RAW                                                      N. Maeurer, Ed.
Internet-Draft                                           T. Graeupl, Ed.
Intended status: Informational             German Aerospace Center (DLR)
Expires: 11 November 2021                                C. Schmitt, Ed.
                                         Research Institute CODE, UniBwM
                                                             10 May 2021

       L-band Digital Aeronautical Communications System (LDACS)


   This document provides an overview of the architecture of the L-band
   Digital Aeronautical Communications System (LDACS), which provides a
   secure, scalable and spectrum efficient terrestrial data link for
   civil aviation.  LDACS is a scheduled, reliable multi-application
   cellular broadband system with support for IPv6.  LDACS shall provide
   a data link for IP network-based aircraft guidance.  High reliability
   and availability for IP connectivity over LDACS are therefore

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 11 November 2021.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights

Maeurer, et al.         Expires 11 November 2021                [Page 1]

Internet-Draft                    LDACS                         May 2021

   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Motivation and Use Cases  . . . . . . . . . . . . . . . . . .   5
     3.1.  Voice Communications Today  . . . . . . . . . . . . . . .   6
     3.2.  Data Communications Today . . . . . . . . . . . . . . . .   6
   4.  Provenance and Documents  . . . . . . . . . . . . . . . . . .   7
   5.  Applicability . . . . . . . . . . . . . . . . . . . . . . . .   8
     5.1.  Advances Beyond the State-of-the-Art  . . . . . . . . . .   8
       5.1.1.  Priorities  . . . . . . . . . . . . . . . . . . . . .   8
       5.1.2.  Security  . . . . . . . . . . . . . . . . . . . . . .   9
       5.1.3.  High Data Rates . . . . . . . . . . . . . . . . . . .   9
     5.2.  Application . . . . . . . . . . . . . . . . . . . . . . .   9
       5.2.1.  Air-to-Ground Multilink . . . . . . . . . . . . . . .   9
       5.2.2.  Air-to-Air Extension for LDACS  . . . . . . . . . . .  10
       5.2.3.  Flight Guidance . . . . . . . . . . . . . . . . . . .  10
       5.2.4.  Business Communication of Airlines  . . . . . . . . .  11
       5.2.5.  LDACS Navigation  . . . . . . . . . . . . . . . . . .  11
   6.  Requirements to LDACS . . . . . . . . . . . . . . . . . . . .  12
   7.  Characteristics of LDACS  . . . . . . . . . . . . . . . . . .  13
     7.1.  LDACS Sub-Network . . . . . . . . . . . . . . . . . . . .  13
     7.2.  Topology  . . . . . . . . . . . . . . . . . . . . . . . .  14
     7.3.  LDACS Physical Layer  . . . . . . . . . . . . . . . . . .  14
     7.4.  LDACS Data Link Layer . . . . . . . . . . . . . . . . . .  15
     7.5.  LDACS Mobility  . . . . . . . . . . . . . . . . . . . . .  15
   8.  Reliability and Availability  . . . . . . . . . . . . . . . .  15
     8.1.  Layer 2 . . . . . . . . . . . . . . . . . . . . . . . . .  15
     8.2.  Beyond Layer 2  . . . . . . . . . . . . . . . . . . . . .  18
   9.  Protocol Stack  . . . . . . . . . . . . . . . . . . . . . . .  18
     9.1.  Medium Access Control (MAC) Entity Services . . . . . . .  19
     9.2.  Data Link Service (DLS) Entity Services . . . . . . . . .  21
     9.3.  Voice Interface (VI) Services . . . . . . . . . . . . . .  22
     9.4.  LDACS Management Entity (LME) Services  . . . . . . . . .  22
     9.5.  Sub-Network Protocol (SNP) Services . . . . . . . . . . .  22
   10. Security Considerations . . . . . . . . . . . . . . . . . . .  22
     10.1.  Reasons for Wireless Digital Aeronautical
            Communications . . . . . . . . . . . . . . . . . . . . .  23
     10.2.  LADACS Requirements  . . . . . . . . . . . . . . . . . .  24
     10.3.  LDACS Security Objectives  . . . . . . . . . . . . . . .  24
     10.4.  LDACS Security Functions . . . . . . . . . . . . . . . .  25
     10.5.  LDACS Security Architecture  . . . . . . . . . . . . . .  25
       10.5.1.  Entities . . . . . . . . . . . . . . . . . . . . . .  25

Maeurer, et al.         Expires 11 November 2021                [Page 2]

Internet-Draft                    LDACS                         May 2021

       10.5.2.  Entity Identification  . . . . . . . . . . . . . . .  25
       10.5.3.  Entity Authentication and Key Negotiation  . . . . .  26
       10.5.4.  Message-in-transit Confidentiality, Integrity and
               Authenticity  . . . . . . . . . . . . . . . . . . . .  26
     10.6.  LDACS Security Modules . . . . . . . . . . . . . . . . .  27
       10.6.1.  Placements of Security Functionality in Protocol
               Stack . . . . . . . . . . . . . . . . . . . . . . . .  27
       10.6.2.  Trust  . . . . . . . . . . . . . . . . . . . . . . .  27
       10.6.3.  Mutual Authentication and Key Exchange (MAKE)  . . .  28
       10.6.4.  Key Derivation and Key Hierarchy . . . . . . . . . .  28
       10.6.5.  User Data Security . . . . . . . . . . . . . . . . .  28
       10.6.6.  Control Data Security  . . . . . . . . . . . . . . .  29
   11. Privacy Considerations  . . . . . . . . . . . . . . . . . . .  29
   12. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  29
   13. Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  29
   14. Normative References  . . . . . . . . . . . . . . . . . . . .  30
   15. Informative References  . . . . . . . . . . . . . . . . . . .  31
   Appendix A.  Selected Information from DO-350A  . . . . . . . . .  35
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  37

1.  Introduction

   One of the main pillars of the modern Air Traffic Management (ATM)
   system is the existence of a communication infrastructure that
   enables efficient aircraft control and safe separation in all phases
   of flight.  Current systems are technically mature but suffering from
   the Very High Frequency (VHF) band's increasing saturation in high-
   density areas and the limitations posed by analogue radio
   communications.  Therefore, aviation globally and the European Union
   (EU) in particular, strives for a sustainable modernization of the
   aeronautical communication infrastructure.

   In the long-term, ATM communication shall transition from analogue
   VHF voice [KAMA2010] and VHF Data Linke mode 2 (VDLM2) communication
   to more spectrum efficient digital data communication.  The European
   ATM Master Plan foresees this transition to be realized for
   terrestrial communications by the development (and potential
   implementation) of the L-band Digital Aeronautical Communications
   System (LDACS).  LDACS shall enable IPv6 based air- ground
   communication related to the aviation safety and regularity of flight
   [ICAO20152].  The particular challenge is that no additional spectrum
   can be made available for terrestrial aeronautical communication.  It
   was thus necessary to develop co-existence mechanism/procedures to
   enable the interference free operation of LDACS in parallel with
   other aeronautical services/systems in the same frequency band.

   Since LDACS shall be used for aircraft guidance, high reliability and
   availability for IP connectivity over LDACS are essential.

Maeurer, et al.         Expires 11 November 2021                [Page 3]

Internet-Draft                    LDACS                         May 2021

2.  Terminology

   The following terms are used in the context of RAW in this document:

   A2A  Air-to-Air
   AeroMACS  Aeronautical Mobile Airport Communication System
   A2G  Air-to-Ground
   ACARS  Aircraft Communications Addressing and Reporting System
   ADS-C  Automatic Dependent Surveillance - Contract
   AM(R)S  Aeronautical Mobile (Route) Service
   ANSP  Air Traffic Network Service Provider
   AOC  Aeronautical Operational Control
   AS  Aircraft Station
   ATC  Air Traffic Control
   ATM  Air Traffic Management
   ATN  Aeronautical Telecommunication Network
   ATS  Air Traffic Service
   CCCH  Common Control Channel
   COTS IP  Commercial Off-The-Shelf
   CM  Context Management
   CNS  Communication Navigation Surveillance
   CPDLC  Controller Pilot Data Link Communication
   DCCH  Dedicated Control Channel
   DCH  Data Channel
   DLL  Data Link Layer
   DLS  Data Link Service
   DME  Distance Measuring Equipment
   DSB-AM  Double Side-Band Amplitude Modulation
   FCI  Future Communication Infrastructure
   FL  Forward Link
   GBAS  Ground Based Augmentation System
   GNSS  Global Navigation Satellite System
   GS  Ground-Station
   G2A  Ground-to-Air
   HF  High Frequency
   ICAO  International Civil Aviation Organization
   IP  Internet Protocol
   IPS  Internet Protocol Suite
   kbit/s  kilobit per second
   LDACS  L-band Digital Aeronautical Communications System
   LLC  Logical Link Control
   LME  LDACS Management Entity
   MAC  Medium Access Layer
   MF  Multi Frame
   OFDM  Orthogonal Frequency-Division Multiplexing
   OFDMA  Orthogonal Frequency-Division Multiplexing Access
   OSI  Open Systems Interconnection
   PHY  Physical Layer

Maeurer, et al.         Expires 11 November 2021                [Page 4]

Internet-Draft                    LDACS                         May 2021

   RL  Reverse Link
   SF  Super-Frame
   SN  Serving Network
   SNP  Sub-Network Protocol
   STS  Station-to-Station
   TDMA  Time-Division Multiplexing-Access
   VDLM1  VHF Data Link mode 1
   VDLM2  VHF Data Link mode 2
   VHF  Very High Frequency
   VI  Voice Interface

3.  Motivation and Use Cases

   Aircraft are currently connected to Air Traffic Control (ATC) and
   Aeronautical Operational Control (AOC) via voice and data
   communications systems through all phases of a flight.  AOC is a
   generic term referring to the business communication of airlines.
   Within the airport terminal, connectivity is focused on high
   bandwidth communications, while during en-route high reliability,
   robustness, and range is the main focus.  Voice communications may
   use the same or different equipment as data communications systems.
   In the following the main differences between voice and data
   communications capabilities are summarized.  The assumed use cases
   for LDACS completes the list of use cases stated in [RAW-USE-CASES]
   and the list of reliable and available wireless technologies
   presented in [RAW-TECHNOS].

