Network Working Group                                       L. Melegassi
Internet-Draft                                                  Catellix
Intended status: Informational                              28 May 2026
Expires: 29 November 2026


            MVPS Maritime and Tactical-Edge Profile: Coherence
            Monitoring under Disconnected, Intermittent, Limited
                  Connectivity and GNSS-Denied Holdover
                draft-melegassi-ippm-mvps-maritime-edge-00


Abstract

   This document defines a deployment profile of Multi-Vantage Path
   Snapshot (MVPS) for fleets and fixed installations operating in
   Disconnected, Intermittent, Limited (DIL) environments where Global
   Navigation Satellite System (GNSS) time may be denied -- for example
   naval and maritime critical infrastructure and other tactical-edge
   networks.  The profile is DEFENSIVE: it concerns detection of
   coherence anomalies in the network and timing telemetry (cyber
   intrusion, comms tampering, and positioning/timing (PNT) spoofing).
   It defines no navigation, targeting, or kinetic function.

   MVPS promotes its detection theorems to any surface satisfying its
   five axioms.  At sea only one axiom is at risk: A1, the bounded
   joint-clock-skew requirement, because oscillators drift under GNSS
   denial and links are intermittent.  This document proves A1 still
   holds on an enlarged coherence tick under explicit datasheet-grounded
   budgets, after which the core theorems inherit verbatim via the MVPS
   Architecture-Invariance Theorem.  The closed-form result shows the
   binding constraint is store-and-forward latency, not clock drift. All
   properties are validated by scripts/validate_maritime_edge.py (7/7
   PASS, exit 0) and recorded in evidence/maritime_edge_receipt.json.


Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 29 November 2026.


Copyright Notice

   Copyright (c) 2026 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document.  Code Components extracted from this
   document must include Revised BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Revised BSD License.


Table of Contents

   1.  Introduction
     1.1.  Defensive Scope and Non-Goals
     1.2.  Which Axiom Is at Risk
   2.  Terminology
   3.  The DIL Joint-Skew Model
   4.  Re-establishing Axiom A1 (Lemma L-MAR-1)
   5.  Maximum Tolerable GNSS Denial (Lemma L-MAR-2)
   6.  Store-and-Forward Tick Assignment (Lemma L-MAR-4)
   7.  Inheritance of the Core Theorems
   8.  Byzantine and Destroyed Vantages
   9.  PNT/GNSS Spoofing (Conjecture C-MAR-1)
   10. Operational Logging
   11. Numerical Receipt
   12. Security Considerations
   13. IANA Considerations
   14. References
     14.1.  Normative References
     14.2.  Informative References
   Appendix A.  Worked Budgets (Normative)
   Author's Address


1.  Introduction

   MVPS detects network-propagating anomalies by measuring the COHERENCE
   of an observed state across multiple spatially independent vantages.
   Its theorems are surface-independent: they hold where the five MVPS
   axioms hold, by the Architecture-Invariance Theorem
   [I-D.melegassi-iab-mvps-architecture].

   Maritime/tactical-edge deployments are exactly the critical, high-
   stakes environments MVPS was built for, but they stress the timing
   assumptions: ships and remote nodes lose connectivity for long
   stretches (Disconnected), regain it briefly (Intermittent) and at low
   rate (Limited), and may operate with GNSS time denied by jamming or
   spoofing.  This profile shows MVPS still applies, by re-establishing
   the one axiom that DIL puts at risk and inheriting the rest.

1.1.  Defensive Scope and Non-Goals

   This profile is strictly DEFENSIVE.  It concerns the detection of
   anomalies in network and timing telemetry: coordinated intrusion,
   communications tampering, and positioning/timing (PNT) spoofing.

   This document does NOT define and MUST NOT be claimed to define:

   o  any navigation, guidance, fire-control, or targeting function;

   o  any kinetic capability;

   o  any output other than coherence-anomaly detection and audit logs.

   The mathematics here is identical in kind to the terrestrial and
   broadband-mesh profiles; only the timing budget differs.

1.2.  Which Axiom Is at Risk

   MVPS rests on axioms A1..A5.  A2 (bundle), A3 (coherence axes), A4,
   and A5 (Byzantine-tolerant aggregator) are structural and carry over
   to sea unchanged.  Only A1 -- the requirement that the joint clock
   skew across vantages stay below the coherence tick -- is stressed
   by GNSS denial (oscillator drift) and intermittency (store-and-
   forward delay).  Sections 3-6 re-establish A1; Section 7 inherits the
   theorems.


2.  Terminology

   DIL:  Disconnected, Intermittent, Limited connectivity.

   Holdover:  free-running operation of a local oscillator while GNSS or
      PTP discipline is unavailable.

   eps_sync:  residual time-sync error at last GNSS/PTP contact.

   rho:  holdover fractional-frequency drift rate (s/s).

   Delta_d:  maximum GNSS-denied (disconnect) interval before re-sync.

   tau_store:  maximum store-and-forward delivery latency for a source-
      timestamped bundle.

   T_tick_eff:  the enlarged coherence tick chosen for the deployment.

   The key words "MUST", "MUST NOT", "SHOULD", "MAY" in this document
   are to be interpreted as described in BCP 14 [RFC2119] [RFC8174]
   when, and only when, they appear in all capitals.


3.  The DIL Joint-Skew Model

   A vantage that loses GNSS runs on a holdover oscillator that
   accumulates time offset bounded by rho * Delta_d over a denial
   interval Delta_d (datasheet OCXO ~ 1e-8 s/s; TCXO ~ 1e-6 s/s).  A
   bundle is timestamped at the SOURCE and forwarded later; ordering is
   recovered from the source timestamp.  The effective joint skew is

      skew_eff = 2 * ( eps_sync + rho * Delta_d ) + tau_store .

   The factor 2 covers two vantages drifting in opposite directions; the
   tau_store term covers the worst-case delivery delay absorbed by the
   tick window (Section 6).


4.  Re-establishing Axiom A1 (Lemma L-MAR-1)

   Axiom A1 holds on tick T_tick_eff iff

      skew_eff = 2*(eps_sync + rho*Delta_d) + tau_store  <  T_tick_eff.

   For representative budgets (eps_sync = 1 ms, tau_store = 5 s,
   T_tick_eff = 60 s):

      OCXO  (rho 1e-8, Delta_d 24 h): skew_eff = 5.0037 s  < 60 s
      TCXO  (rho 1e-6, Delta_d  1 h): skew_eff = 5.0092 s  < 60 s
      stress(rho 1e-5, Delta_d 24 h, tau_store 50 s): 51.748 s < 60 s

   All satisfy A1 (validator check L-MAR-1).


5.  Maximum Tolerable GNSS Denial (Lemma L-MAR-2)

   Solving skew_eff = T_tick_eff for the denial interval gives the
   closed-form tolerance

      Delta_d_max = ( T_tick_eff - tau_store - 2*eps_sync ) / ( 2*rho ).

   For the TCXO budget above, Delta_d_max ~ 318 days.  The practical
   reading: with any reasonable oscillator the BINDING constraint on A1
   is the store-and-forward latency tau_store, not clock drift.  The sea
   problem is the LINK, not the clock.


6.  Store-and-Forward Tick Assignment (Lemma L-MAR-4)

   A source-timestamped bundle delivered after tau_store is assigned to
   its correct tick window (index floor(source_ts / T_tick_eff)) iff

      tau_store  <  T_tick_eff.

   If tau_store >= T_tick_eff, a delayed bundle can land in the wrong
   window and the joint observation breaks; the operator MUST then
   enlarge T_tick_eff.  The validator confirms a feasible budget is
   accepted and that an infeasible budget (tau_store = 70 s,
   T_tick_eff = 60 s; skew_eff = 70.009 s) is correctly rejected.
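
   The budget arithmetic of Sections 3-6, as an added example (not part
   of this draft and not scripts/validate_maritime_edge.py).  It covers
   the OCXO and TCXO budgets and the infeasible control; function names
   are illustrative, and the infeasible control is assumed to reuse the
   TCXO drift rate and denial interval.

```python
import math

def skew_eff(eps_sync, rho, delta_d, tau_store):
    """Section 3: effective joint skew, arguments in seconds (rho in s/s)."""
    return 2.0 * (eps_sync + rho * delta_d) + tau_store

def delta_d_max(eps_sync, rho, tau_store, t_tick_eff):
    """Section 5: longest GNSS denial (s) that keeps A1; 0 if none does."""
    headroom = t_tick_eff - tau_store - 2.0 * eps_sync
    return max(headroom, 0.0) / (2.0 * rho)

def tick_index(source_ts, t_tick_eff):
    """Section 6: window index taken from the SOURCE timestamp."""
    return math.floor(source_ts / t_tick_eff)

def windows_late(source_ts, delay, t_tick_eff):
    """How many windows after its own a bundle arrives, given its delay."""
    return tick_index(source_ts + delay, t_tick_eff) - tick_index(source_ts, t_tick_eff)

def evaluate(eps_sync, rho, delta_d, tau_store, t_tick_eff):
    """Verdict for one budget: skew, A1 (L-MAR-1) and tick rule (L-MAR-4)."""
    skew = skew_eff(eps_sync, rho, delta_d, tau_store)
    return {
        "skew_eff_s": round(skew, 4),
        "a1_holds": skew < t_tick_eff,
        "tick_rule_holds": tau_store < t_tick_eff,
        "delta_d_max_days": delta_d_max(eps_sync, rho, tau_store, t_tick_eff) / 86400.0,
    }

HOUR = 3600.0
# Budgets from Sections 4 and 6 (eps_sync 1 ms, T_tick_eff 60 s).
# Assumption: the infeasible control reuses the TCXO drift and interval.
BUDGETS = {
    "OCXO": (1e-3, 1e-8, 24 * HOUR, 5.0, 60.0),
    "TCXO": (1e-3, 1e-6, 1 * HOUR, 5.0, 60.0),
    "infeasible": (1e-3, 1e-6, 1 * HOUR, 70.0, 60.0),
}

if __name__ == "__main__":
    for name, budget in BUDGETS.items():
        print(name, evaluate(*budget))
    # A bundle stamped at t = 59 s: 70 s of delay vs 5 s of delay.
    print(windows_late(59.0, 70.0, 60.0), windows_late(59.0, 5.0, 60.0))
```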


7.  Inheritance of the Core Theorems

   If A1 holds (Section 4) and the compromised-vantage fraction f < 1/2,
   then by the Architecture-Invariance Theorem
   [I-D.melegassi-iab-mvps-architecture] the core results inherit
   verbatim on the maritime surface:

      T1   multi-vantage D^2 dominates per-vantage max-z;
      T2   Phi_D concentration under the null;
      T3'  empirical-quantile false-alarm calibration;
      T9   Byzantine robustness of the geometric-median aggregator.

   No core theorem is re-derived; the profile only supplies the A1
   premise (validator check A-MAR-INHERIT).


8.  Byzantine and Destroyed Vantages

   A maritime fleet must assume some vantages are compromised, lying, or
   physically lost.  For f < 1/2 the geometric-median aggregator has
   finite max-bias b(f) = C * f/(1-2f) (after [Minsker]; MVPS imported
   result I12), diverging only as f -> 1/2.  A vantage that goes silent
   is treated as missing, not as zero, preserving the bound (validator
   check B-MAR-1: b(0.2)=0.333, b(0.4)=2.000).
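
   Why a silent vantage is dropped rather than zero-filled, as an added
   example (not part of this draft or its validator).  The smoothed
   Weiszfeld iteration, the vantage names and the report values are
   constructed for illustration; C = 1 is assumed in b(f).

```python
import math

def geometric_median(points, iters=500, eps=1e-9):
    """Smoothed Weiszfeld iteration; eps floors distances to avoid 1/0."""
    dim = len(points[0])
    y = [sum(p[i] for p in points) / len(points) for i in range(dim)]
    for _ in range(iters):
        weights = [1.0 / max(math.dist(p, y), eps) for p in points]
        total = sum(weights)
        new = [sum(w * p[i] for w, p in zip(weights, points)) / total
               for i in range(dim)]
        if math.dist(new, y) < eps:
            return new
        y = new
    return y

def aggregate(reports):
    """Silent vantages (None) are dropped, i.e. treated as missing."""
    present = [v for v in reports.values() if v is not None]
    if not present:
        raise ValueError("no vantage reported in this tick")
    return geometric_median(present)

def aggregate_zero_filled(reports, dim):
    """Anti-pattern: a silent vantage is replaced by an all-zero report."""
    return geometric_median([v if v is not None else [0.0] * dim
                             for v in reports.values()])

def max_bias(f, c=1.0):
    """b(f) = C * f / (1 - 2f), finite only for f < 1/2."""
    if not 0.0 <= f < 0.5:
        raise ValueError("bound requires 0 <= f < 1/2")
    return c * f / (1.0 - 2.0 * f)

# Constructed tick: 4 honest vantages near (10, 10), 1 lying, 4 silent.
REPORTS = {
    "v1": [10.0, 10.1], "v2": [9.9, 10.0], "v3": [10.1, 9.9],
    "v4": [10.0, 10.0], "v5": [-50.0, -50.0],   # v5 is the Byzantine report
    "v6": None, "v7": None, "v8": None, "v9": None,
}
TRUTH = [10.0, 10.0]

def errors():
    """Distance from TRUTH for (missing-as-missing, missing-as-zero)."""
    return (math.dist(aggregate(REPORTS), TRUTH),
            math.dist(aggregate_zero_filled(REPORTS, 2), TRUTH))

if __name__ == "__main__":
    print(errors(), round(max_bias(0.2), 3), round(max_bias(0.4), 3))
```

   With the silent vantages dropped, one liar among five reports leaves
   the estimate inside the honest cluster; zero-filling adds four
   identical false reports and drags the estimate to the origin.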


9.  PNT/GNSS Spoofing (Conjecture C-MAR-1)

   It is plausible that coordinated GNSS spoofing injects a low-rank,
   correlated clock-offset signature across vantages that the multi-
   vantage detector flags before any single vantage alarms.  This is
   stated as a CONJECTURE, not a theorem, with a falsification protocol
   (observable: cross-vantage correlated offset vs per-vantage max-z;
   data: fleet PTP/GNSS telemetry plus a controlled spoofing testbed;
   test: Wilson 95% lower bound on detection-time gain > 0; blocker:
   access to a controlled spoofing range).  The profile's guarantees do
   NOT depend on this conjecture.


10.  Operational Logging

   Deployments SHOULD log events using the MVPS operational log format
   [I-D.melegassi-opsawg-mvps-logging]: append-only, hash-chained, and
   anchored opportunistically whenever connectivity returns. Because the
   link is intermittent, the anchoring cadence of that format maps
   naturally onto re-connection events; records between anchors retain
   edit/reorder/delete evidence and gain truncation evidence at the next
   anchor.
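
   How anchoring at re-connection turns a hash chain's edit and delete
   evidence into truncation evidence as well, as an added example.  The
   record layout, field names and log bodies are hypothetical; this is
   not the format of [I-D.melegassi-opsawg-mvps-logging], and anchors
   are assumed to be held off the node.

```python
import hashlib
import json

GENESIS = "0" * 64  # hypothetical record layout, not the MVPS log format

def _digest(prev, seq, body):
    blob = json.dumps([prev, seq, body], separators=(",", ":"))
    return hashlib.sha256(blob.encode()).hexdigest()

def append(log, body):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"seq": len(log), "prev": prev, "body": body,
                "hash": _digest(prev, len(log), body)})

def anchor(log):
    """Taken when the link returns; assumed to be stored off the node."""
    return {"count": len(log), "head": log[-1]["hash"] if log else GENESIS}

def verify(log, anchors=()):
    """Return a list of findings; an empty list means nothing was detected."""
    findings, prev = [], GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i or rec["prev"] != prev:
            findings.append(f"chain break at position {i}")
        elif rec["hash"] != _digest(rec["prev"], rec["seq"], rec["body"]):
            findings.append(f"record {i} edited")
        prev = rec["hash"]
    for a in anchors:
        if a["count"] > len(log):
            findings.append(f"truncated below anchor of {a['count']} records")
        elif a["count"] and log[a["count"] - 1]["hash"] != a["head"]:
            findings.append(f"head mismatch at anchor of {a['count']} records")
    return findings

def scenarios():
    """Constructed log of 5 records, anchored after 3 and after 5."""
    log = []
    for body in ("t100 ok", "t101 ok", "t102 anomaly", "t103 ok", "t104 anomaly"):
        append(log, body)
    a1, a2 = anchor(log[:3]), anchor(log)   # two re-connection events
    edited = [dict(r) for r in log]
    edited[3]["body"] = "t103 anomaly"      # edit between the anchors
    return {
        "intact": verify(log, [a1, a2]),
        "edit": verify(edited, [a1]),
        "delete": verify(log[:3] + log[4:], [a1]),
        "tail_cut_old_anchor": verify(log[:4], [a1]),
        "tail_cut_new_anchor": verify(log[:4], [a1, a2]),
    }
```

   The chain alone exposes the edit and the deletion; the dropped tail
   record is invisible against the older anchor and shows up only once
   the anchor taken at the next re-connection is available.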


11.  Numerical Receipt

   scripts/validate_maritime_edge.py evaluates seven checks (L-MAR-1..4,
   A-MAR-INHERIT, B-MAR-1, C-MAR-1) over the budgets above and writes
   evidence/maritime_edge_receipt.json with per-scenario skew values,
   the closed-form denial tolerance, the inherited theorem list, the
   explicit defensive non-claims, and a SHA-256 of its own canonical
   body.  All seven checks PASS (exit 0).


12.  Security Considerations

   The profile is a detection and audit capability; it exposes no
   kinetic or targeting surface.  Its security value is the early,
   coherent detection of intrusion, comms tampering, and timing
   manipulation across a contested fleet, with a tamper-evident audit
   trail (Section 10).

   GNSS denial is treated as an operating condition, not merely a fault:
   the holdover budget (Section 4) and the closed-form denial tolerance
   (Section 5) make the time assumptions explicit and auditable.
   Spoofing detection itself is a conjecture (Section 9) and MUST NOT be
   relied upon as a guarantee.  Quantum-era integrity of logs/anchors
   follows the Proof Envelope [I-D.melegassi-ippm-mvps-proof-envelope].


13.  IANA Considerations

   This document has no IANA actions.


14.  References

14.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, May 2017.

   [I-D.melegassi-iab-mvps-architecture]
              Melegassi, L., "MVPS Architecture Invariance",
              draft-melegassi-iab-mvps-architecture-00, 2026.

14.2.  Informative References

   [I-D.melegassi-opsawg-mvps-logging]
              Melegassi, L., "The MVPS Operational Log Format",
              draft-melegassi-opsawg-mvps-logging-00, 2026.

   [I-D.melegassi-ippm-mvps-proof-envelope]
              Melegassi, L., "MVPS Proof Envelope", draft-melegassi-
              ippm-mvps-proof-envelope-00, 2026.

   [Minsker]  Minsker, S., "Geometric median and robust estimation in
              Banach spaces", Bernoulli 21(4), 2015.


Appendix A.  Worked Budgets (Normative)

   The three budgets of Section 4 (OCXO, TCXO, stress) and the
   infeasible control of Section 6 are the normative vectors.  An
   implementation claiming conformance MUST reproduce, for each, the
   skew_eff value and the A1 verdict emitted by
   scripts/validate_maritime_edge.py.


Author's Address

   Leonardo Melegassi
   Catellix
   Brazil
   Email: melegassi@catellix.com