Time-Variant Routing (TVR) Requirements
draft-ietf-tvr-requirements-08
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft whose latest revision state is "Active".
|
|
|---|---|---|---|
| Authors | Daniel King , Luis M. Contreras , Brian Sipos , Li Zhang | ||
| Last updated | 2026-04-16 (Latest revision 2026-03-02) | ||
| Replaces | draft-kcs-tvr-requirements | ||
| RFC stream | Internet Engineering Task Force (IETF) | ||
| Formats | |||
| Reviews |
INTDIR Telechat review
by Darren Dukes
Ready w/nits
OPSDIR IETF Last Call review
(of
-07)
by Bo Wu
Clarification Needed
|
||
| Additional resources | Mailing list discussion | ||
| Stream | WG state | Submitted to IESG for Publication | |
| Associated WG milestone |
|
||
| Document shepherd | Edward J. Birrane | ||
| Shepherd write-up | Show Last changed 2025-11-30 | ||
| IESG | IESG state | IESG Evaluation::Revised I-D Needed | |
| Consensus boilerplate | Yes | ||
| Telechat date |
(None)
Has 2 DISCUSSes. Has enough positions to pass once DISCUSS positions are resolved. |
||
| Responsible AD | Gunter Van de Velde | ||
| Send notices to | edward.birrane@jhuapl.edu | ||
| IANA | IANA review state | IANA OK - No Actions Needed |
draft-ietf-tvr-requirements-08
Network Working Group D. King
Internet-Draft Lancaster University
Intended status: Informational L. M. Contreras
Expires: 3 September 2026 Telefonica
B. Sipos
JHU/APL
L. Zhang
Huawei
2 March 2026
Time-Variant Routing (TVR) Requirements
draft-ietf-tvr-requirements-08
Abstract
Time-Variant Routing (TVR) refers to calculating a path or subpath
through a network where the time of message transmission (or receipt)
is part of the overall route computation. This means that, all
things being equal, a TVR computation might produce different results
depending on the time that the computation is performed without other
detectable changes to the network topology or other cost functions
associated with the route.
This document introduces requirements for the design and
implementation of systems which perform TVR computations. It also
explains different aspects of a TVR system which need to be
considered during its design.
About This Document
This note is to be removed before publishing as an RFC.
Status information for this document may be found at
https://datatracker.ietf.org/doc/draft-ietf-tvr-requirements/.
Discussion of this document takes place on the Time Variant Routing
Working Group mailing list (mailto:tvr@ietf.org), which is archived
at https://mailarchive.ietf.org/arch/browse/tvr/. Subscribe at
https://www.ietf.org/mailman/listinfo/tvr/.
Source for this draft and an issue tracker can be found at
https://github.com/danielkinguk/tvr-requirements.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
King, et al. Expires 3 September 2026 [Page 1]
Internet-Draft TVR Requirements March 2026
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 3 September 2026.
Copyright Notice
Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Conventions and Definitions . . . . . . . . . . . . . . . 4
2. Overview of Time-Variant Networks . . . . . . . . . . . . . . 6
2.1. Resource Scheduling . . . . . . . . . . . . . . . . . . . 7
2.1.1. Schedule Domains . . . . . . . . . . . . . . . . . . 7
2.1.2. Schedule Visibility . . . . . . . . . . . . . . . . . 8
2.1.3. Generation Locality . . . . . . . . . . . . . . . . . 9
2.1.4. Execution Locality . . . . . . . . . . . . . . . . . 9
2.1.5. Configuration and Operational State . . . . . . . . . 12
2.2. General Temporality . . . . . . . . . . . . . . . . . . . 12
2.2.1. Scope of Time-Variability . . . . . . . . . . . . . . 12
2.2.2. Time Horizon . . . . . . . . . . . . . . . . . . . . 13
2.2.3. Time Precision and Accuracy . . . . . . . . . . . . . 13
2.2.4. Time Synchronization and Margin . . . . . . . . . . . 14
2.2.5. Validity in a Schedule . . . . . . . . . . . . . . . 14
2.2.6. Periodicity in a Schedule . . . . . . . . . . . . . . 15
2.2.7. Continuity in a Schedule . . . . . . . . . . . . . . 15
2.2.8. Time-Overlap and Priority . . . . . . . . . . . . . . 15
2.2.9. Property Value Interpolation . . . . . . . . . . . . 16
2.2.10. Changes to Model State . . . . . . . . . . . . . . . 16
King, et al. Expires 3 September 2026 [Page 2]
Internet-Draft TVR Requirements March 2026
2.3. Topologies . . . . . . . . . . . . . . . . . . . . . . . 17
2.3.1. Nodes . . . . . . . . . . . . . . . . . . . . . . . . 17
2.3.2. Termination Points . . . . . . . . . . . . . . . . . 17
2.3.3. Links . . . . . . . . . . . . . . . . . . . . . . . . 18
2.3.4. Network Layering . . . . . . . . . . . . . . . . . . 18
2.4. Routing Strategies . . . . . . . . . . . . . . . . . . . 18
2.4.1. Centralized . . . . . . . . . . . . . . . . . . . . . 19
2.4.2. Distributed . . . . . . . . . . . . . . . . . . . . . 19
2.4.3. Hybrid . . . . . . . . . . . . . . . . . . . . . . . 20
2.4.4. Constraints . . . . . . . . . . . . . . . . . . . . . 20
2.5. Integrity Considerations . . . . . . . . . . . . . . . . 21
3. Time-Variant Use Case Requirements . . . . . . . . . . . . . 21
3.1. Resource Preservation Use Case . . . . . . . . . . . . . 21
3.2. Operating Efficiency Use Case . . . . . . . . . . . . . . 22
3.3. Dynamic Reachability Use Case . . . . . . . . . . . . . . 22
4. Requirements Summary . . . . . . . . . . . . . . . . . . . . 23
4.1. Support the Identification and Advertisement of Entity
Property Changes . . . . . . . . . . . . . . . . . . . . 23
4.2. Support Proxy Advertisement . . . . . . . . . . . . . . . 24
4.3. Support Identification and Classification of Node
Properties . . . . . . . . . . . . . . . . . . . . . . . 24
4.4. Support System Schedule and Time Interval Changes . . . . 24
4.5. Support Appropriate Time Accuracy . . . . . . . . . . . . 24
4.6. Support Robust Security . . . . . . . . . . . . . . . . . 24
5. Operational Considerations . . . . . . . . . . . . . . . . . 25
5.1. Schedule Domain Consistency . . . . . . . . . . . . . . . 25
5.2. Incremental Deployment . . . . . . . . . . . . . . . . . 26
6. Security Considerations . . . . . . . . . . . . . . . . . . . 27
6.1. Denial-of-Service (DoS) Attack . . . . . . . . . . . . . 27
6.2. Traffic Analysis and Path Prediction . . . . . . . . . . 28
6.3. Activity Identification and Privacy . . . . . . . . . . . 28
6.4. Spoofing and Manipulation of Time Information . . . . . . 28
6.5. Replay Attacks on Time-Sensitive Data . . . . . . . . . . 29
6.6. Compromised Time Sources . . . . . . . . . . . . . . . . 29
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 29
Contributors . . . . . . . . . . . . . . . . . . . . . . . . . . 30
References . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Normative References . . . . . . . . . . . . . . . . . . . . . 30
Informative References . . . . . . . . . . . . . . . . . . . . 30
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 32
King, et al. Expires 3 September 2026 [Page 3]
Internet-Draft TVR Requirements March 2026
1. Introduction
This document is an informational specification meant to inform the
design and implementation of systems that manage time-variant routing
(TVR) information, and to characterize those systems using design
aspects understandable to network operators. The terms discussed in
this document are intentionally general and are intended to be
tailored for specifics of those individual TVR systems.
