The following documents form a part of this standard manual to the extent specified herein. In the event of conflict between the documents referenced herein and the contents of this standardmanual, the contents of this standard shall be considered the superseding documentprovisions of this manualherein shall take precedence. In the event of a conflict between the manual and the provisions in Annex 10, the provisions of Annex shall take precedence.
Request for Comments (RFCs) RFC-768 User Datagram Protocol, August 1980
RFC-793 Transmission Control Protocol, September 1981
RFC-1323 TCP Extensions for High Performance, May 1992
RFC-2401 Security Architecture for the Internet Protocol, November 1998
RFC-2402 IP Authentication Header, November 1998
RFC-2406 IP Encapsulating Security Payload (ESP), November 1998
RFC-2410 The NULL Encryption Algorithm and Its Use With IPsec, November 1998
RFC-2460 Internet Protocol, Version 6 (IPv6) Specification, December 1998
RFC-2545 Use of BGP-4 Multi-protocol Extensions for IPv6 Inter-Domain Routing, March 1999
RFC-3065 Autonomous System Confederations for BGP, February 2001
RFC-4271 A Border Gateway Protocol 4 (BGP-4), January 2006
RFC-4305 Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH) – (NB proposed standard, obsoletes RFC2402, RFC2406), December 2005
RFC-4306 Internet Key Exchange (IKEv2) Protocol, December 2005
RFC-4307 Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2), December 2005
RFC-4443 Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification, March 2006
2.2 Relevent ICAO Publications
ICAO Annex 2 Rules of the Air
ICAO Annex 3 Meteorological Service for International Air Navigation
ICAO Annex 10 Aeronautical Telecommunications – Volume III, Part I – Digital Data Communication Systems
ICAO Annex 11 Air Traffic Services
ICAO Doc. 9705-AN/956 Edition 3, Manual of Technical Provisions for the ATN, 2002
SNMPv3 Simple Network Management Protocol version 3
SPI Security Parameter Index
UDP User Datagram Protocol
WAN Wide Area Network
Definitions are consistent with IETF terminology. Autonomous System
A set of independent groups
Internet A worldwide computer communications network that interconnects WANs, LANs, and computers by adopting common interface services and protocols based on the TCP/IP technology
LAN A network that interconnects hosts over short distances
Network Collection of computers, printers, routers, switches, and other devices that communicate with each other over a common transmission medium.
Protocol A set of rules and formats (semantic and syntactic) which determine the communication behavior between peer entities in the performance of functions at that layer
Router The communication element that manages the relaying and routing of data while in transit from an originating end system to a destination end system
Inter-Domain Router (Exterior Routing Protocol) These protocols are used to exchange routing information between ASes. They may in some cases be used between routers within an AS, but they primarily deal with exchanging information between ASes.
Intra-Domain Router (Interior Routing Protocol) These protocols are used to exchange routing information between routers within an AS. Intra-domain routing protocols are not used between ASes.
WAN A computer network that spans a large geographical area
This section specifies the RFCs that will be implemented in order to provide a consistent and uniform data transmission environment among ATN users.
4.1 atn ATN IPS Administration
4.1.1 The ATN ATN IPS Internet
220.127.116.11 The ATN ATN IPS Internet consists of IPS Nodes (hosts/routers) and networks operating in a multinational environment. The ATN IPS Internet is capable of supporting Air Traffic Service Communication (ATSC) as well as Aeronautical Industry Service Communication (AINSC), such as Aircraft Administrative Communication (AAC) and Aircraft Operational Communication (AOC). 18.104.22.168 There are two types of ATN IPS Nodes in the ATN. An ATN IPS Router is an ATN IPS Node that forwards Internet Protocol (IP) packets not explicitly addressed to itself. An ATN IPS Host is an IPS Node that is not a router. 22.214.171.124 The ATN ATN IPS Internet will consist of a set of interconnected Administrative Domains (AD). From a management perspective, an Administrative Domain may be an individual state, a group of states or a region. From a Physical perspective, an Administrative Domain is a group of hosts, routers, and networks operated and managed by a single organization. An Administrative Domain is viewed from the outside, for purposes of routing, as a cohesive entity, of which the internal structure is unimportant.
