191]. These results allowed deriving security 1045 scope and objectives from the requirements and the conducted Threat- 1046 and Risk Analysis. 1048 10.3. LDACS Security Objectives 1050 Security considerations for LDACS are defined by the official 1051 Standards And Recommended Practices (SARPS) document by ICAO 1052 [ICA2018]: 1054 1. LDACS SHALL provide a capability to protect the availability and 1055 continuity of the system. 1056 2. LDACS SHALL provide a capability including cryptographic 1057 mechanisms to protect the integrity of messages in transit. 1058 3. LDACS SHALL provide a capability to ensure the authenticity of 1059 messages in transit. 1060 4. LDACS SHOULD provide a capability for nonrepudiation of origin 1061 for messages in transit. 1062 5. LDACS SHOULD provide a capability to protect the confidentiality 1063 of messages in transit. 1064 6. LDACS SHALL provide an authentication capability. 1065 7. LDACS SHALL provide a capability to authorize the permitted 1066 actions of users of the system and to deny actions that are not 1067 explicitly authorized. 1068 8. If LDACS provides interfaces to multiple domains, LDACS SHALL 1069 provide capability to prevent the propagation of intrusions within 1070 LDACS domains and towards external domains. 1072 10.4. LDACS Security Functions 1074 These objectives were used to derive several security functions for 1075 LDACS REQUIRED to be integrated in the LDACS cybersecurity 1076 architecture: (1) Identification, (2) Authentication, (3) 1077 Authorization, (4) Confidentiality, (5) System Integrity, (6) Data 1078 Integrity, (7) Robustness, (8) Reliability, (9) Availability, and 1079 (10) Key and Trust Management. Several works investigated possible 1080 measures to implement these security functions [BIL2017], [MAE20181], 1081 [MAE20191]. Having identified security requirements, objectives and 1082 functions it MUST be ensured that they are applicable. 1084 10.5. LDACS Security Architecture 1086 The requirements lead to a LDACS security model including different 1087 entities for identification, authentication and authorization 1088 purposes ensuring integrity, authenticity and confidentiality of data 1089 in-transit especially. 1091 10.5.1. Entities 1093 A simplified LDACS architectural modelrequires the following 1094 entities: Network operators such as the Societe Internationale de 1095 Telecommunications Aeronautiques (SITA) [SIT2020] and ARINC [ARI2020] 1096 are providing access to the (1) Ground IPS network via an (2) A2G 1097 LDACS Router. This router is attached to a closed off LDACS Access 1098 Network, (3) which connects via further (4) Access Routers to the 1099 different (5) LDACS Cell Ranges, each controlled by a (6) GS (serving 1100 one LDACS cell), with several interconnected GS (7) spanning a local 1101 LDACS access network. Via the (8) A2G wireless LDACS data link (9) 1102 AS the aircraft is connected to the ground network and via the (10) 1103 aircrafts's VI and (11) aircraft's network interface, aircraft's data 1104 can be sent via the AS back to the GS and the forwarded back via GSC, 1105 LDACS local access network, access routers, LDACS access network, A2G 1106 LDACS router to the ground IPS network. 