The motivation for this work is explained in the TVR Use Cases
document [RFC9657], which justifies why there is value in having some
form of time-variance in a system. This document discusses technical
detail of aspects that designers and operators could adopt and
considerations for when (or when not) to need to incorporate each of
these aspects in a system design.
This document starts with an overview of TVR networks and aspects of
their time variance in Section 2 and elaborates on TVR use cases in
Section 3. Requirements on the design of TVR systems are then
categorized and summarized in Section 4 with operational
considerations for those systems in Section 5, and security
considerations in Section 6.
1.1. Conventions and Definitions
Specific terms used within this document are as follows:
Model: The universe being modeled, which defines a parameter state
space.
Entity: A single separable item within the model. Each entity has a
stable identity which is time-invariant.
Property: A single attribute of an entity which is used to
parameterize that entity. The notion of a property is not time-
variant, the property always exists within an entity but its value
may be time-variant.
Property Value: The specific value of a property, both as a planned
state within the schedule timeline and as a realized state in
wall-clock time.
Schedule: The method of parameterizing time-variance intrinsic to a
time-variant model. The parameters of a schedule are within the
state space of the model.
Schedule Time: An idealized timeline within a time-variant model
King, et al. Expires 3 September 2026 [Page 4]
Internet-Draft TVR Requirements March 2026
over which entities and property values may change without a
difference of state in the model itself. The notion of schedule
time is intrinsic to the model.
Wall-Clock Time: The true timeline, measured in some time scale by
some local ticker. The notion of wall-clock time is extrinsic to
the model; even non-time-variant models allow for changes over
wall-clock time, just as different model states rather than a
change _within_ the model itself.
Time Instant: A single instant of time, consistent with the concepts
of date-time in [RFC3339].
Timeline: A discrete or continuous sequence of time defined over a
specific time datum.
Time Horizon: A bounded interval of time used to limit the
applicability of a schedule or timeline, consistent with the
concepts of period in [RFC3339].
Subsequent: A time instant which is later in a timeline than some
reference time instant.
Snapshot: A way to transform a model with scheduled time-variance
into one that is time-invariant and applies only to a single time
instant. That instant need not be the current wall-clock time.
The term snapshot can be used as a verb, to mean the
transformation itself, or as a noun, to mean the output of the
transformation.
Schedule Domain: A set of time-variant entities that are expected to
be configured and operated jointly on the same timeline with a
bounded synchronization of execution in wall-clock time.
Orchestrator: The subsystem of a managing device which centralizes
control of a network and applies policy to manage a network. A
Path Computation Element (PCE) [RFC4655] is an example of an
Orchestrator.
Manager: The subsystem in a managing device which operates a
management protocol to control an Agent.
Agent: The subsystem in a managed device which operates a management
protocol to be controlled by a Manager.
Management Protocol: The mechanism used to exchange data between
Managing and Managed devices, goverened by a data model shared by
the two devices.
King, et al. Expires 3 September 2026 [Page 5]
Internet-Draft TVR Requirements March 2026
(Routing) Application: The subsystem of a managed device which
performs the functions of a routing protocol and/or algorithm.
+--------------------+ +-------------------+
| Managing Device | | Managed Device |
| | | |
| +--------------+ | | +-------------+ |
| | Orchestrator | | | | Application | |
| +--------------+ | | +-------------+ |
| | | Management | | |
| +--------------+ | Protocol | +-------------+ |
| | Manager | |------+------| | Agent | |
| +--------------+ | : | +-------------+ |
+--------------------+ : +-------------------+
:
+-------------+
| Data Model |
+-------------+
Figure 1: Management Entities
As a concrete example for the use of Figure 1 when applied to
existing IETF standards, the management protocol could be NETCONF
[RFC6241] which would be governed by a set of YANG data models
[RFC7950] known to the Manager and its Orchestrator and implemented
on the Agent and its Application. In this example, if the system
uses all _extrinsic schedules_ the data model does not need to be
time-variant and all schedule execution would occur within the
Orchestrator. If the system uses any _intrinsic schedules_ then
those need to be present within the data model, which would be
communicated to and executed within the Application.
2. Overview of Time-Variant Networks
Existing Internet routing techniques maintain end-to-end connected
paths across a network. Routing mechanisms exist to recover
connectivity and resume normal traffic forwarding as the topology
changes. Occasionally, optimization of routes may also be requested,
especially post-topology changes due to disruptive events. However,
there are a growing number of use cases where changes to the routing
topology are an expected part of network operations. In these
scenarios, the pre-planned loss and restoration of an adjacency, or
formation of an alternate adjacency, should be seen as a non-
disruptive event.
TVR refers to calculating a path or subpath through a network where
the time of message transmission (or receipt) is part of the overall
route computation. Therefore, a TVR computation might produce
King, et al. Expires 3 September 2026 [Page 6]
Internet-Draft TVR Requirements March 2026
different results depending on the time a calculation is performed
without other detectable changes to the network topology or other
cost functions associated with the route.
This section is organized into the following: Section 2.1 includes
some basic definitions for when and how schedules would relate to a
general data model, Section 2.2 discusses the temporal aspects within
a schedule itself, Section 2.3 explains the entities of an IETF
network model expected to benefit from a schedule, Section 2.4
discusses complex routing behaviors enabled by a network model with
intrinsic schedules, and Section 2.5 discusses considerations needed
when schedules are present in a data model.
2.1. Resource Scheduling
Planned resource scheduling is essential for various scenarios,
including networks with mobile entities such as unmanned aerial
vehicles and orbiting satellite constellations [RFC9657]. In these
scenarios, links are lost and re-established as a function of the
mobility of the platforms. Furthermore, link activity might be
restricted to certain times of the day in networks without reliable
access to power, such as networks harvesting energy from tidal, wind,
and solar resources. Similarly, network traffic might be planned
around energy costs or expected user data volumes in networks
prioritising green computing and energy efficiency over data rate.
2.1.1. Schedule Domains
The concept of a schedule domain is to allow partitioning the
universe of managed entities into separate sets of entities, each
with independent timelines having independent schedule execution
(Section 2.1.4) and likely independent schedule generation
(Section 2.1.3). Within each domain, all schedules need to use the
same timeline, need synchronized execution, and joint schedule
generation.
Two extremes of how a system can organize schedule domains are:
Universal Domain: This extreme is to combine all scheduled state
together into a single domain and single timeline. For cases
where all nodes in a network have time-varying properties that
affect their topological neighbors, all of the nodes need to be
scheduled in the same domain to avoid misaligned configuration
between devices. The orchestration and management burden in this
case is the need to consider all schedules jointly and the
operational burden is the need for synchronization of schedule
execution across managed devices.
