 1/draftietfrmtbbfecldpc07.txt 20080123 16:12:09.000000000 +0100
+++ 2/draftietfrmtbbfecldpc08.txt 20080123 16:12:09.000000000 +0100
@@ 1,22 +1,22 @@
RMT V. Roca
InternetDraft INRIA
Intended status: Standards Track C. Neumann
Expires: May 19, 2008 Thomson
+Expires: July 26, 2008 Thomson
D. Furodet
STMicroelectronics
 November 16, 2007
+ January 23, 2008
Low Density Parity Check (LDPC) Staircase and Triangle Forward Error
Correction (FEC) Schemes
 draftietfrmtbbfecldpc07.txt
+ draftietfrmtbbfecldpc08.txt
Status of this Memo
By submitting this InternetDraft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
InternetDrafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
@@ 27,86 +27,84 @@
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use InternetDrafts as reference
material or to cite them other than as "work in progress."
The list of current InternetDrafts can be accessed at
http://www.ietf.org/ietf/1idabstracts.txt.
The list of InternetDraft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
 This InternetDraft will expire on May 19, 2008.
+ This InternetDraft will expire on July 26, 2008.
Copyright Notice
 Copyright (C) The IETF Trust (2007).
+ Copyright (C) The IETF Trust (2008).
Abstract
This document describes two FullySpecified FEC Schemes, LDPC
Staircase and LDPCTriangle, and their application to the reliable
delivery of data objects on the packet erasure channel (i.e., a
communication path where packets are either received without any
corruption or discarded during transmission). These systematic FEC
codes belong to the well known class of ``Low Density Parity Check''
(LDPC) codes, and are large block FEC codes in the sense of RFC3453.
Table of Contents
 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
 2. Requirements notation . . . . . . . . . . . . . . . . . . . . 5
 3. Definitions, Notations and Abbreviations . . . . . . . . . . . 6
 3.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 6
 3.2. Notations . . . . . . . . . . . . . . . . . . . . . . . . 6
 3.3. Abbreviations . . . . . . . . . . . . . . . . . . . . . . 7
 4. Formats and Codes . . . . . . . . . . . . . . . . . . . . . . 8
 4.1. FEC Payload IDs . . . . . . . . . . . . . . . . . . . . . 8
 4.2. FEC Object Transmission Information . . . . . . . . . . . 8
 4.2.1. Mandatory Element . . . . . . . . . . . . . . . . . . 8
 4.2.2. Common Elements . . . . . . . . . . . . . . . . . . . 8
 4.2.3. SchemeSpecific Elements . . . . . . . . . . . . . . . 9
 4.2.4. Encoding Format . . . . . . . . . . . . . . . . . . . 9
 5. Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . 12
 5.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 12
 5.2. Determining the Maximum Source Block Length (B) . . . . . 13
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
+ 2. Requirements notation . . . . . . . . . . . . . . . . . . . . 6
+ 3. Definitions, Notations and Abbreviations . . . . . . . . . . . 7
+ 3.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 7
+ 3.2. Notations . . . . . . . . . . . . . . . . . . . . . . . . 7
+ 3.3. Abbreviations . . . . . . . . . . . . . . . . . . . . . . 8
+ 4. Formats and Codes . . . . . . . . . . . . . . . . . . . . . . 9
+ 4.1. FEC Payload IDs . . . . . . . . . . . . . . . . . . . . . 9
+ 4.2. FEC Object Transmission Information . . . . . . . . . . . 9
+ 4.2.1. Mandatory Element . . . . . . . . . . . . . . . . . . 9
+ 4.2.2. Common Elements . . . . . . . . . . . . . . . . . . . 9
+ 4.2.3. SchemeSpecific Elements . . . . . . . . . . . . . . . 10
+ 4.2.4. Encoding Format . . . . . . . . . . . . . . . . . . . 10
+ 5. Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . 13
+ 5.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 13
+ 5.2. Determining the Maximum Source Block Length (B) . . . . . 14
5.3. Determining the Encoding Symbol Length (E) and Number
 of Encoding Symbols per Group (G) . . . . . . . . . . . . 14
+ of Encoding Symbols per Group (G) . . . . . . . . . . . . 15
5.4. Determining the Maximum Number of Encoding Symbols
 Generated for Any Source Block (max_n) . . . . . . . . . . 15
+ Generated for Any Source Block (max_n) . . . . . . . . . . 16
5.5. Determining the Number of Encoding Symbols of a Block
 (n) . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
 5.6. Identifying the G Symbols of an Encoding Symbol Group . . 16
 5.7. Pseudo Random Number Generator . . . . . . . . . . . . . . 20
 6. Full Specification of the LDPCStaircase Scheme . . . . . . . 22
 6.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 22
 6.2. Parity Check Matrix Creation . . . . . . . . . . . . . . . 22
 6.3. Encoding . . . . . . . . . . . . . . . . . . . . . . . . . 24
 6.4. Decoding . . . . . . . . . . . . . . . . . . . . . . . . . 24
 7. Full Specification of the LDPCTriangle Scheme . . . . . . . . 26
 7.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 26
 7.2. Parity Check Matrix Creation . . . . . . . . . . . . . . . 26
 7.3. Encoding . . . . . . . . . . . . . . . . . . . . . . . . . 26
 7.4. Decoding . . . . . . . . . . . . . . . . . . . . . . . . . 27
 8. Security Considerations . . . . . . . . . . . . . . . . . . . 28
 8.1. Problem Statement . . . . . . . . . . . . . . . . . . . . 28
 8.2. Attacks Against the Data Flow . . . . . . . . . . . . . . 28
 8.2.1. Access to Confidential Objects . . . . . . . . . . . . 28
 8.2.2. Content Corruption . . . . . . . . . . . . . . . . . . 29
 8.3. Attacks Against the FEC Parameters . . . . . . . . . . . . 30
 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 31
 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 32
 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 33
 11.1. Normative References . . . . . . . . . . . . . . . . . . . 33
 11.2. Informative References . . . . . . . . . . . . . . . . . . 33
 Appendix A. Pseudo Random Number Generator Example
 Implementation (Informative Only) . . . . . . . . . . 35
 Appendix B. Trivial Decoding Algorithm (Informative Only) . . . . 37
+ (n) . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
+ 5.6. Identifying the G Symbols of an Encoding Symbol Group . . 17
+ 5.7. Pseudo Random Number Generator . . . . . . . . . . . . . . 21
+ 6. Full Specification of the LDPCStaircase Scheme . . . . . . . 23
+ 6.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 23
+ 6.2. Parity Check Matrix Creation . . . . . . . . . . . . . . . 23
+ 6.3. Encoding . . . . . . . . . . . . . . . . . . . . . . . . . 25
+ 6.4. Decoding . . . . . . . . . . . . . . . . . . . . . . . . . 25
+ 7. Full Specification of the LDPCTriangle Scheme . . . . . . . . 27
+ 7.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 27
+ 7.2. Parity Check Matrix Creation . . . . . . . . . . . . . . . 27
+ 7.3. Encoding . . . . . . . . . . . . . . . . . . . . . . . . . 28
+ 7.4. Decoding . . . . . . . . . . . . . . . . . . . . . . . . . 28
+ 8. Security Considerations . . . . . . . . . . . . . . . . . . . 29
+ 8.1. Problem Statement . . . . . . . . . . . . . . . . . . . . 29
+ 8.2. Attacks Against the Data Flow . . . . . . . . . . . . . . 29
+ 8.2.1. Access to Confidential Objects . . . . . . . . . . . . 29
+ 8.2.2. Content Corruption . . . . . . . . . . . . . . . . . . 30
+ 8.3. Attacks Against the FEC Parameters . . . . . . . . . . . . 31
+ 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 32
+ 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 33
+ 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 34
+ 11.1. Normative References . . . . . . . . . . . . . . . . . . . 34
+ 11.2. Informative References . . . . . . . . . . . . . . . . . . 34
+ Appendix A. Trivial Decoding Algorithm (Informative Only) . . . . 37
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 39
Intellectual Property and Copyright Statements . . . . . . . . . . 40
1. Introduction
[RFC3453] introduces large block FEC codes as an alternative to small
block FEC codes like ReedSolomon. The main advantage of such large
block codes is the possibility to operate efficiently on source
blocks of size several tens of thousands (or more) source symbols.
The present document introduces the FullySpecified FEC Encoding ID 3
@@ 124,22 +122,21 @@
some of them are missing. These codes are systematic, in the sense
that the encoding symbols include the source symbols in addition to
the repair symbols.
Since the encoder and decoder must operate on the same parity check
matrix, information must be communicated between them as part of the
FEC Object Transmission Information.
A publicly available reference implementation of these codes is
available and distributed under a GNU/LGPL license [LDPCcodec].
 Besides, the code extracts included in this document (except
 Appendix A that is only provided as an example) are directly
+ Besides, the code extracts included in this document are directly
contributed to the IETF process by the authors of this document and
by Radford M. Neal.
2. Requirements notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. Definitions, Notations and Abbreviations
@@ 193,36 +190,34 @@
symbols generated for a source block
E denotes the encoding symbol length in bytes
B denotes the maximum source block length in symbols, i.e., the
maximum number of source symbols per source block
N denotes the number of source blocks into which the object shall
be partitioned
 G denotes the number of encoding symbols per group, i.e. the
+ G denotes the number of encoding symbols per group, i.e., the
number of symbols sent in the same packet
CR denotes the "code rate", i.e., the k/n ratio
max_n denotes the maximum number of encoding symbols generated for
any source block. This is in particular the number of encoding
symbols generated for a source block of size B
H denotes the parity check matrix
 srand(s) denotes the initialization function of the pseudorandom
 number generator, where s is the seed (s > 0)

 rand(m) denotes a pseudorandom number generator that returns a
 new random integer in [0; m1] each time it is called
+ pmms_rand(m) denotes the pseudorandom number generator defined in
+ Section 5.7 that returns a new random integer in [0; m1] each
+ time it is called
3.3. Abbreviations
This document uses the following abbreviations:
ESI: Encoding Symbol ID
FEC OTI: FEC Object Transmission Information
FPI: FEC Payload ID
@@ 368,22 +363,22 @@
o FECOTIEncodingSymbolLength
o FECOTIMaximumSourceBlockLength
o FECOTIMaxNumberofEncodingSymbols
o FECOTISchemeSpecificInfo
The FECOTISchemeSpecificInfo contains the string resulting from
 the Base64 encoding (in the XML Schema xs:base64Binary sense) of the
 following value:
+ the Base64 encoding (in the XML Schema xs:base64Binary sense)
+ [RFC4648] of the following value:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+++++++++++++++++++++++++++++++++
 PRNG seed 
+++++++++++++++++++++++++++++++++
 G 
+++++++++
Figure 3: FEC OTI Scheme Specific Information to be Included in the
@@ 612,21 +607,21 @@
Algorithm:
n = floor(k * max_n / B);
5.6. Identifying the G Symbols of an Encoding Symbol Group
When multiple encoding symbols are sent in the same packet, the FEC
Payload ID information of the packet MUST refer to the first encoding
symbol. It MUST then be possible to identify each symbol from this
single FEC Payload ID. To that purpose, the symbols of an Encoding
 Symbol Group (i.e. packet):
+ Symbol Group (i.e., packet):
o MUST all be either source symbols, or repair symbols. Therefore
only source packets and repair packets are permitted, not mixed
ones.
o are identified by a function, sender(resp.
receiver)_find_ESIs_of_group(), that takes as argument:
* for a sender, the index of the Encoding Symbol Group (i.e.,
packet) that the application wants to create,
@@ 660,29 +655,31 @@
*/
void
initialize_tables ()
{
int i;
int randInd;
int backup;
txseqToID = malloc((nk) * sizeof(int));
IDtoTxseq = malloc((nk) * sizeof(int));
+ if (txseqToID == NULL  IDtoTxseq == NULL)
+ handle the malloc failures as appropriate...
/* initialize the two tables that map ID
* (i.e., ESIk) to/from TxSequence. */
for (i = 0; i < n  k; i++) {
IDtoTxseq[i] = i;
txseqToID[i] = i;
}
/* now randomize everything */
for (i = 0; i < n  k; i++) {
 randInd = rand(n  k);
+ randInd = pmms_rand(n  k);
backup = IDtoTxseq[i];
IDtoTxseq[i] = IDtoTxseq[randInd];
IDtoTxseq[randInd] = backup;
txseqToID[IDtoTxseq[i]] = i;
txseqToID[IDtoTxseq[randInd]] = randInd;
}
return;
}
It is then possible, at the sender, to determine the sequence of G
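Review bot: The NULL check added after the two malloc() calls in initialize_tables() has a line of prose as its body ("handle the malloc failures as appropriate..."), so the code extract no longer compiles and does not say what an implementation should do on failure. The function returns void and both loops below write to both tables unconditionally, so suggest turning the body into a C comment followed by an explicit early exit that frees whichever table was allocated, and returning a status so the caller can stop before using the tables.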
@@ 752,136 +749,174 @@
}
}
}
5.7. Pseudo Random Number Generator
The FEC Encoding IDs 3 and 4 rely on a pseudorandom number generator
(PRNG) that must be fully specified, in particular in order to enable
the receivers and the senders to build the same parity check matrix.
 The minimal standard generator [PM88] MUST be used. It defines a
 simple multiplicative congruential algorithm: Ij+1 = A * Ij (modulo
 M), with the following choices: A = 7^^5 = 16807 and M = 2^^31  1 =
 2147483647. Several implementations of this PRNG are known and
 discussed in the literature. All of them provide the same sequence
 of pseudo random numbers. A validation criteria of such a PRNG is
 the following: if seed = 1, then the 10,000th value returned MUST be
+ The ParkMiler "minimal standard" PRNG [PM88] MUST be used. It
+ defines a simple multiplicative congruential algorithm: Ij+1 = A * Ij
+ (modulo M), with the following choices: A = 7^^5 = 16807 and M =
+ 2^^31  1 = 2147483647. A validation criteria of such a PRNG is the
+ following: if seed = 1, then the 10,000th value returned MUST be
equal to 1043618065.
 An optimized implementation of this algorithm, using only 32 bit
 mathematics which does not require any division, is provided, as an
 example, in Appendix A. Yet any other implementation of the PRNG
 algorithm that matches the above validation criteria is appropriate.
+ Several implementations of this PRNG are known and discussed in the
+ literature. An optimized implementation of this algorithm, using
+ only 32 bit mathematics and which does not require any division, can
+ be found in [rand31pmc]. It uses the Park and Miller algorithm
+ [PM88] with the optimization suggested by D. Carta in [CA90]. The
+ history behind this algorithm is detailed in [WI08]. Yet any other
+ implementation of the PRNG algorithm that matches the above
+ validation criteria, like the ones detailed in [PM88], is
+ appropriate.
 This PRNG produces a 31 bit value between 1 and 0x7FFFFFFE (2^^312)
 inclusive. When it is desired to scale the pseudo random number
 between 0 and maxv1 inclusive, one must keep the most significant
 bits of the value returned by the PRNG (the least significant bits
 are known to be less random and modulo based solutions should be
 avoided [PTVF92]). The following algorithm MUST be used:
+ This PRNG produces natively a 31 bit value between 1 and 0x7FFFFFFE
+ (2^^312) inclusive. Since it is desired to scale the pseudo random
+ number between 0 and maxv1 inclusive, one must keep the most
+ significant bits of the value returned by the PRNG (the least
+ significant bits are known to be less random and modulo based
+ solutions should be avoided [PTVF92]). The following algorithm MUST
+ be used:
Input:
raw_value: random integer generated by the inner PRNG algorithm,
between 1 and 0x7FFFFFFE (2^^312) inclusive.
maxv: upper bound used during the scaling operation.
Output:
scaled_value: random integer between 0 and maxv1 inclusive.
Algorithm:
scaled_value = (unsigned long) ((double)maxv * (double)raw_value /
(double)0x7FFFFFFF);
(NB: the above C type casting to unsigned long is equivalent to
using floor() with positive floating point values)
+ In this document, pmms_rand(maxv) denotes the PRNG function that
+ implements the ParkMiller "minimal standard" algorithm defined above
+ and that scales the raw value between 1 and maxv1 inclusive, using
+ the above scaling algorithm. Additionally, a function should be
+ provided to enable the initialization of the PRNG with a seed (i.e.,
+ a 31 bit interger between 1 and 0x7FFFFFFE inclusive) before calling
+ pmms_rand(maxv) the first time.
+
6. Full Specification of the LDPCStaircase Scheme
6.1. General
The LDPCStaircase scheme is identified by the FullySpecified FEC
Encoding ID 3.
The PRNG used by the LDPCStaircase scheme must be initialized by a
seed. This PRNG seed is an instancespecific FEC OTI attribute
(Section 4.2.3).
6.2. Parity Check Matrix Creation
The LDPCStaircase matrix can be divided into two parts: the left
side of the matrix defines in which equations the source symbols are
involved; the right side of the matrix defines in which equations the
repair symbols are involved.
 The left side is generated with the following algorithm:
+ The left side MUST be generated by using the following function:
 /* initialize a list of all possible choices in order to
+/*
+ * Initialize the left side of the parity check matrix.
+ * This function assumes that an empty matrix of size nk * k has
+ * previously been allocated/reset and that the matrix_has_entry(),
+ * matrix_insert_entry() and degree_of_row() functions can access it.
+ * (IN): the k and n parameters.
+ */
+void left_matrix_init (int k, int n)
+{
+ int i; /* row index or temporary variable */
+ int j; /* column index */
+ int h;
+ int t; /* left limit within the list of possible choices u[] */
+ int u[3*MAX_K]; /* table used to have a homogeneous 1 distrib. */
+
+ /* Initialize a list of all possible choices in order to
* guarantee a homogeneous "1" distribution */
for (h = 3*k1; h >= 0; h) {
u[h] = h % (nk);
}
 /* left limit within the list of possible choices, u[] */
 t = 0;
+ /* Initialize the matrix with 3 "1s" per column, homogeneously */
+ t = 0;
for (j = 0; j < k; j++) { /* for each source symbol column */
for (h = 0; h < 3; h++) { /* add 3 "1s" */
/* check that valid available choices remain */
for (i = t; i < 3*k && matrix_has_entry(u[i], j); i++);

if (i < 3*k) {
/* choose one index within the list of possible
* choices */
do {
 i = t + rand(3*kt);
+ i = t + pmms_rand(3*kt);
} while (matrix_has_entry(u[i], j));
matrix_insert_entry(u[i], j);
/* replace with u[t] which has never been chosen */
u[i] = u[t];
t++;
} else {
/* no choice left, choose one randomly */
do {
 i = rand(nk);
+ i = pmms_rand(nk);
} while (matrix_has_entry(i, j));
matrix_insert_entry(i, j);
}
}
}
/* Add extra bits to avoid rows with less than two "1s".
* This is needed when the code rate is smaller than 2/5. */
for (i = 0; i < nk; i++) { /* for each row */
if (degree_of_row(i) == 0) {
 j = rand(k);
+ j = pmms_rand(k);
matrix_insert_entry(i, j);
}
if (degree_of_row(i) == 1) {
do {
 j = rand(k);
+ j = pmms_rand(k);
} while (matrix_has_entry(i, j));
matrix_insert_entry(i, j);
}
}
 The right side (the staircase) is generated by the following
 algorithm:
+}
+
+ The right side (the staircase) MUST be generated by using the
+ following function:
+
+ /*
+ * Initialize the right side of the parity check matrix with a
+ * staircase structure.
+ * (IN): the k and n parameters.
+ */
+ void right_matrix_staircase_init (int k, int n)
+ {
+ int i; /* row index */
matrix_insert_entry(0, k); /* first row */
for (i = 1; i < nk; i++) { /* for the following rows */
matrix_insert_entry(i, k+i); /* identity */
matrix_insert_entry(i, k+i1); /* staircase */
}
+ }
Note that just after creating this parity check matrix, when encoding
symbol groups are used (i.e., G > 1), the function initializing the
two random permutation tables (Section 5.6) MUST be called. This is
true both at a sender and at a receiver.
6.3. Encoding
Thanks to the staircase matrix, repair symbol creation is
straightforward: each repair symbol is equal to the sum of all source
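Review bot: The paragraph added at the end of Section 5.7 gives pmms_rand(maxv) a lower bound of 1, which contradicts the scaling algorithm's stated output just above it (lower bound 0) and the range given for pmms_rand(m) in Section 3.2; it should read 0, since callers such as "j = pmms_rand(k);" use the result as a row or column index. In the same section, "interger" should be "integer", and "ParkMiler" in the first added sentence does not match the "ParkMiller" spelling used in the new closing paragraph. Separately, in left_matrix_init() the local array "int u[3*MAX_K];" relies on MAX_K, which the extract never defines, and k is not checked against it before the first loop writes u[3*k-1] down to u[0]; at a receiver the block size is driven by the received FEC parameters, so suggest stating that k greater than MAX_K MUST be rejected before this function is called, or sizing u[] from k.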
@@ 900,21 +935,21 @@
To that purpose, many techniques are possible. One of them is the
following trivial algorithm [ZP74]: given a set of linear equations,
if one of them has only one remaining unknown variable, then the
value of this variable is that of the constant term. So, replace
this variable by its value in all the remaining linear equations and
reiterate. The value of several variables can therefore be found
recursively. Applied to LDPC FEC codes working over an erasure
channel, the parity check matrix defines a set of linear equations
whose variables are the source symbols and repair symbols. Receiving
or decoding a symbol is equivalent to having the value of a variable.
 Appendix B sketches a possible implementation of this algorithm.
+ Appendix A sketches a possible implementation of this algorithm.
A Gaussian elimination (or any optimized derivative) is another
possible decoding technique. Hybrid solutions that start by using
the trivial algorithm above and finish with a Gaussian elimination
are also possible.
Because interoperability does not depend on the decoding algorithm
used, the current document does not recommend any particular
technique. This choice is left to the codec developer.
@@ 936,37 +971,49 @@
seed. This PRNG seed is an instancespecific FEC OTI attribute
(Section 4.2.3).
7.2. Parity Check Matrix Creation
The LDPCTriangle matrix can be divided into two parts: the left side
of the matrix defines in which equations the source symbols are
involved; the right side of the matrix defines in which equations the
repair symbols are involved.
 The left side is generated with the same algorithm as that of LDPC
 Staircase (Section 6.2).
+ The left side MUST be generated by using the same left_matrix_init()
+ function as with LDPCStaircase (Section 6.2).
 The right side (the triangle) is generated with the following
 algorithm:
+ The right side (the triangle) MUST be generated by using the
+ following function:
+
+ /*
+ * Initialize the right side of the parity check matrix with a
+ * triangle structure.
+ * (IN): the k and n parameters.
+ */
+ void right_matrix_staircase_init (int k, int n)
+ {
+ int i; /* row index */
+ int j; /* randomly chosen column indexes in 0..nk2 */
+ int l; /* limitation of the # of "1s" added per row */
matrix_insert_entry(0, k); /* first row */
for (i = 1; i < nk; i++) { /* for the following rows */
matrix_insert_entry(i, k+i); /* identity */
matrix_insert_entry(i, k+i1); /* staircase */
/* now fill the triangle */
j = i1;
for (l = 0; l < j; l++) { /* limit the # of "1s" added */
 j = rand(j);
+ j = pmms_rand(j);
matrix_insert_entry(i, k+j);
}
}
+ }
Note that just after creating this parity check matrix, when encoding
symbol groups are used (i.e., G > 1), the function initializing the
two random permutation tables (Section 5.6) MUST be called. This is
true both at a sender and at a receiver.
7.3. Encoding
Here also repair symbol creation is straightforward: each repair
symbol of ESI i is equal to the sum of all source and repair symbols
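Review bot: The function added for the triangle right side in Section 7.2 is declared as right_matrix_staircase_init(), the same name Section 6.2 gives to the staircase function, while its own header comment says "triangle structure". Rename it (for example right_matrix_triangle_init) so the two MUST-level functions can be told apart and a codec that carries both schemes does not end up with two definitions of one symbol. In the inner loop, j is both the loop bound ("l < j") and the value reassigned by "j = pmms_rand(j);"; a short comment saying that the shrinking bound is intentional would prevent a well-meaning cleanup from changing the generated matrix.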
@@ 1018,28 +1065,28 @@
(e.g., by sending forged symbols) or against the FEC parameters that
are sent either inband (e.g., in an EXT_FTI or FDT Instance) or out
ofband (e.g., in a session description).
8.2. Attacks Against the Data Flow
First of all, let us consider the attacks against the data flow.
8.2.1. Access to Confidential Objects
 Access control to the object being transmitted is typically provided
 by means of encryption. This encryption can be done over the whole
 object (e.g., by the content provider, before the FEC encoding
 process), or be done on a packet per packet basis (e.g., when IPSec/
 ESP is used [RFC4303]). If access control is a concern, it is
 RECOMMENDED that one of these solutions be used. Even if we mention
 these attacks here, they are not related nor facilitated by the use
 of FEC.
+ Access control to a confidential object being transmitted is
+ typically provided by means of encryption. This encryption can be
+ done over the whole object (e.g., by the content provider, before the
+ FEC encoding process), or be done on a packet per packet basis (e.g.,
+ when IPsec/ESP is used [RFC4303]). If confidentiality is a concern,
+ it is RECOMMENDED that one of these solutions be used. Even if we
+ mention these attacks here, they are not related nor facilitated by
+ the use of FEC.
8.2.2. Content Corruption
Protection against corruptions (e.g., after sending forged packets)
is achieved by means of a content integrity verification/sender
authentication scheme. This service can be provided at the object
level, but in that case a receiver has no way to identify which
symbol(s) is(are) corrupted if the object is detected as corrupted.
This service can also be provided at the packet level. In this case,
after removing all forged packets, the object may be in some case
@@ 1048,83 +1095,82 @@
o at the object level, the object MAY be digitally signed (with
public key cryptography), for instance by using RSASSAPKCS1v1_5
[RFC3447]. This signature enables a receiver to check the object
integrity, once this latter has been fully decoded. Even if
digital signatures are computationally expensive, this calculation
occurs only once per object, which is usually acceptable;
o at the packet level, each packet can be digitally signed. A major
limitation is the high computational and transmission overheads
 that this solution requires (unless Elliptic Curve Cryptography
 (ECC) is used). To avoid this problem, the signature may span a
 set of symbols (instead of a single one) in order to amortize the
 signature calculation. But if a single symbol is missing, the
 integrity of the whole set cannot be checked;
+ that this solution requires (unless perhaps if Elliptic Curve
+ Cryptography (ECC) is used). To avoid this problem, the signature
+ may span a set of symbols (instead of a single one) in order to
+ amortize the signature calculation. But if a single symbol is
+ missing, the integrity of the whole set cannot be checked;
o at the packet level, a Group Message Authentication Code (MAC)
[RFC2104] scheme can be used, for instance by using HMACSHA1
with a secret key shared by all the group members, senders and
receivers. This technique creates a cryptographically secured
(thanks to the secret key) digest of a packet that is sent along
with the packet. The Group MAC scheme does not create prohibitive
processing load nor transmission overhead, but it has a major
limitation: it only provides a group authentication/integrity
service since all group members share the same secret group key,
which means that each member can send a forged packet. It is
therefore restricted to situations where group members are fully
trusted (or in association with another technique as a precheck);
 o at the packet level, TESLA [RFC4082] is a very attractive and
 efficient solution that is robust to losses, provides a true
 authentication/integrity service, and does not create any
 prohibitive processing load or transmission overhead. Yet
 checking a packet requires a small delay (a second or more) after
 its reception;
+ o at the packet level, TESLA [RFC4082] is an attractive solution
+ that is robust to losses, provides a true authentication/integrity
+ service, and does not create any prohibitive processing load or
+ transmission overhead. Yet checking a packet requires a small
+ delay (a second or more) after its reception;
Techniques relying on public key cryptography (digital signatures and
TESLA during the bootstrap process, when used) require that public
keys be securely associated to the entities. This can be achieved by
a Public Key Infrastructure (PKI), or by a PGP Web of Trust, or by
predistributing the public keys of each group member.
Techniques relying on symmetric key cryptography (group MAC) require
that a secret key be shared by all group members. This can be
achieved by means of a group key management protocol, or simply by
predistributing the secret key (but this manual solution has many
limitations).
 It is up to the developer and deployer, who know the security
 requirements and features of the target application area, to define
 which solution is the most appropriate. Nonetheless, in case there
 is any concern of the threat of object corruption, it is RECOMMENDED
 that at least one of these techniques be used.
+ It is up to the CDP developer, who knows the security requirements
+ and features of the target application area, to define which solution
+ is the most appropriate. Nonetheless, in case there is any concern
+ of the threat of object corruption, it is RECOMMENDED that at least
+ one of these techniques be used.
8.3. Attacks Against the FEC Parameters
Let us now consider attacks against the FEC parameters (or FEC OTI).
The FEC OTI can either be sent inband (i.e., in an EXT_FTI or in an
FDT Instance containing FEC OTI for the object) or outofband (e.g.,
in a session description). Attacks on these FEC parameters can
prevent the decoding of the associated object: for instance modifying
the B parameter will lead to a different block partitioning.
It is therefore RECOMMENDED that security measures be taken to
guarantee the FEC OTI integrity. To that purpose, the packets
carrying the FEC parameters sent inband in an EXT_FTI header
extension SHOULD be protected by one of the perpacket techniques
described above: digital signature, group MAC, or TESLA. When FEC
OTI is contained in an FDT Instance, this object SHOULD be protected,
for instance by digitally signing it with XML digital signatures
[RFC3275]. Finally, when FEC OTI is sent outofband (e.g., in a
session description) this latter SHOULD be protected, for instance by
 digitally signing it.
+ digitally signing it with [RFC3852].
The same considerations concerning the key management aspects apply
here also.
9. IANA Considerations
Values of FEC Encoding IDs and FEC Instance IDs are subject to IANA
registration. For general guidelines on IANA considerations as they
apply to this document, see [RFC5052].
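Review bot: Replacing "the developer and deployer" with "the CDP developer" in the last paragraph of Section 8.2.2 leaves the choice of integrity scheme to the protocol implementer alone, although the two paragraphs just above it describe decisions that are made at deployment time (PKI or pre-distributed public keys, group key management or a pre-distributed secret key). Consider keeping the deployer in that sentence, or saying who selects among the schemes a CDP implements; CDP is also not expanded anywhere in this hunk. In Section 8.3, "digitally signing it with [RFC3852]" uses the citation as the object of the sentence; name the mechanism, for example "with the Cryptographic Message Syntax (CMS) [RFC3852]".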
@@ 1132,22 +1178,23 @@
"ietf:rmt:fec:encoding" namespace to "LDPC Staircase Codes".
This document assigns the FullySpecified FEC Encoding ID 4 under the
"ietf:rmt:fec:encoding" namespace to "LDPC Triangle Codes".
10. Acknowledgments
Section 5.5 is derived from a previous InternetDraft, and we would
like to thank S. Peltotalo and J. Peltotalo for their contribution.
We would also like to thank Pascal Moniot, Laurent Fazio, Aurelien
 Francillon, Shao Wenjian, Brian Carpenter, Magnus Westerlund, and
 Alfred Hoenes for their comments.
+ Francillon, Shao Wenjian, Magnus Westerlund, Brian Carpenter, Tim
+ Polk, Jari Arkko, Chris Newman, Robin Whittle and Alfred Hoenes for
+ their comments.
Last but not least, the authors are grateful to Radford M. Neal
(University of Toronto) whose LDPC software
(http://www.cs.toronto.edu/~radford/ldpc.software.html) inspired this
work.
11. References
11.1. Normative References
@@ 1192,20 +1239,29 @@
642981, 2003.
[PM88] Park, S. and K. Miller, "Random Number Generators: Good
Ones are Hard to Find", Communications of the ACM, Vol.
31, No. 10, pp.11921201, 1988.
[CA90] Carta, D., "Two Fast Implementations of the Minimal
Standard Random Number Generator", Communications of the
ACM, Vol. 33, No. 1, pp.8788, January 1990.
+ [WI08] Whittle, R., "ParkMillerCarta PseudoRandom Number
+ Generator", http://www.firstpr.com.au/dsp/rand31/,
+ January 2008.
+
+ [rand31pmc]
+ Whittle, R., "31 bit pseudorandom number generator", htt
+ p://www.firstpr.com.au/dsp/rand31/
+ rand31parkmillercarta.cc.txt, September 2005.
+
[PTVF92] Press, W., Teukolsky, S., Vetterling, W., and B. Flannery,
"Numerical Recipies in C; Second Edition", Cambridge
University Press, ISBN: 0521431085, 1992.
[draftietfrmtpialcrevised]
Luby, M., Watson, M., and L. Vicisano, "Asynchronous
Layered Coding (ALC) Protocol Instantiation",
draftietfrmtpialcrevised04.txt (work in progress),
February 2007.
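Review bot: The URL in the new [rand31pmc] entry is split inside the scheme ("htt" at the end of one line, "p://www.firstpr.com.au/dsp/rand31/" on the next) and again before the file name, so it cannot be copied or linked as printed; keep it on a single line or enclose it in angle brackets. This revision removes the in-document PRNG example and Section 5.7 now points to this entry for the optimized implementation, and both [WI08] and [rand31pmc] resolve to the same personal site, so it is worth confirming that [PM88] and [CA90] alone are enough for an implementer if that site becomes unavailable.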
@@ 1233,74 +1289,27 @@
RFC 2104, February 1997.
[RFC4082] "Timed Efficient Stream LossTolerant Authentication
(TESLA): Multicast Source Authentication Transform
Introduction", RFC 4082, June 2005.
[RFC3275] Eastlake, D., Reagle, J., and D. Solo, "(Extensible Markup
Language) XMLSignature Syntax and Processing", RFC 3275,
March 2002.
Appendix A. Pseudo Random Number Generator Example Implementation
 (Informative Only)

 The following is an implementation of the minimal standard generator
 defined in Section 5.7 that scales the result between 0 and maxv1
 inclusive. It uses the Park and Miller algorithm [PM88] with the
 optimization suggested by D. Carta in [CA90]. The inner algorithm
 relies on 32 bit mathematics only and does not require any division.

 unsigned long seed;

 /*
 * Initialize the PRNG with a seed between
 * 1 and 0x7FFFFFFE (i.e., 2^^312) inclusive.
 */
 void srand (unsigned long s)
 {
 if ((s > 0) && (s < 0x7FFFFFFF))
 seed = s;
 else
 exit(1);
 }

 /*
 * Returns a random integer in [0; maxv1]
 * Derived from rand31pmc, Robin Whittle,
 * September 20th, 2005.
 * http://www.firstpr.com.au/dsp/rand31/
 * 16807 multiplier constant (7^^5)
 * 0x7FFFFFFF modulo constant (2^^311)
 * The inner PRNG produces a value between 1 and
 * 0x7FFFFFFE (2^^312) inclusive.
 * This value is then scaled between 0 and maxv1
 * inclusive.
 */
 unsigned long
 rand (unsigned long maxv)
 {
 unsigned long hi, lo;
+ [RFC3852] Housley, R., "Cryptographic Message Syntax (CMS)",
+ RFC 3852, July 2004.
 lo = 16807 * (seed & 0xFFFF);
 hi = 16807 * (seed >> 16); /* binary shift to right */
 lo += (hi & 0x7FFF) << 16; /* binary shift to left */
 lo += hi >> 15;
 if (lo > 0x7FFFFFFF)
 lo = 0x7FFFFFFF;
 seed = lo;
 /* don't use modulo, least significant bits are less random
 * than most significant bits [PTVF92] */
 return ((unsigned long)
 ((double)maxv * (double)seed / (double)0x7FFFFFFF));
 }
+ [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data
+ Encodings", RFC 4648, October 2006.
Appendix B. Trivial Decoding Algorithm (Informative Only)
+Appendix A. Trivial Decoding Algorithm (Informative Only)
A trivial decoding algorithm is sketched below (please see
[LDPCcodec] for the details omitted here):
Initialization: allocate a table partial_sum[nk] of buffers, each
buffer being of size the symbol size. There's one
entry per equation since the buffers are meant to
store the partial sum of each equation; Reset all
the buffers to zero;
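Review bot: Deleting the old Appendix A also deletes the only place where the seed range was enforced (the removed srand() accepted s only when "(s > 0) && (s < 0x7FFFFFFF)"), and the replacement text in Section 5.7 describes the seeding function with a lowercase "should" and gives it no name. The PRNG seed is carried in the FEC OTI (Figure 3), and with Ij+1 = A * Ij (modulo M) a seed of 0 yields 0 for every later value, so a receiver has to validate it. Suggest adding to Section 5.7 that the seed MUST lie between 1 and 0x7FFFFFFE inclusive and that a receiver MUST reject an FEC OTI carrying any other value.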
@@ 1411,21 +1420,21 @@
12, Rue Jules Horowitz
BP217
Grenoble Cedex 38019
France
Email: david.furodet@st.com
URI: http://www.st.com/
Full Copyright Statement
 Copyright (C) The IETF Trust (2007).
+ Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF