[Docs] [txt|pdf] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05 06 07 08 09 10 RFC 5326

Delay Tolerant Networking Research Group                      M. Ramadas
Internet Draft                                           Ohio University
<draft-irtf-dtnrg-ltp-02.txt>                                S. Burleigh
December 2004                             NASA/Jet Propulsion Laboratory
Expires June 2005                                             S. Farrell
                                                  Trinity College Dublin

            Licklider Transmission Protocol - Specification

Status of this Memo

   By submitting this Internet-Draft, we certify that any applicable
   patent or other IPR claims of which we are aware have been disclosed,
   or will be disclosed, and any of which we become aware will be
   disclosed, in accordance with RFC 3668.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than a "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [B97].

   Discussions on this internet-draft are being made in the Delay
   Tolerant Networking Research Group (DTNRG) mailing list. More
   information can be found in the DTNRG web-site at
   http://www.dtnrg.org

Abstract

   This document describes the Licklider Transmission Protocol (LTP)
   designed to provide retransmission-based reliability over links
   characterized by extremely long message round-trip times (RTTs)


Ramadas et al.             Expires - June 2005                  [Page 1]

Internet Draft             LTP - Specification             December 2004

   and/or frequent interruptions in connectivity.  Since communication
   across interplanetary space is the most prominent example of this
   sort of environment, LTP is principally aimed at supporting "long-
   haul" reliable transmission in interplanetary space, but has
   applications in other environments as well.

   In an Interplanetary Internet setting deploying the Bundling protocol
   being developed by the Delay Tolerant Networking Research Group, LTP
   is intended to serve as a reliable convergence layer over single hop
   deep-space RF links. LTP does ARQ of data transmissions by soliciting
   selective-acknowledgment reception reports.  It is stateful, and has
   no negotiation or handshakes.

Table of Contents

    1. Introduction .................................................  3
    2. Terminology ..................................................  3
    3. Segment Structure ............................................  8
       3.1 Segment Header ...........................................  9
          3.1.1 Segment Type Flags .................................. 10
          3.1.2 Segment Type Codes .................................. 10
          3.1.3 Segment Class Masks ................................. 11
          3.1.4 Extensions Field .................................... 12
       3.2 Segment Content .......................................... 13
          3.2.1 Data Segment ........................................ 13
          3.2.2 Report Segment ...................................... 14
          3.2.3 Report Acknowledgment Segment ....................... 16
          3.2.4 Session Management Segments ......................... 16
       3.3 Segment Trailer .......................................... 17
    4. Requests from Client Service ................................. 17
       4.1 Transmission Request ..................................... 17
       4.2 Cancellation Request ..................................... 18
    5. Internal Procedures .......................................... 19
       5.1 Start Transmission ....................................... 19
       5.2 Start Checkpoint Timer ................................... 19
       5.3 Start RS Timer ........................................... 20
       5.4 Stop Transmission ........................................ 20
       5.5 Suspend Timers ........................................... 20
       5.6 Resume Timers ............................................ 21
       5.7 Retransmit Checkpoint .................................... 21
       5.8 Retransmit RS ............................................ 22
       5.9 Signify Red-Part Reception ............................... 22
       5.10 Signify Green-Part Segment Arrival ...................... 22
       5.11 Send Reception Report ................................... 23
       5.12 Signify Transmission Completion ......................... 24
       5.13 Retransmit Data ......................................... 25
       5.14 Stop RS Timer ........................................... 26
       5.15 Start Cancel Timer ...................................... 26


Ramadas et al.             Expires - June 2005                  [Page 2]

Internet Draft             LTP - Specification             December 2004

       5.16 Retransmit Cancellation Segment ......................... 26
       5.17 Acknowledge Cancellation ................................ 26
       5.18 Stop Cancel Timer ....................................... 27
       5.19 Cancel Session .......................................... 27
       5.20 Close Session ........................................... 27
       5.21 Handle Miscolored Segment ............................... 27
   6.  Notices to Client Service .................................... 28
      6.1 Session Start ............................................. 28
      6.2 Green-Part Segment Arrival ................................ 28
      6.3 Red-Part Reception ........................................ 29
      6.4 Transmission Completion ................................... 29
      6.5 Transmission Cancellation ................................. 29
      6.6 Reception Cancellation .................................... 30
   7. State Transition Diagrams ..................................... 30
      7.1 Sender .................................................... 32
      7.2 Receiver .................................................. 37
   8. Requirements from the Operating Environment ................... 41
   9. Security Considerations ....................................... 42
      9.1 Security Mechanisms and Layering Considerations ........... 43
      9.2 Denial of Service Considerations .......................... 44
      9.3 Replay Handling ........................................... 45
      9.4 Implementation Considerations ............................. 46
   10. IANA Considerations .......................................... 46
   11. Acknowledgments .............................................. 47
   12. References ................................................... 47
      12.1 Normative References ..................................... 47
      12.2 Informative References ................................... 47
   13. Author's Addresses ........................................... 48
   14. Copyright Statement .......................................... 48

1. Introduction

   This document serves as the main protocol specification of LTP, and
   is part of a series of documents describing LTP. Other documents in
   this series include the motivation document [LTPMOTIVE]  and the
   protocol extensions document [LTPEXT] respectively. We strongly
   recommend reading the protocol motivation document before reading the
   following document to establish sufficient background and motivation
   for the contents that follow in this document.

2. Terminology

(1) Engine ID

   A number that uniquely identifies a given LTP engine, within some
   closed set of communicating LTP engines.  Note that when LTP is
   operating underneath the DTN Bundling protocol [BP][DTN], the
   convergence layer adapter mediating between the two will be


Ramadas et al.             Expires - June 2005                  [Page 3]

Internet Draft             LTP - Specification             December 2004

   responsible for translating between DTN endpoint IDs and LTP engine
   IDs in an implementation-specific manner.

(2) Block

   An array of contiguous octets of application data handed down by the
   upper layer protocol (typically Bundling) to be transmitted via LTP
   from one client service instance to another.

   Any subset of a block comprising contiguous octets that begins at the
   start of the block is termed a "block prefix" and any such subset of
   the block that ends with the end of the block is termed a "block
   suffix".

(3) Red-Part

   The block prefix that is to be transmitted reliably, i.e., subject to
   acknowledgement and retransmission.

(4) Green-Part

   The block suffix that is to be transmitted unreliably, i.e., not
   subject to acknowledgments or retransmissions. If present, the green-
   part of a block begins at the octet following the end of the red-
   part.

(5) Session

   A thread of LTP protocol activity conducted for the purpose of
   transmitting a block.

(6) Segment

   The unit of LTP data transmission activity.  It is the data structure
   transmitted from one LTP engine to another in the course of a
   session.  An LTP segment is either a data segment, a report segment,
   a report-acknowledgment segment, a cancel segment, or a cancel-
   acknowledgment segment.

(7) Reception Claim

   An assertion of reception of some number of contiguous octets of
   application data (a subset of a block) characterized by the offset of
   the first received octet and the number of contiguous octets
   received.

(8) Scope


Ramadas et al.             Expires - June 2005                  [Page 4]

Internet Draft             LTP - Specification             December 2004

   Scope identifies a subset of a block and comprises two numbers -
   upper bound and lower bound.

   For a data segment, lower bound is the offset of the segment's
   application data from the start of the block (in octets), while upper
   bound is the sum of the offset and length of the segment's
   application data (in octets).  For example, a segment with block
   offset 1000 and length 500 would have a lower bound 1000 and upper
   bound 1500.

   For a report segment, upper bound is the end of the block prefix to
   which the reception claims in the report apply, while lower bound is
   the end of the (smaller) interior block prefix to which the reception
   claims in the report do *not* apply.  That is, data at any offset
   equal to or greater than the report's lower bound but less than its
   upper bound and not designated as "received" by any of the report's
   reception claims must be assumed not received and therefore eligible
   for retransmission. For example, if a report segment carried a lower
   bound of 1000 and an upper bound of 5000, and the reception claims
   indicated reception of data within offsets 1000-1999 and 3000-4999,
   data within the block offsets 2000-2999 can be considered eligible
   for retransmission.

   Reception reports (which may comprise multiple report segments) also
   have scope, as defined in Section 5.11.

(9) End of Block (EOB)

   The last data segment transmitted as part of the original
   transmission of a block.  This data segment also indicates that the
   segment's upper bound is the total length of the block (in octets).

(10) End of Red-Part (EORP)

   That segment transmitted as part of the original transmission of a
   block which contains the last octet of the block's red-part.  This
   data segment also indicates that the segment's upper bound is the
   length of the block's red-part (in octets).

(11) Checkpoint

   A data segment soliciting a reception report from the receiving LTP
   engine.  The EORP segment must be flagged as a checkpoint, as must
   the last segment of any retransmission; these are "mandatory
   checkpoints".  All other checkpoints are "discretionary checkpoints".

(12) Reception Report


Ramadas et al.             Expires - June 2005                  [Page 5]

Internet Draft             LTP - Specification             December 2004

   A sequence of one or more report segments reporting on all block data
   reception within some scope.

(13) Synchronous Reception Report

   A reception report that is issued in response to a checkpoint.

(14) Asynchronous Reception Report

   A reception report that is issued in response to some implementation-
   defined event other than the arrival of a checkpoint.

(15) Primary Reception Report

   A reception report that is issued in response to some event other
   than the arrival of a checkpoint segment that was itself issued in
   response to a reception report.  Primary reception reports include
   all asynchronous reception reports and all synchronous reception
   reports that are sent in response to discretionary checkpoints or to
   the EORP segment for a session.

(16) Secondary Reception Report

   A reception report that is issued in response to the arrival of a
   checkpoint segment that was itself issued in response to a reception
   report.

(17) Self-Delimiting Numeric Value (SDNV)

   The design of LTP attempts to reconcile minimal consumption of
   transmission bandwidth with

      (a) extensibility to satisfy requirements not yet identified and
      (b) scalability across a very wide range of network sizes and
          transmission payload sizes.

   A key strategic element in the design is the use of self-delimiting
   numeric values (SDNVs) that are similar in design to the Abstract
   Syntax Notation One [ASN1] encoding of data structures.  SDNVs are of
   two basic types, SDNV-8 and SDNV-16.  An SDNV-8 can be used to encode
   a variable length number from 1 to 128 octets in length; an SDNV-16
   can be used to encode a variable length number from 2 to 128 octets
   in length.  The first octet of an SDNV - the "discriminant" - fully
   characterizes the SDNV's value.

   SDNV-8

      If the most significant bit of the discriminant is zero, the


Ramadas et al.             Expires - June 2005                  [Page 6]

Internet Draft             LTP - Specification             December 2004

      length of the SDNV-8 is 1 octet and the contents of the remaining
      7 bits of the discriminant viewed as an unsigned integer is the
      value of the SDNV. An integer in the range of 0 to 127 can be
      encoded this way.