King, et al. Expires 3 September 2026 [Page 7]
Internet-Draft TVR Requirements March 2026
Per-Device Domains: This extreme is to consider each managed device
as a separate scheduled domain, where property changes between
devices need not be synchronized. This simplifies aspects of
schedule execution but would likely rely on control plane
communication between devices to avoid mismatch between the actual
configuration of any node and how it is assumed to be configured
by other nodes. The orchestration of schedules within a device in
this case would likely be based on device-local needs such as for
power control.
In cases where there does not need to be tight synchronization
between some schedules, they can be managed in separate domains and
effectively form separate timelines where the schedule time in one
domain has little to no relation with any other domain.
A system design can choose to make some "edge" nodes or some
properties of edge nodes intentionally time-invariant in order to
form a logical boundary around schedule domains or possibly aligning
schedule domains with routing domains so that schedule edge nodes
correspond with routing edge nodes. This would allow routing control
protocols to be used for online negotiation at domain boundaries.
2.1.2. Schedule Visibility
Because scheduled time-variance is not a part of existing routing
algorithms and managed data models, not all routing applications will
be made to handle schedules as part of the routing parameters
intrinsically.
Two extremes of schedules being associated with routing data are:
Intrinsic Schedule: In this situation, the schedule is an intrinsic
part of the managed data model which is visible to the routing
application and used as part of the routing algorithms. When the
schedule is intrinsic, there is not necessarily the notion of a
schedule being "executed" as a single activity in wall-clock time
because the time-varying parameters are ingested as part of the
routing algorithm functioning (see Section 2.4) when routing is
needed.
Extrinsic Schedule: In this situation, the schedule is not part of
the managed data model for the Managed Device but maintained
within the Orchestrator; the routing application only sees the
effects of changes in routing parameters as the schedule is
executed (in wall-clock time) by the Orchestrator.
King, et al. Expires 3 September 2026 [Page 8]
Internet-Draft TVR Requirements March 2026
There is also the possibility of an intermediate situation where the
schedule is still part of the managed data model but is visible only
to, and executed in wall-clock time by, the management Agent. This
allows a more distributed use of scheduled data than centralizing its
processing in an Orchestrator.
2.1.3. Generation Locality
The generation of a scheduled data model depends on collecting source
data (which likely has some temporal information in it to begin
with), choosing a time horizon to schedule within, and then
processing the source data into an overall schedule.
Two extremes for locality of schedule generation are:
Centralized Generation: In this situation, all schedule generation
is centralized within a network Orchestrator and changes are sent
to routing applications in wall-clock time via a management
interface. Even though the generation of the schedule is
centralized, both the schedule visibility (within the data model)
and the locality of how the schedule is executed are
unconstrained.
For example, a schedule could be generated in a central
orchestrator synchronized to all managed devices which then
execute the schedule in a distributed manner.
Distributed Generation: This situation corresponds with the
intrinsic or intermediate schedule visibility. Where a schedule
(with a potentially limited time horizon from what is known at the
orchestrator) is part of the managed data which is distributed to
managed devices to be handled either by the Agent or by the
routing Application itself.
2.1.4. Execution Locality
Depending on the visibility of schedules within a data model (see
Section 2.1.2) there are different options for where the schedule may
be executed, and ultimately influence a time-varying configuration on
a managed device.
Two extremes for locality of schedule execution are:
Centralized Execution: In this situation, all schedule execution is
King, et al. Expires 3 September 2026 [Page 9]
Internet-Draft TVR Requirements March 2026
centralized within a network Orchestrator and changes are sent to
routing applications in wall-clock time via a management
interface. This situation can apply to any type of schedule
visibility, but only to centralized generation because the full
scheduled data model needs to be available to the entity
performing the execution.
Distributed Execution: In this situation, schedules are executed on
each managed device independently but based on synchronized
clocks. This situation corresponds with the Intrinsic or
intermediate schedule visibility, where a schedule (with a
potentially limited time horizon from what is known at the
Orchestrator) is part of the managed data which is distributed to
managed devices to be handled either by the Agent or by the
routing Application itself.
When schedules are distributed to the managed devices, it
necessarily increases the amount of data that the managing device
needs to synchronize across the network. The ratio of increased
size can be mitigated by only distributing a limited time horizon
to each device within a sliding window that moves forward in non-
real-time.
When schedules are both generated and executed centrally, there is a
consistency risk between different managed devices because if one
device fails to be reconfigured in wall-clock time its configuration
will no longer align with the other devices which are supposed to all
operate on the same schedule. To recover from this kind of
situation, either reattempt to configure the misaligned device may be
made to bring it back into alignment with the other devices or the
other devices' configurations must be rolled-back into consistency
which will then cause all the devices to be off-schedule.
When schedules are executed on each device, there is a risk that
clocks on different devices become de-synchronized beyond the time
precision required of the schedule. Because real-time clocks are
necessary for more than just schedule execution, and because accurate
and precise time sources exist outside of network time (_e.g._, GPS
time) this risk can be made to have a low probability.
King, et al. Expires 3 September 2026 [Page 10]
Internet-Draft TVR Requirements March 2026
With distributed execution there is also a risk that a Manager loses
connectivity with the managed device and the device eventually runs
out of time horizon in the schedule which is known to it. This risk
can be mitigated by trading between the size and the horizon end-time
of schedules distributed to managed devices. This trade can be
different for different devices, where some well-connected devices
operate closer to just-in-time with short horizons while other
devices can be given a longer horizon to allow it to execute in the
absence of near-continuous Manager connectivity.
One possible combination of these options is depicted in Figure 2,
where inputs are collected in a centralized schedule generator, the
schedule is executed on that centralized entity by taking a snapshot
(periodically or as-needed when model state changes over schedule
time) and distributing the time-invariant snapshot configuration.
Schedule Schedule Config
Generation Execution Distribution
| | |
--inputs-->| | |--config-->
--inputs-->|---schedule--->|---snapshot--->|--config-->
--inputs-->| | |--config-->
<----------------------------------------------------->
Information Configuration
Sources Consumers
Figure 2: Centralized Generation with Centralized Execution
An alternative combination is depicted in Figure 3, where inputs are
also collected in and a schedule generated by a centralized entity,
but in this alternative the scheduled data model (or some filtered
time horizon of it) is distributed to the managed devices to be
executed independently on each device.
Schedule Schedule Schedule
Generation Distribution Execution
| | |
--inputs-->| |---schedule--->|--config-->
--inputs-->|---schedule--->|---schedule--->|--config-->
--inputs-->| |---schedule--->|--config-->
<----------------------------------------------------->
Information Configuration
Sources Consumers
Figure 3: Centralized Generation with Distributed Execution
King, et al. Expires 3 September 2026 [Page 11]
Internet-Draft TVR Requirements March 2026
2.1.5. Configuration and Operational State
Most of the discussion in this document treats scheduling as the
means for influencing when configuration on some managed device is
planned to be updated. But as explained in [X.731] devices are
expected to have an operational state alongside many administrative
states being configured. For example, a known delay between enabling
the modem supporting a termination point or link and the modem
actually being usable for sending traffic.
Strategies for modeling time margins around changes of configuration
are discussed in Section 2.2.4. Even when time margins are taken
into account, the schedules are still being applied to cascading
subsequent changes of administrative state within configurations.
