[Sis-dtn] [dtn] [EXT] Re: Bundle custody transfer and reliable CLs
Felix.Flentge at esa.int
Felix.Flentge at esa.int
Mon Mar 28 14:53:45 UTC 2022
Yes, I do think there is a need for reliability mechanisms above the CLA
Layer. BIBE as a generic reliable CLA allows to address the case of
reliability for uni-directional links (although in this case the setting
of the timers may already get difficult) but it is currently not
addressing:
- non-timer based re-transmission (which might be very specific to a
certain node and deployment and therefore might be better addressed as
part of the BPA / AA)
- forwarding a bundle without explicitly addressing a (singleton) next hop
(eg, an opportunistic downlink where some signal about reception or
delivery is uplinked at some later time).
I agree that we somehow can consider all received bundles as 'custodial'
as a node should attempt to store and forward them. I also think that the
typical use of custody transfer for BPv6 has been probably more to be
informed about the reception (or deletion) of a bundle then whatever
(additional ???) responsibility would be taken by the receiving node. So,
maybe we should abandon the term 'custody' altogether. However, there are
certainly situations where a sending node would like to get information
about reception/delivery/deletion/forwarding of a bundle at another node
in an operationally viable and efficient way (so, not using the current
Bundle Status Reports).
Regards,
Felix
From: "Dr. Keith L Scott" <kscott at mitre.org>
To: "Mehmet Adalier" <madalier at antarateknik.com>,
"sburleig.sb at gmail.com" <sburleig.sb at gmail.com>, "'Sipos, Brian J.'"
<Brian.Sipos at jhuapl.edu>, "Felix.Flentge at esa.int" <Felix.Flentge at esa.int>,
"dtn at ietf.org" <dtn at ietf.org>, "sis-dtn at mailman.ccsds.org"
<sis-dtn at mailman.ccsds.org>
Date: 28/03/2022 15:11
Subject: Re: [Sis-dtn] [dtn] [EXT] Re: Bundle custody transfer and
reliable CLs
The question remains: do we need some form of reliability above the CLA
layer? As Scott points out, BIBE is ¡¥just¡¦ a reliable CLA that uses
bundles as its transport mechanism. That allows BIBE to function as a
reliable CLA in environments where other CLAs that require bidirectional
connectivity cannot, but viewed from the standpoint of the sending and
receiving BIBE endpoints, it¡¦s just another reliable CLA.
The not-often-stated assumption here is that bundle nodes that receive
bundles via reliable CLAs do in fact take on the responsibilities of what
was traditionally referred to as ¡¥custody transfer¡¦ ¡V i.e. following
whatever procedures are necessary to ensure that the received bundle
reaches its destination (e.g. store it until a forward path becomes
available, attempt retransmission to the next hop until there¡¦s an
indication that the next hop has (via a reliable CLA in this context)
received the bundle, etc.). I.e. this approach assumes that receipt of a
bundle „» accepting ¡¥custody¡¦ of it. Without this assumption, the service
provided by BP is essentially the same best-effort service that IP
provides, which I think is less than what we want, particularly for space
missions. So I think that in the BPv7 context, all bundles are considered
¡¥custodial¡¦.
If we consider cases where there may be congestion (contention for storage
space at nodes), this means that when congestion happens at a node, the
only course of action available to the node will be to refuse new incoming
bundles (presumably because the receiving CLAs stop accepting them).
There are at least two things to consider here:
1. What if I have a bundle node that is capable of forwarding but
that has quite minimal storage? By receiving a bundle, this node is
committing to storing that bundle until it can be reliably forwarded. It
seems like there could be cases where this is really inefficient,
especially if the reliable forwarding is over something like BIBE where
the RTT to get an acknowledgement could be high. In BPv6, such a node
could simply forward a custody-requesting bundle without actually taking
custody, sort of like a ¡¥transit node¡¦ in a BIBE tunnel. In this case, it
might be able to achieve a higher throughput at the expense of NOT
accepting the storage requirements from the current custodians.
