Internet-Draft LDACS May 2021
Maeurer, et al. Expires 11 November 2021 [Page]
Workgroup:
RAW
Published:
Intended Status:
Informational
Expires:
Authors:
N. Maeurer, Ed.
German Aerospace Center (DLR)
T. Graeupl, Ed.
German Aerospace Center (DLR)
C. Schmitt, Ed.
Research Institute CODE, UniBwM

L-band Digital Aeronautical Communications System (LDACS)

Abstract

This document provides an overview of the architecture of the L-band Digital Aeronautical Communications System (LDACS), which provides a secure, scalable and spectrum efficient terrestrial data link for civil aviation. LDACS is a scheduled, reliable multi-application cellular broadband system with support for IPv6. LDACS shall provide a data link for IP network-based aircraft guidance. High reliability and availability for IP connectivity over LDACS are therefore essential.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 11 November 2021.

Table of Contents

1. Introduction

One of the main pillars of the modern Air Traffic Management (ATM) system is the existence of a communication infrastructure that enables efficient aircraft control and safe separation in all phases of flight. Current systems are technically mature but suffering from the Very High Frequency (VHF) band's increasing saturation in high-density areas and the limitations posed by analogue radio communications. Therefore, aviation globally and the European Union (EU) in particular, strives for a sustainable modernization of the aeronautical communication infrastructure.

In the long-term, ATM communication shall transition from analogue VHF voice [KAMA2010] and VHF Data Linke mode 2 (VDLM2) communication to more spectrum efficient digital data communication. The European ATM Master Plan foresees this transition to be realized for terrestrial communications by the development (and potential implementation) of the L-band Digital Aeronautical Communications System (LDACS). LDACS shall enable IPv6 based air- ground communication related to the aviation safety and regularity of flight [ICAO20152]. The particular challenge is that no additional spectrum can be made available for terrestrial aeronautical communication. It was thus necessary to develop co-existence mechanism/procedures to enable the interference free operation of LDACS in parallel with other aeronautical services/systems in the same frequency band.

Since LDACS shall be used for aircraft guidance, high reliability and availability for IP connectivity over LDACS are essential.

2. Terminology

The following terms are used in the context of RAW in this document:

A2A
Air-to-Air
AeroMACS
Aeronautical Mobile Airport Communication System
A2G
Air-to-Ground
ACARS
Aircraft Communications Addressing and Reporting System
ADS-C
Automatic Dependent Surveillance - Contract
AM(R)S
Aeronautical Mobile (Route) Service
ANSP
Air Traffic Network Service Provider
AOC
Aeronautical Operational Control
AS
Aircraft Station
ATC
Air Traffic Control
ATM
Air Traffic Management
ATN
Aeronautical Telecommunication Network
ATS
Air Traffic Service
CCCH
Common Control Channel
COTS IP
Commercial Off-The-Shelf
CM
Context Management
CNS
Communication Navigation Surveillance
CPDLC
Controller Pilot Data Link Communication
DCCH
Dedicated Control Channel
DCH
Data Channel
DLL
Data Link Layer
DLS
Data Link Service
DME
Distance Measuring Equipment
DSB-AM
Double Side-Band Amplitude Modulation
FCI
Future Communication Infrastructure
FL
Forward Link
GBAS
Ground Based Augmentation System
GNSS
Global Navigation Satellite System
GS
Ground-Station
G2A
Ground-to-Air
HF
High Frequency
ICAO
International Civil Aviation Organization
IP
Internet Protocol
IPS
Internet Protocol Suite
kbit/s
kilobit per second
LDACS
L-band Digital Aeronautical Communications System
LLC
Logical Link Control
LME
LDACS Management Entity
MAC
Medium Access Layer
MF
Multi Frame
OFDM
Orthogonal Frequency-Division Multiplexing
OFDMA
Orthogonal Frequency-Division Multiplexing Access
OSI
Open Systems Interconnection
PHY
Physical Layer
RL
Reverse Link
SF
Super-Frame
SN
Serving Network
SNP
Sub-Network Protocol
STS
Station-to-Station
TDMA
Time-Division Multiplexing-Access
VDLM1
VHF Data Link mode 1
VDLM2
VHF Data Link mode 2
VHF
Very High Frequency
VI
Voice Interface

3. Motivation and Use Cases

Aircraft are currently connected to Air Traffic Control (ATC) and Aeronautical Operational Control (AOC) via voice and data communications systems through all phases of a flight. AOC is a generic term referring to the business communication of airlines. Within the airport terminal, connectivity is focused on high bandwidth communications, while during en-route high reliability, robustness, and range is the main focus. Voice communications may use the same or different equipment as data communications systems. In the following the main differences between voice and data communications capabilities are summarized. The assumed use cases for LDACS completes the list of use cases stated in [RAW-USE-CASES] and the list of reliable and available wireless technologies presented in [RAW-TECHNOS].

3.1. Voice Communications Today

Voice links are used for Air-to-Ground (A2G) and Air-to-Air (A2A) communications. The communication equipment is either ground-based working in the High Frequency (HF) or VHF frequency band or satellite-based. All VHF and HF voice communications are operated via open broadcast channels without authentication, encryption or other protective measures. The use of well-proven communication procedures via broadcast channels can help to enhance the safety of communications. The main voice communications media is still the analogue VHF Double Side-Band Amplitude Modulation (DSB-AM) communications technique, supplemented by HF Single Side-Band Amplitude Modulation and satellite communications for remote and oceanic areas. DSB-AM has been in use since 1948, works reliably and safely, and uses low-cost communication equipment. These are the main reasons why VHF DSB-AM communications are still in use, and it is likely that this technology will remain in service for many more years. This however results in current operational limitations and impediments in deploying new Air Traffic Management (ATM) applications, such as flight-centric operation with Point-to-Point communications.

3.2. Data Communications Today

Like for voice, data communications into the cockpit is currently provided by ground-based equipment operating either on HF or VHF radio bands or by legacy satellite systems. All these communication systems are using narrowband radio channels with a data throughput capacity in order of kilobits per second. While the aircraft is on ground some additional communications systems are available, like the Aeronautical Mobile Airport Communication System (AeroMACS) or public cellular networks, operating in the Airport (APT) domain and able to deliver broadband communication capability.

The data communication networks used for the transmission of data relating to the safety and regularity of the flight must be strictly isolated from those providing entertainment services to passengers. This leads to a situation that the flight crews are supported by narrowband services during flight while passengers have access to inflight broadband services. The current HF and VHF data links cannot provide broadband services now or in the future, due to the lack of available spectrum. This technical shortcoming is becoming a limitation to enhanced ATM operations, such as Trajectory-Based Operations and 4D trajectory negotiations.

Satellite-based communications are currently under investigation and enhanced capabilities are under development which will be able to provide inflight broadband services and communications supporting the safety and regularity of flight. In parallel, the ground-based broadband data link technology LDACS is being standardized by ICAO and has recently shown its maturity during flight tests [SCH20191]. The LDACS technology is scalable, secure and spectrum efficient and provides significant advantages to the users and service providers. It is expected that both - satellite systems and LDACS - will be deployed to support the future aeronautical communication needs as envisaged by the ICAO Global Air Navigation Plan.

4. Provenance and Documents

The development of LDACS has already made substantial progress in the Single European Sky ATM Research framework, short SESAR, and is currently being continued in the follow-up program SESAR2020 [RIH2018]. A key objective of the these activities is to develop, implement and validate a modern aeronautical data link able to evolve with aviation needs over long-term. To this end, an LDACS specification has been produced [GRA2019] and is continuously updated; transmitter demonstrators were developed to test the spectrum compatibility of LDACS with legacy systems operating in the L-band [SAJ2014]; and the overall system performance was analyzed by computer simulations, indicating that LDACS can fulfil the identified requirements [GRA2011].

