Network Working Group D. Ellard Internet-Draft Raytheon BBN Technologies Intended status: Experimental February 24, 2010 Expires: August 28, 2010 Extending the Bundle Protocol with Relative Time and Hops to Live draft-ellard-dtnrg-reltime-htl-00 Abstract This draft presents two extensions to the DTN bundle protocol. The first extension is the use of relative time rather than absolute time to address situations where the DTN nodes cannot achieve loosely synchronized clocks, as required by the current DTN bundle protocol. The second extension is the addition of a "hops-to-live" field to the bundle header, which specifies how many node-to-node hops each instance of a bundle is permitted to make before it expires. These two extensions are separable; either may be used independently of the other. Used together, however, they provide a powerful way to constrain resources consumed by the handling of a DTN bundle despite the absence of synchronized clocks or the presence of incomplete knowledge of the network topology (which may lead to the presence of hazards such as routing loops). Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on August 28, 2010. Ellard Expires August 28, 2010 [Page 1] Internet-Draft Relative Time and Hops to Live in DTN February 2010 Copyright Notice Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Problems Establishing a Real-time Clock . . . . . . . . . 3 1.2. Requirements Notation . . . . . . . . . . . . . . . . . . 4 1.3. Scope of This Document . . . . . . . . . . . . . . . . . . 4 2. Changes to the DTN Bundle Header . . . . . . . . . . . . . . . 5 2.1. The Version . . . . . . . . . . . . . . . . . . . . . . . 5 2.2. Bundle Processing Flags . . . . . . . . . . . . . . . . . 5 2.3. Creation Timestamp Time . . . . . . . . . . . . . . . . . 5 2.4. Bundle Lifetime . . . . . . . . . . . . . . . . . . . . . 6 2.5. Remaining Lifetime . . . . . . . . . . . . . . . . . . . . 6 2.6. Hops to Live . . . . . . . . . . . . . . . . . . . . . . . 7 2.7. Primary Block Diagram . . . . . . . . . . . . . . . . . . 7 3. Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . 9 3.1. The Granularity of the Remaining Lifetime . . . . . . . . 9 3.2. Compatibility with the Bundle Security Protocol . . . . . 9 3.3. Startup Issues . . . . . . . . . . . . . . . . . . . . . . 9 3.4. Compatibility with DTNv6 . . . . . . . . . . . . . . . . . 10 3.4.1. Changing from AT to RT mode . . . . . . . . . . . . . 10 3.4.2. Translation between RT mode and AT mode . . . . . . . 11 3.4.3. Discussion . . . . . . . . . . . . . . . . . . . . . . 11 3.5. Bundle Status Reports . . . . . . . . . . . . . . . . . . 11 4. Security Considerations . . . . . . . . . . . . . . . . . . . 13 4.1. Incompatibility with the Bundle Security Protocol . . . . 13 4.2. Bundle Lifetime Limits and Incorrect Creation Times . . . 13 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 15 7. Informative References . . . . . . . . . . . . . . . . . . . . 16 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 17 Ellard Expires August 28, 2010 [Page 2] Internet-Draft Relative Time and Hops to Live in DTN February 2010 1. Introduction 1.1. Problems Establishing a Real-time Clock Delay/Disruption-Tolerant Networking (DTN) is an architecture and a set of protocols that enable communication in environments with intermittent connectivity and long delays. An architecture for disruption tolerant networks [RFC4838] has been defined. This architecture describes disruption tolerant networks in terms of DTN nodes that create, relay, and deliver units of information termed bundles. Each bundle is defined to have a finite lifetime, after which it is deemed to be expired. A full definition of the protocol for creating, interpreting, and handling bundles by DTN nodes has also been defined [RFC5050]. One issue that has been raised about the bundle protocol is that it assumes that every node in the network has access to a realtime clock, and all of these realtime clocks are synchronized to a reasonable degree (typically within a small number of seconds). This assumption, when it holds, provides the convenience that the timing of both future events (i.e., when a bundle should expire because it is no longer needed, or no longer relevant) and past events (i.e., when a bundle was created or delivered) may be represented using this common, absolute frame of reference. Unfortunately, our experiences in deploying disruption tolerant networks have shown that the problem of establishing a common realtime clock is currently intractable in some real-world scenarios. The reason is usually a combination of several factors: o DTN nodes may have reliable, inaccurate clocks. These clocks might not have been initialized to the correct time or may have lost power since their initialization, or may drift significantly over time. o The links between the DTN nodes may often be disrupted. The nodes might not be able to communicate with an