2. Even if a congested node has a lot of storage (but still becomes
congested), in BPv6 there was the notion that the node could drop
(probably lower-priority) non-custodial bundles in favor of (probably
higher-priority) custodial bundles. We don¡¦t currently have any notion of
priority in BPv7, but if we ever want to admit the possibility that a
bundle node might drop a bundle due to congestion, it seems like the
assumption that receipt „³ ¡¥custodial¡¦ acceptance constrains us. In the
BPv7 ¡¥receipt is (custody) acceptance¡¦ model, the node would have to
refuse new bundles.
This might be right thing for some CONOPS. It would impose backpressure
(at DTN timescales) on the network, eventually to the bundle sources. The
same thing would happen with BPv6 and custodial bundles, the difference
being that a BPv6 node would have the option of dropping non-custodial
bundles to accommodate newer (again, presumably higher-priority) bundles.
I¡¦ll readily admit that calculating a (good) retransmission timer value in
the case where a node does NOT know if the proximate (or even which)
downstream node will take custody is difficult or impossible for some
networks. BIBE still has a bit of this problem, especially if the path to
the BIBE destination is long, as the sender won¡¦t necessarily know the
path the BIBE bundles will take, but it is at least more constrained than
the completely open case.
If we want to have the option of dropping lower-priority bundles that have
already been received and are being stored at a node, we¡¦ll need an
extension block to mark priority, fine. We could then create rules that
operate at the BP layer to drop bundles when congestion occurs according
to their priority markings and address #2 above. I suppose in this case
the ¡¥reliability¡¦ is still at the CLA layer and the decision-making
process on whether or not to drop an incoming bundle is at the BP layer.
That might not address #1 above but maybe #1 is sufficiently rare (or
non-existent) that we decide to ignore it.
Regardless, this has the disadvantage that the transmitting node would
believe that the bundle was accepted (because it would have been, by the
receiving CLA) event though it then got dropped by the BP layer at the
receiving node.
--keith
From: "sis-dtn-bounces at mailman.ccsds.org"
<sis-dtn-bounces at mailman.ccsds.org> on behalf of
"sis-dtn at mailman.ccsds.org" <sis-dtn at mailman.ccsds.org>
Reply-To: Mehmet Adalier <madalier at antarateknik.com>
Date: Friday, March 25, 2022 at 1:21 PM
To: "sburleig.sb at gmail.com" <sburleig.sb at gmail.com>, "'Sipos, Brian J.'"
<Brian.Sipos at jhuapl.edu>, Felix Flentge <Felix.Flentge at esa.int>,
"dtn at ietf.org" <dtn at ietf.org>, "sis-dtn at mailman.ccsds.org"
<sis-dtn at mailman.ccsds.org>
Subject: Re: [Sis-dtn] [dtn] [EXT] Re: Bundle custody transfer and
reliable CLs
I believe Scott¡¦s analysis below succinctly articulates the difference
between the two approaches and I agree that they should be kept separate.
For my intended use cases, approach 1 (BIBE/BPARQ?) is what I would need
to use. I¡¦ll be happy to contribute to this approach and prototype.
Best
mehmet
From: SIS-DTN <sis-dtn-bounces at mailman.ccsds.org> on behalf of
"sburleig.sb--- via SIS-DTN" <sis-dtn at mailman.ccsds.org>
Reply-To: <sburleig.sb at gmail.com>
Date: Friday, March 25, 2022 at 10:07 AM
To: "'Sipos, Brian J.'" <Brian.Sipos at jhuapl.edu>, <Felix.Flentge at esa.int>,
<dtn at ietf.org>, <sis-dtn at mailman.ccsds.org>
Subject: Re: [Sis-dtn] [dtn] [EXT] Re: Bundle custody transfer and
reliable CLs
Hi, Brian. Actually I think Felix¡¦s analysis is pretty much spot-on. We
really are talking about two different behaviors, which respond to two
different sets of requirements.