      Otherwise (if the most significant bit of the discriminant is 1),
      the remaining 7 bits encode the length of the SDNV's value. If the
      content of the remaining 7 bits viewed as an unsigned integer has
      the value N, the encoded number is N+1 octets long and has the
      value found by concatenating octets 2 through N+2 of the SDNV-8,
      viewed as an unsigned integer. For example, if N were 0, the
      following single octet would contain the value of the SDNV-8; if N
      were 127, the following 128 octets would contain the encoded
      unsigned number.

   SDNV-16

      If the most significant bit of the discriminant is zero, then the
      length of the SDNV-16 is 2 octets and the contents of the
      remaining 7 bits of the discriminant concatenated with the
      following octet, viewed as a 15-bit unsigned integer, is the value
      encoded. An integer in the range of 0 to 32767 can be encoded this
      way.

      Otherwise (if the most significant bit of the discriminant is 1),
      the encoding is similar to SDNV-8. If the content of the remaining
      7 bits viewed as an unsigned integer has the value N, the encoded
      number is N+1 octets long and has the value found by concatenating
      octets 2 through N+2 of the SDNV-16, viewed as an unsigned
      integer.

   An SDNV can therefore be used to represent both very large and very
   small integer values.  For example, the maximum size of an SDNV - a
   1024-bit number - is large enough to contain a fairly safe encryption
   key, while any whole-degree Celsius temperature in the range in which
   water is a liquid can be represented in a single-octet SDNV-8.

   In the LTP header specification that follows, various fields in the
   header are defined to be of types SDNV-8 or SDNV-16 depending on the
   typical range of values expected for the field. If a field in the
   header carries a number that typically requires 16 bits to encode,
   but under certain infrequent conditions may grow longer and require,
   say, 32 bits to encode, it might be optimal to specify it as an
   SDNV-16 instead of specifying the field as a fixed 32 bit integer.

   However, SDNV is clearly not the best way to represent every numeric
   value.  When the maximum possible value of a number is known without
   question, the cost of an additional 8 bits of discriminant may not be


Ramadas et al.             Expires - June 2005                  [Page 7]

Internet Draft             LTP - Specification             December 2004

   justified.  For example, an SDNV-8 is a poor way to represent an
   integer whose value typically falls in the range 128 to 255.

   In general, though, we believe that SDNV representation of selected
   numeric values in LTP segments yields the smallest segment sizes
   without sacrificing scalability.

(18) Client Service Instance

   A software entity, such as an application or a higher-layer protocol
   implementation, that is using LTP to transfer data.

3.  Segment Structure

   Each LTP segment comprises

   (a) a "header" in the format defined below.

   (b) zero or more octets of "content".

   (c) zero or more octets of "trailer" as indicated by information in
   the "extensions field" of the header.

   LTP segments are of four general types depending on the nature of the
   content carried:

      Data segments carry client service (application) data, together
      with metadata enabling the receiving client service instance to
      receive and make use of that data.

      A report segment carries data reception claims together with the
      upper and lower bounds of the data block scope to which the claims
      pertain.

      A report-acknowledgment segment carries only the serial number of
      the report being acknowledged.

      Session management segments are of two general subtypes:
      Cancellation and Cancellation-acknowledgment. A Cancellation
      segment carries a single byte reason-code to indicate the reason
      for the cancellation. Cancellation-acknowledgment segments have no
      content.

   The overall segment structure is illustrated below :




Ramadas et al.             Expires - June 2005                  [Page 8]

Internet Draft             LTP - Specification             December 2004

              Bit    0     1     2     3     4     5     6     7
         ^        +-----+-----+-----+-----+-----+-----+-----+-----+
         |        |    Version number     |  Segment Type Flags   |
         |        +-----------------------+-----------------------+
         |        |                                               |
         |        /                 Session ID                    \
         |        \                                               /
       Header     +-----------------------+-----------------------+
         |        | Header Extension Cnt. | Trailer Extension Cnt.|
         |        +-----------------------+-----------------------+
         |        |                                               |
         |        /              Header Extensions                \
         |        \                                               /
         V        +-----------------------------------------------+
                  |                                               |
                  |                                               |
                  |                                               |
                  |              Segment Content                  |
                  /                                               \
                  \                                               /
                  |                                               |
                  |                                               |
                  |                                               |
         ^        +-----------------------------------------------+
         |        |                                               |
      Trailer     /              Trailer Extensions               \
         |        \                                               /
         V        +-----------------------------------------------+

3.1  Segment Header

   An LTP segment header comprises three data items: a single-octet
   control byte, a session ID, and an extensions field.

   Control byte comprises the following:

      Version number (4 bits): MUST be set to the binary value 0000 for
      this version of the protocol.

      Segment type flags (4 bits): described below.

   Session ID uniquely identifies, among all transmissions between the
   segment's sender and receiver, the session of which the segment is
   one token.  It comprises the following:

      Session originator: the engine ID of the LTP engine that initiated
      the session, in SDNV-8 representation.


Ramadas et al.             Expires - June 2005                  [Page 9]

Internet Draft             LTP - Specification             December 2004

      Session number: a number in SDNV-16 representation, typically a
      random number (for anti-DoS reasons), generated by the LTP engine
      identified as the session originator.

      The format and resolution of session number are matters that are
      private to the session-originating engine; the only requirement
      imposed by LTP is that every session initiated by an LTP engine
      MUST be uniquely identified by the session ID.

   The extensions field is described in Section 3.1.4.

3.1.1  Segment Type Flags

   The last four bits of the control byte in the segment header are
   flags that indicate the nature of the segment.  In order (most
   significant bit first), these flags are CTRL, EXC, Flag 1 and Flag 0.

   A value of 0 in the CTRL (Control) flag identifies the segment as a
   data segment while a value of 1 identifies it as a control segment. A
   data segment with the EXC (Exception) flag set to 0 is a red-part
   segment; a data segment with EXC set to 1 is a green-part segment.
   For a control segment, having the EXC flag set to 1 indicates that
   the segment pertains to session cancellation activity.  Any data
   segment (whether red-part or green-part) with both Flag 1 and Flag 0
   set to 1 indicates end of block.  Any data segment (whether red-part
   or green-part) with both Flag 1 and Flag 0 set to 0 indicates data
   without any additional protocol significance.  Any red-part data
   segment with either Flag bit non-zero is a checkpoint.  Any red-part
   data segment with Flag 1 set to 1 indicates the end of the red-part
   of the block.

3.1.2  Segment Type Codes

   Combinations of the settings of the segment type flags CTRL, EXC,
   Flag 1 and Flag 0 constitute segment type codes which serve as
   concise representations of detailed segment nature.

   CTRL EXC Flag 1 Flag 0 Code  Nature of segment
   ---- --- ------ ------ ----  -----------------------------------------
     0   0     0      0     0   Red data, NOT {Checkpoint or EORP or EOB}
     0   0     0      1     1   Red data, Checkpoint, NOT {EORP or EOB}
     0   0     1      0     2   Red data, Checkpoint, EORP, NOT EOB
     0   0     1      1     3   Red data, Checkpoint, EORP, EOB

     0   1     0      0     4   Green data, NOT EOB
     0   1     0      1     5   Undefined
     0   1     1      0     6   Undefined
     0   1     1      1     7   Green data, EOB


Ramadas et al.             Expires - June 2005                 [Page 10]

Internet Draft             LTP - Specification             December 2004

     1   0     0      0     8   Report segment
     1   0     0      1     9   Report-acknowledgment segment
     1   0     1      0    10   Undefined
     1   0     1      1    11   Undefined

     1   1     0      0    12   Cancel segment from block sender
     1   1     0      1    13   Cancel-acknowledgment segment
                                to block sender

     1   1     1      0    14   Cancel segment from block receiver
     1   1     1      1    15   Cancel-acknowledgment segment
                                to block receiver

3.1.3  Segment Class Masks

   For the purposes of this specification, some bit patterns in the
   segment type flags field correspond to "segment classes" that are
   designated by mnemonics.  The mnemonics are intended to evoke the
   characteristics shared by all types of segments characterized by
   these flag bit patterns.

   CTRL EXC Flag 1 Flag 0  Mnemonic  Description
   ---- --- ------ ------  --------  ---------------------------
     0   0     -      1
        -- or --
     0   0     1      -      CP      Checkpoint

     0   0     1      -      EORP    End of red-part;
                                     red-part size = offset + length

     0   -     1      1      EOB     End of block;
                                     block size = offset + length

     1   0     0      0      RS      Report segment;
                                     carries reception claims

     1   0     0      1      RA      Report-acknowledgment segment

     1   1     0      0      CS      Cancel segment from block sender

     1   1     0      1      CAS     Cancel-acknowledgment segment
                                     to block sender

     1   1     1      0      CR      Cancel segment from block receiver

     1   1     1      1      CAR     Cancel-acknowledgment segment
                                     to block receiver


Ramadas et al.             Expires - June 2005                 [Page 11]

Internet Draft             LTP - Specification             December 2004

     1   1     -      0      Cx      Cancel segment (generic)

     1   1     -      1      CAx     Cancel-acknowledgment segment
                                     (generic)

3.1.4  Extensions field

   The extension field enables the inclusion of zero or more functional
   extensions to the basic LTP segment, each in type-length-value (TLV)
   representation as explained below.

   The first octet of the extensions field indicates the number of
   extensions present in the segment: the high-order 4 bits indicate the
   number of extension TLVs in the header (immediately following the
   extensions count octet and preceding the segment's content) while the
   low-order 4 bits indicate the number of extension TLVs in the trailer
   (immediately following the segment's content).  That is, each segment
   may have from 0 to 15 extension TLVs in its header and from 0 to 15
   extension TLVs in its trailer.  In the absence of any extension TLVs,
   all bits of this extensions count octet MUST be set to zero.

   Each extension consists of a one-octet tag identifying the type of
   extension (the "T" of the extension TLV), followed by an extension
   specification in SDNV-8 format.  [Since an SDNV-8 comprises both a
   numeric data value and the length of that value, the extension
   specification serves to supply both the "L" and the "V" of the
   extension TLV.]

   The diagram below illustrates the extension TLVs as they may occur in
   the header or trailer.

               +--------+---------------///-+
               |ext-tag | SDNV-8 spec       |
               +--------+-------------------////-+
               |ext-tag | SDNV-8 spec            |
               +--------+-------------------////-+
               |ext-tag | SDNV-8 spec       |
               +--------+------------////-+-+
               |ext-tag | SDNV-8 spec       |
               +--------+--------------////-+

   One extension type is defined at this time.

      Extension tag     Meaning
      -------------     -------
      0x00              LTP authentication extension [LTPEXT]
      0x01              LTP cookie estension [LTPEXT]
      0x02-0xff         Reserved


Ramadas et al.             Expires - June 2005                 [Page 12]

Internet Draft             LTP - Specification             December 2004

3.2  Segment Content

3.2.1  Data Segment (DS)

   The content of a data segment includes client service data and
   metadata enabling the receiving client service instance to receive
   and make use of that data.

   Client service ID [SDNV-8]

      The client service ID number identifies the upper-level service to
      which the segment is to be delivered by the destination LTP
      engine.  It is functionally analogous to a well-known TCP port
      number.  If multiple instances of the client service are present
      at the destination, multiplexing must be done by the client
      service itself on the basis of information encoded within the
      transmitted block.