Maeurer, et al.         Expires 11 November 2021                [Page 5]

Internet-Draft                    LDACS                         May 2021

3.1.  Voice Communications Today

   Voice links are used for Air-to-Ground (A2G) and Air-to-Air (A2A)
   communications.  The communication equipment is either ground-based
   working in the High Frequency (HF) or VHF frequency band or
   satellite-based.  All VHF and HF voice communications are operated
   via open broadcast channels without authentication, encryption or
   other protective measures.  The use of well-proven communication
   procedures via broadcast channels can help to enhance the safety of
   communications.  The main voice communications media is still the
   analogue VHF Double Side-Band Amplitude Modulation (DSB-AM)
   communications technique, supplemented by HF Single Side-Band
   Amplitude Modulation and satellite communications for remote and
   oceanic areas.  DSB-AM has been in use since 1948, works reliably and
   safely, and uses low-cost communication equipment.  These are the
   main reasons why VHF DSB-AM communications are still in use, and it
   is likely that this technology will remain in service for many more
   years.  This however results in current operational limitations and
   impediments in deploying new Air Traffic Management (ATM)
   applications, such as flight-centric operation with Point-to-Point

3.2.  Data Communications Today

   Like for voice, data communications into the cockpit is currently
   provided by ground-based equipment operating either on HF or VHF
   radio bands or by legacy satellite systems.  All these communication
   systems are using narrowband radio channels with a data throughput
   capacity in order of kilobits per second.  While the aircraft is on
   ground some additional communications systems are available, like the
   Aeronautical Mobile Airport Communication System (AeroMACS) or public
   cellular networks, operating in the Airport (APT) domain and able to
   deliver broadband communication capability.

   The data communication networks used for the transmission of data
   relating to the safety and regularity of the flight must be strictly
   isolated from those providing entertainment services to passengers.
   This leads to a situation that the flight crews are supported by
   narrowband services during flight while passengers have access to
   inflight broadband services.  The current HF and VHF data links
   cannot provide broadband services now or in the future, due to the
   lack of available spectrum.  This technical shortcoming is becoming a
   limitation to enhanced ATM operations, such as Trajectory-Based
   Operations and 4D trajectory negotiations.

   Satellite-based communications are currently under investigation and
   enhanced capabilities are under development which will be able to
   provide inflight broadband services and communications supporting the

Maeurer, et al.         Expires 11 November 2021                [Page 6]

Internet-Draft                    LDACS                         May 2021

   safety and regularity of flight.  In parallel, the ground-based
   broadband data link technology LDACS is being standardized by ICAO
   and has recently shown its maturity during flight tests [SCH20191].
   The LDACS technology is scalable, secure and spectrum efficient and
   provides significant advantages to the users and service providers.
   It is expected that both - satellite systems and LDACS - will be
   deployed to support the future aeronautical communication needs as
   envisaged by the ICAO Global Air Navigation Plan.

4.  Provenance and Documents

   The development of LDACS has already made substantial progress in the
   Single European Sky ATM Research framework, short SESAR, and is
   currently being continued in the follow-up program SESAR2020
   [RIH2018].  A key objective of the these activities is to develop,
   implement and validate a modern aeronautical data link able to evolve
   with aviation needs over long-term.  To this end, an LDACS
   specification has been produced [GRA2019] and is continuously
   updated; transmitter demonstrators were developed to test the
   spectrum compatibility of LDACS with legacy systems operating in the
   L-band [SAJ2014]; and the overall system performance was analyzed by
   computer simulations, indicating that LDACS can fulfil the identified
   requirements [GRA2011].

   LDACS standardization within the framework of the ICAO started in
   December 2016.  The ICAO standardization group has produced an
   initial Standards and Recommended Practices document [ICA2018].  It
   defines the general characteristics of LDACS.  The ICAO
   standardization group plans to produce an ICAO technical manual - the
   ICAO equivalent to a technical standard - within the next years.
   Generally, the group is open to input from all sources and develops
   LDACS in the open.

   Up to now LDACS standardization has been focused on the development
   of the physical layer and the data link layer, only recently have
   higher layers come into the focus of the LDACS development
   activities.  There is currently no "IPv6 over LDACS" specification
   publicly available; however, SESAR2020 has started the testing of
   IPv6-based LDACS testbeds.

   The IPv6 architecture for the aeronautical telecommunication network
   is called the Future Communications Infrastructure (FCI).  FCI shall
   support quality of service, diversity, and mobility under the
   umbrella of the "multi-link concept".  This work is conducted by ICAO
   Communication Panel working group WG-I.

Maeurer, et al.         Expires 11 November 2021                [Page 7]

Internet-Draft                    LDACS                         May 2021

   In addition to standardization activities several industrial LDACS
   prototypes have been built.  One set of LDACS prototypes has been
   evaluated in flight trials confirming the theoretical results
   predicting the system performance [GRA2018] [SCH20191].

5.  Applicability

   LDACS is a multi-application cellular broadband system capable of
   simultaneously providing various kinds of Air Traffic Services (ATS)
   including ATS-B3 and AOC communications services from deployed
   Ground-Stations (GS).  The A2G sub-system physical layer and data
   link layer of LDACS are optimized for data link communications, but
   the system also supports digital air-ground voice communications.

   LDACS supports communication in all airspaces (airport, terminal
   maneuvering area, and en-route), and on the airport surface.  The
   physical LDACS cell coverage is effectively de-coupled from the
   operational coverage required for a particular service.  This is new
   in aeronautical communications.  Services requiring wide-area
   coverage can be installed at several adjacent LDACS cells.  The
   handover between the involved LDACS cells is seamless, automatic, and
   transparent to the user.  Therefore, the LDACS A2G communications
   concept enables the aeronautical communication infrastructure to
   support future dynamic airspace management concepts.

5.1.  Advances Beyond the State-of-the-Art

   LDACS offers several capabilities that are not provided in
   contemporarily deployed aeronautical communication systems.

5.1.1.  Priorities

   LDACS is able to manage services priorities, an important feature not
   available in some of the current data link deployments.  Thus, LDACS
   guarantees bandwidth, low latency, and high continuity of service for
   safety critical ATS applications while simultaneously accommodating
   less safety-critical AOC services.

Maeurer, et al.         Expires 11 November 2021                [Page 8]

Internet-Draft                    LDACS                         May 2021

5.1.2.  Security

   LDACS is a secure data link with built-in security mechanisms.  It
   enables secure data communications for ATS and AOC services,
   including secured private communications for aircraft operators and
   ANSPs (Air Traffic Network Service Providers).  This includes
   concepts for key and trust management, mutual authenticated key
   exchange protocols, key derivation measures, user and control
   message-in-transit confidentiality and authenticity protection,
   secure logging and availability and robustness measures [MAE20181],
   [MAE20191], [MAE20192].

5.1.3.  High Data Rates

   The user data rate of LDACS is 315 kbit/s to 1428 kbit/s on the
   forward link (FL) for the connection Ground-to-Air (G2A), and 294
   kbit/s to 1390 kbit/s on the reverse link (RF) for the connection
   A2G, depending on coding and modulation.  This is 50 times the amount
   terrestrial digital aeronautical communications systems such as VDLM2
   provide [SCH20191].

5.2.  Application

   LDACS shall be used by several aeronautical applications ranging from
   enhanced communication protocol stacks (multi-homed mobile IPv6
   networks in the aircraft and potentially ad-hoc networks between
   aircraft) to classical communication applications (sending Ground
   Based Augmentation System (GBAS) correction data) and integration
   with other service domains (using the communication signal for

5.2.1.  Air-to-Ground Multilink

   It is expected that LDACS together with upgraded satellite-based
   communications systems will be deployed within the FCI and constitute
   one of the main components of the multilink concept within the FCI.

   Both technologies, LDACS and satellite systems, have their specific
   benefits and technical capabilities which complement each other.
   Especially, satellite systems are well-suited for large coverage
   areas with less dense air traffic, e.g. oceanic regions.  LDACS is
   well-suited for dense air traffic areas, e.g. continental areas or
   hot-spots around airports and terminal airspace.  In addition, both
   technologies offer comparable data link capacity and, thus, are well-
   suited for redundancy, mutual back-up, or load balancing.

Maeurer, et al.         Expires 11 November 2021                [Page 9]

Internet-Draft                    LDACS                         May 2021

   Technically the FCI multilink concept shall be realized by multi-
   homed mobile IPv6 networks in the aircraft.  The related protocol
   stack is currently under development by ICAO and the Single European
   Sky ATM Research framework.

5.2.2.  Air-to-Air Extension for LDACS

   A potential extension of the multi-link concept is its extension to
   ad-hoc networks between aircraft.

   Direct A2A communication between aircrafts in terms of ad-hoc data
   networks is currently considered a research topic since there is no
   immediate operational need for it, although several possible use
   cases are discussed (digital voice, wake vortex warnings, and
   trajectory negotiation) [BEL2019].  It should also be noted that
   currently deployed analog VHF voice radios support direct voice
   communication between aircraft, making a similar use case for digital
   voice plausible.