The ¡§custody transfer¡¨ procedures that I proposed in the BIBE draft are
very specifically aimed at defining a reliable convergence-layer adapter
that happens to use BP as its underlying convergence-layer protocol. There
is a requirement for this capability: Keith Scott has often pointed out
that there are scenarios in which reliable transmission between nodes is
required but no reliable transmission protocol is available, e.g., when
the sender¡¦s communication capability is temporarily unidirectional. These
are not hypothetical; MITRE¡¦s customers must at times operate in such
environments, and some space flight missions and other IoT systems could
be similarly constrained. Under these conditions, the mechanism by which
NAKs and ACKs are returned to the sender may function at a later time
and/or be unrelated to the mechanism by which the sender transmitted the
data. There might be better standardized protocols than BP for supporting
these kinds of scenarios, but none leap to mind.
The ¡¨custody transfer¡¨ procedures for which Felix proposes requirements
are different. Since there is no need for timeout-triggered
retransmission (retransmission is instead triggered by command or by
negative acknowledgment), there is no need for accurate estimation of the
round-trip time; therefore there is no need for the sender to know which
node will issue the responding (positive) custody acknowledgment, exactly
as required. I think of it as a resource management system rather than an
ARQ system. A mechanism very much like BPv6 custody transfer will work
fine.
I would propose that we term the latter procedures ¡§custody transfer¡¨ and
proceed to standardize them, while renaming the former something like
¡§BPARQ¡¨.
I don¡¦t think there¡¦s any need to impose any additional requirements on CL
protocols, TCPCL or other, to satisfy the requirements. These are
separate things. Let¡¦s keep them separate and support them separately and
clearly.
Scott
From: dtn <dtn-bounces at ietf.org> On Behalf Of Sipos, Brian J.
Sent: Friday, March 25, 2022 4:46 AM
To: Felix.Flentge at esa.int; dtn at ietf.org; sis-dtn at mailman.ccsds.org
Subject: Re: [dtn] [EXT] Re: Bundle custody transfer and reliable CLs
Felix,
Thank you for this feedback. There is a misinterpretation of what I (and
maybe also Scott via BIBE) am suggesting about what happens during
reliable reception. The idea isn¡¦t that two different things happen, it¡¦s
that it¡¦s the same BP agent custody acceptance criteria just that some CLs
can provide intrinsic signaling of that acceptance while other CLs have no
means to signal that specific feedback.
While IETF doesn¡¦t (normally) specify internal APIs, the CCSDS documents
do and this can help here. Currently 734.2-B-1 does not actually define a
BPA¡XCLA interface API, but it seems like the rough interface looks like:
Send.request to the CLA
Send.response from the CLA
Receive.indication from the CLA
What I am suggesting is that the Receive side could be changed from the
asynchronous ¡§I just got this transfer. Here it is, thanks.¡¨ to a
synchronous ¡§I just got this transfer. Will you accept it?¡¨ similar to:
Receive.indication from the CLA
Receive.response to the CLA
The TCPCL and LTPCL already provide the negative response over-the-wire
(TCPCL reception can send XFER_REFUSE at any time before the END ACK, and
LTPCL can send ¡§Cancel from the block receiver¡¨ similarly) there is
currently just no specific formal definition of what, from the BPA side,
the positive acknowledgement is required to mean. For example ¡§If the
transfer is not canceled by the receiver and the final ACK is sent, the
transferred bundle SHALL be completely and positively received within the
BP agent¡¦s forwarding or delivery queue.¡¨
As Scott mentioned earlier, custody isn¡¦t an anthropomorphization of the
BPA, it¡¦s a specific behavior, and it seems like by acknowledging that the
bundle was received into the queue for delivery/forwarding the agent has
¡§accepted¡¨ it. If the intent of custody is that it¡¦s a more
restricted/reserved resource pool (e.g. my forwarding queue is size X but
of that only Y (with Y<X) is reserved for bundles over which I have
custody) then that¡¦s a local agent management issue, not an over-the-wire
signaling issue. The BPA has still positively accepted the bundle and some
CLAs can communicate this back to the sending agent synchronously.