   Offset [SDNV-16]

      Offset indicates the location of the segment's client service data
      within the session's transmitted block.  It is the number of bytes
      in the block prior to the byte from which the first octet of the
      segment's client service data was copied.

   Length [SDNV-16]

      The length of the ensuing client service data, in octets.

   If the data segment is a checkpoint, the segment MUST additionally
   include the following two serial numbers (Checkpoint serial number
   and Report serial number) to support efficient retransmission. Data
   segments that are not checkpoints MUST NOT have these two fields in
   the header and MUST continue on directly with the client service
   data.

   Checkpoint serial number [SDNV-8]

      The checkpoint serial number uniquely identifies the checkpoint
      among all checkpoints issued by the block sender in a session.
      The first checkpoint issued by the sender MUST have this serial
      number chosen randomly for security reasons, and it is RECOMMENDED
      that the sender use the guidelines in [ECS94] for this. Any
      subsequent checkpoints issued by the sender MUST have the serial
      number value found by incrementing the prior checkpoint serial
      number by 1.  When a checkpoint segment is retransmitted, however,
      its serial number MUST be the same as when it was originally


Ramadas et al.             Expires - June 2005                 [Page 13]

Internet Draft             LTP - Specification             December 2004

      transmitted.

   Report serial number [SDNV-8]

      If the checkpoint was queued for transmission in response to the
      reception of an RS [Sec 5.13], then its value MUST be the report
      serial number value of the RS that caused the data segment to be
      queued for transmission.

      Otherwise, the value of report serial number MUST be zero.

   Client service data [array of octets]

      The client service data carried in the segment is a copy of a
      subset of the bytes in the original client service data block,
      starting at the indicated offset.

3.2.2  Report Segment (RS)

   The content of an RS comprises one or more data reception claims,
   together with the upper and lower bounds of the scope within the data
   block to which the claims pertain.  It also includes two serial
   numbers to support efficient retransmission.

   Report serial number [SDNV-8]

      The report serial number uniquely identifies the report among all
      reports issued by the block receiver in a session.  The first
      report issued by the receiver MUST have this serial number chosen
      randomly for security reasons, and it is RECOMMENDED that the
      receiver use the guidelines in [ECS94] for this. Any subsequent RS
      issued by the receiver MUST have the serial number value found by
      incrementing the last report serial number by 1.  When an RS is
      retransmitted however, its serial number MUST be the same as when
      it was originally transmitted.

   Checkpoint serial number [SDNV-8]

      The value of checkpoint serial number MUST be zero if the report
      segment is NOT a response to reception of a checkpoint, i.e., the
      reception report is asynchronous; otherwise it is the checkpoint
      serial number of the checkpoint that caused the RS to be issued.

   Upper bound [SDNV-16]

      The upper bound of a report segment is the size of the block
      prefix to which the segment's reception claims pertain.


Ramadas et al.             Expires - June 2005                 [Page 14]

Internet Draft             LTP - Specification             December 2004

   Lower bound [SDNV-16]

      The lower bound of a report segment is the size of the (interior)
      block prefix to which the segment's reception claims do NOT
      pertain.

   Reception claim count [SDNV-8]

      The number of data reception claims in this report segment.

   Reception claims

      Each reception claim comprises two elements: offset and length.

      Offset [SDNV-16]

         The offset indicates the successful reception of data beginning
         at the indicated offset from the lower bound of the RS. The
         offset within the entire block can be calculated by summing
         this offset with the lower bound of the RS.

      Length [SDNV-16]

         The length of a reception claim indicates the number of
         contiguous octets of block data starting at the indicated
         offset (within the scope of the report) that have been
         successfully received so far.

      Reception claims MUST conform to the following rules:

         A reception claim's length shall never be less than 1 and shall
         never exceed the difference between the upper and lower bounds
         of the report segment.

         The offset of a reception claim shall always be greater than
         the sum of the offset and length of the prior claim, if any.

         The sum of a reception claim's offset and length and the lower
         bound of the report segment shall never exceed the upper bound
         of the report segment.

   Implied requests for retransmission of client service data can be
   inferred from an RS's data reception claims.  However, *nothing* can
   be inferred regarding reception of block data at any offset equal to
   or greater than the segment's upper bound or at any offset less than
   the segment's lower bound.

   For example, if the scope of a report segment has lower bound 0 and


Ramadas et al.             Expires - June 2005                 [Page 15]

Internet Draft             LTP - Specification             December 2004

   upper bound 6000, and the report contains a single data reception
   claim with offset 0 and length 6000, then the report signifies
   successful reception of the first 6000 bytes of the block.  If the
   total length of the block is 6000, then the report additionally
   signifies successful reception of the entire block.

   If on the other hand, the scope of a report segment has lower bound
   1000 and upper bound 6000, and the report contains two data reception
   claims, one with offset 0 and length 2000 and the other with offset
   3000 and length 500, then the report signifies successful reception
   only of bytes 1000-2999 and  4000-4499 of the block.  From this we
   can infer that bytes 3000-3999 and 4500-5999 of the block need to be
   retransmitted, but we cannot infer anything about reception of the
   first 1000 bytes.

3.2.3  Report Acknowledgment Segment

   The content of an RA is simply the report serial number of the RS in
   response to which the segment was generated.

   Report serial number [SDNV-8]

      This field returns the report serial number of the RS being
      acknowledged.

3.2.4  Session Management Segments

   Note: the reason we use different cancel segment types for the
   originator and recipient is to allow a loopback mode to work without
   disturbing any replay protection mechanism in use.

   Cancel segments (Cx) carry a single byte reason-code with the
   following semantics :

      Reason-Code    Mnemonic    Semantics
      -----------    --------    ---------------------------------------
          00         CNCLD       Client Service canceled session.

          01         UNREACH     Unreachable Client Service.

          02         RLEXC       Retransmission limit exceeded.

          03         MISCOLORED  Received either a red-part data segment
                                 at block offset above any green-part
                        data segment offset or a green-part
                        data segment at block offset below any
                        red-part data segment offset.


Ramadas et al.             Expires - June 2005                 [Page 16]

Internet Draft             LTP - Specification             December 2004

         04-FF       Undefined

   The Cancel-acknowledgments (CAx) have no content.

3.3  Segment Trailer

   The segment trailer consists of a sequence of from zero to 15
   extension TLVs as described in Section 3.1.4 above.

4.  Requests from Client Service

   In all cases the representation of request parameters is a local
   implementation matter, as are validation of parameter values and
   notification of the client service in the event that a request is
   found to be invalid.

4.1  Transmission Request

   In order to request transmission of a block of client service data,
   the client service MUST provide the following parameters to LTP:

      Client service ID

      Destination LTP engine ID

      Client service data to send, as an array of bytes.

      Length of the data to be sent.  This value MUST NOT exceed the
      largest numeric value that can be represented in an SDNV-8.

      Length of the red-part of the data.  This value MUST be in the
      range from zero to the total length of data to be sent.

   On reception of a valid transmission request from a client service,
   LTP proceeds as follows.

   First the array of data to be sent is subdivided as necessary, with
   each subdivision serving as the client service data of a single new
   LTP data segment.  The algorithm used for subdividing the data is a
   local implementation matter; it is expected that data size
   constraints imposed by the underlying communication service, if any,
   will be accommodated in this algorithm.

   The last (and only the last) of the resulting data segments must be
   marked as the EOB.

   Note that segment type indicates that the client service data in a
   given LTP segment either is or is not in the red-part of the block.


Ramadas et al.             Expires - June 2005                 [Page 17]

Internet Draft             LTP - Specification             December 2004

   To prevent segment type ambiguity, each data segment MUST contain
   either only red-part data or only green-part data.  Note that this
   implies that, when the length of the block's red-part is N and the
   total length of the block M, and N is not equal to M, the (N+1)st
   byte of the block MUST be the first byte of client service data in
   some green-part data segment.

   If the length of the block's red-part is greater than zero, then the
   last data segment containing red-part data must be marked as the EORP
   segment by setting the appropriate segment type flag bits [Sec
   3.1.2]. Zero or more preceding data segments containing red-part data
   (selected according to an algorithm that is a local implementation
   matter) MAY additionally be marked to serve as additional
   discretionary checkpoints [Sec 3.1.2].

   All data segments are appended to the (conceptual) application data
   queue for transmission.

   Finally, a session start notice [Sec 6.1] is sent back to the client
   service that requested the transmission.

4.2  Cancellation Request

   In order to request cancellation of a session, either as sender or as
   receiver of the associated data block, the client service must
   provide to LTP the session ID of the session to be canceled.

   On reception of a valid cancellation request from a client service,
   LTP proceeds as follows.

   First the internal "Cancel session" procedure [Sec 5.19] is invoked.

   Next, if the session is being canceled by the block sender (i.e., the
   session originator part of the session ID supplied in the
   cancellation request is the local LTP engine ID):

      If none of the data segments previously queued for transmission as
      part of this session have yet been de-queued and radiated - i.e.,
      if the destination engine cannot possibly be aware of this session
      - then the session is simply closed; the "Close session" procedure
      [Sec 5.20] is invoked.

      Otherwise, a CS with reason-code CNCLD MUST be queued for
      transmission to the destination LTP engine specified in the
      transmission request that started this session.

   Otherwise (i.e., the session is being canceled by the block
   receiver):


Ramadas et al.             Expires - June 2005                 [Page 18]

Internet Draft             LTP - Specification             December 2004

      If there is no transmission queue-set bound for the block sender
      (possibly because the local LTP engine is running on a receive-
      only device), then the session is simply closed; the "Close
      session" procedure [Sec 5.20] is invoked.

      Otherwise, a CR with reason-code CNCLD MUST be queued for
      transmission to the block sender.

5.  Internal Procedures

   This section describes the internal procedures that are triggered by
   the occurrence of various events during the life-time of the LTP
   session.

   Whenever the content of any of the fields of the header of any
   received LTP segment does not conform to this specification document,
   the segment is assumed to be corrupt and MUST be discarded
   immediately and processed no further.  This procedure supersedes all
   other procedures described below.

   All internal procedures described below that are triggered by the
   arrival of a data segment are superseded by the following procedure
   in the event that the client service identified by the data segment
   does not exist at the local LTP engine:

      If there is no transmission queue-set bound for the block sender
      (possibly because the local LTP engine is running on a receive-
      only device), then the received data segment is simply discarded.

      Otherwise, if the data segment contains data from the red-part of
      the block, a CR with reason-code UNREACH MUST be enqueued for
      transmission to the block sender.  A CR with reason-code UNREACH
      SHOULD be similarly enqueued for transmission to the data sender
      even if the data segment contained data from the green-part of the
      block; note however that (for example) in the case where the block
      receiver knows that the sender of this green-part data is
      functioning in a "beacon" (transmit-only) fashion, a CR need not
      be sent.  In either case the received data segment is discarded.

5.1  Start Transmission

   This procedure is triggered by arrival of a link state cue indicating
   the start of transmission to a specified remote LTP engine.