Those changes can motivate subsequent changes in operational states.
While the administrative changes follow the schedule times, the
operational states could be effective at different times across
devices (_e.g._, because of different implementations or other
device-specific reasons).
2.2. General Temporality
This section covers different aspects of how temporality applies to
any potential TVR data model or TVR augmentation of a time-invarient
data model. Each aspect is roughly independent and informs how a
model can choose to include temporality in its parameter state space.
Each of these aspects can be different across different schedule
domains (Section 2.1.1), but are expected to be consistent within a
single schedule domain. Also, just because an entire model or domain
allows high granularity (Section 2.2.1) or high precision
(Section 2.2.3) does not mean that every single entity needs to make
use of those aspects (or even that every entity needs to have time-
variance at all). It is perfectly valid for some entities to have
time-variance and others to have none.
2.2.1. Scope of Time-Variability
One aspect of any time-variant data model is the scope of what may be
time-variable. Two extremes of this aspect are:
* A model that is entirely time-invariant, where time exists
conceptually but has no impact on any of the model's entities.
* A model in which every entity has some kind of schedule applied.
King, et al. Expires 3 September 2026 [Page 12]
Internet-Draft TVR Requirements March 2026
It is expected that an application of time-variability to real world
data models will keep some entities within the model time-invariant
and allow scheduling of other, specific entities.
Another aspect of any time-variant data model is the granularity of
state to which a schedule can be applied. Two extremes of this
aspect are:
* A model where one single schedule applies to the entire universe
(_i.e._ indicating when the time-variant entities are valid or
invalid).
* A model where every property of every entity can be scheduled
independently. This is the temporality model of [AIXM].
It is expected that the use of time-variability in data models will
fit within these extremes. One possibility is to apply a schedule to
each entity indicating when that entire entity is valid or invalid.
Another possibility is to apply a schedule to groups of properties
within an entity (while leaving other properties time-invariant).
2.2.2. Time Horizon
In an idealized model the schedules will apply indefinitely far in
the past and the future, but in a realizable data model with both
processing and storage limitations there will need to be a time
horizon within which the model applies and outside of which the model
has no meaning. In some cases this horizon will be intrinsic to the
data model itself, with an explicit model parameter indicating the
horizon. In other cases the data model may allow indefinitely-large
schedules but the processing of the schedule timeline is bounded to
limit resource needs.
One possible rationale for separating schedule domains
(Section 2.1.1) is the duration of the time horizon needed for
entities in each domain.
2.2.3. Time Precision and Accuracy
Different time-variant models will require different granularities of
planning time, either because of limitations or assumptions about
wall-clock time or because of requirements within the modeled domain.
It is up to specific models to define the precision of time values
and the required accuracy and precision of wall-clocks which execute
the schedules.
King, et al. Expires 3 September 2026 [Page 13]
Internet-Draft TVR Requirements March 2026
One possible rationale for separating schedule domains
(Section 2.1.1) is the level of time precision or accuracy of
execution time able to be upheld across entities in each domain.
2.2.4. Time Synchronization and Margin
Any schedule execution and device configuration (see locality options
in Section 2.1.4) will necessarily have some misalignment in the
synchronization of time across all devices operating in the same
timeline. This misalignment is hopefully bounded by design and able
to be characterized statistically.
It is important for the activity of schedule generation (see
Section 2.1.3) to take the misalignment into account as some form of
margin around the instants of scheduled change. The exact form that
this margin would take depends on the specific time-varying
properties.
Another source of time margin in a time-varying system can be due to
a desire to model the time delay between changing the administrative
state of some subsystem and a subsequent change to its operational
state as a consequence.
Regardless of the reason for a schedule margin being accounted for,
it is critical that the margin is not double-counted by different
activities in the schedule processing chain.
2.2.5. Validity in a Schedule
Within a single schedule over its timeline there will likely be a
need to have multiple discrete intervals of validity over absolute
schedule time. The time instants at which a schedule is invalid
indicate an undefined property value, so it is important for a model
to be able to accommodate multiple schedules as necessary to ensure
that some properties can have values at all times.
A model which restricts itself to a single interval of validity could
run into difficulties over a long enough time horizon and would need
to resort to having multiple model entities represent the same
modeled "thing" which can lead to confusion and inefficiency.
King, et al. Expires 3 September 2026 [Page 14]
Internet-Draft TVR Requirements March 2026
2.2.6. Periodicity in a Schedule
Separate from the concept of intervals of validity in absolute
schedule time, there can be a need to model repetitive states in a
concise way. One way to model a periodic change of state is to
combine a set of absolute time intervals with a periodic
parameterization (duration valid and duration invalid); this is the
model of [AIXM].
A model which does not include the notion of periodicity within a
schedule could be used in situations where discrete intervals of
validity are needed to handle periodic state changes which is neither
storage nor processing efficient. Periodicity can also be seen as
unnecessary when the time horizon will always be small enough
compared to any schedule time period that only one repetition is ever
seen within the horizon in one state.
2.2.7. Continuity in a Schedule
A schedule which includes a sequence of time intervals needs to
ensure that the interpretation of those intervals in the schedule
timeline does not leave any "gaps" at the interval boundaries. For
that reason, it is important that the model uses half-open intervals
of time so that time-adjacent intervals leave no gap. In keeping
with the terminology of [RFC3339], intervals are bounded by their
"start" and "end" instants. It is suggested that any time-varying
model use schedules with intervals closed on their start time and
open on their end time. This behavior lends to the interpretation,
in the schedule timeline, that the scheduled state takes effect at an
interval's start and continues until the subsequent state.
2.2.8. Time-Overlap and Priority
In an ideal situation a model would be guaranteed by design to
contain only contiguous and non-overlapping schedules for each time-
variant scope. In a realized model this kind of invariant might not
be enforceable or might lead to overly complex schedule structures.
One way a model can handle this is to establish a concept of schedule
priority, where some intervals of the schedule timeline contain
overlapping schedules for the same properties and only the highest-
priority schedule applies. When priorities are allowed by a model,
it enables the concept of an "overlay" where a long-duration state
can be temporarily (in schedule time) superseded by a short-duration
state.
King, et al. Expires 3 September 2026 [Page 15]
Internet-Draft TVR Requirements March 2026
2.2.9. Property Value Interpolation
When a schedule is applied to an entity in a way which is more
granular (Section 2.2.1) than just indicating when that whole entity
is valid or invalid, the model needs to consider how individual
properties are to be treated between scheduled instants. Some of the
possible behaviors are:
Zero-order hold: From the instant a scheduled value applies to a
property until the subsequent-in-schedule-time value supersedes
it. This is simple from a logical standpoint, but discontinuities
in the value over schedule time could cause issues with the model
itself. For some models, though, the constant values between
change instants are actually beneficial by allowing the entire
timeline to be compressed into a sequence of discrete state-change
instants. This is the behavior implied in models such as [AIXM].
Linear interpolation: At the instants of time defined in the
schedule the property takes the exact values, but between those
instants the property is interpolated linearly over time. This
results in a state that is continuous over time, which is
beneficial for some kinds of model but also means that there is no
simple discrete sequence of states.