4.1.2 Administrative Domains
126.96.36.199 Each State participating in the ATN IPS Internet shall1 operate one or more Administrative Domains, comprising one or more Inter-domain Routers as required to interconnect with Inter-domain Routers in other ground-based Administrative Domains.
Note 1.— Adjacent States and/or Organisations (on behalf of States) may alternatively combine their Administrative Domains into a single AD. Note 2.— For routing and addressing purposes an Administrative Domain is further partitioned into one or more Autonomous Systems. Note 3.— The routing protocol within an Administrative Domain is local matter determined by the managing organization. Note 4.— When the Border Gateway Protocol (BGP) is used as the routing protocol for Autonomous Systems within an Administrative Domain, the set of Autonomous Systems forms an Autonomous System Confederation.
4.1.3 Autonomous System Confederation
188.8.131.52 ATN IPv6IPS routers in the ATN within an Administrative Domain which interact using the Border Gateway Protocol should form an Autonomous System Confederation as specified in RFC-3065, Autonomous System Confederations for BGP.
Note 4.— When the Border Gateway Protocol (BGP) is used as the routing protocol for Autonomous Systems within an Administrative Domain, the set of Autonomous Systems forms an Autonomous System Confederation.
4.2 Physical layeR & LINK LAYER REQUIREMENTS
4.2.1 The specification of the physical and link layer characteristics for nodes are relegated to the local matteris local to the interfacing nodes. For options refer to Guidance Material for G/G IPS SARPS.
4.3 Network LAYER ReQUIREMENTS
The IP network layer will implement the IPv6 specification. IPv6 is designed for use in interconnected packet-switched computer communication networks and provides addressing and fragmentation services. The IP network layer shall be implemented in accordance with the following RFCs:
184.108.40.206 ATN IPv6IPS nodes in the ATN shall2 implement IPv6 Specification version 6 of the Internet Protocol (IPv6) as specified in RFC-2460., IPv6 Specification.
220.127.116.11 Regions will be responsible to get address allocations for ground-to-ground routing from IANA.
18.104.22.168 The process of routing a packet across a network or networks via the most appropriate path is enabled using routing protocols. Inter-Domain-routing shall be implemented in accordance with the following RFC::
22.214.171.124 ATN IPv6 routersIPS routers in the ATN shall3 implement version 4 of the Border Gateway Protocol (BGP4) as specified in RFC-4271, BGP4.
126.96.36.199 ATN IPv6IPS routers in the ATN shall4 implement Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing multi-protocol extensions to the Border Gateway Protocol (BGP4+) to support IPv6 Inter-Domain Routing as specified in RFC-2545., Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing.
Error Detection and Reporting
4.3.3 Error Detection and Reporting
188.8.131.52 The IPS network layer will implementuses the Internet Control Message Protocol (ICMPv6) protocol to report errors encountered during packet processing, and to perform other internet-layer functions (e.g., diagnostics and ping). The Error Detection and Reporting shall be implemented in accordance with the following RFC:
184.108.40.206 ATN IPv6IPS nodes shall5 implement Internet Control Message Protocol (ICMPv6) Specification version 6 of the Internet Protocol (IPv6) as specified in RFC-4443., ICMPv6 Specification.
4.3.4 Quality of Services (QoS)
220.127.116.11 ATN IPS routeres shall will advertise routes with an indication of traffic class.
18.104.22.168 ATN IPS nodes Host shall6 forward packets based on traffic class.
22.214.171.124 ATN IPS nodes Host shall7 forward packets based on priority.
4.4 Transport layer REQUIREMENTS
4.4.1 End to End Services
126.96.36.199 The transport layer provides end-to-end service between hosts over the internet to regulate flow, detect and correct errors, and multiplex data.