Thanks for any further clarification,
Brian S.
From: dtn <dtn-bounces at ietf.org> On Behalf Of Felix.Flentge at esa.int
Sent: Friday, March 25, 2022 6:11 AM
To: dtn at ietf.org; sis-dtn at mailman.ccsds.org
Subject: [EXT] Re: [dtn] Bundle custody transfer and reliable CLs
(cross-posting to CCSDS DTN mailinglist as it seems to be of high
relevance to the on-going discussions in the DTN WG).
I think we clearly need to distinguish between (at least) two different
types of 'custody transfer' according to where it is implemented:
(a) BPv6 - like custody transfer which has been a function of the BPA / AA
Administrative element
(b) BIBE-like custody transfer which is implemented in the CLA
The main differences I see are:
- In (a) the decision whether to take custody or not can be taken on more
available information, eg timely availability of a route toward a next
hop, available storage, policies (eg, checking Bundle Integrity Blocks),
... In (b), the CLA may accept custody and the BPA would just decide to
discard the bundle for whatever reason (of course, there could be
interfaces to make such information available to the CLA but this would
somehow 'blur' the architecture.
- In (b), the node to take custody needs to be explicitly addressed (it's
the BIBE destination) while in (a) any node could take custody.
Requirements regarding custody transfer I would see for space missions
are:
1) Assertion of a high probability that a bundle will reach its
destination once a hop has accepted custody (which would allow the
forwarding node to release storage).
The meaning of 'high probability' does really depend on the mission data
return requirements. While for some missions it may be close to 100%,
other mission may be ready to accept higher data loss in favour of
timeliness (eg, certain types of Earth Observation missions).
2) Forwarding bundles without knowing which node will take custody.
In particular with high data rates and optical direct-to-Earth downlinks
we may have situations where the spacecraft may not know the actual next
hop is sending to but may want to get a confirmation that the bundle has
been received on ground. With high-data rates, bundles might already be
prepared and encoded in frames and be sitting in some buffers within
optical terminal because the data rates on the on-board buses would not
allow to generate and send in real time. Use of optical direct-to-Earth
links may be opportunistic and we may not know in advance how much data
will go down. So, addressing a specific DTN node in a ground station
becomes unpractical (if DTN nodes in ground station would share the same
anycast eID it may be possible but BIBE is currently limited to singleton
endpoints).
It is clear that these requirements cannot be solved by protocol
specification as Scott pointed out below but will also require that
implementing nodes conform to certain behaviours. This will not be
possible for an open, Internet-like DTN network (where we can only try to
take defensive actions). For space missions I would still expect limited,
tightly-controlled network for some time to come (maybe becoming 'trusted
zones' in a larger network). For these, we should have protocol mechanism
which can support above requirements (while being aware that some of these
mechanisms will not work in a fully open DTN).
Finally, 'custody transfer' seems to be always related to timer-base
re-transmission. However, I think there are other options as well, like:
- command-based re-transmission: an explicit command is sent to a DTN node
to re-transmit all bundles for which custody has been requested but no
signal has been received
- sequence-based re-transmission: in some situations it might be possible
(using additional extension blocks) to detect which bundles have not been
received by inspecting the received custody signals and re-send the ones
for which no custody signal have been received
Again, this would likely not work in an open DTN but only in (very)
limited, controlled networks. But this doesn't make such mechanisms less
useful (although I would prefer to have something more generic if
possible) and we should address it in the IETF (if there is general
interest) and/or the CCSDS (if it is for near-to-medium term space mission
use cases only).