1108 10.5.2. Entity Identification 1110 LDACS needs specific identities for (1) the AS, (2) the GS, (3) the 1111 GS, and (4) the Network Operator. The aircraft itself can be 1112 identified using the ICAO unique address of an aircraft, the call 1113 sign of that aircraft or the recently founded Privacy ICAO Address 1114 (PIA) program [FAA2020]. It is conceivable that the LDACS AS will 1115 use a combination of aircraft identification, radio component 1116 identification such as MAC addresses and even operator features 1117 identification to create a unique AS LDACS identification tag. 1118 Similar to a 4G's eNodeB Serving Network (SN) Identification tag, a 1119 GS could be identified using a similar field. The identification of 1120 the network operator is again similar to 4G (e.g., E-Plus, AT&T, and 1121 TELUS), in the way that the aeronautical network operators are listed 1122 (e.g., ARINC [ARI2020] and SITA [SIT2020]). 1124 10.5.3. Entity Authentication and Key Negotiation 1126 In order to anchor Trust within the system all LDACS entities 1127 connected to the ground IPS network SHALL be rooted in an LDACS 1128 specific chain-of-trust and PKI solution, quite similar to AeroMACS 1129 approach [CRO2016]. These X.509 certificates [RFC5280] residing at 1130 the entities and incorporated in the LDACS PKI proof the ownership of 1131 their respective public key, include information about the identity 1132 of the owner and the digital signature of the entity that has 1133 verified the certificate's content. First all ground infrastructures 1134 MUST mutually authenticate to each other, negotiate and derive keys 1135 and, thus, secure all ground connections. How this process is 1136 handled in detail is still an ongoing discussion. However, 1137 established methods to secure user plane by IPSec [RFC4301] and IKEv2 1138 [RFC7296] or the application layer via TLS 1.3 [RFC8446] are 1139 conceivable. The LDACS PKI with their chain-of-trust approach, 1140 digital certificates and public entity keys lay the groundwork for 1141 this step. In a second step the AS with the LDACS radio approaches 1142 an LDACS cell and performs a cell entry with the corresponding GS. 1143 Similar to the LTE cell attachment process [TS33.401], where 1144 authentication happens after basic communication has been enabled 1145 between AS and GS (step 5a in the UE attachment process [TS33.401]), 1146 the next step is mutual authentication and key exchange. Hence, in 1147 step three using the identity-based Station-to-Station (STS) protocol 1148 with Diffie-Hellman Key Exchange [MAE2020], AS and GS establish 1149 mutual trust by authenticating each other, exchanging key material 1150 and finally, both ending up with derived key material. A key 1151 confirmation is mandatory before the communication channel between 1152 the AS and the GS can be opened for user-data communications. 1154 10.5.4. Message-in-transit Confidentiality, Integrity and Authenticity 1156 The subsequent key material from the previous step can then be used 1157 to protect LDACS Layer 2 communications via applying encryption and 1158 integrity protection measures on the SNP layer of the LDACS protocol 1159 stack. As LDACS transports AOC and ATS data, the integrity of that 1160 data is most important, while confidentiality only needs to be 1161 applied to AOC data to protect business interests [ICA2018]. This 1162 possibility of providing low layered confidentiality and integrity 1163 protection ensures a secure delivery of user data over the air gap. 1164 Furthermore, it ensures integrity protection of LDACS control data. 1166 10.6. LDACS Security Modules 1168 A draft of the cybersecurity architecture of LDACS can be found in 1169 [ICA2018] and [MAE20182] and respective updates in [MAE20191], 1170 [MAE20192], and [MAE2020]. 1172 10.6.1. Placements of Security Functionality in Protocol Stack 1174 Placing protection mechanisms in the LME and SNP entities within the 1175 protocol stack of LDACS will be most efficient in securing LDACS. 