LDACS standardization within the framework of the ICAO started in December 2016. The ICAO standardization group has produced an initial Standards and Recommended Practices document [ICA2018]. It defines the general characteristics of LDACS. The ICAO standardization group plans to produce an ICAO technical manual - the ICAO equivalent to a technical standard - within the next years. Generally, the group is open to input from all sources and develops LDACS in the open.

Up to now LDACS standardization has been focused on the development of the physical layer and the data link layer, only recently have higher layers come into the focus of the LDACS development activities. There is currently no "IPv6 over LDACS" specification publicly available; however, SESAR2020 has started the testing of IPv6-based LDACS testbeds.

The IPv6 architecture for the aeronautical telecommunication network is called the Future Communications Infrastructure (FCI). FCI shall support quality of service, diversity, and mobility under the umbrella of the "multi-link concept". This work is conducted by ICAO Communication Panel working group WG-I.

In addition to standardization activities several industrial LDACS prototypes have been built. One set of LDACS prototypes has been evaluated in flight trials confirming the theoretical results predicting the system performance [GRA2018] [SCH20191].

5. Applicability

LDACS is a multi-application cellular broadband system capable of simultaneously providing various kinds of Air Traffic Services (ATS) including ATS-B3 and AOC communications services from deployed Ground-Stations (GS). The A2G sub-system physical layer and data link layer of LDACS are optimized for data link communications, but the system also supports digital air-ground voice communications.

LDACS supports communication in all airspaces (airport, terminal maneuvering area, and en-route), and on the airport surface. The physical LDACS cell coverage is effectively de-coupled from the operational coverage required for a particular service. This is new in aeronautical communications. Services requiring wide-area coverage can be installed at several adjacent LDACS cells. The handover between the involved LDACS cells is seamless, automatic, and transparent to the user. Therefore, the LDACS A2G communications concept enables the aeronautical communication infrastructure to support future dynamic airspace management concepts.

5.1. Advances Beyond the State-of-the-Art

LDACS offers several capabilities that are not provided in contemporarily deployed aeronautical communication systems.

5.1.1. Priorities

LDACS is able to manage services priorities, an important feature not available in some of the current data link deployments. Thus, LDACS guarantees bandwidth, low latency, and high continuity of service for safety critical ATS applications while simultaneously accommodating less safety-critical AOC services.

5.1.2. Security

LDACS is a secure data link with built-in security mechanisms. It enables secure data communications for ATS and AOC services, including secured private communications for aircraft operators and ANSPs (Air Traffic Network Service Providers). This includes concepts for key and trust management, mutual authenticated key exchange protocols, key derivation measures, user and control message-in-transit confidentiality and authenticity protection, secure logging and availability and robustness measures [MAE20181], [MAE20191], [MAE20192].

5.1.3. High Data Rates

The user data rate of LDACS is 315 kbit/s to 1428 kbit/s on the forward link (FL) for the connection Ground-to-Air (G2A), and 294 kbit/s to 1390 kbit/s on the reverse link (RF) for the connection A2G, depending on coding and modulation. This is 50 times the amount terrestrial digital aeronautical communications systems such as VDLM2 provide [SCH20191].

5.2. Application

LDACS shall be used by several aeronautical applications ranging from enhanced communication protocol stacks (multi-homed mobile IPv6 networks in the aircraft and potentially ad-hoc networks between aircraft) to classical communication applications (sending Ground Based Augmentation System (GBAS) correction data) and integration with other service domains (using the communication signal for navigation).

It is expected that LDACS together with upgraded satellite-based communications systems will be deployed within the FCI and constitute one of the main components of the multilink concept within the FCI.

Both technologies, LDACS and satellite systems, have their specific benefits and technical capabilities which complement each other. Especially, satellite systems are well-suited for large coverage areas with less dense air traffic, e.g. oceanic regions. LDACS is well-suited for dense air traffic areas, e.g. continental areas or hot-spots around airports and terminal airspace. In addition, both technologies offer comparable data link capacity and, thus, are well-suited for redundancy, mutual back-up, or load balancing.

Technically the FCI multilink concept shall be realized by multi-homed mobile IPv6 networks in the aircraft. The related protocol stack is currently under development by ICAO and the Single European Sky ATM Research framework.

5.2.2. Air-to-Air Extension for LDACS

A potential extension of the multi-link concept is its extension to ad-hoc networks between aircraft.

Direct A2A communication between aircrafts in terms of ad-hoc data networks is currently considered a research topic since there is no immediate operational need for it, although several possible use cases are discussed (digital voice, wake vortex warnings, and trajectory negotiation) [BEL2019]. It should also be noted that currently deployed analog VHF voice radios support direct voice communication between aircraft, making a similar use case for digital voice plausible.

LDACS direct A2A is currently not part of standardization.

5.2.3. Flight Guidance

The FCI (and therefore LDACS) shall be used to host flight guidance. This is realized using three applications:

1.
Context Management (CM): The CM application shall manage the automatic logical connection to the ATC center currently responsible to guide the aircraft. Currently this is done by the air crew manually changing VHF voice frequencies according to the progress of the flight. The CM application automatically sets up equivalent sessions.
2.
Controller Pilot Data Link Communication (CPDLC): The CPDLC application provides the air crew with the ability to exchange data messages similar to text messages with the currently responsible ATC center. The CPDLC application shall take over most of the communication currently performed over VHF voice and enable new services that do not lend themselves to voice communication (e.g., trajectory negotiation).
3.
Automatic Dependent Surveillance - Contract (ADS-C): ADS-C reports the position of the aircraft to the currently active ATC center. Reporting is bound to "contracts", i.e. pre-defined events related to the progress of the flight (i.e. the trajectory). ADS-C and CPDLC are the primary applications used to implement in-flight trajectory management.

CM, CPDLC, and ADS-C are available on legacy datalinks, but not widely deployed and with limited functionality.

Further ATC applications may be ported to use the FCI or LDACS as well. A notable application is GBAS for secure, automated landings: The Global Navigation Satellite System (GNSS) based GBAS is used to improve the accuracy of GNSS to allow GNSS based instrument landings. This is realized by sending GNSS correction data (e.g., compensating ionospheric errors in the GNSS signal) to the aircraft's GNSS receiver via a separate data link. Currently the VDB data link is used. VDB is a narrow-band single-purpose datalink without advanced security only used to transmit GBAS correction data. This makes VDB a natural candidate for replacement by LDACS.

5.2.4. Business Communication of Airlines

In addition to air traffic services AOC services shall be transmitted over LDACS. AOC is a generic term referring to the business communication of airlines. Regulatory this is considered related to the safety and regularity of flight and may therefore be transmitted over LDACS.

AOC communication is considered the main business case for LDACS communication service providers since modern aircraft generate significant amounts of data (e.g., engine maintenance data).

5.2.5. LDACS Navigation

Beyond communication radio signals can always also be used for navigation. LDACS takes this into account.

For future aeronautical navigation, ICAO RECOMMENDS the further development of GNSS based technologies as primary means for navigation. However, the drawback of GNSS is its inherent single point of failure - the satellite. Due to the large separation between navigational satellites and aircraft, the received power of GNSS signals on the ground is very low. As a result, GNSS disruptions might occasionally occur due to unintentional interference, or intentional jamming. Yet the navigation services must be available with sufficient performance for all phases of flight. Therefore, during GNSS outages, or blockages, an alternative solution is needed. This is commonly referred to as Alternative Positioning, Navigation, and Timing (APNT).

One of such APNT solution consists of integrating the navigation functionality into LDACS. The ground infrastructure for APNT is deployed through the implementation of LDACS's GSs and the navigation capability comes "for free".

LDACS navigation has already been demonstrated in practice in a flight measurement campaign [SCH20191].

6. Requirements to LDACS

The requirements to LDACS are mostly defined by its application area: Communication related to safety and regularity of flight.