   LDACS direct A2A is currently not part of standardization.

5.2.3.  Flight Guidance

   The FCI (and therefore LDACS) shall be used to host flight guidance.
   This is realized using three applications:

   1.  Context Management (CM): The CM application shall manage the
      automatic logical connection to the ATC center currently
      responsible to guide the aircraft.  Currently this is done by the
      air crew manually changing VHF voice frequencies according to the
      progress of the flight.  The CM application automatically sets up
      equivalent sessions.
   2.  Controller Pilot Data Link Communication (CPDLC): The CPDLC
      application provides the air crew with the ability to exchange
      data messages similar to text messages with the currently
      responsible ATC center.  The CPDLC application shall take over
      most of the communication currently performed over VHF voice and
      enable new services that do not lend themselves to voice
      communication (e.g., trajectory negotiation).
   3.  Automatic Dependent Surveillance - Contract (ADS-C): ADS-C
      reports the position of the aircraft to the currently active ATC
      center.  Reporting is bound to "contracts", i.e. pre-defined
      events related to the progress of the flight (i.e. the
      trajectory).  ADS-C and CPDLC are the primary applications used to
      implement in-flight trajectory management.

   CM, CPDLC, and ADS-C are available on legacy datalinks, but not
   widely deployed and with limited functionality.

Maeurer, et al.         Expires 11 November 2021               [Page 10]

Internet-Draft                    LDACS                         May 2021

   Further ATC applications may be ported to use the FCI or LDACS as
   well.  A notable application is GBAS for secure, automated landings:
   The Global Navigation Satellite System (GNSS) based GBAS is used to
   improve the accuracy of GNSS to allow GNSS based instrument landings.
   This is realized by sending GNSS correction data (e.g., compensating
   ionospheric errors in the GNSS signal) to the aircraft's GNSS
   receiver via a separate data link.  Currently the VDB data link is
   used.  VDB is a narrow-band single-purpose datalink without advanced
   security only used to transmit GBAS correction data.  This makes VDB
   a natural candidate for replacement by LDACS.

5.2.4.  Business Communication of Airlines

   In addition to air traffic services AOC services shall be transmitted
   over LDACS.  AOC is a generic term referring to the business
   communication of airlines.  Regulatory this is considered related to
   the safety and regularity of flight and may therefore be transmitted
   over LDACS.

   AOC communication is considered the main business case for LDACS
   communication service providers since modern aircraft generate
   significant amounts of data (e.g., engine maintenance data).

5.2.5.  LDACS Navigation

   Beyond communication radio signals can always also be used for
   navigation.  LDACS takes this into account.

   For future aeronautical navigation, ICAO RECOMMENDS the further
   development of GNSS based technologies as primary means for
   navigation.  However, the drawback of GNSS is its inherent single
   point of failure - the satellite.  Due to the large separation
   between navigational satellites and aircraft, the received power of
   GNSS signals on the ground is very low.  As a result, GNSS
   disruptions might occasionally occur due to unintentional
   interference, or intentional jamming.  Yet the navigation services
   must be available with sufficient performance for all phases of
   flight.  Therefore, during GNSS outages, or blockages, an alternative
   solution is needed.  This is commonly referred to as Alternative
   Positioning, Navigation, and Timing (APNT).

   One of such APNT solution consists of integrating the navigation
   functionality into LDACS.  The ground infrastructure for APNT is
   deployed through the implementation of LDACS's GSs and the navigation
   capability comes "for free".

   LDACS navigation has already been demonstrated in practice in a
   flight measurement campaign [SCH20191].

Maeurer, et al.         Expires 11 November 2021               [Page 11]

Internet-Draft                    LDACS                         May 2021

6.  Requirements to LDACS

   The requirements to LDACS are mostly defined by its application area:
   Communication related to safety and regularity of flight.

   A particularity of the current aeronautical communication landscape
   is that it is heavily regulated.  Aeronautical data links (for
   applications related to safety and regularity of flight) may only use
   spectrum licensed to aviation and data links endorsed by ICAO.
   Nation states can change this locally, however, due to the global
   scale of the air transportation system adherence to these practices
   is to be expected.

   Aeronautical data links for the Aeronautical Telecommunication
   Network (ATN) are therefore expected to remain in service for
   decades.  The VDLM2 data link currently used for digital terrestrial
   internetworking was developed in the 1990es (the use of the Open
   Systems Interconnection (OSI) stack indicates that as well).  VDLM2
   is expected to be used at least for several decades.  In this respect
   aeronautical communication (for applications related to safety and
   regularity of flight) is more comparable to industrial applications
   than to the open Internet.

   Internetwork technology is already installed in current aircraft.
   Current ATS applications use either the Aircraft Communications
   Addressing and Reporting System (ACARS) or the OSI stack.  The
   objective of the development effort LDACS as part of the FCI is to
   replace legacy OSI stack and proprietary ACARS internetwork
   technologies with industry standard IP technology.  It is anticipated
   that the use of Commercial Off-The-Shelf (COTS) IP technology mostly
   applies to the ground network.  The avionics networks on the aircraft
   will likely be heavily modified or proprietary.

   AOC applications currently mostly use the same stack (although some
   applications, like the graphical weather service may use the
   commercial passenger network).  This creates capacity problems
   (resulting in excessive amounts of timeouts) since the underlying
   terrestrial data links (VDLM1/2) do not provide sufficient bandwidth.
   The use of non-aviation specific data links is considered a security
   problem.  Ideally the aeronautical IP internetwork and the Internet
   should be completely separated.

   The objective of LDACS is to provide a next generation terrestrial
   data link designed to support IP and provide much higher bandwidth to
   avoid the currently experienced operational problems.

   The requirement for LDACS is therefore to provide a terrestrial high-
   throughput data link for IP internetworking in the aircraft.

Maeurer, et al.         Expires 11 November 2021               [Page 12]

Internet-Draft                    LDACS                         May 2021

   In order to fulfil the above requirement LDACS needs to be
   interoperable with IP (and IP-based services like Voice-over-IP) at
   the gateway connecting the LDACS network to other aeronautical ground
   networks (the totality of them being the ATN).  On the avionics side
   in the aircraft aviation specific solutions are to be expected.

   In addition to the functional requirements LDACS and its IP stack
   need to fulfil the requirements defined in RTCA DO-350A/EUROCAE ED-
   228A [DO350A].  This document defines continuity, availability, and
   integrity requirements at different scopes for each air traffic
   management application (CPDLC, CM, and ADS-C).  The scope most
   relevant to IP over LDACS is the CSP (Communication Service Provider)

   Continuity, availability, and integrity requirements are defined in
   [DO350A] volume 1 Table 5-14, and Table 6-13.  Appendix A presents
   the required information.

   In a similar vein, requirements to fault management are defined in
   the same tables.

7.  Characteristics of LDACS

   LDACS will become one of several wireless access networks connecting
   aircraft to the ATN implemented by the FCI and possibly ACARS/FANS
   networks [FAN2019].

   The current LDACS design is focused on the specification of layer 2.

   Achieving stringent the continuity, availability, and integrity
   requirements defined in [DO350A] will require the specification of
   layer 3 and above mechanisms (e.g. reliable crossover at the IP
   layer).  Fault management mechanisms are similarly undefined.  Input
   from the working group will be appreciated here.

7.1.  LDACS Sub-Network

   An LDACS sub-network contains an Access Router (AR) and several GS,
   each of them providing one LDACS radio cell.

   User plane interconnection to the ATN is facilitated by the AR
   peering with an A2G Router connected to the ATN.

   The internal control plane of an LDACS sub-network interconnects the
   GS.  An LDACS sub-network is illustrated in Figure 1.

Maeurer, et al.         Expires 11 November 2021               [Page 13]

Internet-Draft                    LDACS                         May 2021

   wireless      user
   link          plane
                    .                |   Router
                    . control        |
                    . plane          |
                    .                |
                    .                |
                    .                |

           Figure 1: LDACS sub-network with three GSs and one AS

7.2.  Topology

   LDACS operating in A2G mode is a cellular point-to-multipoint system.
   The A2G mode assumes a star-topology in each cell where Aircraft
   Stations (AS) belonging to aircraft within a certain volume of space
   (the LDACS cell) is connected to the controlling GS.  The LDACS GS is
   a centralized instance that controls LDACS A2G communications within
   its cell.  The LDACS GS can simultaneously support multiple bi-
   directional communications to the ASs under its control.  LDACS's GSs
   themselves are connected to each other and the AR.

   Prior to utilizing the system an AS has to register with the
   controlling GS to establish dedicated logical channels for user and
   control data.  Control channels have statically allocated resources,
   while user channels have dynamically assigned resources according to
   the current demand.  Logical channels exist only between the GS and
   the AS.

   The LDACS wireless link protocol stack defines two layers, the
   physical layer and the data link layer.

7.3.  LDACS Physical Layer

   The physical layer provides the means to transfer data over the radio
   channel.  The LDACS GS supports bi-directional links to multiple
   aircraft under its control.  The FL direction at the G2A connection
   and the RL direction at the A2G connection are separated by Frequency
   Division Duplex.  FL and RL use a 500 kHz channel each.  The GS
   transmits a continuous stream of Orthogonal Frequency-Division
   Multiplexing (OFDM) symbols on the FL.  In the RL different aircraft
   are separated in time and frequency using a combination of Orthogonal

Maeurer, et al.         Expires 11 November 2021               [Page 14]

Internet-Draft                    LDACS                         May 2021

   Frequency-Division Multiple-Access (OFDMA) and Time-Division
   Multiple-Access (TDMA).  Aircraft thus transmit discontinuously on
   the RL with radio bursts sent in precisely defined transmission
   opportunities allocated by the GS.