   Response: the de-queuing and delivery of segments to the LTP engine
   specified in the link state cue begins.

5.2  Start Checkpoint Timer


Ramadas et al.             Expires - June 2005                 [Page 19]

Internet Draft             LTP - Specification             December 2004

   This procedure is triggered by arrival of a link state cue indicating
   the de-queuing (for transmission) of a CP segment.

   Response: the expected arrival time of the RS that will be produced
   on reception of this CP segment is computed, and a countdown timer
   for this arrival time is started.  However, if it is known that the
   remote LTP engine has ceased transmission [Sec 5.5], then this timer
   is immediately suspended, because the computed expected arrival time
   may require an adjustment that cannot yet be computed.

5.3  Start RS Timer

   This procedure is triggered by arrival of a link state cue indicating
   the de-queuing (for transmission) of an RS.

   Response: the expected arrival time of the RA that will be produced
   on reception of this RS is computed, and a countdown timer for this
   arrival time is started.  However, if it is known that the remote LTP
   engine has ceased transmission [Sec 5.5], then this timer is
   immediately suspended, because the computed expected arrival time may
   require an adjustment that cannot yet be computed.

5.4  Stop Transmission

   This procedure is triggered by arrival of a link state cue indicating
   the cessation of transmission to a specified remote LTP engine.

   Response: the de-queuing and delivery to the underlying communication
   system of segments from traffic queues bound for the LTP engine
   specified in the link state cue ceases.

5.5  Suspend Timers

   This procedure is triggered by arrival of a link state cue indicating
   the cessation of transmission from a specified remote LTP engine to
   the local LTP engine.  Normally, this event is inferred from advance
   knowledge of the remote engine's planned transmission schedule.

   Response: countdown timers for the acknowledging segments that the
   remote engine is expected to return are suspended as necessary based
   on the following procedure.

   The nominal acknowledge transmission time is computed as the sum of
   the transmission time of the original segment (to which the
   acknowledging segment will respond) and the one-way light time to the
   remote engine, plus N seconds of "additional anticipated latency"
   (AAL) encompassing anticipated transmission delays other than signal
   propagation time.  N is determined in an implementation-specific


Ramadas et al.             Expires - June 2005                 [Page 20]

Internet Draft             LTP - Specification             December 2004

   manner.  For example, when LTP is deployed in deep space vehicles,
   the one-way light time to the remote engine may be very large while N
   normally need only reflect processing and queuing delay margin; it
   can be a network management parameter, for which 2 seconds seems to
   be a reasonable default value.  As another example, when LTP is
   deployed in a terrestrial "data mule" environment, one-way light time
   latency is effectively zero while N may need to be some dynamically
   computed function of the data mule circulation schedule.

   If the nominal acknowledge transmission time is greater than or equal
   to the current time (i.e., the acknowledging segment may be presented
   for transmission during the time that transmission at the remote
   engine is suspended), then the countdown timer for this acknowledging
   segment is suspended.

5.6  Resume Timers

   This procedure is triggered by arrival of a link state cue indicating
   the start of transmission from a specified remote LTP engine to the
   local LTP engine.  Normally, this event is inferred from advance
   knowledge of the remote engine's planned transmission schedule.

   Response: expected arrival time is adjusted for every acknowledging
   segment that the remote engine is expected to return, for which the
   countdown timer has been suspended.  In each case, expected arrival
   time is increased by a transmission delay interval that is calculated
   as follows:

      The nominal acknowledge transmission time is computed as the sum
      of the transmission time of the original segment (to which the
      acknowledging segment will respond) and the one-way light time to
      the remote engine, plus N seconds of AAL [Sec 5.5].

      If the nominal acknowledge transmission time is greater than the
      current time i.e., the remote engine resumed transmission prior to
      presentation of the acknowledging segment for transmission, then
      the transmission delay interval is zero.

      Otherwise, the transmission delay interval is computed as the
      current time less the nominal acknowledge transmission time.

   After adjustment of expected arrival time, each of the suspended
   countdown timers is resumed.

5.7  Retransmit Checkpoint

   This procedure is triggered by the expiration of a countdown timer
   associated with a CP segment.


Ramadas et al.             Expires - June 2005                 [Page 21]

Internet Draft             LTP - Specification             December 2004

   Response: if the number of times this CP segment has been queued for
   transmission exceeds the checkpoint retransmission limit established
   for the local LTP engine by network management, then the session of
   which the segment is one token is canceled: the "Cancel session"
   procedure [Sec 5.19] is invoked, a CS with reason-code RLEXC is
   appended to the (conceptual) application data queue, and a
   transmission cancellation notice [Sec 6.5] is sent back to the client
   service that requested the transmission.

   Otherwise, a new copy of the CP segment is appended to the
   (conceptual) application data queue.

5.8  Retransmit RS

   This procedure is triggered by either (a) expiration of a countdown
   timer associated with an RS or (b) reception of a CP segment whose
   checkpoint serial number is equal to that of one or more previously
   issued RSs for the same session -- an unnecessarily retransmitted
   checkpoint.

   Response: if the number of times any affected RS has been queued for
   transmission exceeds the report retransmission limit established for
   the local LTP engine by network management, then the session of which
   the segment is one token is canceled: the "Cancel session" procedure
   [Sec 5.19] is invoked, a CR with reason-code RLEXC is queued for
   transmission to the LTP engine that originated the session, and a
   reception cancellation notice [Sec 6.6] is sent to the client service
   identified in each of the data segments received in this session.

   Otherwise, a new copy of each affected RS is queued for transmission
   to the LTP engine that originated the session.

5.9  Signify Red-Part Reception

   This procedure is triggered by the arrival of a CP segment when the
   EORP for this session has been received (ensuring that the size of
   the data block's red-part is known; this includes the case where the
   CP segment itself is the EORP segment) and all data in the red-part
   of the block being transmitted in this session have been received.

   Response: a red-part reception notice [Sec 6.3] is sent to the
   specified client service.

5.10  Signify Green-Part Segment Arrival

   This procedure is triggered by the arrival of a data segment whose
   content is a portion of the green-part of a block.


Ramadas et al.             Expires - June 2005                 [Page 22]

Internet Draft             LTP - Specification             December 2004

   Response: a green-part segment arrival notice [Sec 6.2] is sent to
   the specified client service.

5.11  Send Reception Report

   This procedure is triggered by either (a) reception of a CP segment
   whose checkpoint serial number is not equal to that of any previously
   issued RS or (b) an implementation-specific circumstance pertaining
   to a particular block reception session for which no EORP has yet
   been received ("asynchronous" reception reporting).

   Response: if the number of reception problems detected for this
   session exceeds a limit established for the local LTP engine by
   network management, then the affected session is canceled: the
   "Cancel session" procedure [Sec 5.19] is invoked, a CR with reason-
   code RLEXC is issued and is, in concept, appended to the queue of
   internal operations traffic bound for the LTP engine that originated
   the session, and a reception cancellation notice [Sec 6.6] is sent to
   the client service identified in each of the data segments received
   in this session.  One possible limit on reception problems would be
   the maximum number of reception reports which can be issued for any
   single session.

   If such limit is not reached, a reception report is issued as
   follows.

   If production of the reception report was triggered by reception of a
   checkpoint:

      The upper bound of the report SHOULD be the upper bound (the sum
      of the offset and length) of the checkpoint data segment, to
      minimize unnecessary retransmission.  Note: For deployments where
      bandwidth economy is not critical, the upper bound of a
      synchronous reception report MAY be the maximum upper bound value
      among all red-part data segments received so far in the affected
      session.

      If the checkpoint was itself issued in response to a report
      segment, then this report is a "secondary" reception report.  In
      that case the lower bound of the report SHOULD be the lower bound
      of the report segment to which the triggering checkpoint was
      itself a response, to minimize unnecessary retransmission.  Note:
      For deployments where bandwidth economy is not critical, the lower
      bound of the report MAY instead be zero.

      If the checkpoint was not issued in response to a report segment,
      this report is a "primary" reception report.  The lower bound of
      the first primary reception report issued for any session MUST be


Ramadas et al.             Expires - June 2005                 [Page 23]

Internet Draft             LTP - Specification             December 2004

      zero.  The lower bound of each subsequent primary reception report
      issued for the same session SHOULD be the upper bound of the prior
      primary reception report issued for the session, to minimize
      unnecessary retransmission.  Note: For deployments where bandwidth
      economy is not critical, the lower bound of every primary
      reception report MAY be zero.

   If production of the reception report is "asynchronous" as noted
   above:

      The upper bound of the report MUST be the maximum upper bound
      among all red-part data segments received so far for this session.

      The lower bound of the first asynchronous reception report issued
      for any session for which no other primary reception reports have
      yet been issued MUST be zero.  The lower bound of each subsequent
      asynchronous reception report SHOULD be the upper bound of the
      prior primary reception report issued for the session, to minimize
      unnecessary retransmission.  Note: For deployments where bandwidth
      economy is not critical, the lower bound of every asynchronous
      reception report MAY be zero.

   In all cases, if the applicable lower bound of the scope of a report
   is determined to be greater than or equal to the applicable upper
   bound (e.g., due to out-of-order arrival of discretionary
   checkpoints) then the reception report MUST NOT be issued. Otherwise:

   As many RSs must be produced as are needed in order to report on all
   data reception within the scope of the report, given whatever data
   size constraints are imposed by the underlying communication service.
   The RSs are, in concept, appended to the queue of internal operations
   traffic bound for the LTP engine that originated the indicated
   session.  The lower bound of the first RS of the report MUST be the
   reception report's lower bound.  The upper bound of the last RS of
   the report MUST be the reception report's upper bound.

5.12  Signify Transmission Completion

   This procedure is triggered at the earliest time at which (a) all
   data in the block are known to have been transmitted *and* (b) the
   entire red-part of the block - if of non-zero length - is known to
   have been successfully received.  Condition (a) is signaled by
   arrival of a link state cue indicating the de-queuing (for
   transmission) of the EOB segment for the block.  Condition (b) is
   signaled by reception of an RS whose reception claims, taken together
   with the reception claims of all other RSs previously received in the
   course of this session, indicate complete reception of the red-part
   of the block.


Ramadas et al.             Expires - June 2005                 [Page 24]

Internet Draft             LTP - Specification             December 2004

   Response: a transmission completion notice [Sec 6.4] is sent to the
   client service that requested the transmission identified in the
   segment header and the session is closed: the "Close session"
   procedure [Sec 5.20] is invoked.

5.13  Retransmit Data

   This procedure is triggered by reception of an RS.

   Response: first, an RA with the same report serial number as the RS
   is issued and is, in concept, appended to the queue of internal
   operations traffic bound for the LTP engine that originated the
   indicated session.  If the RS is redundant -- i.e., either the
   indicated session is unknown (for example, the RS is received after
   the session has been completed or canceled), or the RS's report
   serial number is equal to that of a previously received report
   segment for this session -- then no further action is taken.
   Otherwise the procedure below is followed.