A particularity of the current aeronautical communication landscape is that it is heavily regulated. Aeronautical data links (for applications related to safety and regularity of flight) may only use spectrum licensed to aviation and data links endorsed by ICAO. Nation states can change this locally, however, due to the global scale of the air transportation system adherence to these practices is to be expected.

Aeronautical data links for the Aeronautical Telecommunication Network (ATN) are therefore expected to remain in service for decades. The VDLM2 data link currently used for digital terrestrial internetworking was developed in the 1990es (the use of the Open Systems Interconnection (OSI) stack indicates that as well). VDLM2 is expected to be used at least for several decades. In this respect aeronautical communication (for applications related to safety and regularity of flight) is more comparable to industrial applications than to the open Internet.

Internetwork technology is already installed in current aircraft. Current ATS applications use either the Aircraft Communications Addressing and Reporting System (ACARS) or the OSI stack. The objective of the development effort LDACS as part of the FCI is to replace legacy OSI stack and proprietary ACARS internetwork technologies with industry standard IP technology. It is anticipated that the use of Commercial Off-The-Shelf (COTS) IP technology mostly applies to the ground network. The avionics networks on the aircraft will likely be heavily modified or proprietary.

AOC applications currently mostly use the same stack (although some applications, like the graphical weather service may use the commercial passenger network). This creates capacity problems (resulting in excessive amounts of timeouts) since the underlying terrestrial data links (VDLM1/2) do not provide sufficient bandwidth. The use of non-aviation specific data links is considered a security problem. Ideally the aeronautical IP internetwork and the Internet should be completely separated.

The objective of LDACS is to provide a next generation terrestrial data link designed to support IP and provide much higher bandwidth to avoid the currently experienced operational problems.

The requirement for LDACS is therefore to provide a terrestrial high-throughput data link for IP internetworking in the aircraft.

In order to fulfil the above requirement LDACS needs to be interoperable with IP (and IP-based services like Voice-over-IP) at the gateway connecting the LDACS network to other aeronautical ground networks (the totality of them being the ATN). On the avionics side in the aircraft aviation specific solutions are to be expected.

In addition to the functional requirements LDACS and its IP stack need to fulfil the requirements defined in RTCA DO-350A/EUROCAE ED-228A [DO350A]. This document defines continuity, availability, and integrity requirements at different scopes for each air traffic management application (CPDLC, CM, and ADS-C). The scope most relevant to IP over LDACS is the CSP (Communication Service Provider) scope.

Continuity, availability, and integrity requirements are defined in [DO350A] volume 1 Table 5-14, and Table 6-13. Appendix A presents the required information.

In a similar vein, requirements to fault management are defined in the same tables.

7. Characteristics of LDACS

LDACS will become one of several wireless access networks connecting aircraft to the ATN implemented by the FCI and possibly ACARS/FANS networks [FAN2019].

The current LDACS design is focused on the specification of layer 2.

Achieving stringent the continuity, availability, and integrity requirements defined in [DO350A] will require the specification of layer 3 and above mechanisms (e.g. reliable crossover at the IP layer). Fault management mechanisms are similarly undefined. Input from the working group will be appreciated here.

7.1. LDACS Sub-Network

An LDACS sub-network contains an Access Router (AR) and several GS, each of them providing one LDACS radio cell.

User plane interconnection to the ATN is facilitated by the AR peering with an A2G Router connected to the ATN.

The internal control plane of an LDACS sub-network interconnects the GS. An LDACS sub-network is illustrated in Figure 1.



wireless      user
link          plane
  AS-------------GS---------------AR---A2G-----ATN
                 .                |   Router
                 . control        |
                 . plane          |
                 .                |
                 GS...............|
                 .                |
                 .                |
                 GS---------------+



Figure 1: LDACS sub-network with three GSs and one AS

7.2. Topology

LDACS operating in A2G mode is a cellular point-to-multipoint system. The A2G mode assumes a star-topology in each cell where Aircraft Stations (AS) belonging to aircraft within a certain volume of space (the LDACS cell) is connected to the controlling GS. The LDACS GS is a centralized instance that controls LDACS A2G communications within its cell. The LDACS GS can simultaneously support multiple bi-directional communications to the ASs under its control. LDACS's GSs themselves are connected to each other and the AR.

Prior to utilizing the system an AS has to register with the controlling GS to establish dedicated logical channels for user and control data. Control channels have statically allocated resources, while user channels have dynamically assigned resources according to the current demand. Logical channels exist only between the GS and the AS.

The LDACS wireless link protocol stack defines two layers, the physical layer and the data link layer.

7.3. LDACS Physical Layer

The physical layer provides the means to transfer data over the radio channel. The LDACS GS supports bi-directional links to multiple aircraft under its control. The FL direction at the G2A connection and the RL direction at the A2G connection are separated by Frequency Division Duplex. FL and RL use a 500 kHz channel each. The GS transmits a continuous stream of Orthogonal Frequency-Division Multiplexing (OFDM) symbols on the FL. In the RL different aircraft are separated in time and frequency using a combination of Orthogonal Frequency-Division Multiple-Access (OFDMA) and Time-Division Multiple-Access (TDMA). Aircraft thus transmit discontinuously on the RL with radio bursts sent in precisely defined transmission opportunities allocated by the GS.

The data-link layer provides the necessary protocols to facilitate concurrent and reliable data transfer for multiple users. The LDACS data link layer is organized in two sub-layers: The medium access sub-layer and the Logical Link Control (LLC) sub-layer. The medium access sub-layer manages the organization of transmission opportunities in slots of time and frequency. The LLC sub-layer provides acknowledged point-to-point logical channels between the aircraft and the GS using an automatic repeat request protocol. LDACS supports also unacknowledged point-to-point channels and G2A broadcast.

7.5. LDACS Mobility

LDACS supports layer 2 handovers to different LDACS channels. Handovers may be initiated by the aircraft (break-before-make) or by the GS (make-before-break). Make-before-break handovers are only supported for GSs connected to each other.

External handovers between non-connected LDACS sub-networks or different aeronautical data links shall be handled by the FCI multi-link concept.

8. Reliability and Availability

8.1. Layer 2

LDACS has been designed with applications related to the safety and regularity of flight in mind. It has therefore been designed as a deterministic wireless data link (as far as this is possible).

Based on channel measurements of the L-band channel [SCHN2016] and respecting the specific nature of the area of application, LDACS was designed from the PHY layer up with robustness in mind.

In order to maximize the capacity per channel and to optimally use the available spectrum, LDACS was designed as an OFDM-based Frequency Division Duplex system, supporting simultaneous transmissions in FL at the G2A connection and RF at the A2G connection. The legacy systems already deployed in the L-band limit the bandwidth of both channels to approximately 500 kHz.

The LDACS physical layer design includes propagation guard times sufficient for the operation at a maximum distance of 200 nautical miles from the GS. In actual deployment, LDACS can be configured for any range up to this maximum range.

The LDACS FL physical layer is a continuous OFDM transmission. LDACS RL transmission is based on OFDMA-TDMA bursts, with silence between such bursts. The RL resources (i.e. bursts) are assigned to different ASs on demand by the GS.

The LDACS physical layer supports adaptive coding and modulation for user data. Control data is always encoded with the most robust coding and modulation (QPSK coding rate 1/2).

LDACS medium access on top of the physical layer uses a static frame structure to support deterministic timer management. As shown in Figure 3 and Figure 4, LDACS framing structure is based on Super-Frames (SF) of 240ms duration corresponding to 2000 OFDM symbols. FL and RL boundaries are aligned in time (from the GS perspective) allowing for deterministic sending windows for KEEP ALIVE messages and control and data channels in general.

LDACS medium access is always under the control of the GS of a radio cell. Any medium access for the transmission of user data has to be requested with a resource request message stating the requested amount of resources and class of service. The GS performs resource scheduling on the basis of these requests and grants resources with resource allocation messages. Resource request and allocation messages are exchanged over dedicated contention-free control channels.