7.4.  LDACS Data Link Layer

   The data-link layer provides the necessary protocols to facilitate
   concurrent and reliable data transfer for multiple users.  The LDACS
   data link layer is organized in two sub-layers: The medium access
   sub-layer and the Logical Link Control (LLC) sub-layer.  The medium
   access sub-layer manages the organization of transmission
   opportunities in slots of time and frequency.  The LLC sub-layer
   provides acknowledged point-to-point logical channels between the
   aircraft and the GS using an automatic repeat request protocol.
   LDACS supports also unacknowledged point-to-point channels and G2A

7.5.  LDACS Mobility

   LDACS supports layer 2 handovers to different LDACS channels.
   Handovers may be initiated by the aircraft (break-before-make) or by
   the GS (make-before-break).  Make-before-break handovers are only
   supported for GSs connected to each other.

   External handovers between non-connected LDACS sub-networks or
   different aeronautical data links shall be handled by the FCI multi-
   link concept.

8.  Reliability and Availability

8.1.  Layer 2

   LDACS has been designed with applications related to the safety and
   regularity of flight in mind.  It has therefore been designed as a
   deterministic wireless data link (as far as this is possible).

   Based on channel measurements of the L-band channel [SCHN2016] and
   respecting the specific nature of the area of application, LDACS was
   designed from the PHY layer up with robustness in mind.

   In order to maximize the capacity per channel and to optimally use
   the available spectrum, LDACS was designed as an OFDM-based Frequency
   Division Duplex system, supporting simultaneous transmissions in FL
   at the G2A connection and RF at the A2G connection.  The legacy
   systems already deployed in the L-band limit the bandwidth of both
   channels to approximately 500 kHz.

Maeurer, et al.         Expires 11 November 2021               [Page 15]

Internet-Draft                    LDACS                         May 2021

   The LDACS physical layer design includes propagation guard times
   sufficient for the operation at a maximum distance of 200 nautical
   miles from the GS.  In actual deployment, LDACS can be configured for
   any range up to this maximum range.

   The LDACS FL physical layer is a continuous OFDM transmission.  LDACS
   RL transmission is based on OFDMA-TDMA bursts, with silence between
   such bursts.  The RL resources (i.e. bursts) are assigned to
   different ASs on demand by the GS.

   The LDACS physical layer supports adaptive coding and modulation for
   user data.  Control data is always encoded with the most robust
   coding and modulation (QPSK coding rate 1/2).

   LDACS medium access on top of the physical layer uses a static frame
   structure to support deterministic timer management.  As shown in
   Figure 3 and Figure 4, LDACS framing structure is based on Super-
   Frames (SF) of 240ms duration corresponding to 2000 OFDM symbols.  FL
   and RL boundaries are aligned in time (from the GS perspective)
   allowing for deterministic sending windows for KEEP ALIVE messages
   and control and data channels in general.

   LDACS medium access is always under the control of the GS of a radio
   cell.  Any medium access for the transmission of user data has to be
   requested with a resource request message stating the requested
   amount of resources and class of service.  The GS performs resource
   scheduling on the basis of these requests and grants resources with
   resource allocation messages.  Resource request and allocation
   messages are exchanged over dedicated contention-free control

   The purpose of Quality-of-Service in LDACS medium access is to
   provide prioritized medium access at the bottleneck (the wireless
   link).  The signaling of higher layer Quality-of-Service requirements
   to LDACS is yet to be defined.  A DiffServ-based solution with a
   small number of priorities is to be expected.

   LDACS has two mechanisms to request resources from the scheduler in
   the GS.

   Resources can either be requested "on demand" with a given priority.
   On the FL, this is done locally in the GS, on the RL a dedicated
   contention-free control channel is used called Dedicated Control
   Channel (DCCH), which is roughly 83 bit every 60 ms.  A resource
   allocation is always announced in the control channel of the FL,
   short Common Control Channel (CCCH) having variable size.  Due to the
   spacing of the RL control channels every 60 ms, a medium access delay
   in the same order of magnitude is to be expected.

Maeurer, et al.         Expires 11 November 2021               [Page 16]

Internet-Draft                    LDACS                         May 2021

   Resources can also be requested "permanently".  The permanent
   resource request mechanism supports requesting recurring resources in
   given time intervals.  A permanent resource request has to be
   canceled by the user (or by the GS, which is always in control).

   User data transmissions over LDACS are therefore always scheduled by
   the GS, while control data uses statically (i.e. at cell entry)
   allocated recurring resources (DCCH and CCCH).  The current
   specification specifies no scheduling algorithm.  Scheduling of RL
   resources is done in physical Protocol Data Units of 112 bit (or
   larger if more aggressive coding and modulation is used).  Scheduling
   on the FL is done Byte-wise since the FL is transmitted continuously
   by the GS.

   In addition to having full control over resource scheduling, the GS
   can send forced Handover commands for off-loading or RF channel
   management, e.g. when the signal quality declines and a more suitable
   GS is in the AS reach.  With robust resource management of the
   capacities of the radio channel, reliability and robustness measures
   are therefore also anchored in the LDACS management entity.

   In addition, to radio resource management, the LDACS control channels
   are also used to send keep-alive messages, when they are not
   otherwise used.  Since the framing of the control channels is
   deterministic, missing keep-alive messages can thus be immediately
   detected.  This information is made available to the multi-link
   protocols for fault management.

   The protocol used to communicate faults is not defined in the LDACS
   specification.  It is assumed that vendors would use industry
   standard protocols like the Simple Network Management Protocol or the
   Network Configuration Protocol where security permits.

   The LDACS data link layer protocol running on top of the medium
   access sub-layer uses ARQ to provide reliable data transmission on
   layer 2.

   It employs selective repeat ARQ with transparent fragmentation and
   reassembly to the resource allocation size to achieve low latency and
   a low overhead without losing reliability.  It ensures correct order
   of packet delivery without duplicates.  In case of transmission
   errors it identifies lost fragments with deterministic timers synced
   to the medium access frame structure and initiates retransmission.
   Additionally, the priority mechanism of LDACS ensures the timely
   delivery of messages with high importance.

Maeurer, et al.         Expires 11 November 2021               [Page 17]

Internet-Draft                    LDACS                         May 2021

8.2.  Beyond Layer 2

   LDACS availability can be increased by appropriately deploying LDACS
   infrastructure: This means proliferating the number of terrestrial
   base stations.  However, the scarcity of aeronautical spectrum for
   data link communication (in the case of LDACS: tens of MHz in the
   L-band) and the long range (in the case of LDACS: up to 400 km) make
   this quite hard.  The deployment of a larger number of small cells is
   certainly possible, suffers, however, also from the scarcity of
   spectrum.  An additional constraint to consider, is that Distance
   Measuring Equipment (DME) is the primary user of the aeronautical
   L-band.  That is, any LDACS deployment has to take DME frequency
   planning into account, too.

   The aeronautical community has therefore decided not to rely on a
   single communication system or frequency band.  It is envisioned to
   have multiple independent data link technologies in the aircraft
   (e.g., terrestrial and satellite communications) in addition to
   legacy VHF voice.

   However, as of now no reliability and availability mechanisms that
   could utilize the multi-link have been specified on Layer 3 and
   above.  Even if LDACS has been designed for reliability, the wireless
   medium presents significant challenges to achieve deterministic
   properties such as low packet error rate, bounded consecutive losses,
   and bounded latency.  Support for high reliability and availability
   for IP connectivity over LDACS is therefore highly desirable, needs,
   however, be adapted to the specific use case.

   Below Layer 2 aeronautics usually relies on hardware redundancy.  To
   protect availability of the LDACS link, an aircraft equipped with
   LDACS will have access to two L-band antennae with triple redundant
   radio systems as required for any safety relevant aeronautical
   systems by ICAO.

9.  Protocol Stack

   The protocol stack of LDACS is implemented in the AS and GS: It
   consists of the Physical Layer (PHY) with five major functional
   blocks above it.  Four are placed in the Data Link Layer (DLL) of the
   AS and GS: (1) Medium Access Layer (MAC), (2) Voice Interface (VI),
   (3) Data Link Service (DLS), and (4) LDACS Management Entity (LME).
   The last entity resides within the Sub-Network Layer: Sub-Network
   Protocol (SNP).  The LDACS network is externally connected to voice
   units, radio control units, and the ATN Network Layer.

   Figure 2 shows the protocol stack of LDACS as implemented in the AS
   and GS.

Maeurer, et al.         Expires 11 November 2021               [Page 18]

Internet-Draft                    LDACS                         May 2021

            IPv6                   Network Layer
   +------------------+  +----+
   |        SNP       |--|    |   Sub-Network
   |                  |  |    |   Layer
   +------------------+  |    |
             |           | LME|
   +------------------+  |    |
   |        DLS       |  |    |   Logical Link
   |                  |  |    |   Control Layer
   +------------------+  +----+
             |             |
            DCH         DCCH/CCCH
             |          RACH/BCCH
             |             |
   |           MAC            |   Medium Access
   |                          |   Layer
   |           PHY            |   Physical Layer
              FL/RL              radio channels
                                 separated by
                                 Frequency Division Duplex

                Figure 2: LDACS protocol stack in AS and GS

9.1.  Medium Access Control (MAC) Entity Services

   The MAC time framing service provides the frame structure necessary
   to realize slot-based Time Division Multiplex (TDM) access on the
   physical link.  It provides the functions for the synchronization of
   the MAC framing structure and the PHY Layer framing.  The MAC time
   framing provides a dedicated time slot for each logical channel.