   If the report's checkpoint serial number is not zero, then the
   countdown timer associated with the indicated checkpoint segment is
   deleted.

   Note: All retransmission buffer space occupied by data whose
   reception is claimed in the report segment can be released.

   If the segment's reception claims indicate incomplete data reception
   within the scope of the report segment:

      If the number of transmission problems for this session exceeds a
      limit established for the local LTP engine by network management,
      then the session of which the segment is one token is canceled:
      the "Cancel session" procedure [Sec 5.19] is invoked, a CS with
      reason-code RLEXC is appended to the transmission queue specified
      in the transmission request that started this session, and a
      transmission cancellation notice [Sec 6.5] is sent back to the
      client service that requested the transmission.  One possible
      limit on transmission problems would be the maximum number of
      retransmission CP segments which may be issued for any single
      session.

      If the number of transmission problems for this session has not
      exceeded any limit, new data segments encapsulating all block data
      whose non-reception is implied by the reception claims are
      appended to the transmission queue specified in the transmission
      request that started this session.  The last - and only the last -
      such segment must be marked as a CP segment and must contain the
      report serial number of the received RS.


Ramadas et al.             Expires - June 2005                 [Page 25]

Internet Draft             LTP - Specification             December 2004

5.14  Stop RS Timer

      This procedure is triggered by reception of an RA.

      Response: the countdown timer associated with the original RS
      (identified by the report serial number of the RA segment) is
      deleted.  If no other countdown timers associated with RSs exist
      for this session, then the session is closed: the "Close session"
      procedure [Sec 5.20] is invoked.

5.15  Start Cancel Timer

      This procedure is triggered by arrival of a link state cue
      indicating the de-queuing (for transmission) of a Cx.

      Response: the expected arrival time of the CAx that will be
      produced on reception of this Cx is computed and a countdown timer
      for this arrival time is started.  However, if it is known that
      the remote LTP engine has ceased transmission [Sec 5.5] then this
      timer is immediately suspended, because the computed expected
      arrival time may require an adjustment that cannot yet be
      computed.

5.16  Retransmit Cancellation Segment

      This procedure is triggered by the expiration of a countdown timer
      associated with a Cx.

      Response: if the number of times this Cx has been queued for
      transmission exceeds the cancellation retransmission limit
      established for the local LTP engine by network management, then
      the session of which the segment is one token is simply closed:
      the "Close session" procedure [Sec 5.20] is invoked.

      Otherwise, a copy of the cancellation segment (retaining the same
      reason-code) is queued for transmission to the appropriate LTP
      engine.

5.17  Acknowledge Cancellation

      This procedure is triggered by the reception of a Cx.

      Response: in the case of a CS where there is no transmission
      queue-set bound for the engine that originated the segment's
      session (possibly because the local LTP engine is running on a
      receive-only device), then no action is taken. Otherwise:

         If the received segment is a CS, a CAS is issued and is, in


Ramadas et al.             Expires - June 2005                 [Page 26]

Internet Draft             LTP - Specification             December 2004

         concept, appended to the queue of internal operations traffic
         bound for the LTP engine that sent the CS.

         If the received segment is a CR, a CAR is issued and is, in
         concept appended to the queue of internal operations traffic
         bound for the LTP engine that sent the CR.

      It is possible that the Cx has been retransmitted because a
      previous responding acknowledgment CAx was lost, in which case
      there will no longer be any record of the session of which the
      segment is one token. If so, no further action is taken.

      Otherwise: the "Cancel session" procedure [Sec 5.19] is invoked
      and a reception cancellation notice [Sec 6.6] is sent to the
      client service identified in each of the data segments received in
      this session.  Finally, the session is closed: the "Close session"
      procedure [Sec 5.20] is invoked.

5.18  Stop Cancel Timer

      This procedure is triggered by reception of a CAx.

      Response: the session of which the segment is one token is closed,
      i.e., the "Close session" procedure [Sec 5.20] is invoked.

5.19  Cancel Session

      This procedure is triggered internally by one of the other
      procedures described above.

      Response: all segments of the affected session that are currently
      queued for transmission can be deleted from the outbound traffic
      queues.  All countdown timers currently associated with the
      session are deleted.  Note: If the local LTP engine is the
      originator of the session, then all remaining data retransmission
      buffer space allocated to the session can be released.

5.20  Close Session

      This procedure is triggered internally by one of the other
      procedures described above.

      Response: any remaining countdown timers associated with the
      session (such as the timer associated with a Cx) are deleted.  The
      session state record (SSR|RSR) for the session is deleted;
      existence of the session is no longer recognized.

5.21  Handle Miscolored Segment


Ramadas et al.             Expires - June 2005                 [Page 27]

Internet Draft             LTP - Specification             December 2004

      This procedure is triggered by the arrival of either (a) a red-
      part data segment whose block offset begins at an offset higher
      than the offset of any green-part data segment previously received
      for the same session or (b) a green-part data segment whose block
      offset begins at an offset lower than the offset of any red-part
      data segment previously received for the same session.

      Response: the received data segment is simply discarded.

      The Cancel Session procedure [Sec 5.19] is invoked and a CR with
      reason-code MISCOLORED SHOULD be enqueued for transmission to the
      data sender. Note : If there is no transmission queue-set bound
      for the block sender (possibly because the local LTP engine is
      running on a receive-only device), or if the block receiver knows
      that the sender of this green-part data is functioning in a
      "beacon" (transmit-only) fashion, a CR need not be sent. A
      Reception Cancellation Notice [Sec 6.6] is sent to the client
      service.

6.  Notices to Client Service

      In all cases the representation of notice parameters is a local
      implementation matter.

6.1  Session Start

      The LTP engine returns the session ID of the new transmission
      session when a session start notice is delivered.

      A session start notice informs the client service of the
      initiation of a transmission session in response to a transmission
      request from that client service.  On receiving this notice the
      client service may, for example, release resources of its own that
      are allocated to the block being transmitted, or remember the
      session ID so that the session can be canceled in the future if
      necessary.

6.2  Green-Part Segment Arrival

      The following parameters are provided by the LTP engine when a
      green-part segment arrival notice is delivered:

         Session ID of the transmission session.

         Array of client service data bytes contained in the data
         segment.

         Offset of the data segment's content from the start of the


Ramadas et al.             Expires - June 2005                 [Page 28]

Internet Draft             LTP - Specification             December 2004

         block.

         Length of the data segment's content.

         Indication as to whether or not the last byte of this data
         segment's content is also the end of the block.

         Source LTP engine ID.

6.3  Red-Part Reception

      The following parameters are provided by the LTP engine when a
      red-part reception notice is delivered:

         Session ID of the transmission session.

         Array of client service data bytes that constitute the red-part
         of the block.

         Length of the red-part of the block.

         Indication as to whether or not the last byte of the red-part
         is also the end of the block.

         Source LTP engine ID.

6.4  Transmission Completion

      The sole parameter provided by the LTP engine when a transmission
      completion notice is delivered is the session ID of the
      transmission session.

      A transmission completion notice informs the client service that
      all bytes of the indicated data block have been transmitted and
      the destination LTP engine has received the red-part of the block.

6.5  Transmission Cancellation

      The parameters provided by the LTP engine when a transmission
      cancellation notice is delivered are:

         Session ID of the transmission session.

         The reason-code sent or received in the Cx segment that
         initiated the cancellation sequence.

      A transmission cancellation notice informs the client service that
      the indicated session was terminated, either by decision of the


Ramadas et al.             Expires - June 2005                 [Page 29]

Internet Draft             LTP - Specification             December 2004

      destination client service instance or due to violation of a
      retransmission limit in the local LTP engine.  There is no
      assurance that the destination client service instance received
      the critical part of the data block.

6.6  Reception Cancellation

      The parameters provided by the LTP engine when a reception
      cancellation notice is delivered are:

         Session ID of the transmission session.

         The reason-code explaining the cancellation.

      A reception cancellation notice informs the client service that
      the indicated session was terminated, either by decision of the
      source client service instance or due to error conditions at the
      local LTP engine.  No subsequent delivery notices will be issued
      for this session.

7.  State Transition Diagrams

        The following mnemonics have been used in the sender and
      receiver LTP state transition diagrams that follow :

          TE      Timer Expiry
          RDS     Regular Red Data Segment (NOT {CP|EORP|EOB})
          GDS     Regular Green Data Segment (NOT EOB)
          RL EXC  Retransmission Limit Exceeded

      Both the diagrams have been specified in two parts such that
      sequence of state transitions that occur multiple times in the
      main diagram have been presented in the second part. Note that
      blocks represented in rectangles as in

              +---------+
              | FG_XMIT |
              +---------+

      specify actual states in the state-transition diagrams, while
      blocks represented as in

               /\/\/\/\
              | Cncld  |
               \/\/\/\/

      are not actual states but merely pointers to a state or a sequence
      of state transitions represented elsewhere in the state transition


Ramadas et al.             Expires - June 2005                 [Page 30]

Internet Draft             LTP - Specification             December 2004

      diagram (to avoid having multiple copies of a sequence of state
      transitions, thus accomodating space constraints).

























Ramadas et al.             Expires - June 2005                 [Page 31]

Internet Draft             LTP - Specification             December 2004

7.1  Sender
                    LTP Sender State Transition Diagram

                                     /\/\/\/\
                                    | Cncld  |
                                     \/\/\/\/
                          +--------+    |     +------+
                 Rcv CR;  |        V    V     V      | Rcv RS;
                 Snd CAR  |       +-------------+    | Snd RA
                          +-------+   CLOSED    +----+
    +---------------------------->+------+------+
    |                                    | Blk. Trans. Req
    |                       Zero RP      +
    |  Xmit     ________________________/ \  Non-Zero RP
    |  GDS;    /                           \
    | +---+   |       +------------------+  |  +------+
    | |   V   V       |   /\/\   Rcv RS  V  V  V      |
    | |  +---------+  +<-| RX |<---+   +---------+    |
    | +<-+ FG_XMIT |  |   \/\/     +---+         +--->+ Xmit RDS;
    |    +----+----+  |                | RP_XMIT |    |
    |         |       |   /\/\     +---+         +--->+ Xmit {RDS, CP};
    +<--------+       +<-| CP |<---+   +-----+---+      Start CP Tmr
    |    Xmit             \/\/   CP TE       |    \
    | {GDS, EOB};                            |     |
    |                  Xmit {RDS, CP, EORP}; |     +-------+
    |                  Start CP Tmr          |             |
    |                                        |             |
    |                 +------------------+   |  +---+      | Xmit {RDS,
    |                 |   /\/\  Rcv RS   V   V  V   |      | CP, EORP,
    |                 +<-| RX |<---+   +---------+  |      | EOB};
    |                 |   \/\/     +---+         |  |      | Start
    |                 |                | GP_XMIT +->+      | CP Tmr
    |                 |   /\/\     +---+         | Xmit    |
    |                 +<-| CP |<---+   +-----+---+ GDS;    |
    |                     \/\/  CP TE        |             |
    |                                        |             |
    |                       Xmit {GDS, EOB}; |   +---------+
    |                                        |   |
    |                 +------------------+   |   |
    |                 |   /\/\  Rcv RS   V   V   V
    |                 +<-| RX |<---+   +-------------+
    |                 |   \/\/     +---+             |
    |                 |                | WAIT_RP_ACK |
    |                 |   /\/\     +---+             |
    |                 +<-| CP |<---+   +-----+-------+
    |                     \/\/  CP TE        | RP acknowledged fully;
    |                                        V
    +----------------------------------------+


Ramadas et al.             Expires - June 2005                 [Page 32]

Internet Draft             LTP - Specification             December 2004

                LTP Sender State Transition Diagram (contd.)