The purpose of Quality-of-Service in LDACS medium access is to provide prioritized medium access at the bottleneck (the wireless link). The signaling of higher layer Quality-of-Service requirements to LDACS is yet to be defined. A DiffServ-based solution with a small number of priorities is to be expected.

LDACS has two mechanisms to request resources from the scheduler in the GS.

Resources can either be requested "on demand" with a given priority. On the FL, this is done locally in the GS, on the RL a dedicated contention-free control channel is used called Dedicated Control Channel (DCCH), which is roughly 83 bit every 60 ms. A resource allocation is always announced in the control channel of the FL, short Common Control Channel (CCCH) having variable size. Due to the spacing of the RL control channels every 60 ms, a medium access delay in the same order of magnitude is to be expected.

Resources can also be requested "permanently". The permanent resource request mechanism supports requesting recurring resources in given time intervals. A permanent resource request has to be canceled by the user (or by the GS, which is always in control).

User data transmissions over LDACS are therefore always scheduled by the GS, while control data uses statically (i.e. at cell entry) allocated recurring resources (DCCH and CCCH). The current specification specifies no scheduling algorithm. Scheduling of RL resources is done in physical Protocol Data Units of 112 bit (or larger if more aggressive coding and modulation is used). Scheduling on the FL is done Byte-wise since the FL is transmitted continuously by the GS.

In addition to having full control over resource scheduling, the GS can send forced Handover commands for off-loading or RF channel management, e.g. when the signal quality declines and a more suitable GS is in the AS reach. With robust resource management of the capacities of the radio channel, reliability and robustness measures are therefore also anchored in the LDACS management entity.

In addition, to radio resource management, the LDACS control channels are also used to send keep-alive messages, when they are not otherwise used. Since the framing of the control channels is deterministic, missing keep-alive messages can thus be immediately detected. This information is made available to the multi-link protocols for fault management.

The protocol used to communicate faults is not defined in the LDACS specification. It is assumed that vendors would use industry standard protocols like the Simple Network Management Protocol or the Network Configuration Protocol where security permits.

The LDACS data link layer protocol running on top of the medium access sub-layer uses ARQ to provide reliable data transmission on layer 2.

It employs selective repeat ARQ with transparent fragmentation and reassembly to the resource allocation size to achieve low latency and a low overhead without losing reliability. It ensures correct order of packet delivery without duplicates. In case of transmission errors it identifies lost fragments with deterministic timers synced to the medium access frame structure and initiates retransmission. Additionally, the priority mechanism of LDACS ensures the timely delivery of messages with high importance.

8.2. Beyond Layer 2

LDACS availability can be increased by appropriately deploying LDACS infrastructure: This means proliferating the number of terrestrial base stations. However, the scarcity of aeronautical spectrum for data link communication (in the case of LDACS: tens of MHz in the L-band) and the long range (in the case of LDACS: up to 400 km) make this quite hard. The deployment of a larger number of small cells is certainly possible, suffers, however, also from the scarcity of spectrum. An additional constraint to consider, is that Distance Measuring Equipment (DME) is the primary user of the aeronautical L-band. That is, any LDACS deployment has to take DME frequency planning into account, too.

The aeronautical community has therefore decided not to rely on a single communication system or frequency band. It is envisioned to have multiple independent data link technologies in the aircraft (e.g., terrestrial and satellite communications) in addition to legacy VHF voice.

However, as of now no reliability and availability mechanisms that could utilize the multi-link have been specified on Layer 3 and above. Even if LDACS has been designed for reliability, the wireless medium presents significant challenges to achieve deterministic properties such as low packet error rate, bounded consecutive losses, and bounded latency. Support for high reliability and availability for IP connectivity over LDACS is therefore highly desirable, needs, however, be adapted to the specific use case.

Below Layer 2 aeronautics usually relies on hardware redundancy. To protect availability of the LDACS link, an aircraft equipped with LDACS will have access to two L-band antennae with triple redundant radio systems as required for any safety relevant aeronautical systems by ICAO.

9. Protocol Stack

The protocol stack of LDACS is implemented in the AS and GS: It consists of the Physical Layer (PHY) with five major functional blocks above it. Four are placed in the Data Link Layer (DLL) of the AS and GS: (1) Medium Access Layer (MAC), (2) Voice Interface (VI), (3) Data Link Service (DLS), and (4) LDACS Management Entity (LME). The last entity resides within the Sub-Network Layer: Sub-Network Protocol (SNP). The LDACS network is externally connected to voice units, radio control units, and the ATN Network Layer.

Figure 2 shows the protocol stack of LDACS as implemented in the AS and GS.



         IPv6                   Network Layer
          |
          |
+------------------+  +----+
|        SNP       |--|    |   Sub-Network
|                  |  |    |   Layer
+------------------+  |    |
          |           | LME|
+------------------+  |    |
|        DLS       |  |    |   Logical Link
|                  |  |    |   Control Layer
+------------------+  +----+
          |             |
         DCH         DCCH/CCCH
          |          RACH/BCCH
          |             |
+--------------------------+
|           MAC            |   Medium Access
|                          |   Layer
+--------------------------+
             |
+--------------------------+
|           PHY            |   Physical Layer
+--------------------------+
             |
             |
           ((*))
           FL/RL              radio channels
                              separated by
                              Frequency Division Duplex


Figure 2: LDACS protocol stack in AS and GS

9.1. Medium Access Control (MAC) Entity Services

The MAC time framing service provides the frame structure necessary to realize slot-based Time Division Multiplex (TDM) access on the physical link. It provides the functions for the synchronization of the MAC framing structure and the PHY Layer framing. The MAC time framing provides a dedicated time slot for each logical channel.

The MAC Sub-Layer offers access to the physical channel to its service users. Channel access is provided through transparent logical channels. The MAC Sub-Layer maps logical channels onto the appropriate slots and manages the access to these channels. Logical channels are used as interface between the MAC and LLC Sub-Layers.

The LDACS framing structure for FL and RL is based on Super-Frames (SF) of 240 ms duration. Each SF corresponds to 2000 OFDM symbols. The FL and RL SF boundaries are aligned in time (from the view of the GS).

In the FL, an SF contains a Broadcast Frame of duration 6.72 ms (56 OFDM symbols) for the Broadcast Control Channel (BCCH), and four Multi-Frames (MF), each of duration 58.32 ms (486 OFDM symbols).

In the RL, each SF starts with a Random Access (RA) slot of length 6.72 ms with two opportunities for sending RL random access frames for the Random Access Channel (RACH), followed by four MFs. These MFs have the same fixed duration of 58.32 ms as in the FL, but a different internal structure

Figure 3 and Figure 4 illustrate the LDACS frame structure.


^
|     +------+------------+------------+------------+------------+
|  FL | BCCH |     MF     |     MF     |     MF     |     MF     |
F     +------+------------+------------+------------+------------+
r     <---------------- Super-Frame (SF) - 240ms ---------------->
e
q     +------+------------+------------+------------+------------+
u  RL | RACH |     MF     |     MF     |     MF     |     MF     |
e     +------+------------+------------+------------+------------+
n     <---------------- Super-Frame (SF) - 240ms ---------------->
c
y
|
----------------------------- Time ------------------------------>
|

Figure 3: SF structure for LDACS

^
|     +-------------+------+-------------+
|  FL |     DCH     | CCCH |     DCH     |
F     +-------------+------+-------------+
r     <---- Multi-Frame (MF) - 58.32ms -->
e
q     +------+---------------------------+
u  RL | DCCH |             DCH           |
e     +------+---------------------------+
n     <---- Multi-Frame (MF) - 58.32ms -->
c
y
|
-------------------- Time ------------------>
|

Figure 4: MF structure for LDACS

The DLS provides acknowledged and unacknowledged (including broadcast and packet mode voice) bi-directional exchange of user data. If user data is transmitted using the acknowledged DLS, the sending DLS entity will wait for an acknowledgement from the receiver. If no acknowledgement is received within a specified time frame, the sender may automatically try to retransmit its data. However, after a certain number of failed retries, the sender will suspend further retransmission attempts and inform its client of the failure.