accurate time source to find the current time, or to run a time synchronization protocol such as NTP [RFC2030] to negotiate a shared time reference. o Bundle lifetimes may be short. If bundle lifetimes are comparable with the amount of clock drift that can accumulate between good clock settings, bundles may appear to have expired before they are sent. There have been other discussions of extensions to the bundle protocol to address the problem of unsynchronized clocks in the context of DTN [I-D.farrell-dtnrg-alt-time]. Ellard Expires August 28, 2010 [Page 3] Internet-Draft Relative Time and Hops to Live in DTN February 2010 1.2. Requirements Notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 1.3. Scope of This Document This document describes extensions to version six of the DTN bundle protocol (DTNv6) [RFC5050]. With respect to DTNv6, this document does not: o describe details of the DTNv6 protocol, except where needed to compare or contrast with the proposed extensions. o modify the specification of the DTNv6 protocol. Ellard Expires August 28, 2010 [Page 4] Internet-Draft Relative Time and Hops to Live in DTN February 2010 2. Changes to the DTN Bundle Header The changes described in this document are relative to version 6 ("DTNv6") of the DTN bundle protocol [RFC5050]. Fields of the bundle header that are not mentioned in this section should be assumed to have the identical format and meaning as described in RFC5050. 2.1. The Version We propose that version number 7 be assigned to represent bundles that include any of the new fields described in this proposal. In order to differentiate bundles represented in the proposed format, it is customary to choose a different version number than that employed any past or current version of the bundle protocol. Although this is optional in our proposal (because version 6 bundles may be interpreted as a subset of version 7 bundles, with the difference being determined entirely via the Bundle Processing Flags, as described in Section 2.2), this approach is extremely likely to lead to problems with backwards compatibility. Current implementations of DTN do not check for the new Bundle Processing Flag values, and therefore would misinterpret bundles that used any of the new functionality proposed here. 2.2. Bundle Processing Flags Bits 0-19 There are no changes to the lower 20 bits of the bundle processing flags. Bit 20 (the RT bit) If bit 20 is 1, then use relative time (RT) instead of absolute time (AT). If 0, then use absolute time, in a manner compatible with DTNv6, and the Remaining Lifetime (RL) field (described in Section 2.5 MUST be omitted. Bit 21 (the HTL bit) If bit 21 is 1, then use the Hops to Live (HTL) field to determine whether a bundle should be discarded because it has traversed too many hops. If 0, then the Hops to Live field is ignored, and the Hops to Live field (described in Section 2.6) MUST be omitted. 2.3. Creation Timestamp Time If the RT bit in the bundle processing flags is 0, then this field is initialized, interpreted, and used exactly as in DTNv6. When the RT bit in the bundle processing flags is 1, then this field is not used to determine when a bundle expires. Ellard Expires August 28, 2010 [Page 5] Internet-Draft Relative Time and Hops to Live in DTN February 2010 Note that the Creation Timestamp SHOULD be initialized with the current local time because the Creation Timestamp is often used for additional purposes, such as creating unique bundle identifiers. If the node does not have a reliable source of local time (at minimum, a monotonically increasing counter) then this implies that the Creation Timestamp Sequence Number must be created in such a way that it alone suffices to ensure uniqueness across all bundles created on the local node. This property is not guaranteed by the method for choosing the Creation Timestamp sequence number described in DTNv6, which relies upon the existence of a good, monotonically-increasing local clock, but may be guaranteed via other methods. 2.4. Bundle Lifetime This field represents the number of seconds that a bundle may exist between its creation and expiration. This meaning is the same as in DTNv6, and is the same for both AT and RT modes. The only difference between AT and RT modes is how the calculation of the age of a bundle is performed. In AT mode, the local clock is assumed to be synchronized (or nearly synchronized) with the clock of the node that created the bundle, and therefore the calculation is performed by comparing the difference between the of the local clock and the Creation Timestamp of the bundle. If this difference is greater than the Lifetime, then the bundle has expired. In RT mode, the Creation Timestamp field is not used to perform this calculation, but is only used as a reference for the sake of backwards compatibility with AT mode. The Remaining Lifetime field (described in Section 2.5 is used to determine whether or not a bundle has expired. When the Remaining Lifetime reaches zero, the bundle has expired. 