This document describes an end to end protocol over UDP or direct over IP. This protocol specifies an approach of providing the STANAG 5066 service over UDP/IP. This is to enable STANAG 5066 to be used over IP and in particular to make of IP Crypto including IPsec and HAIPE.
This document is part of the STANAG 5066 Application Protocol (S5066-APP) series. The complete set of documents in the series are:
Black Side IP over HF is provided using a black side STANAG 5066 system. To provide the full service, this protocol needs to be used with two other capabilities to communicate service elements with the black side STANAG 5066 system:
It is anticipated that the black side STANAG 5066 system will provide TRANSEC using AES and the mechanism defined in [STANAG 5066 TRANSEC Crypto Layer using AES and other Protocols (S5066-EP14)].
This specification specifies behavior of a SIS server, as shown in the diagram above. Notes:
The natural and simplest way to deploy IP Crypto is in an environment where all applications run over IP. This is not viable for HF. Many IP applications, particularly bulk applications and HTTP over TCP will not run efficiently when IP is mapped directly only HF as an IP subnet using STANAG 5066 F.12 IP Client. This is discussed in the Isode whitepaper [Measuring and Analysing STANAG 5066 F.12 IP Client].
A number of applications built for HF have optimized protocols over STANAG 5066 and it is highly desirable to use these protocols.
As a consequence, IP Crypto needs to be used in a special manner.
The architecture described here provides an extended IP service by:
This extended IP service is contrasted to standard IP in the following table.
Capability | Extended IP Service | Standard IP Service |
---|---|---|
IPv4/IPv6 Source and Destination Addressing | Yes | Yes |
Unreliable (non-ARQ) data | Yes | Yes |
Reliable (ARQ) data | Yes | No |
Handling black side data loss | Yes | No |
Priority | Yes | No |
Flow Control | Yes | No |
The following STANAG 5066 Services are not provided by this specification:
For Unidata, the “Non-ARQ with Errors” service is not provided.
Omitting these services is not expected to have any practical impact.
Only destination SAP is used. There does not appear to be operational benefit of allowing source SAP to be different.
This STANAG 5066 SIS services are provided as follows.
Bind services are provided locally by the SIS server. The server shall enforce a maximum of one connection per SAP.
The MTU will be determined based on constraints of the underlying system. For older systems, it may need to be reduced to ensure no IP fragmentation. Each PDU will need to be included in a U_PDU of max size likely to be 2048 in the black side STANAG 5066 system. There will be overheads from IP transport and IP crypto. As a consequence the MTU is expected to be set to a value slightly less that 2048 to allow for these overheads.
The SIS server shall send Keep Alives at intervals.
Flow control shall be provided to SIS clients based on information from the HF subsystem, provided by a mechanism following S5066-APP7 or equivalent.
Unidata requests and indications and client confirmation are provided by the UDP protocol specified below.
Node confirmation and rejects shall be provided to SIS clients based on information from the HF subsystem, provided by a mechanism such as the one specified in S5066-APP7.
Unidata priority, “in order”, and ARQ/non-ARQ information is included in the protocol defined below, so that this information can be supplied to the receiving system in S_UNIDATA_INDICATION. This information shall also be communicated to the HF subsystem following S5066-APP6 or equivalent procedure.
Unidata is carried in UDP using the following format.
MSB 7 |
6 | 5 | 4 | 3 | 2 | 1 | LSB 0 |
|
---|---|---|---|---|---|---|---|---|
0 | Version = 0 | Not Used | ARQ | Client Confirm | Type=0 | |||
1 | SAP |
Priority |
||||||
2 3 |
Confirmation ID (optional) |
|||||||
4 n |
U_PDU |
The PDU is encoded as follows:
Client Confirm/Reject is provided using the following PDU, when client confirmation is requested and the U_PDU is delivered to the client or when the U_PDU is rejected. Note that rejects are only sent when the sender requests client confirmation.
MSB 7 |
6 | 5 | 4 | 3 | 2 | 1 | LSB 0 |
|
---|---|---|---|---|---|---|---|---|
0 | Version = 0 | Not Used | Reason |
Type=1 | ||||
2 3 |
Confirmation ID |
Type value is set to 1 for the Client Confirm/Reject. Confirmation ID shall be the value taken from the arriving U_PDU. Reason has values according to the following table:
Reason | Code | Description |
---|---|---|
Confirm | 0 | Confirmation of passing Data PDU to SIS Client |
Not Bound | 1 | SIS Client not bound on SAP |
Version Error | 2 | Version of protocol in Data PDU not supported |
Protocol Error | 3 | Protocol Error in data PDU |
These PDUs shall be sent over UDP. The UDP destination port shall be 95066 or another value agreed for the deployment. IP fragmentation shall not be used.
IPv4 or IPv6 may be used. Note that no STANAG 5066 addressing is used in protocol. SIS servers must map provided STANAG 5066 source and destination addresses into equivalent IPv4 or IPv6 addresses.
The provided Rank of Unidata is ignored.
The provided TTL of Unidata is used to set a timer if Node or Client confirmation is requested. In the event of the timer expiring and no reject or confirmation for the Unidata being received, the SIS server shall reject the Unidata with reason “TTL expired”.