The DLS uses the logical channels provided by the MAC:

1.
A GS announces its existence and access parameters in the Broadcast Channel (BC).
2.
The RA channel enables AS to request access to an LDACS cell.
3.
In the FL the CCCH is used by the GS to grant access to data channel resources.
4.
The reverse direction is covered by the RL, where ASs need to request resources before sending. This happens via the DCCH.
5.
User data itself is communicated in the Data Channel (DCH) on the FL and RL.

Access to the FL and RL data channel is granted by the scheduling mechanism implemented in the LME discussed below.

9.3. Voice Interface (VI) Services

The VI provides support for virtual voice circuits. Voice circuits may either be set-up permanently by the GS (e.g., to emulate voice party line) or may be created on demand. The creation and selection of voice circuits is performed in the LME. The VI provides only the transmission services.

9.4. LDACS Management Entity (LME) Services

The mobility management service in the LME provides support for registration and de-registration (cell entry and cell exit), scanning RF channels of neighboring cells and handover between cells. In addition, it manages the addressing of aircraft/ ASs within cells.

The resource management service provides link maintenance (power, frequency and time adjustments), support for adaptive coding and modulation, and resource allocation.

The resource management service accepts resource requests from/for different AS and issues resource allocations accordingly. While the scheduling algorithm is not specified and a point of possible vendor differentiation, it is subject to the following requirements:

1.
Resource scheduling must provide channel access according to the priority of the request
2.
Resource scheduling must support "one-time" requests
3.
Resource scheduling must support "permanent" requests that reserve a resource until the request is canceled e.g. for digital voice circuits.

9.5. Sub-Network Protocol (SNP) Services

The DLS provides functions required for the transfer of user plane data and control plane data over the LDACS sub-network.

The security service provides functions for secure communication over the LDACS sub-network. Note that the SNP security service applies cryptographic measures as configured by the GS.

10. Security Considerations

10.1. Reasons for Wireless Digital Aeronautical Communications

Aviation will require secure exchanges of data and voice messages for managing the air traffic flow safely through the airspaces all over the world. Historically Communication Navigation Surveillance (CNS) wireless communications technology emerged from military and a threat landscape where inferior technological and financial capabilities of adversaries were assumed [STR2016]. The main communication method for ATC today is still an open analogue voice broadcast within the aeronautical VHF band. Currently, the information security is purely procedural based by using well-trained personnel and proven communications procedures. This communication method has been in service since 1948. However, since the emergence of civil aeronautical CNS application and today, the world has changed. Civil applications have significant lower spectrum available than military applications. This means several military defence mechanisms such as frequency hopping or pilot symbol scrambling and, thus, a defense-in-depth approach starting at the physical layer is infeasible for civil systems. With the rise of cheap Software Defined Radios, the previously existing financial barrier is almost gone and open source projects such as GNU radio [GNU2012] allow the new type of unsophisticated listeners and possible attackers. Most CNS technology developed in ICAO relies on open standards, thus syntax and semantics of wireless digital aeronautical communications should be expected to be common knowledge for attackers. With increased digitization and automation of civil aviation the human as control instance is being taken gradually out of the loop. Autonomous transport drones or single piloted aircraft demonstrate this trend. However, without profound cybersecurity measures such as authenticity and integrity checks of messages in-transit on the wireless link or mutual entity authentication, this lack of a control instance can prove disastrous. Thus, future digital communications waveforms will need additional embedded security features to fulfill modern information security requirements like authentication and integrity. These security features require sufficient bandwidth which is beyond the capabilities of a VHF narrowband communications system. For voice and data communications, sufficient data throughput capability is needed to support the security functions while not degrading performance. LDACS is a data link technology with sufficient bandwidth to incorporate security without losing too much user throughput.

As digitalization progresses even further with LDACS and automated procedures such as 4D-Trajectories allowing semi-automated en-route flying of aircraft, LDACS requires stronger cybersecurity measures.

10.2. LADACS Requirements

Overall there are several business goals for cybersecurity to protect in FCI in civil aviation:

1.
Safety: The system must sufficiently mitigate attacks, which contribute to safety hazards.
2.
Flight regularity: The system must sufficiently mitigate attacks, which contribute to delays, diversions, or cancellations of flights.
3.
Protection of business interests: The system must sufficiently mitigate attacks which result in financial loss, reputation damage, disclosure of sensitive proprietary information, or disclosure of personal information.

To further analyze assets and derive threats and thus protection scenarios several Threat-and Risk Analysis were performed for LDACS [MAE20181] , [MAE20191]. These results allowed deriving security scope and objectives from the requirements and the conducted Threat-and Risk Analysis.

10.3. LDACS Security Objectives

Security considerations for LDACS are defined by the official Standards And Recommended Practices (SARPS) document by ICAO [ICA2018]:

1.
LDACS shall provide a capability to protect the availability and continuity of the system.
2.
LDACS shall provide a capability including cryptographic mechanisms to protect the integrity of messages in transit.
3.
LDACS shall provide a capability to ensure the authenticity of messages in transit.
4.
LDACS should provide a capability for nonrepudiation of origin for messages in transit.
5.
LDACS should provide a capability to protect the confidentiality of messages in transit.
6.
LDACS shall provide an authentication capability.
7.
LDACS shall provide a capability to authorize the permitted actions of users of the system and to deny actions that are not explicitly authorized.
8.
If LDACS provides interfaces to multiple domains, LDACS shall provide capability to prevent the propagation of intrusions within LDACS domains and towards external domains.

10.4. LDACS Security Functions

These objectives were used to derive several security functions for LDACS required to be integrated in the LDACS cybersecurity architecture: (1) Identification, (2) Authentication, (3) Authorization, (4) Confidentiality, (5) System Integrity, (6) Data Integrity, (7) Robustness, (8) Reliability, (9) Availability, and (10) Key and Trust Management. Several works investigated possible measures to implement these security functions [BIL2017], [MAE20181], [MAE20191]. Having identified security requirements, objectives and functions it must be ensured that they are applicable.

10.5. LDACS Security Architecture

The requirements lead to a LDACS security model including different entities for identification, authentication and authorization purposes ensuring integrity, authenticity and confidentiality of data in-transit especially.

10.5.1. Entities

A simplified LDACS architectural modelrequires the following entities: Network operators such as the Societe Internationale de Telecommunications Aeronautiques (SITA) [SIT2020] and ARINC [ARI2020] are providing access to the (1) Ground IPS network via an (2) A2G LDACS Router. This router is attached to a closed off LDACS Access Network, (3) which connects via further (4) Access Routers to the different (5) LDACS Cell Ranges, each controlled by a (6) GS (serving one LDACS cell), with several interconnected GS (7) spanning a local LDACS access network. Via the (8) A2G wireless LDACS data link (9) AS the aircraft is connected to the ground network and via the (10) aircrafts's VI and (11) aircraft's network interface, aircraft's data can be sent via the AS back to the GS, LDACS local access network, access routers, LDACS access network, A2G LDACS router to the ground Internet Protocol Suite (IPS) network [ICAO20152].