               /\/\                               /\/\
              | CP |                             | CX |
               \/\/                               \/\/
                | |                                 | Snd CS,
                | | RL EXC;                         | Start CS Tmr;
                | |                                 |
                | |        /\/\                     |  +---+
                | +------>| CX |                    V  V   |
                |          \/\/                +---------+ | CS TE,
                |                              | CS_SENT | | RL NOT EXC;
                V  RL NOT EXC;                 +-+--+--+-+ | Rxmt CS,
                   Rxmt CP,                      |  |  |   | Restart
                   Start CP Tmr;         CS TE,  |  |  +---+ CS Tmr
                                         RL EXC; |  |
                                                 |  | Rcv CAS;
                                                 V  V
                                                 /\/\/\/\
                                                | Cncld  |
                                                 \/\/\/\/

                   /\/\
                  | RX |
                   \/\/
                     |  Cncl CP Tmr (if any)
                     V  Snd RA
               +---------+                                +----+
               | CHK_RPT |                                |    |
               +-+--+----+       RP in scope              V    |
                 |  |     \     NOT rcvd. fully   +---------+  | Rxmt
       Redundant |  | RP   +--------------------->| RP_RXMT |  | missing
       RS rcvd;  |  | in scope                    +----+--+-+  | RDS;
                 |  | rcvd. fully                      |  |    |
                 V  V                    Rxmt last     |  +----+
                                         missing RDS   |
                                         (marked CP)   |
                                         Start CP Tmr; |
                                                       V






Ramadas et al.             Expires - June 2005                 [Page 33]

Internet Draft             LTP - Specification             December 2004

         The sender LTP stays in the CLOSED state until receiving a
      Block Transmission Request (Blk. Trans. Req) from the client
      service instance. Upon receiving the request it either moves to
      the Fully Green Transmission State (FG_XMIT) if no portion of the
      block was requested to be transmitted as red, or moves to the Red-
      Part Transmission State (RP_XMIT) state if a non-zero block-prefix
      was requested to be transmitted red.

         In the FG_XMIT state, the block is segmented as multiple green
      LTP data segments respecting the link MTU size and the segments
      are queued for transmission to the remote engine. The last such
      segment is marked as EOB and the sender LTP returns to the CLOSED
      state after queuing it for transmission.

         Similarly, from the RP_XMIT state multiple red data segments
      are queued for transmission. The sender LTP may optionally mark
      some of the red data segments as asynchronous checkpoints; the
      internal procedure Start Checkpoint Timer [Sec 5.2] is followed
      upon receiving a link-state cue indicating the actual beginning of
      transmission of such segments.  The sender LTP marks the last red-
      data segment of the block as both CP and EORP, and after queuing
      it for transmission moves to the Green Part Transmission (GP_XMIT)
      state. If the block transmission was fully red however, the last
      red-data segment is marked as CP, EORP, and EOB and the sender LTP
      moves to the Wait-for-Red-Part-Acknowledgment (WAIT_RP_ACK) state
      instead. For both the above state-transitions, the internal
      procedure Start Checkpoint Timer [Sec 5.2] is followed upon
      receiving a link-state cue indicating the beginning of
      transmission of the queued CP segments.  If the sender LTP entered
      the GP_XMIT state, the remaining green-part of the block is
      segmented as green data segments and queued for transmission to
      the receiver LTP; the last green segment of the block is
      additionally marked as EOB and the sender LTP moves to the
      WAIT_RP_ACK state.

         While the sender LTP is at any of the RP_XMIT, GP_XMIT, or
      WAIT_RP_ACK states, it might be interrupted by the following two
      events asynchronously:

         1. An RS might be received from the receiver LTP (either in
         response to a previously transmitted CP segment or sent
         asynchronously for accelerated retransmission).  The sender LTP
         then moves to perform the sequence of state transitions
         beginning at the RX marker (second-part of the diagram), and
         retransmits data if necessary, illustrating the internal
         procedure Retransmit Data [Sec 5.13]:

         First, if the RS had a non-zero CP serial number, the


Ramadas et al.             Expires - June 2005                 [Page 34]

Internet Draft             LTP - Specification             December 2004

         corresponding CP timer is canceled. Then, an RA segment
         acknowledging the received RS is queued for transmission to the
         receiver LTP and the sender LTP moves to the Check Report state
         (CHK_RPT). If the RS was redundantly transmitted by the
         receiver LTP (possibly because either the last transmitted RA
         got lost or the RS timer expired prematurely at the receiver),
         the sender LTP does nothing more and returns back to the
         interrupted state. Similarly, if all red-data within the scope
         of the RS is reported as received, there is no work to be done
         and the sender LTP returns to the interrupted state. However,
         if the RS indicated incomplete reception of data within its
         scope, the sender LTP moves to the Red-part Retransmit state
         (RP_RXMT) where missing red data-segments within scope are
         queued for transmission. The last such segment is marked as a
         CP, and the sender LTP returns to the interrupted state. The
         internal procedure [Sec 5.2] is followed  upon receiving a
         link-state cue indicating beginning of transmission of the CP
         segment.

         2. A previously set CP timer might expire. Now the sender LTP
         follows the states beginning at the CP marker (second-part of
         the diagram), and follows the internal procedure Retransmit
         Checkpoint [Sec 5.7]:

         If the CP Retransmission Limit set by network management for
         the session has been exceeded, the sender LTP proceeds towards
         canceling the session (with reason-code RLEXC) as indicated by
         the sequence of state transitions following the CX marker.
         Otherwise (if the Retransmission Limit is not exceeded yet),
         the CP segment is queued for retransmission and the sender LTP
         returns to the interrupted state. The Start Checkpoint Timer
         internal procedure [Sec 5.2] is started again upon receiving a
         link-state cue indicating the beginning of transmission of the
         segment.

        The sender LTP stays at the WAIT_RP_ACK state after reaching it
      until the red-part data is fully acknowledged as received by the
      receiver LTP, and then returns to the CLOSED state following the
      internal procedure Close Session [Sec 5.20].

      <<Talk about 2 MSL here??>> Note that while at the CLOSED state,
      the sender LTP might receive an RS (if the last transmitted RA
      before session close got lost or if the receiver LTP retransmitted
      the RS prematurely), in which case it retransmits an acknowledging
      RA and stays in the CLOSED state. If the session was canceled by
      the Receiver by issuing a CR segment, the receiver may retransmit
      the CR (either prematurely or because the acknowledging CAR got
      lost). In this case, the sender LTP retransmits the acknowledging


Ramadas et al.             Expires - June 2005                 [Page 35]

Internet Draft             LTP - Specification             December 2004

      CAR and stays in the CLOSED state.

      Asynchronous cancel request may be received from the local client
      service while the sender LTP was in any of the states mentioned.
      If it was not already in the sequence of state transitions
      beginning at the CX marker, the internal procedure Cancel Session
      [Sec 5.19] is followed, and the sender LTP moves from its current
      state into the sequence beginning at the CX marker initiating
      session cancellation with reason-code CNCLD. From the CX marker,
      the CS segment with appropriate reason-code (CNCLD or RLEXC
      depending on how the CX sequence was entered) is queued for
      transmission to the receiver LTP and the sender enters the Cancel-
      from-Sender Sent(CS_SENT) state. The internal procedure Start
      Cancel Timer [Sec 5.15] is started upon receiving a link-state cue
      indicating the beginning of transmission of the CS segment.  Upon
      receiving the acknowledging CAS from the receiver, the sender LTP
      moves to the CLOSED state (via the Cncld marker). If the CS Timer
      expires, the internal procedure Retransmit Cancellation Segment
      [Sec 5.16] is followed:

         If the network management set retransmission limit is exceeded,
         the session is simply closed and the sender LTP follows the
         Cncld marker to the CLOSED state. If the retransmission limit
         is not exceeded however, the CS segment is queued for a
         retransmission and the sender LTP stays in the CS_SENT state.
         The CS Timer is started upon receiving a link-state cue
         indicating the beginning of actual transmission according to
         the internal procedure Start Cancel Timer [Sec 5.15].

      Asynchronous cancel request may also be received from the receiver
      LTP in the form of a CR segment when the sender LTP is in any of
      the states. Upon receiving such a CR segment, the internal
      procedure Acknowledge Cancellation [Sec 5.17] is invoked: The
      sender LTP sends a CAR segment in response and returns to the
      CLOSED state.








Ramadas et al.             Expires - June 2005                 [Page 36]

Internet Draft             LTP - Specification             December 2004

7.2  Receiver
                     LTP Receiver State Transition Diagram

                                                /\/\/\/\
                             +----+       +----+ Cncld  |
                     Rcv CS; |    V       V     \/\/\/\/
                     Snd CAS |  +-------------+
                             +--+    CLOSED   +<--------------------------+
                                +------+------+                           |
                               +----+  | Rcv first DS                     |
                    Rcv RA;    |    V  V                                  |
                   Cncl RS Tmr |   +--------+                             |
                               +---+ DS_REC |                             |
    +----------------------------->+-+--+-+-+<----------------------+---+ |
    |          Svc. does not exist   |  | | RS TE                   |   | |
    |   /\/\  or Rcv miscolored seg. |  | |               /\/\      |   | |
    |  | CX |<-----------------------+  | +------------->| RX |---->+   | |
    |   \/\/                            |                 \/\/          | |
    |                        Rcv RDS;   |   Rcv GDS;                    | |
    |                       +-----------+------------+                  | |
    |                       V                        V                  | |
    |   /\/\  RS TE +--------------+             +--------+             | |
    +<-| RX |<------+    RCV_RP    |             | RCV_GP |             | |
    |   \/\/        +-+----+--+--+-+             +--+-+-+-+             | |
    |                 |    |  |  |                  | | |               | |
    |    Rcvd RDS;    |    |  |  | Rcvd {RDS, CP,   | | | RS TE  /\/\   | |
    |                 |    |  |  | EORP, EOB};      | | +------>| RX |->+ |
    +<----------------+    |  |  | Snd RS,          | |          \/\/   | |
    |                      |  |  | Start RS Tmr     | | Rcvd GDS;       | |
    | Rcvd {RDS, CP};      |  |  |                  | +---------------->+ |
    | Snd RS, Start RS Tmr |  |  +-------+    +-----+                     |
    +<---------------------+  |          |    | Rcvd {GDS, EOB};          |
    |                         |          |    |                           |
    |                         | +-----+  |    |   +------+                |
    | Rcvd {RDS, CP, EORP};   | |     V  V    V   V      |                |
    | Snd RS, Start RS Tmr    | |   +----------------+   | Rcv RDS;       |
    |                         | |   |                +-->+                |
    |                         | |   |   WAIT_RP_REC  |   | Rcv {RDS, CP}; |
    |                         | |   |                +-->+ Snd RS, Start  |
    +<------------------------+ |   +---+--+-+-+-----+   |        RS Tmr  |
                                | RS TE |  | |  | Rcv RA; |               |
                                |       V  | |  | Cncl    |               |
                                |    /\/\  | |  | RS Tmr  |               |
                                +---| RX | | |  +-------->+               |
                                     \/\/  | |                            |
             /\/\                          | |                            |
            | CX |<------------------------+ |  RP rcvd. fully            |
             \/\/      Rcv miscolored seg.   +--------------------------->+


Ramadas et al.             Expires - June 2005                 [Page 37]

Internet Draft             LTP - Specification             December 2004

                LTP Receiver State Transition Diagram (contd.)