Higher-order or spline interpolation: Higher order interpolations
can result in properties that vary over schedule time in ways that
are more or less beneficial to different types of models.
Regardless of the types of interpolation used, a model can choose to
apply interpolation globally or per-property. Since different
properties represent different physical or logical metrics of a
network it is expected that different types of interpolation will be
needed for different represented quantities.
2.2.10. Changes to Model State
Separate from how a time-variant model can contain a schedule
timeline within the model state, a model design will need to consider
how changes to the model state itself (over wall-clock time) are
handled. This aspect is actually not specific to a time-variant
model but is important to consider in this context.
Two extremes of this aspect are:
* A model which can only be changed wholesale, superseded by an
entire new model state. This is easy to keep consistent but has
inefficiencies of storage and transport if the model state is to
be shared or exchanged between real entities.
King, et al. Expires 3 September 2026 [Page 16]
Internet-Draft TVR Requirements March 2026
* A model which has an intrinsic notion of fine-grained superseding
changes, possibly scoped to individual entities, individual
schedules, or more complex groupings.
2.3. Topologies
The primary entities of a topological network model, as realized in
the IETF [RFC8345] and similar predecessors, are _nodes_ and
unidirectional _links_, with a secondary entity representing the
_termination point_ for each side of a link at a node. Following the
concepts described in Section 2.1 these are the entities to which an
intrinsic schedule can be applied. Since TVR is focused on the
routing aspect of scheduled systems, relating schedules to entities
in an network model used for routing is meant to give concrete
guidance about where there is value to put a schedule in a TVR
system.
2.3.1. Nodes
When a schedule is applied to a node the granularity could at least
be at the individual node. In cases where the properties of a node
have time-variable values the model may define an interpolation
method, either globally or per-property.
A node is just a named entity in Layer 3 [RFC8346] and Layer 2
[RFC8944] topologies. Schedules on a node could be used to indicate
the validity of the entire node or changing properties of that
entity. When a schedule indicates that a node is not valid for a
schedule time instant, that validity could apply to all of its
termination points and links as well. This logic allows a schedule
to represent, for example, the expected power-on state of a node at a
specific layer.
2.3.2. Termination Points
When a schedule is applied to a termination point the granularity
should at least be at the individual entity. In cases where the
properties of a termination point have time-variable values the model
may define an interpolation method, either globally or per-property.
King, et al. Expires 3 September 2026 [Page 17]
Internet-Draft TVR Requirements March 2026
A termination point is associated with an IP address in Layer 3
[RFC8346] and a MAC address in Layer 2 [RFC8944] topologies.
Schedules on a termination point could be used to indicate the
validity of the layer-2/3 interface represented by the entity or
changing properties of that entity. When a schedule indicates that a
termination point is not valid for a schedule time instant, that
validity may apply to all of its links as well. This logic allows a
schedule to represent, for example, the expected power-on or
administrative-enabled state of an attached network interface card
(NIC) or virtual private network (VPN) endpoint.
2.3.3. Links
When a schedule is applied to a link the granularity should at least
be at the individual link. In cases where the properties of a link
have time-variable values the model should define an interpolation
method, either globally or per-property.
A link is associated with link metric properties in Layer 3 [RFC8346]
and Layer 2 [RFC8944] topologies. Schedules on a link should be used
to indicate the validity of the entire link or changing properties of
that entity. When a schedule indicates that a link is not valid for
a schedule time instant, that validity should not apply to its
termination points and nodes. This logic allows a schedule to
represent, for example, the expected connectivity state, data
throughput/rate, and latency/delay of a link.
2.3.4. Network Layering
When a schedule indicates that an entity is not valid for a schedule
time instant, that validity should not apply to any of its associated
overlay or underlay network entities. The effects of scheduled
administrative disabling or enabling of an entity at one layer do not
imply a change in administrative enabled state at any other layer.
Likewise, the assigning of an address property at one layer does not
imply the presence or absence of an address assignment at that same
time instant for any other layer.
2.4. Routing Strategies
Traditional network routing techniques typically use link bandwidth
and delay for path calculation, and do not consider time-based
factors. TVR should be capable of improving network performance and
reliability in environments where entities liveness and link
availability is a time-based consideration, with various factors,
including power availability, interface line of sight or expected
demand.
King, et al. Expires 3 September 2026 [Page 18]
Internet-Draft TVR Requirements March 2026
However, even if some adjacency failures are predictable, others are
not, including link failures and entity outages. Therefore, any new
technique or routing protocol extension for TVR environments must be
capable of handling planned and unexpected resource losses or other
changes.
TVR introduces a scenario of calculating a path, or sub-path within a
network, taking into account the timing of message transmission or
receipt as an integral part of the overall route computation.
Furthermore, synchronization of network time across TVR-capable
entities is critical.
Three scenarios are currently considered when computing TVR-enabled
paths and described in the following subsections.
2.4.1. Centralized
The network entities will receive the time variable information and
traffic forwarding rules directly from a logically centralized
source, an Orchestrator or network controller. The time-variable
data may then be processed locally by the entity entered into the
scheduled routing table and specific forwarding rules applied.
Furthermore, a centralized approach could also be used to extend
existing tunnel and path delivery mechanisms and protocols to
distribute traffic forwarding rules along with time-variable
information. However, in certain environments, a logically
centralized source may lose connectivity with network entities (as
described in Section 2.1.4), preventing timely delivery of traffic
forwarding rules. To mitigate this risk, the time horizon for time-
variable information should be extended accordingly.
2.4.2. Distributed
Network entities may participate in a routing scheme where time
variable information is propagated through the network via capability
and variability advertisements. This could be achieved using
extensions to existing routing schemes and techniques so that link,
adjacency, cost, and schedule may be considered when making
forwarding decisions for per-hop packets or calculating traffic
engineered end-to-end paths. It should be noted that schedule
distribution and entity computation latency may exist in some network
environments.
In some environments, scheduling information may distributed through
a management plane mechanism, such as NETCONF [RFC6241] or gNMI (gRPC
Network Management Interface) [gNMI], instead of the routing scheme.
King, et al. Expires 3 September 2026 [Page 19]
Internet-Draft TVR Requirements March 2026
2.4.3. Hybrid
In this scenario, mixed-entity TVR capability exists. Some entities
will require a schedule provided by a centralized source, and others
will be capable of advertising and learning scheduled information via
a distributed mechanism.
This scenario presents time and schedule synchronization and source
verification challenges and will require further study, but are out
of scope for this document.
2.4.4. Constraints
Time-variant network constraints may be based on dynamic factors that
will influence how the network is managed and how network resources
are scheduled. These constraints are influenced by real-time data
and can vary significantly depending on multiple factors. By
considering time-variant constraints, network operators can enhance
the efficiency, reliability, and performance of telecom networks.
The main factors influencing these constraints include:
1. Predicted Traffic Demand: Network usage patterns fluctuate
throughout the day, with peak times typically occurring during
business hours and in the evening. Predicting these patterns
accurately allows for proactive resource allocation, ensuring
that sufficient bandwidth is available during high-demand periods
without over-provisioning during low-demand times.