10.5.2. Entity Identification

LDACS needs specific identities for (1) the AS, (2) the GS, and (3) the Network Operator. The aircraft itself can be identified using the ICAO unique address of an aircraft, the call sign of that aircraft or the recently founded Privacy ICAO Address (PIA) program [FAA2020]. It is conceivable that the LDACS AS will use a combination of aircraft identification, radio component identification and even operator features identification to create a unique AS LDACS identification tag. Similar to a 4G's eNodeB Serving Network (SN) Identification tag, a GS could be identified using a similar field. The identification of the network operator is again similar to 4G (e.g., E-Plus, AT&T, and TELUS), in the way that the aeronautical network operators are listed (e.g., ARINC [ARI2020] and SITA [SIT2020]).

10.5.3. Entity Authentication and Key Negotiation

In order to anchor Trust within the system all LDACS entities connected to the ground IPS network shall be rooted in an LDACS specific chain-of-trust and PKI solution, quite similar to AeroMACS approach [CRO2016]. These X.509 certificates [RFC5280] residing at the entities and incorporated in the LDACS PKI proof the ownership of their respective public key, include information about the identity of the owner and the digital signature of the entity that has verified the certificate's content. First all ground infrastructures must mutually authenticate to each other, negotiate and derive keys and, thus, secure all ground connections. How this process is handled in detail is still an ongoing discussion. However, established methods to secure user plane by IPSec [RFC4301] and IKEv2 [RFC7296] or the application layer via TLS 1.3 [RFC8446] are conceivable. The LDACS PKI with their chain-of-trust approach, digital certificates and public entity keys lay the groundwork for this step. In a second step the AS with the LDACS radio approaches an LDACS cell and performs a cell entry with the corresponding GS. Similar to the LTE cell attachment process [TS33.401], where authentication happens after basic communication has been enabled between AS and GS (step 5a in the UE attachment process [TS33.401]), the next step is mutual authentication and key exchange. Hence, in step three using the identity-based Station-to-Station (STS) protocol with Diffie-Hellman Key Exchange [MAE2020], AS and GS establish mutual trust by authenticating each other, exchanging key material and finally, both ending up with derived key material. A key confirmation is mandatory before the communication channel between the AS and the GS can be opened for user-data communications.

10.5.4. Message-in-transit Confidentiality, Integrity and Authenticity

The subsequent key material from the previous step can then be used to protect LDACS Layer 2 communications via applying encryption and integrity protection measures on the SNP layer of the LDACS protocol stack. As LDACS transports AOC and ATS data, the integrity of that data is most important, while confidentiality only needs to be applied to AOC data to protect business interests [ICA2018]. This possibility of providing low layered confidentiality and integrity protection ensures a secure delivery of user data over the air gap. Furthermore, it ensures integrity protection of LDACS control data.

10.6. LDACS Security Modules

A draft of the cybersecurity architecture of LDACS can be found in [ICA2018] and [MAE20182] and respective updates in [MAE20191], [MAE20192], and [MAE2020].

10.6.1. Placements of Security Functionality in Protocol Stack

Placing protection mechanisms in the LME and SNP entities within the protocol stack of LDACS will be most efficient in securing LDACS. MAC and DLS will also receive new tasks like the measurement performance for control channel protection. Security endpoints for secure user data communication, control data protection and primary entity authentication are the AS and GS.

10.6.2. Trust

The LDACS security concept requires all entities in an LDACS network to authenticate to each other to ascertain that only trusted participants can use the system. To establish trust within the network, inter-operations between all FCI candidates must be possible, thus LDACS will follow AeroMACS lead and also use an FCI specific PKI [RFC5280]. A PKI can solve the problem of having to trust a communication's partner identity claim via involving a trusted third party who verifies the identities of the parties who wish to engage in communication via issuing a digital certificate. As aviation operates worldwide, a hierarchical PKI will have to be deployed with several sub-CAs being distributed over the world.

Basically, there are two proposals on how to achieve worldwide trust coverage:

1.
One root CA is installed per geographic region and then it performs cross-certification with distributed root-CAs of all other geo-graphic regions around the world. Subdomains can exist within ATM organizations. Here trust emerges from the assured trustworthiness of each regional root CA cross-certifying other and being cross-certified by other regional CAs
2.
The other idea is to have one worldwide (probably offline) root CA, hosted by a trusted worldwide entity, such as ICAO, with several regions sub-CAs distributed around the world. That way, the ICAO hosted root CA serves as trust bridge.

10.6.3. Mutual Authentication and Key Exchange (MAKE)

Via a modified, identity-based STS procedure and digital certificate and public keys pre-deployed during maintenance at the respective end-entities, the MAKE procedure can guarantee (1) Mutual Authentication, (2) Secure Key Agreement, (3) Prefect Forward Secrecy and (4) Key Confirmation [MAE2020]. As Diffie-Hellman Key Exchange (DHKE) procedure, we are currently evaluating the classic ephemeral DHKE [DIF1976] with 3072bit keys, Elliptic Curve DHKE (ECDH) with 256bit keys [KOB1987] and the Supersingular Isogeny DHKE (SIDH) with 2624bit key sizes [JAO2011]. As minimization of security data on the datalink is key, ECDH is currently the favorite way forward. Assuming that an LDACS security header consists of TYPE, ID, UA and PRIO fields, the entire header is of length 48bit [GRA2019]. Cryptographic nonces are 96bit long, signatures 512bit and the public elliptic curve Diffie-Hellman keys 256bit. With these bit sizes, the entire STS-MAKE procedure between AS and GS requires a total of 4 messages and 1920bit [MAE2021].

10.6.4. Key Derivation and Key Hierarchy

Once all parties within the network have successfully authenticated to each other, key derivation is necessary to generate different keys for different purposes. We need different keys for user data protection and keys for control data protection. As key derivation function, we propose the Hash-based Message Authentication Code (HMAC) Key Derivation Function (KDF) - HKDF [RFC5869]. First the input keying material (here: master key/static Diffie Hellman shared key) is taken and a fixed-length pseudo-random key is extracted. We extract a pseudorandom key from the master key by adding a salt value, which can be any fixed non-secret string chosen at random. In the process the pseudo random key becomes indistinguishable from a uniform distribution of bits. As LDACS will be deployed in 2024 with a recommendation of a minimum-security level of 128bit.

10.6.5. User Data Security

It is proposed to secure LDACS Sub-Network Packet Data Units (SN-PDU)s, as their size can vary from 128 to 1536 Byte [GRA2019], which makes them possibly the largest PDUs within LDACS. This helps minimizing security data overhead, in case a Message Authentication Code (MAC) tag is attached to the SN-PDU. For confidentiality protection, it is recommended symmetric approaches for data encryption, due to low computational overhead and fast operation times. As encryption algorithm, it is recommended to use AES-128-GCM/AES-256-GCM [RFC5288] with Galois Counter Mode (GCM) being a mode of operation on symmetric key block. It provides authenticated encryption and decryption operations and it proves robust against currently known quantum-computer-based algorithms [BER2017]. For message integrity/authenticity protection, it is recommended either to use the aforementioned AES-GCM with tag lengths of at least 128bit or HMAC with hash-functions from the SHA-3 family [PRI2014]. At least HMAC-SHA3-128 with a tag length of 128bit is recommended. This way the tag security data overhead ranges from 1.04 to 12.50% for user data, depending on the SN-PDU size.

10.6.6. Control Data Security

LDACS has four control channels: AS announce their existence in the RA, at the beginning of each SF in the RL, where each AS can transmit 56bit. GS announce their existence in the BC, at the beginning of each SF in the FL, where the GS can transmit a total of 2304bit. AS can request resources in the DC, where each AS has an 83bit long slot and GS can grant those resources in the CC, with 728bit per CC-PHY-SDU. As the control channels of LDACS are very small-size, it is obvious that protection is challenging. Having security requirements in mind it is recommended to introduce group key mechanisms for LDACS. Thus, after the MAKE procedure of LDACS, a control plane related group key is derived by the GS and shared with all AS in a protected manner. As group key procedure, several approaches are investigated (e.g., G-IKEv2 [I-D.ietf-ipsecme-g-ikev2], CRGT [ZHE2007], CAKE [GUG2018], LKH [SAK2014], and OFT [KUM2020]). As OFT has the least requirements on network operations compared to the other, LDACS will use OFT with a fixed tree of 512-member nodes for a maximum of 512 supported AS in an LDACS cell. All AS and GS use this group key to protect the exchanged control data in the CC/DC slots. As these messages remain valid for a time period in the order of 10 ms and the transmission is distance bound by the MAC protocol of LDACS, very small digest tags of 16 or 32bit can suffice to protect a minimum of integrity of control messages of LDACS. To that end, it is proposed to use blake2b or blake2s and to trim the tag after 4 bytes [RFC7693].

11. Privacy Considerations

LDACS provides a Quality-of-Service, and the generic considerations for such mechanisms apply.

12. IANA Considerations

This memo includes no request to IANA.

13. Acknowledgements

Thanks to all contributors to the development of LDACS and ICAO PT-T.

Thanks to Klaus-Peter Hauf, Bart Van Den Einden, and Pierluigi Fantappie for further input to this draft.

Thanks to the Chair for Network Security and the research institute CODE for their comments and improvements.

Thanks to SBA Research Vienna for fruitful discussions on aeronautical communications concerning security incentives for industry and potential economic spillovers.

14. Normative References

[RFC4301]
Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, , <https://www.rfc-editor.org/info/rfc4301>.
[RFC5280]
Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, DOI 10.17487/RFC5280, , <https://www.rfc-editor.org/info/rfc5280>.
[RFC7296]
Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T. Kivinen, "Internet Key Exchange Protocol Version 2 (IKEv2)", STD 79, RFC 7296, DOI 10.17487/RFC7296, , <https://www.rfc-editor.org/info/rfc7296>.
[RFC8446]
Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, , <https://www.rfc-editor.org/info/rfc8446>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC5869]
Krawczyk, H. and P. Eronen, "HMAC-based Extract-and-Expand Key Derivation Function (HKDF)", RFC 5869, DOI 10.17487/RFC5869, , <https://www.rfc-editor.org/info/rfc5869>.
[RFC5288]
Salowey, J., Choudhury, A., and D. McGrew, "AES Galois Counter Mode (GCM) Cipher Suites for TLS", RFC 5288, DOI 10.17487/RFC5288, , <https://www.rfc-editor.org/info/rfc5288>.
[RFC7693]
Saarinen, M-J., Ed. and J-P. Aumasson, "The BLAKE2 Cryptographic Hash and Message Authentication Code (MAC)", RFC 7693, DOI 10.17487/RFC7693, , <https://www.rfc-editor.org/info/rfc7693>.

15. Informative References

[SCHN2016]
Schneckenburger, N., Jost, T., Shutin, D., Walter, M., Thiasiriphet, T., Schnell, M., and U.C. Fiebig, "Measurement of the L-band Air-to-Ground Channel for Positioning Applications", IEEE Transactions on Aerospace and Electronic Systems, 52(5), pp.2281-229 , .
[MAE20191]
Maeurer, N., Graeupl, T., and C. Schmitt, "Evaluation of the LDACS Cybersecurity Implementation", IEEE 38th Digital Avionics Systems Conference (DACS), pp. 1-10, San Diego, CA, USA , .
[MAE20192]
Maeurer, N. and C. Schmitt, "Towards Successful Realization of the LDACS Cybersecurity Architecture: An Updated Datalink Security Threat- and Risk Analysis", IEEE Integrated Communications, Navigation and Surveillance Conference (ICNS), pp. 1-13, Herndon, VA, USA , .
[GRA2019]
Graeupl, T., Rihacek, C., and B. Haindl, "LDACS A/G Specification", SESAR2020 PJ14-02-01 D3.3.030 , .
[FAN2019]
Pierattelli, S., Fantappie, P., Tamalet, S., van den Einden, B., Rihacek, C., and T. Graeupl, "LDACS Deployment Options and Recommendations", SESAR2020 PJ14-02-01 D3.4.020 , .
[MAE20182]
Maeurer, N. and A. Bilzhause, "A Cybersecurity Architecture for the L-band Digital Aeronautical Communications System (LDACS)", IEEE 37th Digital Avionics Systems Conference (DASC), pp. 1-10, London, UK , .
[GRA2011]
Graeupl, T. and M. Ehammer, "L-DACS1 Data Link Layer Evolution of ATN/IPS", 30th IEEE/AIAA Digital Avionics Systems Conference (DASC), pp. 1-28, Seattle, WA, USA , .
[GRA2018]
Graeupl, T., Schneckenburger, N., Jost, T., Schnell, M., Filip, A., Bellido-Manganell, M.A., Mielke, D.M., Maeurer, N., Kumar, R., Osechas, O., and G. Battista, "L-band Digital Aeronautical Communications System (LDACS) flight trials in the national German project MICONAV", Integrated Communications, Navigation, Surveillance Conference (ICNS), pp. 1-7, Herndon, VA, USA , .
[SCH20191]
Schnell, M., "DLR Tests Digital Communications Technologies Combined with Additional Navigation Functions for the First Time", .
[ICA2018]
International Civil Aviation Organization (ICAO), "L-Band Digital Aeronautical Communication System (LDACS)", International Standards and Recommended Practices Annex 10 - Aeronautical Telecommunications, Vol. III - Communication Systems , .
[SAJ2014]
Haindl, B., Meser, J., Sajatovic, M., Mueller, S., Arthaber, H., Faseth, T., and M. Zaisberger, "LDACS1 Conformance and Compatibility Assessment", IEEE/AIAA 33rd Digital Avionics Systems Conference (DASC), pp. 1-11, Colorado Springs, CO, USA , .
[RIH2018]
Rihacek, C., Haindl, B., Fantappie, P., Pierattelli, S., Graeupl, T., Schnell, M., and N. Fistas, "L-band Digital Aeronautical Communications System (LDACS) Activities in SESAR2020", Integrated Communications Navigation and Surveillance Conference (ICNS), pp. 1-8, Herndon, VA, USA , .
[BEL2019]
Bellido-Manganell, M. A. and M. Schnell, "Towards Modern Air-to-Air Communications: the LDACS A2A Mode", IEEE/AIAA 38th Digital Avionics Systems Conference (DASC), pp. 1-10, San Diego, CA, USA , .
[TS33.401]
Zhang, D., "3GPP System Architecture Evolution (SAE); Security architecture", T33.401, 3GPP , .
[CRO2016]
Crowe, B., "Proposed AeroMACS PKI Specification is a Model for Global and National Aeronautical PKI Deployments", WiMAX Forum at 16th Integrated Communications, Navigation and Surveillance Conference (ICNS), pp. 1-19, New York, NY, USA , .
[MAE2020]
Maeurer, N., Graeupl, T., and C. Schmitt, "Comparing Different Diffie-Hellman Key Exchange Flavors for LDACS", IEEE/AIAA 39th Digital Avionics Systems Conference (DASC), pp. 1-10, San Antonio, TX, USA , .
[STR2016]
Strohmeier, M., Schaefer, M., Pinheiro, R., Lenders, V., and I. Martinovic, "On Perception and Reality in Wireless Air Traffic Communication Security", IEEE Transactions on Intelligent Transportation Systems, 18(6), pp. 1338-1357, New York, NY, USA , .
[BIL2017]
Bilzhause, A., Belgacem, B., Mostafa, M., and T. Graeupl, "Datalink Security in the L-band Digital Aeronautical Communications System (LDACS) for Air Traffic Management", IEEE Aerospace and Electronic Systems Magazine, 32(11), pp. 22-33, New York, NY, USA , .
[MAE20181]
Maeurer, N. and A. Bilzhause, "Paving the Way for an IT Security Architecture for LDACS: A Datalink Security Threat and Risk Analysis", IEEE Integrated Communications, Navigation, Surveillance Conference (ICNS), pp. 1-11, New York, NY, USA , .
[FAA2020]
FAA, "Federal Aviation Administration. ADS-B Privacy.", , <https://www.faa.gov/nextgen/equipadsb/privacy/>.
[GNU2012]
GNU Radio project, "GNU radio", , <http://gnuradio.org>.
[SIT2020]
SITA, "Societe Internationale de Telecommunications Aeronautiques", , <https://www.sita.aero/>.
[ARI2020]
ARINC, "Aeronautical Radio Incorporated", , <https://www.aviation-ia.com/>.
[DO350A]
RTCA SC-214, "Safety and Performance Standard for Baseline 2 ATS Data Communications (Baseline 2 SPR Standard)", , <https://standards.globalspec.com/std/10003192/rtca-do-350-volume-1-2>.
[ICAO20151]
International Civil Aviation Organization (ICAO), "Manual on VHF Digital Link (VDL) Mode 2, Doc 9776", , <https://store.icao.int/en/manual-on-vhf-digital-link-vdl-mode-2-doc-9776>.
[ICAO20152]
International Civil Aviation Organization (ICAO), "Manual on the Aeronautical Telecommunication Network (ATN) using Internet Protocol Suite (IPS) Standards and Protocols, Doc 9896", , <https://standards.globalspec.com/std/10026940/icao-9896>.
[KAMA2010]
Kamali, B., "An Overview of VHF Civil Radio Network and the Resolution of Spectrum Depletion", Integrated Communications, Navigation, and Surveillance Conference, pp. F4-1-F4-8 , .
[DIF1976]
Diffie, W. and M. Hellman, "New Directions in Cryptography", IEEE Transactions on Information Theory, 22(6):644-654 , .
[KOB1987]
Koblitz, N. and M. Hellman, "Elliptic Curve Cryptosystems", Mathematics of Computation, 48(177):203-209. , .
[JAO2011]
Jao, D. and L. De Feo, "Towards Quantum-Resistant Cryptosystems from Super-singular Elliptic Curve Isogenies", 4th International Workshop on Post-Quantum Cryptography, Springer, Heidelberg, Germany, pp. 19-34 , .
[MAE2021]
Maeurer, N., Graeupl, T., and C. Schmitt, "Cybersecurity for the L-band DigitalAeronautical Communications System (LDACS)", Aviation Cybersecurity: Foundations, Principles, and Applications. H. Song, K. Hopkinson, T. De Cola, T. Alexandrovich, and D. Liu (Eds.), Chapter 07, in printing process , .
[BER2017]
Bernstein, D.J. and T. Lange, "Post-Quantum Cryptography", Nature, 549(7671):188-194 , .
[PRI2014]
Pritzker, P. and P.D. Gallagher, "SHA-3 standard: Permutation-Based Hash and Extendable-Output Functions", Information Tech Laboratory National Institute of Standards and Technology, pp. 1-35 , .
[ZHE2007]
Zheng, X., Huang, C.T., and M. Matthews, "Chinese Remainder Theorem-Based Group Key Management", 45th Annual Southeast Regional Conference, ACM, New York, NY, USA, pp. 266-271 , .
[GUG2018]
Guggemos, T., Streit, K., Knuepfer, M., gentsche Felde, N., and P. Hillmann, "No Cookies, Just CAKE: CRTbased Key Hierarchy for Efficient Key Management in Dynamic Groups", International Conference for Internet Technology and Secured Transactions, Cambridge, UK, pp. 25-32 , .
[SAK2014]
Sakamoto, N., "An Efficient Structure for LKH Key Tree on Secure Multi-Cast Communications", 15th IEEE/ACIS International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing, New York, NY, USA, pp. 1-7 , .
[KUM2020]
Kumar, V., Kumar, R., and S.K. Pandey, "A Computationally Efficient Centralized Group Key Distribution Protocol for Secure Multicast Communications Based Upon RSA Public Key Cryptosystem", Journal of King Saud University - Computer and Information Sciences, 32(9):1081-1094 , .
[RAW-TECHNOS]
Thubert, P., Cavalcanti, D., Vilajosana, X., Schmitt, C., and J. Farkas, "Reliable and Available Wireless Technologies", Work in Progress, Internet-Draft, draft-ietf-raw-technologies-01, , <https://tools.ietf.org/html/draft-ietf-raw-technologies-01>.
[RAW-USE-CASES]
Papadopoulos, G. Z., Thubert, P., Theoleyre, F., and C. J. Bernardos, "RAW use cases", Work in Progress, Internet-Draft, draft-ietf-raw-use-cases-01, , <https://tools.ietf.org/html/draft-ietf-raw-use-cases-01>.
[I-D.ietf-ipsecme-g-ikev2]
Smyslov, V. and B. Weis, "Group Key Management using IKEv2", Work in Progress, Internet-Draft, draft-ietf-ipsecme-g-ikev2-02, , <https://tools.ietf.org/html/draft-ietf-ipsecme-g-ikev2-02>.