   The MAC Sub-Layer offers access to the physical channel to its
   service users.  Channel access is provided through transparent
   logical channels.  The MAC Sub-Layer maps logical channels onto the
   appropriate slots and manages the access to these channels.  Logical
   channels are used as interface between the MAC and LLC Sub-Layers.

Maeurer, et al.         Expires 11 November 2021               [Page 19]

Internet-Draft                    LDACS                         May 2021

   The LDACS framing structure for FL and RL is based on Super-Frames
   (SF) of 240 ms duration.  Each SF corresponds to 2000 OFDM symbols.
   The FL and RL SF boundaries are aligned in time (from the view of the

   In the FL, an SF contains a Broadcast Frame of duration 6.72 ms (56
   OFDM symbols) for the Broadcast Control Channel (BCCH), and four
   Multi-Frames (MF), each of duration 58.32 ms (486 OFDM symbols).

   In the RL, each SF starts with a Random Access (RA) slot of length
   6.72 ms with two opportunities for sending RL random access frames
   for the Random Access Channel (RACH), followed by four MFs.  These
   MFs have the same fixed duration of 58.32 ms as in the FL, but a
   different internal structure

   Figure 3 and Figure 4 illustrate the LDACS frame structure.

   |     +------+------------+------------+------------+------------+
   |  FL | BCCH |     MF     |     MF     |     MF     |     MF     |
   F     +------+------------+------------+------------+------------+
   r     <---------------- Super-Frame (SF) - 240ms ---------------->
   q     +------+------------+------------+------------+------------+
   u  RL | RACH |     MF     |     MF     |     MF     |     MF     |
   e     +------+------------+------------+------------+------------+
   n     <---------------- Super-Frame (SF) - 240ms ---------------->
   ----------------------------- Time ------------------------------>

                      Figure 3: SF structure for LDACS

Maeurer, et al.         Expires 11 November 2021               [Page 20]

Internet-Draft                    LDACS                         May 2021

   |     +-------------+------+-------------+
   |  FL |     DCH     | CCCH |     DCH     |
   F     +-------------+------+-------------+
   r     <---- Multi-Frame (MF) - 58.32ms -->
   q     +------+---------------------------+
   u  RL | DCCH |             DCH           |
   e     +------+---------------------------+
   n     <---- Multi-Frame (MF) - 58.32ms -->
   -------------------- Time ------------------>

                      Figure 4: MF structure for LDACS

9.2.  Data Link Service (DLS) Entity Services

   The DLS provides acknowledged and unacknowledged (including broadcast
   and packet mode voice) bi-directional exchange of user data.  If user
   data is transmitted using the acknowledged DLS, the sending DLS
   entity will wait for an acknowledgement from the receiver.  If no
   acknowledgement is received within a specified time frame, the sender
   may automatically try to retransmit its data.  However, after a
   certain number of failed retries, the sender will suspend further
   retransmission attempts and inform its client of the failure.

   The DLS uses the logical channels provided by the MAC:

   1.  A GS announces its existence and access parameters in the
      Broadcast Channel (BC).
   2.  The RA channel enables AS to request access to an LDACS cell.
   3.  In the FL the CCCH is used by the GS to grant access to data
      channel resources.
   4.  The reverse direction is covered by the RL, where ASs need to
      request resources before sending.  This happens via the DCCH.
   5.  User data itself is communicated in the Data Channel (DCH) on the
      FL and RL.

   Access to the FL and RL data channel is granted by the scheduling
   mechanism implemented in the LME discussed below.

Maeurer, et al.         Expires 11 November 2021               [Page 21]

Internet-Draft                    LDACS                         May 2021

9.3.  Voice Interface (VI) Services

   The VI provides support for virtual voice circuits.  Voice circuits
   may either be set-up permanently by the GS (e.g., to emulate voice
   party line) or may be created on demand.  The creation and selection
   of voice circuits is performed in the LME.  The VI provides only the
   transmission services.

9.4.  LDACS Management Entity (LME) Services

   The mobility management service in the LME provides support for
   registration and de-registration (cell entry and cell exit), scanning
   RF channels of neighboring cells and handover between cells.  In
   addition, it manages the addressing of aircraft/ ASs within cells.

   The resource management service provides link maintenance (power,
   frequency and time adjustments), support for adaptive coding and
   modulation, and resource allocation.

   The resource management service accepts resource requests from/for
   different AS and issues resource allocations accordingly.  While the
   scheduling algorithm is not specified and a point of possible vendor
   differentiation, it is subject to the following requirements:

   1.  Resource scheduling must provide channel access according to the
      priority of the request
   2.  Resource scheduling must support "one-time" requests
   3.  Resource scheduling must support "permanent" requests that
      reserve a resource until the request is canceled e.g. for digital
      voice circuits.

9.5.  Sub-Network Protocol (SNP) Services

   The DLS provides functions required for the transfer of user plane
   data and control plane data over the LDACS sub-network.

   The security service provides functions for secure communication over
   the LDACS sub-network.  Note that the SNP security service applies
   cryptographic measures as configured by the GS.

10.  Security Considerations

Maeurer, et al.         Expires 11 November 2021               [Page 22]

Internet-Draft                    LDACS                         May 2021

10.1.  Reasons for Wireless Digital Aeronautical Communications

   Aviation will require secure exchanges of data and voice messages for
   managing the air traffic flow safely through the airspaces all over
   the world.  Historically Communication Navigation Surveillance (CNS)
   wireless communications technology emerged from military and a threat
   landscape where inferior technological and financial capabilities of
   adversaries were assumed [STR2016].  The main communication method
   for ATC today is still an open analogue voice broadcast within the
   aeronautical VHF band.  Currently, the information security is purely
   procedural based by using well-trained personnel and proven
   communications procedures.  This communication method has been in
   service since 1948.  However, since the emergence of civil
   aeronautical CNS application and today, the world has changed.  Civil
   applications have significant lower spectrum available than military
   applications.  This means several military defence mechanisms such as
   frequency hopping or pilot symbol scrambling and, thus, a defense-in-
   depth approach starting at the physical layer is infeasible for civil
   systems.  With the rise of cheap Software Defined Radios, the
   previously existing financial barrier is almost gone and open source
   projects such as GNU radio [GNU2012] allow the new type of
   unsophisticated listeners and possible attackers.  Most CNS
   technology developed in ICAO relies on open standards, thus syntax
   and semantics of wireless digital aeronautical communications should
   be expected to be common knowledge for attackers.  With increased
   digitization and automation of civil aviation the human as control
   instance is being taken gradually out of the loop.  Autonomous
   transport drones or single piloted aircraft demonstrate this trend.
   However, without profound cybersecurity measures such as authenticity
   and integrity checks of messages in-transit on the wireless link or
   mutual entity authentication, this lack of a control instance can
   prove disastrous.  Thus, future digital communications waveforms will
   need additional embedded security features to fulfill modern
   information security requirements like authentication and integrity.
   These security features require sufficient bandwidth which is beyond
   the capabilities of a VHF narrowband communications system.  For
   voice and data communications, sufficient data throughput capability
   is needed to support the security functions while not degrading
   performance.  LDACS is a data link technology with sufficient
   bandwidth to incorporate security without losing too much user

   As digitalization progresses even further with LDACS and automated
   procedures such as 4D-Trajectories allowing semi-automated en-route
   flying of aircraft, LDACS requires stronger cybersecurity measures.

Maeurer, et al.         Expires 11 November 2021               [Page 23]

Internet-Draft                    LDACS                         May 2021

10.2.  LADACS Requirements

   Overall there are several business goals for cybersecurity to protect
   in FCI in civil aviation:

   1.  Safety: The system must sufficiently mitigate attacks, which
      contribute to safety hazards.
   2.  Flight regularity: The system must sufficiently mitigate attacks,
      which contribute to delays, diversions, or cancellations of
   3.  Protection of business interests: The system must sufficiently
      mitigate attacks which result in financial loss, reputation
      damage, disclosure of sensitive proprietary information, or
      disclosure of personal information.

   To further analyze assets and derive threats and thus protection
   scenarios several Threat-and Risk Analysis were performed for LDACS
   [MAE20181] , [MAE20191].  These results allowed deriving security
   scope and objectives from the requirements and the conducted Threat-
   and Risk Analysis.

10.3.  LDACS Security Objectives

   Security considerations for LDACS are defined by the official
   Standards And Recommended Practices (SARPS) document by ICAO

   1.  LDACS shall provide a capability to protect the availability and
      continuity of the system.
   2.  LDACS shall provide a capability including cryptographic
      mechanisms to protect the integrity of messages in transit.
   3.  LDACS shall provide a capability to ensure the authenticity of
      messages in transit.
   4.  LDACS should provide a capability for nonrepudiation of origin
      for messages in transit.
   5.  LDACS should provide a capability to protect the confidentiality
      of messages in transit.
   6.  LDACS shall provide an authentication capability.
   7.  LDACS shall provide a capability to authorize the permitted
      actions of users of the system and to deny actions that are not
      explicitly authorized.
   8.  If LDACS provides interfaces to multiple domains, LDACS shall
      provide capability to prevent the propagation of intrusions within
      LDACS domains and towards external domains.