1176 MAC and DLS will also receive new tasks like the measurement 1177 performance for control channel protection. Security endpoints for 1178 secure user data communication, control data protection and primary 1179 entity authentication are the AS and GS. 1181 10.6.2. Trust 1183 The LDACS security concept requires all entities in an LDACS network 1184 to authenticate to each other to ascertain that only trusted 1185 participants can use the system. To establish trust within the 1186 network, inter-operations between all FCI candidates must be 1187 possible, thus LDACS will follow AeroMACS lead and also use an FCI 1188 specific PKI [RFC5280]. A PKI can solve the problem of having to 1189 trust a communication's partner identity claim via involving a 1190 trusted third party who verifies the identities of the parties who 1191 wish to engage in communication via issuing a digital certificate. 1192 As aviation operates worldwide, a hierarchical PKI will have to be 1193 deployed with several sub-CAs being distributed over the world. 1195 Basically, there are two proposals on how to achieve worldwide trust 1196 coverage: 1198 1. One root CA is installed per geographic region and then it 1199 performs cross-certification with distributed root-CAs of all 1200 other geo-graphic regions around the world. Subdomains can exist 1201 within ATM organizations. Here trust emerges from the assured 1202 trustworthiness of each regional root CA cross-certifying other 1203 and being cross-certified by other regional CAs 1204 2. The other idea is to have one worldwide (probably offline) root 1205 CA, hosted by a trusted worldwide entity, such as ICAO, with 1206 several regions sub-CAs distributed around the world. That way, 1207 the ICAO hosted root CA serves as trust bridge. 1209 10.6.3. Mutual Authentication and Key Exchange (MAKE) 1211 Via a modified, identity-based STS procedure and digital certificate 1212 and public keys pre-deployed during maintenance at the respective 1213 end-entities, the MAKE procedure can guarantee (1) Mutual 1214 Authentication, (2) Secure Key Agreement, (3) Prefect Forward Secrecy 1215 and (4) Key Confirmation [MAE2020]. As Diffie-Hellman Key Exchange 1216 (DHKE) procedure, we are currently evaluating the classic ephemeral 1217 DHKE [DIF1976] with 3072bit keys, Elliptic Curve DHKE (ECDH) with 1218 256bit keys [KOB1987] and the Supersingular Isogeny DHKE (SIDH) with 1219 2624bit key sizes [JAO2011]. As minimization of security data on the 1220 datalink is key, ECDH is currently the favorite way forward. 1221 Assuming that an LDACS security header consists of TYPE, ID, UA and 1222 PRIO fields, the entire header is of length 48bit [GRA2019]. 1223 Cryptographic nonces are 96bit long, signatures 512bit and the public 1224 elliptic curve Diffie-Hellman keys 256bit. With these bit sizes, the 1225 entire STS-MAKE procedure between AS and GS requires a total of 4 1226 messages and 1920bit [MAE2021]. 1228 10.6.4. Key Derivation and Key Hierarchy 1230 Once all parties within the network have successfully authenticated 1231 to each other, key derivation is necessary to generate different keys 1232 for different purposes. We need different keys for user data 1233 protection and keys for control data protection. As key derivation 1234 function, we propose the Hash-based Message Authentication Code 1235 (HMAC) Key Derivation Function (KDF) - HKDF [RFC5869]. First the 1236 input keying material (here: master key/static Diffie Hellman shared 1237 key) is taken and a fixed-length pseudo-random key is extracted. We 1238 extract a pseudorandom key from the master key by adding a salt 1239 value, which can be any fixed non-secret string chosen at random. In 1240 the process the