Appendix A. Selected Information from DO-350A

This appendix includes the continuity, availability, and integrity requirements interesting for LDACS defined in [DO350A].

The following terms are used here:

CPDLC
Controller Pilot Data Link Communication
DT
Delivery Time (nominal) value for RSP
ET
Expiration Time value for RCP
FH
Flight Hour
MA
Monitoring and Alerting criteria
OT
Overdue Delivery Time value for RSP
RCP
Required Communication Performance
RSP
Required Surveillance Performance
TT
Transaction Time (nominal) value for RCP

Table 1: CPDLC Requirements for ECP
ECP 130 ECP 130
Parameter ET TT95%
Transaction Time (sec) 130 67
Continuity 0.999 0.95
Availability 0.989 0.989
Integrity 1E-5 per FH 1E-5 per FH
Table 2: CPDLC Requirements for RCP
RCP 240 RCP 240 RCP 400 RCP 400
Parameter ET TT95% ET TT95%
Transaction Time (sec) 240 210 400 350
Continuity 0.999 0.95 0.999 0.95
Availability 0.989 (safety) 0.989 (efficiency) 0.989 0.989
Integrity 1E-5 per FH 1E-5 per FH 1E-5 per FH 1E-5 per FH

RCP Monitoring and Alerting Criteria in case of CPDLC:

-
MA-1: The system SHALL be capable of detecting failures and configuration changes that would cause the communication service no longer meet the RCP specification for the intended use.
-
MA-2: When the communication service can no longer meet the RCP specification for the intended function, the flight crew and/or the controller SHALL take appropriate action.

Table 3: ADS-C Requirements
RSP 160 RSP 160 RSP 180 RSP 180 RSP 400 RSP 400
Parameter OT DT95% OT DT95% OT DT95%
Transaction Time (sec) 160 90 180 90 400 300
Continuity 0.999 0.95 0.999 0.95 0.999 0.95
Availability 0.989 0.989 0.989 (safety) 0.989 (efficiency) 0.989 0.989
Integrity 1E-5 per FH 1E-5 per FH 1E-5 per FH 1E-5 per FH 1E-5 per FH 1E-5 per FH

RCP Monitoring and Alerting Criteria:

-
MA-1: The system SHALL be capable of detecting failures and configuration changes that would cause the ADS-C service no longer meet the RSP specification for the intended function.
-
MA-2: When the ADS-C service can no longer meet the RSP specification for the intended function, the flight crew and/or the controller SHALL take appropriate action.

Authors' Addresses

Nils Maeurer (editor)
German Aerospace Center (DLR)
Muenchner Strasse 20
82234 Wessling
Germany
Thomas Graeupl (editor)
German Aerospace Center (DLR)
Muenchner Strasse 20
82234 Wessling
Germany
Corinna Schmitt (editor)
Research Institute CODE, UniBwM
Werner-Heisenberg-Weg 28
85577 Neubiberg
Germany