188.8.131.52 The transport layer shallwill support the following types of services:
Connection-Oriented (CO), invoking TCP
Connection-Less (CL), invoking UDP
4.4.13 Transmission Control Protocol (TCP)
The TCP services shall be implemented in accordance with the following RFCs:
184.108.40.206 ATN IPv6IPS nodes Host shall8 implement version 6 of the Internet Protocol (IPv6)Transmission Control Protocol (TCP) as specified in RFC-793, Transport Control Protocol (TCP).
220.127.116.11 ATN IPv6IPS nodesHost shall9 implement TCP version 6 of the Internet Protocol (IPv6)Extensions for High Performance as specified in RFC-1323, High Performance Extensions.
4.4.24 User Datagram Protocol (UDP)
The UDP services shall be implemented in accordance with the following RFCs:
18.104.22.168 ATN IPv6IPS nodesHost shall10 implement version 6 of the Internet Protocol (IPv6)User Datagram Protocol as specified in RFC-768, User Datagram services.
5.0 Network Layer Security using IPsec
This section contains requirements for IPS network layer security.
Note1. - This section contains requirements for IPS network layer security. Support for security is based on system threat and vulnerability analysis. Note 2. – Network layer security in the ATNIPS Internet is implemented using IPsec.
5.1 Basic Architecture
5.1.1 ATN IPv6IPS nodes routers in the ATN which support network layer security shall11 implement the Security Architecture for the Internet Protocol as specified in RFC-2401.
5.2 Security Protocols
5.2.1 ATN IPv6IPS nodes routers in the ATN which support network layer security shall12 implement the IP Encapsulating Security Protocol (ESP) as specified in RFC-2406.
5.2.2 ATN IPv6IPS nodesrouters in the ATN which support network layer security shall13 implement the IP Authentication Header (AH) protocol as specified in RFC-2402.
5.3 Key Management Methods
5.3.1 ATN IPv6IPS nodes routers in the ATN which support network layer security shall14 implement manual configuration of the security key and Security Parameters Index (SPI).
5.3.2 ATN IPv6IPS nodesHost in the ATN which support network layer security should implement key exchange in accordance with RFC-4306, The Internet Key Exchange (IKEv2) Protocol.
5.4 Transforms and Algorithms
5.4.1 ATN IPv6IPS nodes Host in the ATN which support network layer security shall15 implement the Cryptographic Algorithm Implementation Requirements for the Encapsulating Security Payload (ESP) and Authentication Header (AH)required algorithms for ESP and AH as specified in RFC 4305, Cryptographic Algorithm Implementation Requirements for the Encapsulating Security Payload (ESP) and Authentication Header (AH).
5.4.2 ATN IPv6IPS nodesHost in the ATN which support network layer security shall16 implement theThe Null Encryption Algorithm and Its Use With IPsec NULL encryption algorithm as specified in RFC-2410, The Null Encryption Algorithm and Its Use With IPsec.
and5.4.3 IPS nodes in the ATN which support network layer security shall17 implement the IP Encapsulating Security Protocol NULL authentication algorithm as specified in RFC-2406, IP Encapsulating Security Protocol; however, they shall17 not both be null.
5.4.4 IPS nodes in the ATN which support network layer security shall operate either the NULL Encryption Algorithm for the NULL authentication algorithm but not both.
Note. - Since ESP encryption and authentication are both optional, support for the NULL encryption algorithm [RFC-2410] and the NULL authentication algorithm [RFC-2406] is to be provided to maintain consistency with the way these services are negotiated. However, while authentication and encryption can each be NULL, they should not both be NULL.When ESP is used, at least one of these optional services is invoked (i.e. is non-NULL).
5.4.5 ATN IPv6IPS nodesHost in the ATN which support network layer security shall18 implement the Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2) required algorithms for key exchange as specified in RFC-4307, Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2).
Note 1. – There is an internet draft document which identifies Elliptic Curve Cryptography (ECC) groups for IKEv2. ECC aAlgorithms of equivalent or greater strength than those identified in RFC-4307 may be implemented as a local matter on a bi-lateral basis. Note 2. – RFC-4307 identifies two modular exponentiation groups for IKEv2. There have been additional internet draft documents that propose using elliptic curve groups. (ECP Groups For IKE and IKEv2 and Additional ECC Groups For IKE and IKEv2)