Maeurer, et al.         Expires 11 November 2021               [Page 24]

Internet-Draft                    LDACS                         May 2021

10.4.  LDACS Security Functions

   These objectives were used to derive several security functions for
   LDACS required to be integrated in the LDACS cybersecurity
   architecture: (1) Identification, (2) Authentication, (3)
   Authorization, (4) Confidentiality, (5) System Integrity, (6) Data
   Integrity, (7) Robustness, (8) Reliability, (9) Availability, and
   (10) Key and Trust Management.  Several works investigated possible
   measures to implement these security functions [BIL2017], [MAE20181],
   [MAE20191].  Having identified security requirements, objectives and
   functions it must be ensured that they are applicable.

10.5.  LDACS Security Architecture

   The requirements lead to a LDACS security model including different
   entities for identification, authentication and authorization
   purposes ensuring integrity, authenticity and confidentiality of data
   in-transit especially.

10.5.1.  Entities

   A simplified LDACS architectural modelrequires the following
   entities: Network operators such as the Societe Internationale de
   Telecommunications Aeronautiques (SITA) [SIT2020] and ARINC [ARI2020]
   are providing access to the (1) Ground IPS network via an (2) A2G
   LDACS Router.  This router is attached to a closed off LDACS Access
   Network, (3) which connects via further (4) Access Routers to the
   different (5) LDACS Cell Ranges, each controlled by a (6) GS (serving
   one LDACS cell), with several interconnected GS (7) spanning a local
   LDACS access network.  Via the (8) A2G wireless LDACS data link (9)
   AS the aircraft is connected to the ground network and via the (10)
   aircrafts's VI and (11) aircraft's network interface, aircraft's data
   can be sent via the AS back to the GS, LDACS local access network,
   access routers, LDACS access network, A2G LDACS router to the ground
   Internet Protocol Suite (IPS) network [ICAO20152].

10.5.2.  Entity Identification

   LDACS needs specific identities for (1) the AS, (2) the GS, and (3)
   the Network Operator.  The aircraft itself can be identified using
   the ICAO unique address of an aircraft, the call sign of that
   aircraft or the recently founded Privacy ICAO Address (PIA) program
   [FAA2020].  It is conceivable that the LDACS AS will use a
   combination of aircraft identification, radio component
   identification and even operator features identification to create a
   unique AS LDACS identification tag.  Similar to a 4G's eNodeB Serving
   Network (SN) Identification tag, a GS could be identified using a
   similar field.  The identification of the network operator is again

Maeurer, et al.         Expires 11 November 2021               [Page 25]

Internet-Draft                    LDACS                         May 2021

   similar to 4G (e.g., E-Plus, AT&T, and TELUS), in the way that the
   aeronautical network operators are listed (e.g., ARINC [ARI2020] and
   SITA [SIT2020]).

10.5.3.  Entity Authentication and Key Negotiation

   In order to anchor Trust within the system all LDACS entities
   connected to the ground IPS network shall be rooted in an LDACS
   specific chain-of-trust and PKI solution, quite similar to AeroMACS
   approach [CRO2016].  These X.509 certificates [RFC5280] residing at
   the entities and incorporated in the LDACS PKI proof the ownership of
   their respective public key, include information about the identity
   of the owner and the digital signature of the entity that has
   verified the certificate's content.  First all ground infrastructures
   must mutually authenticate to each other, negotiate and derive keys
   and, thus, secure all ground connections.  How this process is
   handled in detail is still an ongoing discussion.  However,
   established methods to secure user plane by IPSec [RFC4301] and IKEv2
   [RFC7296] or the application layer via TLS 1.3 [RFC8446] are
   conceivable.  The LDACS PKI with their chain-of-trust approach,
   digital certificates and public entity keys lay the groundwork for
   this step.  In a second step the AS with the LDACS radio approaches
   an LDACS cell and performs a cell entry with the corresponding GS.
   Similar to the LTE cell attachment process [TS33.401], where
   authentication happens after basic communication has been enabled
   between AS and GS (step 5a in the UE attachment process [TS33.401]),
   the next step is mutual authentication and key exchange.  Hence, in
   step three using the identity-based Station-to-Station (STS) protocol
   with Diffie-Hellman Key Exchange [MAE2020], AS and GS establish
   mutual trust by authenticating each other, exchanging key material
   and finally, both ending up with derived key material.  A key
   confirmation is mandatory before the communication channel between
   the AS and the GS can be opened for user-data communications.

10.5.4.  Message-in-transit Confidentiality, Integrity and Authenticity

   The subsequent key material from the previous step can then be used
   to protect LDACS Layer 2 communications via applying encryption and
   integrity protection measures on the SNP layer of the LDACS protocol
   stack.  As LDACS transports AOC and ATS data, the integrity of that
   data is most important, while confidentiality only needs to be
   applied to AOC data to protect business interests [ICA2018].  This
   possibility of providing low layered confidentiality and integrity
   protection ensures a secure delivery of user data over the air gap.
   Furthermore, it ensures integrity protection of LDACS control data.

Maeurer, et al.         Expires 11 November 2021               [Page 26]

Internet-Draft                    LDACS                         May 2021

10.6.  LDACS Security Modules

   A draft of the cybersecurity architecture of LDACS can be found in
   [ICA2018] and [MAE20182] and respective updates in [MAE20191],
   [MAE20192], and [MAE2020].

10.6.1.  Placements of Security Functionality in Protocol Stack

   Placing protection mechanisms in the LME and SNP entities within the
   protocol stack of LDACS will be most efficient in securing LDACS.
   MAC and DLS will also receive new tasks like the measurement
   performance for control channel protection.  Security endpoints for
   secure user data communication, control data protection and primary
   entity authentication are the AS and GS.

10.6.2.  Trust

   The LDACS security concept requires all entities in an LDACS network
   to authenticate to each other to ascertain that only trusted
   participants can use the system.  To establish trust within the
   network, inter-operations between all FCI candidates must be
   possible, thus LDACS will follow AeroMACS lead and also use an FCI
   specific PKI [RFC5280].  A PKI can solve the problem of having to
   trust a communication's partner identity claim via involving a
   trusted third party who verifies the identities of the parties who
   wish to engage in communication via issuing a digital certificate.
   As aviation operates worldwide, a hierarchical PKI will have to be
   deployed with several sub-CAs being distributed over the world.

   Basically, there are two proposals on how to achieve worldwide trust

   1.  One root CA is installed per geographic region and then it
      performs cross-certification with distributed root-CAs of all
      other geo-graphic regions around the world.  Subdomains can exist
      within ATM organizations.  Here trust emerges from the assured
      trustworthiness of each regional root CA cross-certifying other
      and being cross-certified by other regional CAs
   2.  The other idea is to have one worldwide (probably offline) root
      CA, hosted by a trusted worldwide entity, such as ICAO, with
      several regions sub-CAs distributed around the world.  That way,
      the ICAO hosted root CA serves as trust bridge.

Maeurer, et al.         Expires 11 November 2021               [Page 27]

Internet-Draft                    LDACS                         May 2021

10.6.3.  Mutual Authentication and Key Exchange (MAKE)

   Via a modified, identity-based STS procedure and digital certificate
   and public keys pre-deployed during maintenance at the respective
   end-entities, the MAKE procedure can guarantee (1) Mutual
   Authentication, (2) Secure Key Agreement, (3) Prefect Forward Secrecy
   and (4) Key Confirmation [MAE2020].  As Diffie-Hellman Key Exchange
   (DHKE) procedure, we are currently evaluating the classic ephemeral
   DHKE [DIF1976] with 3072bit keys, Elliptic Curve DHKE (ECDH) with
   256bit keys [KOB1987] and the Supersingular Isogeny DHKE (SIDH) with
   2624bit key sizes [JAO2011].  As minimization of security data on the
   datalink is key, ECDH is currently the favorite way forward.
   Assuming that an LDACS security header consists of TYPE, ID, UA and
   PRIO fields, the entire header is of length 48bit [GRA2019].
   Cryptographic nonces are 96bit long, signatures 512bit and the public
   elliptic curve Diffie-Hellman keys 256bit.  With these bit sizes, the
   entire STS-MAKE procedure between AS and GS requires a total of 4
   messages and 1920bit [MAE2021].

10.6.4.  Key Derivation and Key Hierarchy

   Once all parties within the network have successfully authenticated
   to each other, key derivation is necessary to generate different keys
   for different purposes.  We need different keys for user data
   protection and keys for control data protection.  As key derivation
   function, we propose the Hash-based Message Authentication Code
   (HMAC) Key Derivation Function (KDF) - HKDF [RFC5869].  First the
   input keying material (here: master key/static Diffie Hellman shared
   key) is taken and a fixed-length pseudo-random key is extracted.  We
   extract a pseudorandom key from the master key by adding a salt
   value, which can be any fixed non-secret string chosen at random.  In
   the process the pseudo random key becomes indistinguishable from a
   uniform distribution of bits.  As LDACS will be deployed in 2024 with
   a recommendation of a minimum-security level of 128bit.

10.6.5.  User Data Security

   It is proposed to secure LDACS Sub-Network Packet Data Units (SN-
   PDU)s, as their size can vary from 128 to 1536 Byte [GRA2019], which
   makes them possibly the largest PDUs within LDACS.  This helps
   minimizing security data overhead, in case a Message Authentication
   Code (MAC) tag is attached to the SN-PDU.  For confidentiality
   protection, it is recommended symmetric approaches for data
   encryption, due to low computational overhead and fast operation
   times.  As encryption algorithm, it is recommended to use AES-128-
   GCM/AES-256-GCM [RFC5288] with Galois Counter Mode (GCM) being a mode
   of operation on symmetric key block.  It provides authenticated
   encryption and decryption operations and it proves robust against

Maeurer, et al.         Expires 11 November 2021               [Page 28]

Internet-Draft                    LDACS                         May 2021

   currently known quantum-computer-based algorithms [BER2017].  For
   message integrity/authenticity protection, it is recommended either
   to use the aforementioned AES-GCM with tag lengths of at least 128bit
   or HMAC with hash-functions from the SHA-3 family [PRI2014].  At
   least HMAC-SHA3-128 with a tag length of 128bit is recommended.  This
   way the tag security data overhead ranges from 1.04 to 12.50% for
   user data, depending on the SN-PDU size.