2. Energy Efficiency: The energy consumption of network equipment
can be optimized based on the current load. By scheduling
resources and adjusting power levels or shutting down
underutilized equipment, telecom networks can significantly
reduce energy costs and carbon footprints, contributing to
sustainability goals.
3. Weather Conditions: Weather can impact network performance,
especially for wireless and satellite communications. Adverse
weather conditions such as heavy rain, snow, or extreme
temperatures can degrade signal quality. Incorporating predicted
and real-time weather data into network management strategies can
help in adjusting transmission power, rerouting traffic, or
preemptively switching to more resilient pathways.
4. Network Maintenance and Upgrades: Scheduled maintenance or
unexpected faults can introduce temporary constraints. By
planning maintenance activities during off-peak hours and having
real-time monitoring systems to quickly detect and address
faults, network downtime can be minimized.
King, et al. Expires 3 September 2026 [Page 20]
Internet-Draft TVR Requirements March 2026
2.5. Integrity Considerations
Time-variant network relies on accurate and timely dissemination of
time-variant routing and forwarding information. However, the
presence of malicious or unintended divergent information introduces
risks that can impact network stability and operational correctness.
An adversary could manipulate scheduled routing updates to introduce
black holes, persistent loops, or denial-of-service conditions by
injecting false time-sensitive state changes. Even in non-malicious
scenarios, incorrect or misaligned scheduling or misconfiguration, or
time de-synchronization, may lead to unintended forwarding behavior,
potentially degrading performance or causing service disruptions.
To mitigate these risks, TVR solution mechanisms should incorporate
integrity validation and trust enforcement to ensure the correctness
and authenticity of time-sensitive routing updates. This may include
cryptographic techniques to verify the source and integrity of
schedule updates, consistency checks against expected network state,
and mechanisms to detect and reject anomalous scheduling data.
Additionally, fallback strategies should be considered to allow
continued operation in cases where unexpected or inconsistent
information is detected.
Specific security considerations are discussed in the Section 6.
later in this document.
3. Time-Variant Use Case Requirements
Several TVR use cases have been identified and discussed in
[RFC9657]. This section provides further detail on specific
requirements to meet use case needs.
3.1. Resource Preservation Use Case
This use case is about managed devices being reactive to sensed
conditions, but also providing feedback to an Orchestrator to allow
coarse schedules of expected resource availability. Its requirements
include:
Temporality tailored to system dynamics: Because managed devices are
either powered-off or severely degraded in performance when
preserving resources, the schedules governing expected topology
must be of sufficient precision and synchronization to capture the
dynamics of the managed devices.
Parameterization of periodicity: Resource availability based on
King, et al. Expires 3 September 2026 [Page 21]
Internet-Draft TVR Requirements March 2026
diurnal activity on Earth fits well into a periodicity based
strictly on time-of-day. But when resources are available based
on other natural phenomina (_e.g._, orbital periods) the schedules
must have a periodicity which is parameterized in such a way that
allows matching the resource dynamics (_e.g._, repeating
subsequent intervals of durations of seconds available and seconds
unavailable).
Time horizon tailored to uncertainty: Even when periodicity is well
understood, characterized, and parameterized in a data model,
there must be allowance for uncertainty of expected resource
availability. This operates both in the sense of having a large
enough time horizon to enable a device to "ride out" times of low
resources without needing schedule updates, as well as the horizon
being limited to avoid large schedules which far exceed the point
where actual system state will diverge from the model state.
3.2. Operating Efficiency Use Case
This use case is about scheduling resources proactively to improve
efficiencies. Its requirements include:
Distribution of Predicted Topology-change: The predicted topology-
change information may include the valid time, invalid time, link
costs at different times, and change periods.
Topology Changes: The predicted topology-change information may
change due to forecasted or unforecasted changes. The managing
entity should be capable of providing a partial or full topology
update as often as needed.
Minimum Route Recalculation Interval and Threshold: Although some
cases may assume that the cost persists for a sufficient amount of
time, considering that each route contains multiple links, the
change frequency of the path may be much higher than the cost. In
this case, the minimum recalculation interval or cost change
threshold is needed to determine when a route recalculation is
required. Of course, scheduled topology connection changes must
be considered when path calculation is required.
3.3. Dynamic Reachability Use Case
This use case is about geometric and kinematic constraints of mobile
devices influencing their ability to establish or maintain links to
neighbors. Its requirements include:
Pairwise consideration of synchronization and margins: When
King, et al. Expires 3 September 2026 [Page 22]
Internet-Draft TVR Requirements March 2026
scheduling links, the execution clock synchronization of its two
endpoints as well as any margin needed on each of those endpoints
must be considered when generating schedules for those links.
Additionally, schedules on long-distance (_i.e._, interplanetary
scale) links must consider the effects of light-speed delays for
distribution and execution.
Schedule independence from external conditions: An important concept
of distributed schedule execution in TVR is that a consistent
shared timeline and a wall-clock ticker across managed devices is
the unified mechanism to synchronize state across devices.
Schedule entries should not depend on externally sensed conditions
such as location, orientation, or other geometric or kinematic
properties. Changes arising from such external conditions that
are not captured in the schedules are outside the scope of TVR and
are handled reactively by the network. Schedule-based TVR and
condition-based reactive mechanisms can coexist within the same
network and within its devices.
4. Requirements Summary
4.1. Support the Identification and Advertisement of Entity Property
Changes
In Time-Variant Routing, scheduling of available entity resources is
expected. In practical situations, however, the properties of
entities can be converted back and forth between Time-Variant and
Non-Time-Variant nodes.
An entity must support the identification and advertisement of non-
scheduled property changes.
Besides, if there are abnormal changes in the system, it is necessary
to advertise them through the existing routing protocols in time to
achieve the stability of Time-Variant Routing and avoid redundant
advertisements. For example, an entity in the system is suddenly
damaged due to external factors. Changes in entity state outside of
a schedule are communicated to other entities in a network through
existing routing protocol mechanism, where they exist.
A Manager should provide an advertisement methodology for responding
to abnormal changes in the system.
King, et al. Expires 3 September 2026 [Page 23]
Internet-Draft TVR Requirements March 2026
4.2. Support Proxy Advertisement
Proxies can help to improve the efficiency of the network. There are
some entities in the network that do not have routing functions.
When their properties change, they are unable to notify other
entities in the network. Proxy nodes can help nodes without routing
functions to advertise information, thus improving the efficiency of
the network. Therefore,
Systems must support proxy entities to help non-routing nodes
implement information advertisement.
4.3. Support Identification and Classification of Node Properties
The entity properties of the network may change as described in 3.1.
If the system cannot timely identify and classify in a processing
manner after the entity properties change, it will lead to suboptimal
routing decisions. Therefore,
Systems must provide a discovery and resolving methodology for the
identification and classification of entity schedule changes.
4.4. Support System Schedule and Time Interval Changes
The system's schedule may change, requiring entity configuration
updates rather than being fixed and unmodifiable. Additionally,
time-variant intervals in the system may also vary. Therefore,
Systems must support system schedule changes.
Systems must support time interval changes.
4.5. Support Appropriate Time Accuracy
The accuracy of the time cannot be too large or too small; otherwise,
convergence may not be possible. Therefore,
Systems must support appropriate time tolerance.