                                     /\/\
                                    | RX |
                                     \/\/
                                     |  |
                                     |  | RL EXC;    /\/\
                        RL NOT EXC;  |  +---------->| CX |
                        Rxmt RS,     |               \/\/
                        Start RS Tmr |
                                     V




                                     /\/\
                                    | CX |
                                     \/\/
                                       | Snd CR,
                                       | Start CR Tmr;
                                       |
                                       |  +----+
                                       V  V    |
                                   +---------+ | CR TE,
                                   | CR_SENT | | RL NOT EXC;
                                   +-+--+--+-+ | Rxmt CR,
                                     |  |  |   | Restart
                             CR TE,  |  |  +---+ CR Tmr
                             RL EXC; |  |
                                     |  | Rcv CAR;
                                     V  V
                                     /\/\/\/\
                                    | Cncld  |
                                     \/\/\/\/






Ramadas et al.             Expires - June 2005                 [Page 38]

Internet Draft             LTP - Specification             December 2004

      The receiver LTP begins at the CLOSED state and enters the Data
      Segment Reception (DS_REC) state upon receiving the first data
      segment. If the client service ID referenced in the data segment
      was non-existent, a CX segment with reason-code UNREACH SHOULD be
      sent to the sender LTP with the Cancellation sequence beginning
      with the CX marker (second part of the diagram). If the received
      segment was found to be miscolored (a red-part data segment whose
      block offset begins at an offset higher than the offset of any
      green-part data segment previously received, or a green-part data
      segment whose block offset begins at an offset lower than the
      offset of any red-part data segment previously received), the
      internal procedure Handle Miscolored Segment [Sec 5.21] is
      followed; a CX segment with reason-code MISCOLORED SHOULD be sent
      to the sender LTP with the Cancellation sequence beginning with
      the CX marker.

      Otherwise, the receiver LTP enters the Receive Red-Part state
      (RCV_RP) or the Receive Green-Part state (RCV_GP) depending on
      whether the segment received was red or green respectively.

      In the RCV_RP state, a check is made of the nature of the received
      red DS.  If the segment was a regular red data segment, the
      receiver LTP just returns to the DS_REC state. For red data
      segments marked also as CP and as CP & EORP, a responding RS is
      queued for transmission to the sender following either the
      internal procedure Retransmit RS [Sec 5.8] or Send Reception
      Report [Sec 5.11] depending on whether the CP segment was a
      retransmission (An RS corresponding to the Checkpoint Serial
      Number in the CP was previously issued)  or not, respectively.
      The receiver LTP then returns to the DS_REC state.  If the block
      transmission was fully red and the segment was marked as CP, EORP,
      and EOB, the receiver LTP enters the Wait-for-Red-Part-Reception
      state (WAIT_RP_REC). In all cases the internal procedure Start RS
      Timer [Sec 5.3] is followed upon receiving link-state cues
      indicating beginning of transmission of the RS segments.

      In the RCV_GP state, if the received green data segment was not
      marked EOB, the receiver LTP returns to the DS_REC state.
      Otherwise it enters the WAIT_RP_REC state to receive the red-part
      of the block fully.

      A previously set RS timer may expire asynchronously while the
      receiver LTP was in the DS_REC, RCV_RP, RCV_GP, or WAIT_RP_REC
      states. If so, the internal procedure Retransmit RS [Sec 5.8] is
      followed as illustrated in the states beginning at the RX marker
      (shown in the second part of the diagram) before returning to the
      interrupted state:


Ramadas et al.             Expires - June 2005                 [Page 39]

Internet Draft             LTP - Specification             December 2004

         A check is made here to see if the retransmission limit set by
         the network management has been exceeded in the number of RSs
         sent in the session. If so, a CR segment with reason-code RLEXC
         SHOULD be sent to the sender LTP and the sequence following the
         CX marker is followed. Otherwise, the RS is queued for
         retransmission and the associated RS timer is started following
         the internal procedure Start RS Timer [Sec 5.3] upon receiving
         a link-state cue indicating the beginning of its transmission.

      The receiver LTP may also receive RA segments from the sender in
      response to the RSs sent while in the DS_REC state. If so, then
      the RS timer corresponding to the report serial number mentioned
      in the RA segment is canceled following the internal procedure
      Stop RS Timer [Sec 5.14].

      The receiver LTP stays in the WAIT_RP_REC state until the entire
      red-part of the block is received, and moves to the CLOSED state
      upon full red-part reception. In this state, a check is made upon
      reception of every red-part DS to see if it is at a block offset
      higher than any green-part DS received. If so, the Handle
      Miscolored Segment internal procedure [Sec 5.21] is invoked and
      the sequence of state transitions beginning with the CX marker is
      followed; a CX segment with reason-code MISCOLORED SHOULD be sent
      to the sender LTP with the Cancellation sequence beginning with
      the CX marker.

      Note that if there were no red data segments received in the
      session yet, including the case where the session was indeed fully
      green or the pathological case where the entire red-part of the
      block gets lost but at least the green data segment marked EOB is
      received (the receiver LTP has no indication of whether the
      session had a red-part transmission), the receiver LTP assumes the
      "RP rcvd. fully" condition to be true and moves to the CLOSED
      state from the WAIT_RP_REC state.

      In the WAIT_RP_REC state, the receiver LTP may receive the
      retransmitted red data segments. Upon receiving red data segments
      marked CP, it queues the responding RS for transmission based on
      either internal procedure Retransmit RS [Sec 5.8] or Send
      Reception Report [Sec 5.11] depending on whether the CP was found
      to be a retransmission or not, respectively. The Start RS Timer
      internal procedure is invoked upon receiving a link-state cue
      indicating the beginning of transmission of the RS.  If an RA
      segment is received, the RS timer corresponding to the report
      segment mentioned is canceled and the receiver LTP stays in the
      state until the entire red-part is received.

      In the sequence of state transitions beginning at the CX marker,


Ramadas et al.             Expires - June 2005                 [Page 40]

Internet Draft             LTP - Specification             December 2004

      the CR segment with the given reason-code (depending on how the
      sequence is entered) is queued for transmission, and the CR timer
      is started upon reception of the link-state cue indicating actual
      transmission following internal procedure Start Cancel Timer [Sec
      5.15].  If the CAR is received from the sender LTP, the receiver
      LTP returns to the CLOSED state (via the Cncld marker) following
      the Stop Cancel Timer internal procedure [Sec 5.18]. If the CR
      timer expires asynchronously, the internal procedure Retransmit
      Cancellation Segment [Sec 5.16] is followed :
         A check is made to see if the retransmission limit set by the
         network management for the number of CRs per session has been
         exceeded.  If so, the receiver LTP returns to the CLOSED state
         following the Cncld marker. Otherwise, a CR segment is
         scheduled for retransmission with the CR timer being started
         following the internal procedure Start Cancel Timer [Sec 5.15]
         upon reception of a link-state cue indicating actual
         transmission.

      <<Talk about 2 MSL here??>> The receiver LTP might also receive a
      retransmitted CS at the CLOSED state (either if the CAS segment
      previously transmitted was lost or if the CS timer expired
      prematurely at the sender LTP). In such a case the CAS is
      scheduled for retransmission.

      Asynchronous cancel requests are handled similar to the way they
      are handled in the sender LTP. If the cancel request was made from
      the local client service instance and the receiver LTP was not
      already in the CR_SENT state, a CR with reason-code CNCLD SHOULD
      be sent to the sender LTP following the sequence of state
      transitions beginning at the CX marker as described above.  If the
      asynchronous cancel request is received from the sender LTP, a CAS
      segment is sent and the receiver LTP moves to the CLOSED state
      (independent of the state the receiver LTP may be in).

8.  Requirements from the Operating Environment

      LTP requires support from its operating environment (which
      includes network management activities) and link-state cues from
      the data-link layer for its operations.

      The local data-link layer needs to inform LTP whenever the link to
      a specific LTP destination is brought up or torn down.  Similarly,
      the operating environment needs to inform the local LTP engine
      whenever it is known that a remote LTP engine is set to begin or
      stop communication with the local engine based on the operating
      schedules. LTP requires link state cues from the datalink layer
      upon transmission of the CP, RS, EORP, EOB, and Cx segments.  LTP
      also needs to be able to query the current distance (in light


Ramadas et al.             Expires - June 2005                 [Page 41]

Internet Draft             LTP - Specification             December 2004

      seconds) to any peer engine in order to calculate timeout
      intervals in a typical deep-space environment.

      A MIB (Management Information Base), with the above parameters
      filled in by the local data-link layer and the operating
      environment periodically, should be made available to the LTP
      engine for its operations. The exact details of the MIB are,
      however, beyond the scope of this document.

      The underlying data-link layer is required to never deliver
      incompletely received LTP segments to LTP.  In the absence of the
      use of LTP authentication [LTPEXT] LTP also requires the
      underlying data-link layer to perform data integrity check of the
      segments received. Specifically, the data-link layer is expected
      to detect any corrupted segments received and to silently discard
      them.

9.  Security Considerations

      <<Note : The LTP-Auth security mechanism defined in [LTPEXT] may
      be moved back into this section if there was community consensus
      in having it as a critical feature that ought to be implemented in
      all implementations of the protocol.>>

      There is a clear risk that unintended receivers can listen in on
      LTP transmissions over satellite and other radio broadcast
      datalinks.   Such unintended recipients of LTP transmissions may
      also be able to manipulate LTP segments at will.

      Hence there is a potential requirement for confidentiality,
      integrity and anti-DoS (Denial of Service) security services and
      mechanisms.

      In particular, DoS problems are more severe for LTP compared to
      other typical internet protocols because LTP inherently retains
      state for long periods, and has very high time-out values.
      Further, it could be difficult to reset LTP nodes to recover from
      an attack.  Thus any adversary who can actively attack an LTP
      transmission has the potential to create severe DoS conditions for
      the LTP receiver.

      To give a terrestrial example - were LTP to be used in a sparse
      sensor network, DoS attacks could be mounted resulting in nodes
      missing critical information, for example, communications schedule
      updates.  In such cases, a single successful DoS attack could take
      a node entirely off the network until the node is physically
      visited and reset.