pseudo random key becomes indistinguishable from a 1241 uniform distribution of bits. As LDACS will be deployed in 2024 with 1242 a recommendation of a minimum-security level of 128bit. 1244 10.6.5. User Data Security 1246 It is proposed to secure LDACS Sub-Network Packet Data Units (SN- 1247 PDU)s, as their size can vary from 128 to 1536 Byte [GRA2019], which 1248 makes them possibly the largest PDUs within LDACS. This helps 1249 minimizing security data overhead, in case a Message Authentication 1250 Code (MAC) tag is attached to the SN-PDU. For confidentiality 1251 protection, it is RECOMMENDED symmetric approaches for data 1252 encryption, due to low computational overhead and fast operation 1253 times. As encryption algorithm, it is RECOMMENDED to use AES-128- 1254 GCM/AES-256-GCM [RFC5288] with Galois Counter Mode (GCM) being a mode 1255 of operation on symmetric key block. It provides authenticated 1256 encryption and decryption operations and it proves robust against 1257 currently known quantum-computer-based algorithms [BER2017]. For 1258 message integrity/authenticity protection, it is RECOMMENDED either 1259 to use the aforementioned AES-GCM with tag lengths of at least 128bit 1260 or HMAC with hash-functions from the SHA-3 family [PRI2014]. At 1261 least HMAC-SHA3-128 with a tag length of 128bit is RECOMMENDED. This 1262 way the tag security data overhead ranges from 1.04 to 12.50% for 1263 user data, depending on the SN-PDU size. 1265 10.6.6. Control Data Security 1267 LDACS has four control channels: AS announce their existence in the 1268 RA, at the beginning of each SF in the RL, where each AS can transmit 1269 56bit. GS announce their existence in the BC, at the beginning of 1270 each SF in the FL, where the GS can transmit a total of 2304bit. AS 1271 can request resources in the DC, where each AS has an 83bit long slot 1272 and GS can grant those resources in the CC, with 728bit per CC-PHY- 1273 SDU. As the control channels of LDACS are very small-size, it is 1274 obvious that protection is challenging. Having security requirements 1275 in mind it is RECOMMENDED to introduce group key mechanisms for 1276 LDACS. Thus, after the MAKE procedure of LDACS, a control plane 1277 related group key is derived by the GS and shared with all AS in a 1278 protected manner. As group key procedure, several approaches are 1279 investigated (e.g., G-IKEv2 [I-D.ietf-ipsecme-g-ikev2], CRGT 1280 [ZHE2007], CAKE [GUG2018], LKH [SAK2014], and OFT [KUM2020]). As OFT 1281 has the least requirements on network operations compared to the 1282 other, LDACS will use OFT with a fixed tree of 512-member nodes for a 1283 maximum of 512 supported AS in an LDACS cell. All AS and GS use this 1284 group key to protect the exchanged control data in the CC/DC slots. 1285 As these messages remain valid for a time period in the order of 10 1286 ms and the transmission is distance bound by the MAC protocol of 1287 LDACS, very small digest tags of 16 or 32bit can suffice to protect a 1288 minimum of integrity of control messages of LDACS. To that end, it 1289 is proposed to use blake2b or blake2s and to trim the tag after 4 1290 bytes [RFC7693]. 1292 11. Privacy Considerations 1294 LDACS provides a Quality-of-Service, and the generic considerations 1295 for such mechanisms apply. 1297 12. IANA Considerations 1299 This memo includes no request to IANA. 1301 13. Acknowledgements 1303 Thanks to all contributors to the development of LDACS and ICAO PT-T. 1305 Thanks to Klaus-Peter Hauf, Bart Van Den Einden, and Pierluigi 1306 Fantappie for further input to this draft. 