4.6. Support Robust Security
Implementations must address security risks associated with time-
variant information to ensure the reliability and integrity of
scheduled network operations. The following security-related
requirements should be considered,
Integrity Protection: Mechanisms must be in place to ensure that
King, et al. Expires 3 September 2026 [Page 24]
Internet-Draft TVR Requirements March 2026
time-sensitive routing updates are protected from unauthorized
modification.
Authentication and Authorization: Entities generating or modifying
TVR schedules must be authenticated, and only authorized entities
should be permitted to inject, update, or override scheduled
routing information.
Resilience Against Malicious or Erroneous Inputs: A TVR network must
be resilient against the injection of incorrect or maliciously
crafted scheduling information.
Time Synchronization Robustness: Since TVR relies on time-sensitive
operations, it must ensure the trustworthiness of external time
sources. Protection against time-based attacks, such as replay
attacks or clock manipulation, should also be considered.
Rollback and Recovery: In the event of conflicting, missing, or
compromised time-variant routing data, TVR implementations should
include fallback mechanisms to maintain network stability.
By integrating these security requirements into TVR implementations,
networks can mitigate risks associated with malicious actors,
misconfigurations, or unintended disruptions, ensuring the robustness
of time-sensitive routing decisions. Specific security scenarios and
negation and mitigation methods are discussed in Section 6.
5. Operational Considerations
Introducing time-variance to network operations and management in any
capacity adds complexity to those areas of system design and
implementations. This section discusses considerations for those
areas in the spirit of [RFC5706] but without concrete details of a
specific TVR system design.
5.1. Schedule Domain Consistency
As explained in Section 2.1.1, the purpose of a schedule domain is to
organize managed devices based on their time-variant needs and
capabilities. The choice of which devices to include in a domain is
subjective, but should take into consideration the schedule-awareness
capabilities of the devices and temporal sensitivities of their
configurations.
For example, including in a single domain devices which can handle
data models with intrinsic schedules and devices which cannot will
increase the burden on the network orchestrator to validate the joint
configurations of those devices. Segmenting into different schedule
King, et al. Expires 3 September 2026 [Page 25]
Internet-Draft TVR Requirements March 2026
domains would allow for a more simple validation of the time-
invariant device configurations and a more narrow but complex
validation of the time-variant device configurations.
Another important consideration for schedule domains is the required
wall-clock time precision and accuracy of devices in each domain, as
explained in Section 2.2.3. A single domain which includes devices
needing only coarse time precision as well as those needing tight
precision can add unnecessary burden to planning and validation of
schedules for the coarse-precision devices.
Similarly, the required time synchronization for devices in each
domain, as explained in Section 2.2.4, affects the amount of and
types of analysis that a network orchestrator needs to validate
configurations of those devices. A single domain which includes some
devices needing only loose synchronization and some with very tight
requirements adds burden to planning and validation of schedules.
5.2. Incremental Deployment
There is an expectation that the intentionally simplified view of
Figure 1 would actually contain a large number of separate but
possibly inter-related data models being managed for even a modestly
complex managed device. And that figure shows only a single managed
device while a real network is expected to contain a large number of
managed devices, possibly with a diverse set of management protocols
serving different sets of devices, but under the control of a central
orchestrator. Because of these expectations, the introduction of TVR
into an existing management ecosystem is meant to be able to be
deployed incrementally, possibly along different aspects in different
increments.
Within the aspect of schedule domains (Section 2.1.1) it is possible
to start with a single completely time-invariant domain, add TVR as a
single time-variant domain covering a portion of devices most in need
of scheduled behavior. From there the operator can either grow that
time-variant domain to cover more devices or add other time-variant
domains to suit the operator's needs over deployment increments.
Within the aspect of schedule visibility (Section 2.1.2) it is
possible to deploy TVR first as extrinsic schedules known only to the
network orchestrator and executed centrally there. From there the
operator can transition a portion of those extrinsic schedules to
intrinsic schedules, which requires support for (some form of)
schedule execution on the managed devices. As needs change or device
support is updated, the scope of intrinsic schedules can be grown or
adjusted to suit over deployment increments.
King, et al. Expires 3 September 2026 [Page 26]
Internet-Draft TVR Requirements March 2026
Within the aspect of generation locality (Section 2.1.3) a time-
variant domain can start out as a fully externally-controlled device
and possibly expand to allow managed devices themselves to propose
schedules based on locally-sensed conditions such as traffic
periodicity or resource (_e.g._, power) availability. Managed
devices might propose schedules which can then be simulated and
verified by an orchestrator and augmented as intrinsic schedules back
to those devices.
The complexity and scope of supported schedules can also be adjusted
incrementally, starting with a time-variant domain that operates on
very simple schedules with coarse-grained scope and short time
horizons. From there, an operator can incrementally increase
schedule complexity, make schedule scope more fine grained, or expand
time horizons as device support is updated. These changes can all be
mediated through schedule domains focused based on that device
support.
6. Security Considerations
Using time-variant mechanisms introduces unique security
vulnerabilities that must be carefully considered to ensure the
integrity, availability, and confidentiality of the network.
Networks relying on time-sensitive data for forwarding decisions are
particularly susceptible to attacks that exploit temporal aspects and
timing dependencies.
The following potential security considerations warrant detailed
investigation as solutions are developed and deployed.
6.1. Denial-of-Service (DoS) Attack
Precisely coordinating time information across devices and routers is
critical to maintaining network stability. Malicious actors could
exploit this dependency by disrupting or manipulating the time
synchronization process. For example, an attacker could
intentionally delay or corrupt time signals exchanged within the
network, leading to routing errors and widespread denial-of-service
(DoS) attacks. In this scenario, routers and managed devices may
fail to correctly determine the optimal paths, resulting in dropped
packets, increased latency, or even complete service outages.
Additionally, these attacks could be scaled to affect multiple
devices simultaneously, further amplifying their impact. Given the
critical nature of time in such networks, securing time
synchronization mechanisms, such as Network Time Protocol (NTP) or
Precision Time Protocol (PTP), is essential to mitigate these risks.
King, et al. Expires 3 September 2026 [Page 27]
Internet-Draft TVR Requirements March 2026
6.2. Traffic Analysis and Path Prediction
Time variant networks may involve frequent updates and adjustments to
routing tables based on current and forecasted network conditions.
If time information is not adequately protected, attackers could
conduct traffic analysis to infer routing decisions, network load, or
usage patterns. The schedule ability could enable attackers to
launch highly targeted attacks, such as selectively overloading
certain links or intercepting sensitive communications. Moreover,
long-term analysis of time-variant network data could provide
attackers with insights into the underlying structure of the network,
enabling them to plan more sophisticated attacks. To counter these
threats, it is vital to encrypt time-sensitive data and limit the
exposure of time-related metadata to unauthorized entities.
6.3. Activity Identification and Privacy
In certain scenarios, precise time information exchanged within the
network could be correlated with specific user or device behavior,
inadvertently revealing private information. For instance, time
scheduling decisions could be analyzed to determine when and where
certain devices are active, allowing an attacker to infer user
habits, locations, or preferences. This could pose significant
privacy concerns, particularly in environments where sensitive
personal or organizational data is transmitted. Furthermore,
attackers could use this information to create detailed profiles of
network users, which could be exploited for social engineering
attacks, surveillance, or other malicious activities.