10.6.6.  Control Data Security

   LDACS has four control channels: AS announce their existence in the
   RA, at the beginning of each SF in the RL, where each AS can transmit
   56bit.  GS announce their existence in the BC, at the beginning of
   each SF in the FL, where the GS can transmit a total of 2304bit.  AS
   can request resources in the DC, where each AS has an 83bit long slot
   and GS can grant those resources in the CC, with 728bit per CC-PHY-
   SDU.  As the control channels of LDACS are very small-size, it is
   obvious that protection is challenging.  Having security requirements
   in mind it is recommended to introduce group key mechanisms for
   LDACS.  Thus, after the MAKE procedure of LDACS, a control plane
   related group key is derived by the GS and shared with all AS in a
   protected manner.  As group key procedure, several approaches are
   investigated (e.g., G-IKEv2 [I-D.ietf-ipsecme-g-ikev2], CRGT
   [ZHE2007], CAKE [GUG2018], LKH [SAK2014], and OFT [KUM2020]).  As OFT
   has the least requirements on network operations compared to the
   other, LDACS will use OFT with a fixed tree of 512-member nodes for a
   maximum of 512 supported AS in an LDACS cell.  All AS and GS use this
   group key to protect the exchanged control data in the CC/DC slots.
   As these messages remain valid for a time period in the order of 10
   ms and the transmission is distance bound by the MAC protocol of
   LDACS, very small digest tags of 16 or 32bit can suffice to protect a
   minimum of integrity of control messages of LDACS.  To that end, it
   is proposed to use blake2b or blake2s and to trim the tag after 4
   bytes [RFC7693].

11.  Privacy Considerations

   LDACS provides a Quality-of-Service, and the generic considerations
   for such mechanisms apply.

12.  IANA Considerations

   This memo includes no request to IANA.

13.  Acknowledgements

   Thanks to all contributors to the development of LDACS and ICAO PT-T.

Maeurer, et al.         Expires 11 November 2021               [Page 29]

Internet-Draft                    LDACS                         May 2021

   Thanks to Klaus-Peter Hauf, Bart Van Den Einden, and Pierluigi
   Fantappie for further input to this draft.

   Thanks to the Chair for Network Security and the research institute
   CODE for their comments and improvements.

   Thanks to SBA Research Vienna for fruitful discussions on
   aeronautical communications concerning security incentives for
   industry and potential economic spillovers.

14.  Normative References

   [RFC4301]  Kent, S. and K. Seo, "Security Architecture for the
              Internet Protocol", RFC 4301, DOI 10.17487/RFC4301,
              December 2005, <https://www.rfc-editor.org/info/rfc4301>.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, May 2008,

   [RFC7296]  Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
              Kivinen, "Internet Key Exchange Protocol Version 2
              (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, October
              2014, <https://www.rfc-editor.org/info/rfc7296>.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,

   [RFC5869]  Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand
              Key Derivation Function (HKDF)", RFC 5869,
              DOI 10.17487/RFC5869, May 2010,

   [RFC5288]  Salowey, J., Choudhury, A., and D. McGrew, "AES Galois
              Counter Mode (GCM) Cipher Suites for TLS", RFC 5288,
              DOI 10.17487/RFC5288, August 2008,

Maeurer, et al.         Expires 11 November 2021               [Page 30]

Internet-Draft                    LDACS                         May 2021

   [RFC7693]  Saarinen, M-J., Ed. and J-P. Aumasson, "The BLAKE2
              Cryptographic Hash and Message Authentication Code (MAC)",
              RFC 7693, DOI 10.17487/RFC7693, November 2015,

15.  Informative References

   [SCHN2016] Schneckenburger, N., Jost, T., Shutin, D., Walter, M.,
              Thiasiriphet, T., Schnell, M., and U.C. Fiebig,
              "Measurement of the L-band Air-to-Ground Channel for
              Positioning Applications", IEEE Transactions on Aerospace
              and Electronic Systems, 52(5), pp.2281-229 , 2016.

   [MAE20191] Maeurer, N., Graeupl, T., and C. Schmitt, "Evaluation of
              the LDACS Cybersecurity Implementation", IEEE 38th Digital
              Avionics Systems Conference (DACS), pp. 1-10, San Diego,
              CA, USA , 2019.

   [MAE20192] Maeurer, N. and C. Schmitt, "Towards Successful
              Realization of the LDACS Cybersecurity Architecture: An
              Updated Datalink Security Threat- and Risk Analysis", IEEE
              Integrated Communications, Navigation and Surveillance
              Conference (ICNS), pp. 1-13, Herndon, VA, USA , 2019.

   [GRA2019]  Graeupl, T., Rihacek, C., and B. Haindl, "LDACS A/G
              Specification", SESAR2020 PJ14-02-01 D3.3.030 , 2019.

   [FAN2019]  Pierattelli, S., Fantappie, P., Tamalet, S., van den
              Einden, B., Rihacek, C., and T. Graeupl, "LDACS Deployment
              Options and Recommendations", SESAR2020 PJ14-02-01
              D3.4.020 , 2019.

   [MAE20182] Maeurer, N. and A. Bilzhause, "A Cybersecurity
              Architecture for the L-band Digital Aeronautical
              Communications System (LDACS)", IEEE 37th Digital Avionics
              Systems Conference (DASC), pp. 1-10, London, UK , 2017.

   [GRA2011]  Graeupl, T. and M. Ehammer, "L-DACS1 Data Link Layer
              Evolution of ATN/IPS", 30th IEEE/AIAA Digital Avionics
              Systems Conference (DASC), pp. 1-28, Seattle, WA, USA ,

Maeurer, et al.         Expires 11 November 2021               [Page 31]

Internet-Draft                    LDACS                         May 2021

   [GRA2018]  Graeupl, T., Schneckenburger, N., Jost, T., Schnell, M.,
              Filip, A., Bellido-Manganell, M.A., Mielke, D.M., Maeurer,
              N., Kumar, R., Osechas, O., and G. Battista, "L-band
              Digital Aeronautical Communications System (LDACS) flight
              trials in the national German project MICONAV", Integrated
              Communications, Navigation, Surveillance Conference
              (ICNS), pp. 1-7, Herndon, VA, USA , 2018.

   [SCH20191] Schnell, M., "DLR Tests Digital Communications
              Technologies Combined with Additional Navigation Functions
              for the First Time", 2019.

   [ICA2018]  International Civil Aviation Organization (ICAO), "L-Band
              Digital Aeronautical Communication System (LDACS)",
              International Standards and Recommended Practices Annex 10
              - Aeronautical Telecommunications, Vol. III -
              Communication Systems , 2018.

   [SAJ2014]  Haindl, B., Meser, J., Sajatovic, M., Mueller, S.,
              Arthaber, H., Faseth, T., and M. Zaisberger, "LDACS1
              Conformance and Compatibility Assessment", IEEE/AIAA 33rd
              Digital Avionics Systems Conference (DASC), pp. 1-11,
              Colorado Springs, CO, USA , 2014.

   [RIH2018]  Rihacek, C., Haindl, B., Fantappie, P., Pierattelli, S.,
              Graeupl, T., Schnell, M., and N. Fistas, "L-band Digital
              Aeronautical Communications System (LDACS) Activities in
              SESAR2020", Integrated Communications Navigation and
              Surveillance Conference (ICNS), pp. 1-8, Herndon, VA,
              USA , 2018.

   [BEL2019]  Bellido-Manganell, M. A. and M. Schnell, "Towards Modern
              Air-to-Air Communications: the LDACS A2A Mode", IEEE/AIAA
              38th Digital Avionics Systems Conference (DASC), pp. 1-10,
              San Diego, CA, USA , 2019.

   [TS33.401] Zhang, D., "3GPP System Architecture Evolution (SAE);
              Security architecture", T33.401, 3GPP , 2012.

   [CRO2016]  Crowe, B., "Proposed AeroMACS PKI Specification is a Model
              for Global and National Aeronautical PKI Deployments",
              WiMAX Forum at 16th Integrated Communications, Navigation
              and Surveillance Conference (ICNS), pp. 1-19, New York,
              NY, USA , 2016.

Maeurer, et al.         Expires 11 November 2021               [Page 32]

Internet-Draft                    LDACS                         May 2021

   [MAE2020]  Maeurer, N., Graeupl, T., and C. Schmitt, "Comparing
              Different Diffie-Hellman Key Exchange Flavors for LDACS",
              IEEE/AIAA 39th Digital Avionics Systems Conference (DASC),
              pp. 1-10, San Antonio, TX, USA , 2020.

   [STR2016]  Strohmeier, M., Schaefer, M., Pinheiro, R., Lenders, V.,
              and I. Martinovic, "On Perception and Reality in Wireless
              Air Traffic Communication Security", IEEE Transactions on
              Intelligent Transportation Systems, 18(6), pp. 1338-1357,
              New York, NY, USA , 2016.

   [BIL2017]  Bilzhause, A., Belgacem, B., Mostafa, M., and T. Graeupl,
              "Datalink Security in the L-band Digital Aeronautical
              Communications System (LDACS) for Air Traffic Management",
              IEEE Aerospace and Electronic Systems Magazine, 32(11),
              pp. 22-33, New York, NY, USA , 2017.