1308 Thanks to SBA Research Vienna for fruitful discussions on 1309 aeronautical communications concerning security incentives for 1310 industry and potential economic spillovers. 1312 14. Normative References 1314 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 1315 Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, 1316 December 2005, . 1318 [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., 1319 Housley, R., and W. Polk, "Internet X.509 Public Key 1320 Infrastructure Certificate and Certificate Revocation List 1321 (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008, 1322 . 1324 [RFC7296] Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. 1325 Kivinen, "Internet Key Exchange Protocol Version 2 1326 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October 1327 2014, . 1329 [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol 1330 Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, 1331 . 1333 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1334 Requirement Levels", BCP 14, RFC 2119, 1335 DOI 10.17487/RFC2119, March 1997, 1336 . 1338 [RFC5869] Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand 1339 Key Derivation Function (HKDF)", RFC 5869, 1340 DOI 10.17487/RFC5869, May 2010, 1341 . 1343 [RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois 1344 Counter Mode (GCM) Cipher Suites for TLS", RFC 5288, 1345 DOI 10.17487/RFC5288, August 2008, 1346 . 1348 [RFC7693] Saarinen, M-J., Ed. and J-P. Aumasson, "The BLAKE2 1349 Cryptographic Hash and Message Authentication Code (MAC)", 1350 RFC 7693, DOI 10.17487/RFC7693, November 2015, 1351 . 1353 15. Informative References 1355 [SCHN2016] Schneckenburger, N., Jost, T., Shutin, D., Walter, M., 1356 Thiasiriphet, T., Schnell, M., and U.C. Fiebig, 1357 "Measurement of the L-band Air-to-Ground Channel for 1358 Positioning Applications", IEEE Transactions on Aerospace 1359 and Electronic Systems, 52(5), pp.2281-229 , 2016. 1361 [MAE20191] Maeurer, N., Graeupl, T., and C. Schmitt, "Evaluation of 1362 the LDACS Cybersecurity Implementation", IEEE 38th Digital 1363 Avionics Systems Conference (DACS), pp. 1-10, San Diego, 1364 CA, USA , 2019. 1366 [MAE20192] Maeurer, N. and C. Schmitt, "Towards Successful 1367 Realization of the LDACS Cybersecurity Architecture: An 1368 Updated Datalink Security Threat- and Risk Analysis", IEEE 1369 Integrated Communications, Navigation and Surveillance 1370 Conference (ICNS), pp. 1-13, Herndon, VA, USA , 2019. 1372 [GRA2019] Graeupl, T., Rihacek, C., and B. Haindl, "LDACS A/G 1373 Specification", SESAR2020 PJ14-02-01 D3.3.030 , 2019. 1375 [FAN2019] Pierattelli, S., Fantappie, P., Tamalet, S., van den 1376 Einden, B., Rihacek, C., and T. Graeupl, "LDACS Deployment 1377 Options and Recommendations", SESAR2020 PJ14-02-01 1378 D3.4.020 , 2019. 1380 [MAE20182] Maeurer, N. and A. Bilzhause, "A Cybersecurity 1381 Architecture for the L-band Digital Aeronautical 1382 Communications System (LDACS)", IEEE 37th Digital Avionics 1383 Systems Conference (DASC), pp. 1-10, London, UK , 2017. 1385 [GRA2011] Graeupl, T. and M. Ehammer, "L-DACS1 Data Link Layer 1386 Evolution of ATN/IPS", 30th IEEE/AIAA Digital Avionics 1387 Systems Conference (DASC), pp. 1-28, Seattle, WA, USA , 1388 2011. 1390 [GRA2018] Graeupl, T., Schneckenburger, N., Jost, T., Schnell, M., 1391 Filip, A., Bellido-Manganell, M.A., Mielke, D.M., Maeurer, 1392 N., Kumar, R., Osechas, O., and G. Battista, "L-band 1393 Digital Aeronautical Communications System (LDACS) flight 1394 trials in the national German project MICONAV", Integrated 1395 Communications, Navigation, Surveillance Conference 1396 (ICNS), pp. 1-7, Herndon, VA, USA , 2018. 