2.5. Remaining Lifetime This is a new field that does not exist in DTNv6. The "Remaining Lifetime" (RL) field is an SDNV field that specifies how many seconds the bundle can remain in the system before it expires. The RL is expressed in seconds, as an SDNV. It is decremented as the bundle is processed, and the bundle expires when it reaches zero. If the bundle is created in RT mode, then the initial value of the Remaining Lifetime field MUST be identical to the value of the Lifetime field. At each hop, the Remaining Lifetime is decremented Ellard Expires August 28, 2010 [Page 6] Internet-Draft Relative Time and Hops to Live in DTN February 2010 by the length of time that has elapsed since the previous hop, rounded down to the nearest second. There are several points in the handling of a bundle where the Remaining Lifetime may be decremented by the BPA. These include: o When the bundle is received by a convergence layer adapter (CLA). The CLA may have knowledge about the time required for the bundle to traverse the link, given the size of the bundle, the effective bandwidth of the channel, and the latency or propagation delay of the channel (which may be the most significant factor in the case of links between DTN nodes separated by light-seconds or light- minutes of distance). o When the bundle is retrieved from local storage. o When the bundle is idle in the BPA for a significant period of time, for any reason, such as waiting for a router to compute a route and choose a CLA. For some applications, such as using DTN to move small bundles within a MANET, the effective processing and transmission delay may generally be small enough so that the only time that the Remaining Lifetime field needs to be decremented is when a bundle is retrieved from local storage. For other applications, such moving large bundles between deep space nodes, the channel latency and transmission delays must also be considered. 2.6. Hops to Live This is a new field that does not exist in DTNv6. The Hops to Live (HTL) field is an SDNV field that specifies the number of "hops" (transitions from one DTN node to another) that the bundle is permitted to make before the bundle expires. If the HTL bit is not set in the Bundle Processing Flag, then this field is omitted. 2.7. Primary Block Diagram Ellard Expires August 28, 2010 [Page 7] Internet-Draft Relative Time and Hops to Live in DTN February 2010 +----------------+----------------+----------------+----------------+ | Version | Bundle Processing Flags (*) | +----------------+----------------+----------------+----------------+ | Block length (*) | +----------------+----------------+---------------------------------+ | Destination scheme offset (*) | Destination SSP offset (*) | +----------------+----------------+----------------+----------------+ | Source scheme offset (*) | Source SSP offset (*) | +----------------+----------------+----------------+----------------+ | Report-to scheme offset (*) | Report-to SSP offset (*) | +----------------+----------------+----------------+----------------+ | Custodian scheme offset (*) | Custodian SSP offset (*) | +----------------+----------------+----------------+----------------+ | Creation Timestamp time (*) | +---------------------------------+---------------------------------+ | Creation Timestamp sequence number (*) | +---------------------------------+---------------------------------+ | Lifetime (*) | +----------------+----------------+----------------+----------------+ | [(NEW) Remaining Lifetime (*)] | +----------------+----------------+----------------+----------------+ | [(NEW) Hops to Live (*)] | +----------------+----------------+----------------+----------------+ | Dictionary Length (*) | +----------------+----------------+----------------+----------------+ | Dictionary byte array (variable) | +----------------+----------------+---------------------------------+ | [Fragment offset (*)] | +----------------+----------------+---------------------------------+ | [Total application data unit length (*)] | +----------------+----------------+---------------------------------+ Figure 1 Note that in Figure 1 all of the fields in the primary block, with the exception of the 8-bit Version field, are variable length (either SNDV, or in the case of the Dictionary, a string of bytes whose length is defined by the SDNV Dictionary Length. The alignments shown here are simply for the sake of notational convenience. See RFC 5050 [RFC5050] for more detail. Ellard Expires August 28, 2010 [Page 8] Internet-Draft Relative Time and Hops to Live in DTN February 2010 3. Discussion 3.1. The Granularity of the Remaining Lifetime If a bundle is forwarded "quickly" through a node, and the transfer time is small, then its RL might not be decremented (since the elapsed time is always rounded down to the nearest second, and many bundles will require less than one second to receive and forward). Therefore a bundle may survive for many seconds longer than its RL, as long as it continues to make steady progress hops. The only time that the RL will be decremented is if the bundle is "stalled" in a node and remains there for longer than one second. Is this what we want, or should the RL be measured in a finer unit (milliseconds? microseconds? nanoseconds?), so that it is decremented even when a bundle is forwarded without only a very small amount of delay, and bundles can still expire even if they are never stalled? 