6.4. Spoofing and Manipulation of Time Information
The accuracy and integrity of time information are crucial for making
correct routing decisions. If an attacker were to inject false or
manipulated time data into the network, it could cause routers and
devices to make incorrect decisions, potentially leading to traffic
misrouting, network partitions, or inefficient use of resources.
Such spoofing attacks could divert traffic through malicious nodes,
enabling man-in-the-middle attacks, data interception, or
unauthorized access to network resources. Furthermore, time
manipulation could create persistent disruptions by continuously
altering the perceived time, thereby forcing the network into a
constant state of flux and instability. Robust authentication
mechanisms for time sources and integrity checks on time-related
messages are essential to defend against these types of attacks.
Moreover, implementing redundancy in time synchronization (e.g.,
multiple time sources) can provide resilience against single points
of failure.
King, et al. Expires 3 September 2026 [Page 28]
Internet-Draft TVR Requirements March 2026
6.5. Replay Attacks on Time-Sensitive Data
Replay Attacks on Time-Sensitive Data: Time variant network data and
schedule updates may be susceptible to replay attacks, where a
malicious actor intercepts and retransmits valid time-based data at a
later time. This could cause network devices to act on outdated
information, leading to inconsistent routing decisions, misaligned
schedules, or security gaps. In particular, attackers could exploit
replay attacks to force devices into outdated configurations or
interfere with the synchronization of schedules across the network.
To prevent this type of attack, it is important to use a messaging
protocol for time-variant schedules that mitigates such attacks while
ensuring the validity and timeliness of received information.
6.6. Compromised Time Sources
Compromised Time Sources: The reliance on external time sources for
synchronization purposes presents a potential attack surface for
time-variant networks. If a trusted time source, such as a GPS
signal or an NTP server, is compromised, the attacker could feed
erroneous time information to the entire network, disrupting its
operation. Such an attack could lead to cascading failures as
devices attempt to synchronize with the compromised source,
ultimately resulting in incorrect routing decisions or even the
collapse of the network. To address this, network operators should
implement multiple, redundant time sources and regularly verify the
integrity of these sources. In addition, alerting mechanisms should
be in place to detect significant deviations in time data that could
indicate an attack.
7. IANA Considerations
This document has no IANA actions.
Acknowledgments
This work has benefited from the participation of the TVR working
group and the discussions on the mailing list.
The authors would like to specifically thank Tony Li, Mark Blanchet,
Alexander Petrescu, Ed Birrane, Jie Dong, Abdussalam Baryun and Joel
Halpern
This work is partly supported by the UK Department for Science,
Innovation and Technology under the Future Open Networks Research
Challenge project TUDOR (Towards Ubiquitous 3D Open Resilient
Network).
King, et al. Expires 3 September 2026 [Page 29]
Internet-Draft TVR Requirements March 2026
Contributors
The following authors contributed significantly to this document:
Jing Wang
China Mobile
China
Email: wangjingjc@chinamobile.com
Peng Liu
China Mobile
China
Email: liupengyjy@chinamobile.com
Zheng (Sandy) Zhang
ZTE Corporation
China
Email: zhang.zheng@zte.com.cn
Yuehua Wei
ZTE Corporation
China
Email: wei.yuehua@zte.com.cn
Charalampos (Haris) Rotsos
Lancaster University
United Kingdom
Email: c.rotsos@lancaster.ac.uk
References
Normative References
[RFC9657] Birrane, III, E., Kuhn, N., Qu, Y., Taylor, R., and L.
Zhang, "Time-Variant Routing (TVR) Use Cases", RFC 9657,
DOI 10.17487/RFC9657, October 2024,
<https://www.rfc-editor.org/info/rfc9657>.
Informative References
[AIXM] EUROCONTROL and Federal Aviation Administration, "AIXM 5
Temporality Model", 15 September 2010,
<https://aixm.aero/sites/aixm.aero/files/imce/AIXM51/
aixm_temporality_1.0.pdf>.
King, et al. Expires 3 September 2026 [Page 30]
Internet-Draft TVR Requirements March 2026
[gNMI] Borman, P., Hines, M., Lebsack, C., Morrow, C., Shaikh,
A., Shakir, R., Li, W., and D. Loher, "gRPC Network
Management Interface (gNMI)", Version 10.0, May 2023,
<https://www.openconfig.net/docs/gnmi/gnmi-
specification/>.
[RFC3339] Klyne, G. and C. Newman, "Date and Time on the Internet:
Timestamps", RFC 3339, DOI 10.17487/RFC3339, July 2002,
<https://www.rfc-editor.org/info/rfc3339>.
[RFC4655] Farrel, A., Vasseur, J.-P., and J. Ash, "A Path
Computation Element (PCE)-Based Architecture", RFC 4655,
DOI 10.17487/RFC4655, August 2006,
<https://www.rfc-editor.org/info/rfc4655>.
[RFC5706] Harrington, D., "Guidelines for Considering Operations and
Management of New Protocols and Protocol Extensions",
RFC 5706, DOI 10.17487/RFC5706, November 2009,
<https://www.rfc-editor.org/info/rfc5706>.
[RFC6241] Enns, R., Ed., Bjorklund, M., Ed., Schoenwaelder, J., Ed.,
and A. Bierman, Ed., "Network Configuration Protocol
(NETCONF)", RFC 6241, DOI 10.17487/RFC6241, June 2011,
<https://www.rfc-editor.org/info/rfc6241>.
[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
RFC 7950, DOI 10.17487/RFC7950, August 2016,
<https://www.rfc-editor.org/info/rfc7950>.
[RFC8345] Clemm, A., Medved, J., Varga, R., Bahadur, N.,
Ananthakrishnan, H., and X. Liu, "A YANG Data Model for
Network Topologies", RFC 8345, DOI 10.17487/RFC8345, March
2018, <https://www.rfc-editor.org/info/rfc8345>.
[RFC8346] Clemm, A., Medved, J., Varga, R., Liu, X.,
Ananthakrishnan, H., and N. Bahadur, "A YANG Data Model
for Layer 3 Topologies", RFC 8346, DOI 10.17487/RFC8346,
March 2018, <https://www.rfc-editor.org/info/rfc8346>.
[RFC8944] Dong, J., Wei, X., Wu, Q., Boucadair, M., and A. Liu, "A
YANG Data Model for Layer 2 Network Topologies", RFC 8944,
DOI 10.17487/RFC8944, November 2020,
<https://www.rfc-editor.org/info/rfc8944>.
[X.731] ITU, "Information Technology - Open Systems
Interconnection - System Management: State Management
Function", ITU-T X.731, 31 January 1993,
<https://www.itu.int/rec/T-REC-X.731>.
King, et al. Expires 3 September 2026 [Page 31]
Internet-Draft TVR Requirements March 2026
Authors' Addresses
D. King
Lancaster University
Email: d.king@lancaster.ac.uk
L. M. Contreras
Telefonica
Email: luismiguel.contrerasmurillo@telefonica.com
B. Sipos
JHU/APL
Email: brian.sipos+ietf@gmail.com
L. Zhang
Huawei
Email: zhangli344@huawei.com
King, et al. Expires 3 September 2026 [Page 32]