1398 [SCH20191] Schnell, M., "DLR Tests Digital Communications 1399 Technologies Combined with Additional Navigation Functions 1400 for the First Time", 2019. 1402 [ICA2018] International Civil Aviation Organization (ICAO), "L-Band 1403 Digital Aeronautical Communication System (LDACS)", 1404 International Standards and Recommended Practices Annex 10 1405 - Aeronautical Telecommunications, Vol. III - 1406 Communication Systems , 2018. 1408 [SAJ2014] Haindl, B., Meser, J., Sajatovic, M., Mueller, S., 1409 Arthaber, H., Faseth, T., and M. Zaisberger, "LDACS1 1410 Conformance and Compatibility Assessment", IEEE/AIAA 33rd 1411 Digital Avionics Systems Conference (DASC), pp. 1-11, 1412 Colorado Springs, CO, USA , 2014. 1414 [RIH2018] Rihacek, C., Haindl, B., Fantappie, P., Pierattelli, S., 1415 Graeupl, T., Schnell, M., and N. Fistas, "L-band Digital 1416 Aeronautical Communications System (LDACS) Activities in 1417 SESAR2020", Integrated Communications Navigation and 1418 Surveillance Conference (ICNS), pp. 1-8, Herndon, VA, 1419 USA , 2018. 1421 [BEL2019] Bellido-Manganell, M. A. and M. Schnell, "Towards Modern 1422 Air-to-Air Communications: the LDACS A2A Mode", IEEE/AIAA 1423 38th Digital Avionics Systems Conference (DASC), pp. 1-10, 1424 San Diego, CA, USA , 2019. 1426 [TS33.401] Zhang, D., "3GPP System Architecture Evolution (SAE); 1427 Security architecture", T33.401, 3GPP , 2012. 1429 [CRO2016] Crowe, B., "Proposed AeroMACS PKI Specification is a Model 1430 for Global and National Aeronautical PKI Deployments", 1431 WiMAX Forum at 16th Integrated Communications, Navigation 1432 and Surveillance Conference (ICNS), pp. 1-19, New York, 1433 NY, USA , 2016. 1435 [MAE2020] Maeurer, N., Graeupl, T., and C. Schmitt, "Comparing 1436 Different Diffie-Hellman Key Exchange Flavors for LDACS", 1437 IEEE/AIAA 39th Digital Avionics Systems Conference (DASC), 1438 pp. 1-10, San Antonio, TX, USA , 2020. 1440 [STR2016] Strohmeier, M., Schaefer, M., Pinheiro, R., Lenders, V., 1441 and I. Martinovic, "On Perception and Reality in Wireless 1442 Air Traffic Communication Security", IEEE Transactions on 1443 Intelligent Transportation Systems, 18(6), pp. 1338-1357, 1444 New York, NY, USA , 2016. 1446 [BIL2017] Bilzhause, A., Belgacem, B., Mostafa, M., and T. Graeupl, 1447 "Datalink Security in the L-band Digital Aeronautical 1448 Communications System (LDACS) for Air Traffic Management", 1449 IEEE Aerospace and Electronic Systems Magazine, 32(11), 1450 pp. 22-33, New York, NY, USA , 2017. 1452 [MAE20181] Maeurer, N. and A. Bilzhause, "Paving the Way for an IT 1453 Security Architecture for LDACS: A Datalink Security 1454 Threat and Risk Analysis", IEEE Integrated Communications, 1455 Navigation, Surveillance Conference (ICNS), pp. 1-11, New 1456 York, NY, USA , 2018. 1458 [FAA2020] FAA, "Federal Aviation Administration. ADS-B Privacy.", 1459 August 2020, 1460 . 1462 [GNU2012] GNU Radio project, "GNU radio", August 2012, 1463 . 1465 [SIT2020] SITA, "Societe Internationale de Telecommunications 1466 Aeronautiques", August 2020, . 1468 [ARI2020] ARINC, "Aeronautical Radio Incorporated", August 2020, 1469 . 1471 [DO350A] RTCA SC-214, "Safety and Performance Standard for Baseline 1472 2 ATS Data Communications (Baseline 2 SPR Standard)", May 1473 2016, . 1476 [DIF1976] Diffie, W. and M. Hellman, "New Directions in 1477 Cryptography", IEEE Transactions on Information Theory, 1478 22(6):644-654 , November 1976. 1480 [KOB1987] Koblitz, N. and M. Hellman, "Elliptic Curve 1481 Cryptosystems", Mathematics of Computation, 1482 48(177):203-209. , January 1987. 