Ramadas et al.             Expires - June 2005                 [Page 42]

Internet Draft             LTP - Specification             December 2004

      Even for deep space applications of LTP, we do need to consider
      certain terrestrial attacks, in particular those involving
      insertion of messages into an on-going session (usually without
      having seen the exact bytes of the previous messages in the
      session). Such attacks are likely in the presence of firewall
      failures at various nodes in the network, or due to Trojan
      software running on an authorized host.

      Many message insertion attacks will depend on the attacker
      correctly "guessing" something about the state of the LTP peers,
      but experience shows that successful guesses are easier than might
      be thought [DDJ].

9.1  Security Mechanisms and Layering Considerations

      In this section we consider the appropriate layer(s) at which
      security mechanisms can best be deployed to increase the security
      properties of LTP.

      The Application layer (above-LTP)

         Higher layer security mechanisms clearly protect LTP payload,
         but leave LTP headers open.  Such mechanisms provide little or
         no protection against DoS type attacks against LTP, but may
         well provide sufficient data integrity and ought to be able to
         provide data confidentiality.

      The LTP layer

         An authentication header (similar to IPSEC [AH]) can help
         protect against replay attacks and other bogus packets.
         However, an adversary may still see the LTP header of segments
         passing by in the ether. This approach also requires some key
         management infrastructure to be in place in order to provide
         strong authentication, which may not always be an acceptable
         overhead. Such an authentication header could mitigate many DoS
         attacks.

         Similarly, a confidentiality service could be defined for LTP
         payload and (some) header fields. However, this seems less
         attractive since (a) confidentiality is arguably better
         provided either above or below the LTP layer, (b) key
         management for such a service is harder (in a high-delay
         context) than for an integrity service, and (c) forcing LTP
         engines to attempt decryption of incoming segments can in
         itself provide a DoS opportunity.

         Further, within the LTP layer we can make various design


Ramadas et al.             Expires - June 2005                 [Page 43]

Internet Draft             LTP - Specification             December 2004

         decisions to reduce the probability of successful DoS attacks.
         In particular, we can mandate that values for certain fields in
         the header (session numbers, for example) be chosen randomly.

      The Datalink layer (below-LTP)

         The lower layers can clearly provide confidentiality and
         integrity services, although such security may result in
         unnecessary overhead (if a service provided is not required for
         all LTP sessions, for example) and loss of flexibility.
         However, the lower layers may well be the optimal place to do
         compression and encryption.

9.2  Denial of Service Considerations

      Implementers SHOULD consider the likelihood of the following DoS
      attacks :

         A fake Cx could be inserted, thus bringing down a session.

         Various acknowledgment segments (RA, RS, etc.) could be
         deleted, causing timers to expire, and has the potential to
         disable communication altogether if done with a knowledge of
         the communications schedule.  This could be achieved either by
         mounting a DoS attack on a lower layer service in order to
         prevent it from sending an acknowledgment segment, or by simply
         jamming the transmission (all of which are more likely for
         terrestrial applications of LTP).

         An attacker might also flip some bits, which is tantamount to
         deleting that segment.

         An attacker may flood a node with segments for the internal
         operations queue and prevent transmission of legitimate data
         segments.

         An attacker could attempt to fill up the storage in a node by
         sending many large messages to it. In terrestrial LTP
         applications this may be much more serious since spotting the
         additional traffic may not be possible from any network
         management point.

         <<More TBD>>

      LTP includes the following anti-DoS mechanisms:

         Session numbers MUST be partly random making it harder to


Ramadas et al.             Expires - June 2005                 [Page 44]

Internet Draft             LTP - Specification             December 2004

         insert valid segments.

         A node which suspects that either it or its peer is under DoS
         attack could frequently checkpoint its data segments (if it
         were the sender) or send asynchronous RSs (if it were the
         receiver), thus eliciting an earlier response from its peer or
         timing out earlier due to the failure of an attacker to
         respond.

         Serial numbers (checkpoint serial numbers, report serial
         numbers) MUST begin each session anew using random numbers
         rather than from 0.

         The authentication header [LTPEXT].

9.3  Replay Handling

      The following algorithm is given as an example of how an LTP
      implementation MAY handle replays.

      1. On receipt of an LTP segment, check against a cache for replay.
      If this is a replay segment and if a pre-cooked response is
      available (stored from the last time this segment was processed),
      then send the pre-cooked response.  If there is no pre-cooked
      response then silently drop the inbound segment. This can all be
      done without attempting to decode the buffer.

      2. If the inbound segment does not decode correctly, then silently
      drop the segment. If the segment decodes properly, then add its
      hash to the replay cache and return a handle to the entry.

      3. For those cases where a pre-cooked response should be stored,
      store the response using the handle received from the previous
      step. These cases include:

         (a) when the inbound packet is a CP DS the response RS gets
         stored as pre-cooked;

         (b) when the incoming packet is an RS the RA is stored as
         precooked, and,

         (c) when the incoming packet is a Cx the CAx gets stored
         precooked.

      4. Occasionally clean out the replay cache - how frequently this
      happens in an implementation issue.

      The downside of this algorithm is that receiving a totally bogus


Ramadas et al.             Expires - June 2005                 [Page 45]

Internet Draft             LTP - Specification             December 2004

      segment still results in a replay cache search and attempted LTP
      decode operation.  It is not clear that it is possible to do much
      better though, since all an attacker would have to do to get past
      the replay cache would be to tweak a single bit in the inbound
      segment each time, which is certainly cheaper than the
      hash+lookup+decode combination, though also certainly more
      expensive than simply sending the same octets many times.

      The benefit of doing this is that implementers no longer need to
      analyze many bugs/attacks based on replaying packets, which in
      combination with the use of LTP authentication should defeat many
      attempted DoS attacks.

9.4  Implementation Considerations

      SDNV

         Implementations SHOULD make sanity checks on SDNV length fields
         and SHOULD check that no SDNV field is too long when compared
         with the overall segment length.

         Implementations SHOULD check that SDNV values are within
         suitable ranges where possible, e.g. <<TBD>>

      Byte ranges

         Various report and other segments contain offset and length
         fields. Implementations MUST ensure that these are consistent
         and sane.

      Randomness

         Various fields in LTP (e.g. serial numbers) should be
         initialized using random values. Good sources of randomness
         which are not easily guessable SHOULD be used [ECS94].  The
         collision of random values is subject to the birthday paradox,
         which means that a collision is likely after roughly the
         square-root of the space has been seen (e.g. 2^16 in the case
         of a 32-bit random value).  Implementers MUST ensure that they
         use sufficiently long random values so that the birthday
         paradox doesn't cause a problem in their environment.

10.  IANA Considerations

      At present there are none known. However if someone wanted to run
      LTP over IP (or even TCP or UDP), then we would want to allocate a
      port number. <<Considering this is TBD>>


Ramadas et al.             Expires - June 2005                 [Page 46]

Internet Draft             LTP - Specification             December 2004

11.  Acknowledgments

      Many thanks to Tim Ray, Vint Cerf, Bob Durst, Kevin Fall, Adrian
      Hooke, Keith Scott, Leigh Torgerson, Eric Travis, and Howie Weiss
      for their thoughts on this protocol and its role in Delay-Tolerant
      Networking architecture.

      Part of the research described in this document was carried out at
      the Jet Propulsion laboratory, California Institute of Technology,
      under a contract with the National Aeronautics and Space
      Administration. This work was performed under DOD Contract DAA-
      B07- 00-CC201, DARPA AO H912; JPL Task Plan No. 80-5045, DARPA AO
      H870; and NASA Contract NAS7-1407.

      Thanks are also due to Shawn Ostermann, Hans Kruse, and Dovel
      Myers at Ohio University for their suggestions and advice in
      making various design decisions.

      Part of this work was carried out at Trinity College Dublin as
      part of the SeNDT contract funded by Enterprise Ireland's research
      innovation fund.

12.  References

12.1 Normative References

      [B97] S. Bradner, "Key words for use in RFCs to Indicate
      Requirement Levels", BCP 14, RFC 2119, March 1997.

      [LTPMOTIVE] Burleigh, S., Ramadas, M., and Farrell, S., "Licklider
      Transmission Protocol - Motivation", draft-irtf-dtnrg-ltp-
      motivation-00.txt (Work in Progress), December 2004.

      [LTPEXT] Farrell, S., Ramadas, M., and Burleigh, S., "Licklider
      Transmission Protocol - Extensions", draft-irtf-dtnrg-ltp-
      extensions-00.txt (Work in Progress), December 2004.

12.2 Informative References

      [AH] Kent, S., and R. Atkinson, "IP Authentication Header", RFC
      2402, November 1998.

      [ASN1] Abstract Syntax Notation One (ASN.1). Specification of
      Basic Notation. ITU-T Rec. X.680 (2002) | ISO/IEC 8824-1:2002.

      [DDJ]  I. Goldberg and E. Wagner, "Randomness and the Netscape
      Browser", Dr. Dobb's Journal, 1996, (pages 66-70).


Ramadas et al.             Expires - June 2005                 [Page 47]

Internet Draft             LTP - Specification             December 2004

      [BP] K. Scott, and S. Burleigh, "Bundle Protocol Specification",
      Work in Progress, October 2003.

      [DTN] K. Fall, "A Delay-Tolerant Network Architecture for
      Challenged Internets", In Proceedings of ACM SIGCOMM 2003,
      Karlsruhe, Germany, Aug 2003.

      [IPN] InterPlanetary Internet Special Interest Group web page,
      "http://www.ipnsig.org".

      [ECS94] D. Eastlake, S. Crocker, and J. Schiller, "Randomness
      Recommendations for Security", RFC 1750, December 1994.

13.  Author's Addresses

         Manikantan Ramadas
         Internetworking Research Group
         301 Stocker Center
         Ohio University
         Athens, OH 45701
         Telephone +1 (740) 593-1562
         Email mramadas@irg.cs.ohiou.edu

         Scott C. Burleigh
         Jet Propulsion Laboratory
         4800 Oak Grove Drive
         M/S: 179-206
         Pasadena, CA 91109-8099
         Telephone +1 (818) 393-3353
         FAX +1 (818) 354-1075
         Email Scott.Burleigh@jpl.nasa.gov

         Stephen Farrell
         Distributed Systems Group
         Computer Science Department
         Trinity College Dublin
         Ireland
         Telephone +353-1-608-3070
         Email stephen.farrell@cs.tcd.ie

14. Copyright Statement

      Copyright (C) The Internet Society (2004).  This document is subject
      to the rights, licenses and restrictions contained in BCP 78, and
      except as set forth therein, the authors retain all their rights."

      This document and the information contained herein are provided on an


Ramadas et al.             Expires - June 2005                 [Page 48]

Internet Draft             LTP - Specification             December 2004

      "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
      OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
      ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
      INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
      INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
      WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.























Ramadas et al.             Expires - June 2005                 [Page 49]


Html markup produced by rfcmarkup 1.109, available from https://tools.ietf.org/tools/rfcmarkup/