   [MAE20181] Maeurer, N. and A. Bilzhause, "Paving the Way for an IT
              Security Architecture for LDACS: A Datalink Security
              Threat and Risk Analysis", IEEE Integrated Communications,
              Navigation, Surveillance Conference (ICNS), pp. 1-11, New
              York, NY, USA , 2018.

   [FAA2020]  FAA, "Federal Aviation Administration. ADS-B Privacy.",
              August 2020,

   [GNU2012]  GNU Radio project, "GNU radio", August 2012,

   [SIT2020]  SITA, "Societe Internationale de Telecommunications
              Aeronautiques", August 2020, <https://www.sita.aero/>.

   [ARI2020]  ARINC, "Aeronautical Radio Incorporated", August 2020,

   [DO350A]   RTCA SC-214, "Safety and Performance Standard for Baseline
              2 ATS Data Communications (Baseline 2 SPR Standard)", May
              2016, <https://standards.globalspec.com/std/10003192/rtca-

              International Civil Aviation Organization (ICAO), "Manual
              on VHF Digital Link (VDL) Mode 2, Doc 9776", January 2019,

Maeurer, et al.         Expires 11 November 2021               [Page 33]

Internet-Draft                    LDACS                         May 2021

              International Civil Aviation Organization (ICAO), "Manual
              on the Aeronautical Telecommunication Network (ATN) using
              Internet Protocol Suite (IPS) Standards and Protocols, Doc
              9896", January 2015,

   [KAMA2010] Kamali, B., "An Overview of VHF Civil Radio Network and
              the Resolution of Spectrum Depletion", Integrated
              Communications, Navigation, and Surveillance Conference,
              pp. F4-1-F4-8 , May 2010.

   [DIF1976]  Diffie, W. and M. Hellman, "New Directions in
              Cryptography", IEEE Transactions on Information Theory,
              22(6):644-654 , November 1976.

   [KOB1987]  Koblitz, N. and M. Hellman, "Elliptic Curve
              Cryptosystems", Mathematics of Computation,
              48(177):203-209. , January 1987.

   [JAO2011]  Jao, D. and L. De Feo, "Towards Quantum-Resistant
              Cryptosystems from Super-singular Elliptic Curve
              Isogenies", 4th International Workshop on Post-Quantum
              Cryptography, Springer, Heidelberg, Germany, pp. 19-34 ,
              November 2011.

   [MAE2021]  Maeurer, N., Graeupl, T., and C. Schmitt, "Cybersecurity
              for the L-band DigitalAeronautical Communications System
              (LDACS)", Aviation Cybersecurity: Foundations, Principles,
              and Applications. H. Song, K. Hopkinson, T. De Cola, T.
              Alexandrovich, and D. Liu (Eds.), Chapter 07, in printing
              process , 2021.

   [BER2017]  Bernstein, D.J. and T. Lange, "Post-Quantum Cryptography",
              Nature, 549(7671):188-194 , 2017.

   [PRI2014]  Pritzker, P. and P.D. Gallagher, "SHA-3 standard:
              Permutation-Based Hash and Extendable-Output Functions",
              Information Tech Laboratory National Institute of
              Standards and Technology, pp. 1-35 , 2014.

   [ZHE2007]  Zheng, X., Huang, C.T., and M. Matthews, "Chinese
              Remainder Theorem-Based Group Key Management", 45th Annual
              Southeast Regional Conference, ACM, New York, NY, USA, pp.
              266-271 , March 2007.

Maeurer, et al.         Expires 11 November 2021               [Page 34]

Internet-Draft                    LDACS                         May 2021

   [GUG2018]  Guggemos, T., Streit, K., Knuepfer, M., gentsche Felde,
              N., and P. Hillmann, "No Cookies, Just CAKE: CRTbased Key
              Hierarchy for Efficient Key Management in Dynamic Groups",
              International Conference for Internet Technology and
              Secured Transactions, Cambridge, UK, pp. 25-32 , December

   [SAK2014]  Sakamoto, N., "An Efficient Structure for LKH Key Tree on
              Secure Multi-Cast Communications", 15th IEEE/ACIS
              International Conference on Software Engineering,
              Artificial Intelligence, Networking and Parallel/
              Distributed Computing, New York, NY, USA, pp. 1-7 ,
              November 2014.

   [KUM2020]  Kumar, V., Kumar, R., and S.K. Pandey, "A Computationally
              Efficient Centralized Group Key Distribution Protocol for
              Secure Multicast Communications Based Upon RSA Public Key
              Cryptosystem", Journal of King Saud University - Computer
              and Information Sciences, 32(9):1081-1094 , 2020.

              Thubert, P., Cavalcanti, D., Vilajosana, X., Schmitt, C.,
              and J. Farkas, "Reliable and Available Wireless
              Technologies", Work in Progress, Internet-Draft, draft-
              ietf-raw-technologies-01, 19 February 2021,

              Papadopoulos, G. Z., Thubert, P., Theoleyre, F., and C. J.
              Bernardos, "RAW use cases", Work in Progress, Internet-
              Draft, draft-ietf-raw-use-cases-01, 21 February 2021,

              Smyslov, V. and B. Weis, "Group Key Management using
              IKEv2", Work in Progress, Internet-Draft, draft-ietf-
              ipsecme-g-ikev2-02, 11 January 2021,

Appendix A.  Selected Information from DO-350A

   This appendix includes the continuity, availability, and integrity
   requirements interesting for LDACS defined in [DO350A].

   The following terms are used here:

Maeurer, et al.         Expires 11 November 2021               [Page 35]

Internet-Draft                    LDACS                         May 2021

   CPDLC  Controller Pilot Data Link Communication
   DT  Delivery Time (nominal) value for RSP
   ET  Expiration Time value for RCP
   FH  Flight Hour
   MA  Monitoring and Alerting criteria
   OT  Overdue Delivery Time value for RSP
   RCP  Required Communication Performance
   RSP  Required Surveillance Performance
   TT  Transaction Time (nominal) value for RCP

          |                        |   ECP 130   |   ECP 130   |
          | Parameter              |      ET     |    TT95%    |
          | Transaction Time (sec) |     130     |      67     |
          | Continuity             |    0.999    |     0.95    |
          | Availability           |    0.989    |    0.989    |
          | Integrity              | 1E-5 per FH | 1E-5 per FH |

                   Table 1: CPDLC Requirements for ECP

      |              | RCP 240  |   RCP 240    | RCP 400 | RCP 400 |
      | Parameter    |    ET    |    TT95%     |    ET   |  TT95%  |
      | Transaction  |   240    |     210      |   400   |   350   |
      | Time (sec)   |          |              |         |         |
      | Continuity   |  0.999   |     0.95     |  0.999  |   0.95  |
      | Availability |  0.989   |    0.989     |  0.989  |  0.989  |
      |              | (safety) | (efficiency) |         |         |
      | Integrity    | 1E-5 per | 1E-5 per FH  |   1E-5  |   1E-5  |
      |              |    FH    |              |  per FH |  per FH |

                   Table 2: CPDLC Requirements for RCP

   RCP Monitoring and Alerting Criteria in case of CPDLC:

Maeurer, et al.         Expires 11 November 2021               [Page 36]

Internet-Draft                    LDACS                         May 2021

   -  MA-1: The system SHALL be capable of detecting failures and
      configuration changes that would cause the communication service
      no longer meet the RCP specification for the intended use.
   -  MA-2: When the communication service can no longer meet the RCP
      specification for the intended function, the flight crew and/or
      the controller SHALL take appropriate action.

   |              | RSP | RSP | RSP 180  |   RSP 180    | RSP  |RSP 400|
   |              | 160 | 160 |          |              | 400  |       |
   | Parameter    |  OT |DT95%|    OT    |    DT95%     |  OT  | DT95% |
   | Transaction  | 160 |  90 |   180    |      90      | 400  |  300  |
   | Time (sec)   |     |     |          |              |      |       |
   | Continuity   |0.999| 0.95|  0.999   |     0.95     |0.999 |  0.95 |
   | Availability |0.989|0.989|  0.989   |    0.989     |0.989 | 0.989 |
   |              |     |     | (safety) | (efficiency) |      |       |
   | Integrity    | 1E-5| 1E-5| 1E-5 per | 1E-5 per FH  | 1E-5 |  1E-5 |
   |              | per | per |    FH    |              |per FH| per FH|
   |              |  FH |  FH |          |              |      |       |

                        Table 3: ADS-C Requirements

   RCP Monitoring and Alerting Criteria:

   -  MA-1: The system SHALL be capable of detecting failures and
      configuration changes that would cause the ADS-C service no longer
      meet the RSP specification for the intended function.
   -  MA-2: When the ADS-C service can no longer meet the RSP
      specification for the intended function, the flight crew and/or
      the controller SHALL take appropriate action.

Authors' Addresses

   Nils Maeurer (editor)
   German Aerospace Center (DLR)
   Muenchner Strasse 20
   82234 Wessling

   Email: Nils.Maeurer@dlr.de

Maeurer, et al.         Expires 11 November 2021               [Page 37]

Internet-Draft                    LDACS                         May 2021

   Thomas Graeupl (editor)
   German Aerospace Center (DLR)
   Muenchner Strasse 20
   82234 Wessling

   Email: Thomas.Graeupl@dlr.de

   Corinna Schmitt (editor)
   Research Institute CODE, UniBwM
   Werner-Heisenberg-Weg 28
   85577 Neubiberg

   Email: corinna.schmitt@unibw.de

Maeurer, et al.         Expires 11 November 2021               [Page 38]