3.2. Compatibility with the Bundle Security Protocol We can reuse the bundle header canonical format used by the Bundle Security Protocol (BSP) [I-D.irtf-dtnrg-bundle-security] of DTNv6 for this proposed format. The only question is whether there is any need to protect the Hops to Live or Remaining Lifetime fields in a way more powerful than provided by the current hop-by-hop security. 3.3. Startup Issues If the BPA is shut down (or crashes, etc) or for some other reason loses track of the passage of time, it may not be able to update the RL properly for bundles that it has in its storage system. This problem is particularly difficult if there is no reliable way to determine whether the clock has changed when the BPA was down. There are several possible approaches: 1. If the device has access to an accurate clock, or can reliably measure the passage of time even when it is shut down, the receipt time of all bundles could be recorded and used normally, as if the shutdown had not occurred. 2. Assume that no time has passed since the shut down and that the local clock has not been altered. The remaining RL of bundles stored locally is not impacted by the reboot. Ellard Expires August 28, 2010 [Page 9] Internet-Draft Relative Time and Hops to Live in DTN February 2010 3. Assume that a period of time equal to the expected time required to shut down and restart the node has elapsed. This assumes that the node was not actually halted, but simply reset. 4. Assume that an unknown and potentially large period of time has elapsed since the system was shut down. This period of time may be chosen arbitrarily (i.e., it may reduce to the previous case). 5. Assume that a period of time greater than the longest remaining lifetime of any bundle in storage has elapsed since the system was shut down, and therefore all stored bundles with an RL have expired. 3.4. Compatibility with DTNv6 In this section, we outline how bundles may be translated between the proposed protocol and DTNv6. We note that the reviewers of this draft feel that the utility of backward compatibility with DTNv6 is questionable and agree that it adds complexity in implementation. In Section 3.4.3 we discuss some of the obstacles to complete compatibility. There is a mechanical way to rewrite bundle headers traversing from nodes that implement DTNv6 to nodes that implement the proposed protocol and vice versa, assuming that all the intermediate nodes between the trans-protocol frontiers share a common clock (which is a valid assumption in some cases). Two DTN nodes that share a common clock may correctly communicate via either DTNv6 or the proposed protocol, using either RT or AT mode, but two nodes that do not share a common clock must use the proposed protocol in RT mode (or some equivalent mechanism) in order to ensure correct communication. 3.4.1. Changing from AT to RT mode This section specifies an algorithm for transforming an AT mode bundle header to an RT mode bundle header. 1. Calculate the value of the Remaining Lifetime field by computing the difference between the expiration time of the bundle (the sum of the Creation Timestamp and the Lifetime fields) and the current lifetime. 2. Create a new bundle header, with the same contents as the current header, but set the RT mode bit in the Bundle Processing Flags field, and insert the Remaining Lifetime field. Ellard Expires August 28, 2010 [Page 10] Internet-Draft Relative Time and Hops to Live in DTN February 2010 3.4.2. Translation between RT mode and AT mode This section specifies an algorithm for transforming an RT mode bundle header to an AT mode bundle header. If the DTN nodes have synchronized clocks, then all that is necessary is to remove the Remaining Lifetime field and clear the RT bit from the Bundle Processing Flags field. This algorithm handles the case when the clocks on the two nodes are not synchronized. 1. Compute the current age of the bundle by subtracting the Lifetime field from the Remaining Lifetime field. 2. Compute the effective creation timestamp of the bundle by subtracting the current age of the bundle from the current clock value. 3. Create a new AT-mode bundle header, using the effective creation timestamp as the value of the Creation Timestamp. 