1484 [JAO2011] Jao, D. and L. De Feo, "Towards Quantum-Resistant 1485 Cryptosystems from Super-singular Elliptic Curve 1486 Isogenies", 4th International Workshop on Post-Quantum 1487 Cryptography, Springer, Heidelberg, Germany, pp. 19-34 , 1488 November 2011. 1490 [MAE2021] Maeurer, N., Graeupl, T., and C. Schmitt, "Cybersecurity 1491 for the L-band DigitalAeronautical Communications System 1492 (LDACS)", Aviation Cybersecurity: Foundations, Principles, 1493 and Applications. H. Song, K. Hopkinson, T. De Cola, T. 1494 Alexandrovich, and D. Liu (Eds.), Chapter 07, in printing 1495 process , 2021. 1497 [BER2017] Bernstein, D.J. and T. Lange, "Post-Quantum Cryptography", 1498 Nature, 549(7671):188-194 , 2017. 1500 [PRI2014] Pritzker, P. and P.D. Gallagher, "SHA-3 standard: 1501 Permutation-Based Hash and Extendable-Output Functions", 1502 Information Tech Laboratory National Institute of 1503 Standards and Technology, pp. 1-35 , 2014. 1505 [ZHE2007] Zheng, X., Huang, C.T., and M. Matthews, "Chinese 1506 Remainder Theorem-Based Group Key Management", 45th Annual 1507 Southeast Regional Conference, ACM, New York, NY, USA, pp. 1508 266-271 , March 2007. 1510 [GUG2018] Guggemos, T., Streit, K., Knuepfer, M., gentsche Felde, 1511 N., and P. Hillmann, "No Cookies, Just CAKE: CRTbased Key 1512 Hierarchy for Efficient Key Management in Dynamic Groups", 1513 International Conference for Internet Technology and 1514 Secured Transactions, Cambridge, UK, pp. 25-32 , December 1515 2018. 1517 [SAK2014] Sakamoto, N., "An Efficient Structure for LKH Key Tree on 1518 Secure Multi-Cast Communications", 15th IEEE/ACIS 1519 International Conference on Software Engineering, 1520 Artificial Intelligence, Networking and Parallel/ 1521 Distributed Computing, New York, NY, USA, pp. 1-7 , 1522 November 2014. 1524 [KUM2020] Kumar, V., Kumar, R., and S.K. Pandey, "A Computationally 1525 Efficient Centralized Group Key Distribution Protocol for 1526 Secure Multicast Communications Based Upon RSA Public Key 1527 Cryptosystem", Journal of King Saud University - Computer 1528 and Information Sciences, 32(9):1081-1094 , 2020. 1530 [RAW-TECHNOS] 1531 Thubert, P., Cavalcanti, D., Vilajosana, X., Schmitt, C., 1532 and J. Farkas, "Reliable and Available Wireless 1533 Technologies", Work in Progress, Internet-Draft, draft- 1534 ietf-raw-technologies-00, 20 October 2020, 1535 . 1538 [RAW-USE-CASES] 1539 Papadopoulos, G., Thubert, P., Theoleyre, F., and C. 1540 Bernardos, "RAW use cases", Work in Progress, Internet- 1541 Draft, draft-ietf-raw-use-cases-00, 23 October 2020, 1542 . 1544 [I-D.ietf-ipsecme-g-ikev2] 1545 Smyslov, V. and B. Weis, "Group Key Management using 1546 IKEv2", Work in Progress, Internet-Draft, draft-ietf- 1547 ipsecme-g-ikev2-02, 11 January 2021, 1548 . 1551 Appendix A. Selected Information from DO-350A 1553 This appendix includes the continuity, availability, and integrity 1554 requirements interesting for LDACS defined in [DO350A]. 1556 The following terms are used here: 1558 CPDLC Controller Pilot Data Link Communication 1559 DT Delivery Time (nominal) value for RSP 1560 ET Expiration Time value for RCP 1561 FH Flight Hour 1562 MA Monitoring and Alerting criteria 1563 OT Overdue Delivery Time value for RSP 1564 RCP Required Communication Performance 1565 RSP Required Surveillance Performance 1566 TT Transaction Time (nominal) value for RCP 1568 +========================+=============+=============+ 1569 | | ECP 130 | ECP 130 | 1570 +========================+=============+=============+ 1571 | Parameter | ET | TT95% | 1572 +------------------------+-------------+-------------+ 1573 | Transaction Time (sec) | 130 | 67 | 1574 +------------------------+-------------+-------------+ 1575 | Continuity | 0.999 | 0.95 | 1576 +------------------------+-------------+-------------+ 1577 | Availability | 0.989 | 0.989 | 1578 +------------------------+-------------+-------------+ 1579 | Integrity | 1E-5 per FH | 1E-5 per FH | 1580 +------------------------+-------------+-------------+ 1582 Table 1: CPDLC Requirements for ECP 1584 +==============+==========+==============+=========+=========+ 1585 | | RCP 240 | RCP 240 | RCP 400 | RCP 400 | 1586 +==============+==========+==============+=========+=========+ 1587 | Parameter | ET | TT95% | ET | TT95% | 1588 +--------------+----------+--------------+---------+---------+ 1589 | Transaction | 240 | 210 | 400 | 350 | 1590 | Time (sec) | | | | | 1591 +--------------+----------+--------------+---------+---------+ 1592 | Continuity | 0.999 | 0.95 | 0.999 | 0.95 | 1593 +--------------+----------+--------------+---------+---------+ 1594 | Availability | 0.989 | 0.989 | 0.989 | 0.989 | 1595 | | (safety) | (efficiency) | | | 1596 +--------------+----------+--------------+---------+---------+ 1597 | Integrity | 1E-5 per | 1E-5 per FH | 1E-5 | 1E-5 | 1598 | | FH | | per FH | per FH | 1599 +--------------+----------+--------------+---------+---------+ 1601 Table 2: CPDLC Requirements for RCP 1603 RCP Monitoring and Alerting Criteria in case of CPDLC: 1605 - MA-1: The system SHALL be capable of detecting failures and 1606 configuration changes that would cause the communication service 1607 no longer meet the RCP specification for the intended use. 1608 - MA-2: When the communication service can no longer meet the RCP 1609 specification for the intended function, the flight crew and/or 1610 the controller SHALL take appropriate action. 1612 +==============+=====+=====+==========+==============+======+=======+ 1613 | | RSP | RSP | RSP 180 | RSP 180 | RSP |RSP 400| 1614 | | 160 | 160 | | | 400 | | 1615 +==============+=====+=====+==========+==============+======+=======+ 1616 | Parameter | OT |DT95%| OT | DT95% | OT | DT95% | 1617 +--------------+-----+-----+----------+--------------+------+-------+ 1618 | Transaction | 160 | 90 | 180 | 90 | 400 | 300 | 1619 | Time (sec) | | | | | | | 1620 +--------------+-----+-----+----------+--------------+------+-------+ 1621 | Continuity |0.999| 0.95| 0.999 | 0.95 |0.999 | 0.95 | 1622 +--------------+-----+-----+----------+--------------+------+-------+ 1623 | Availability |0.989|0.989| 0.989 | 0.989 |0.989 | 0.989 | 1624 | | | | (safety) | (efficiency) | | | 1625 +--------------+-----+-----+----------+--------------+------+-------+ 1626 | Integrity | 1E-5| 1E-5| 1E-5 per | 1E-5 per FH | 1E-5 | 1E-5 | 1627 | | per | per | FH | |per FH| per FH| 1628 | | FH | FH | | | | | 1629 +--------------+-----+-----+----------+--------------+------+-------+ 1631 Table 3: ADS-C Requirements 1633 RCP Monitoring and Alerting Criteria: 1635 - MA-1: The system SHALL be capable of detecting failures and 1636 configuration changes that would cause the ADS-C service no longer 1637 meet the RSP specification for the intended function. 1638 - MA-2: When the ADS-C service can no longer meet the RSP 1639 specification for the intended function, the flight crew and/or 1640 the controller SHALL take appropriate action. 1642 Authors' Addresses 1644 Nils Maeurer (editor) 1645 German Aerospace Center (DLR) 1646 Muenchner Strasse 20 1647 82234 Wessling 1648 Germany 1650 Email: Nils.Maeurer@dlr.de 1652 Thomas Graeupl (editor) 1653 German Aerospace Center (DLR) 1654 Muenchner Strasse 20 1655 82234 Wessling 1656 Germany 1657 Email: Thomas.Graeupl@dlr.de 1659 Corinna Schmitt (editor) 1660 Research Institute CODE, UniBwM 1661 Werner-Heisenberg-Weg 28 1662 85577 Neubiberg 1663 Germany 1665 Email: corinna.schmitt@unibw.de