3.4.3. Discussion The process of conversion between RT and AT mode may break central assumptions about how bundles may be uniquely identified. For example, some DTN implementations use the Creation Timestamp as part of their check to see whether a given bundle has already been seen. If there are two versions of the bundle (one in RT mode, and the other in AT mode) then this test will not reliably detect duplicates unless additional steps are taken to normalize the bundle header fields before comparison. An additional problem is that this rewriting is not backwards- compatible with BSP, because it changes the length of the bundle header and also modifies the value of the Creation Timestamp field, which is part of the canonical representation of the bundle header [I-D.irtf-dtnrg-bundle-security]. Is it worth providing this mechanism, even though we know that it doesn't work with BSP? To work with BSP, one practical alternative is to use Bundle-in- Bundle, with a special (to-be-defined) tag, but this has issues as well. 3.5. Bundle Status Reports Timestamps appear in bundle status reports (i.e., time when a bundle was deleted or delivered). In DTNv6, these are all specified in Ellard Expires August 28, 2010 [Page 11] Internet-Draft Relative Time and Hops to Live in DTN February 2010 absolute time, because it is assumed that any node or app that reads the timestamps will be in the same frame of reference as the writer. If this assumption is false, then these timestamps have no useful interpretation. One possible modification, whose interpretation makes sense in "relative time" mode, is to replace these timestamps with the value of the time-to-live field on the bundle at the moment that the status change occurred (e.g., "this bundle was delivered five seconds before it would have expired"), or the lifetime field minus the time-to-live field (e.g., "this bundle was delivered twelve seconds after it was created"). Ellard Expires August 28, 2010 [Page 12] Internet-Draft Relative Time and Hops to Live in DTN February 2010 4. Security Considerations 4.1. Incompatibility with the Bundle Security Protocol As mentioned in Section 3.2 and Section 3.4.3, the changes proposed in this document may require changes to BSP as well. 4.2. Bundle Lifetime Limits and Incorrect Creation Times A malicious or incorrect DTN node may create bundles with excessive lifetimes. This consideration is not unique to the proposed protocol, but already exists in DTNv6. If a DTN node creates a bundle with a very long Lifetime (in RT or AT mode), or a Creation Timestamp in the future (in AT mode), then the bundle may consume DTN resources for a very long time. It is possible to imagine a denial- of-service attack on a DTN by an attacker who slowly clogs the network with many immortal bundles that consume resources until the network is unable to accept any new bundles. Every DTN node should have a policy about how it will handle a bundle with a Creation Timestamp from the future (for AT mode), an excessive Lifetime (in AT or RT mode) or Remaining Lifetime (in RT mode). How such a policy is specified is beyond the scope of this document. Ellard Expires August 28, 2010 [Page 13] Internet-Draft Relative Time and Hops to Live in DTN February 2010 5. IANA Considerations If a IANA registry for bundle protocol version numbers is ever created, then it will need to be updated to assign a new number to the protocol described by this document. Ellard Expires August 28, 2010 [Page 14] Internet-Draft Relative Time and Hops to Live in DTN February 2010 6. Acknowledgments This document incorporates suggestions and ideas from many members of the DTN community. This draft incorporates significant improvements suggested by John Zinky, Brenton Walker, and William Ivancic. Ellard Expires August 28, 2010 [Page 15] Internet-Draft Relative Time and Hops to Live in DTN February 2010 7. Informative References [I-D.farrell-dtnrg-alt-time] Farrell, S., Mahon, A., and J. Ott, "Handling Issues with Real Time in the Bundle Protocol", draft-farrell-dtnrg-alt-time-00 (work in progress), November 2009. [I-D.irtf-dtnrg-bundle-security] Symington, S., Farrell, S., Weiss, H., and P. Lovell, "Bundle Security Protocol Specification", draft-irtf-dtnrg-bundle-security-15 (work in progress), February 2010. [RFC2030] Mills, D., "Simple Network Time Protocol (SNTP) Version 4 for IPv4, IPv6 and OSI", RFC 2030, October 1996. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC4838] Cerf, V., Burleigh, S., Hooke, A., Torgerson, L., Durst, R., Scott, K., Fall, K., and H. Weiss, "Delay-Tolerant Networking Architecture", RFC 4838, April 2007. [RFC5050] Scott, K. and S. Burleigh, "Bundle Protocol Specification", RFC 5050, November 2007. Ellard Expires August 28, 2010 [Page 16] Internet-Draft Relative Time and Hops to Live in DTN February 2010 Author's Address Daniel Ellard Raytheon BBN Technologies 10 Moulton Street Cambridge, MA 02138 US Phone: +1 617 873 8004 Email: dellard@bbn.com Ellard Expires August 28, 2010 [Page 17]