Regarding reliable CLs: I currently don't see the point of a reliable CL
taking custody because it would be (only) type (b) custody which is
basically just a confirmation that the bundle has been received and this
can already be assumed by the fact that it is a reliable CL.
Regards,
Felix
From: "William Ivancic" <ivancic at syzygyengineering.com>
To: <sburleig.sb at gmail.com>, "'Sipos, Brian J.'" <
Brian.Sipos at jhuapl.edu>, <dtn at ietf.org>
Date: 25/03/2022 01:16
Subject: Re: [dtn] Bundle custody transfer and reliable CLs
Sent by: "dtn" <dtn-bounces at ietf.org>
¡§Custody¡¨ is a bundle level concept, not transport. Way back when,
¡§Custody¡¨ meant that the node taking ¡§Custody¡¨ would try it¡¦s best to
ensure the bundle was forwarded either to another ¡§Custody¡¨ node or to
eventually the destination node. The idea, as I recall, was this would
allow the original bundle source to clear its memory of that bundle.
For space operations, I don¡¦t think the operations people were ever
comfortable with this concept.
//Will
From: dtn <dtn-bounces at ietf.org> on behalf of <sburleig.sb at gmail.com>
Date: Thursday, March 24, 2022 at 6:04 PM
To: "'Sipos, Brian J.'" <Brian.Sipos at jhuapl.edu>, <dtn at ietf.org>
Subject: Re: [dtn] Bundle custody transfer and reliable CLs
Brian, there was some further discussion of custody transfer in this
morning¡¦s meeting of the CCSDS Space Internetworking Systems DTN Working
Group as well. A couple of notes:
It¡¦s important to remember that we are talking about state machines here,
not people. Anthropomorphizing the DTN architecture is tempting but
treacherous. BP nodes have no will; they cannot take responsibility; they
cannot promise to do anything. All they do is behave, ideally in a
fashion that conforms to the protocol specifications to which they were
allegedly developed.
Also, any given node may have been designed with malign intent or
implemented with errors. Stating a requirement in a protocol
specification does not ensure its satisfaction; what it does is give a
node¡¦s human (maybe eventually AI) network operators a means of assessing
the behavior of another node and possibly taking some sort of out-of-band
administrative action in defense against that behavior as needed.
You¡¦re right, the term ¡§custody¡¨ is not defined for BPv7. It is still
widely used to refer to some behavior that future users of DTN for space
flight operations state will be very important, but for which the
requirements are not yet clearly established. It is starting to look like
the BP-based ARQ in the most recent BIBE draft, while needed (I think), is
not exactly what people mean by ¡§custody transfer.¡¨ So it may become
useful to define an additional BP extension (TBD) that we label with this
term.
TCPCL enhancements along the lines you propose here may very well be
valuable; I don¡¦t know, need to think about them some more. But I would
say the BPv7 specification already contains language (in 5.4, Step 5 and
the following two paragraphs, and in 7.2, second bullet point)
constraining the sort of convergence-layer reliability that I think is
indispensable, regardless of what we call it.
Scott
From: dtn <dtn-bounces at ietf.org> On Behalf Of Sipos, Brian J.
Sent: Thursday, March 24, 2022 1:39 PM
To: dtn at ietf.org
Subject: [dtn] Bundle custody transfer and reliable CLs
All,
There was some brief discussion during the BIBE presentation about custody
transfer concept and CL mechanisms. This is also an open topic in the
CCSDS drafting of BPv7 standardization. I would like to add some
additional points for thought in how a reliable convergence layer can
relate to the concept of custody transfer for agents on either side of the
transfer.
Overall, there still seems to be some vagueness about what ¡§custody¡¨ means
(in the sense of a service level agreement) between peers exchanging
bundles. My understanding is that ¡§custody¡¨ means the custodial node is
willing to make some kind of effort to keep the bundle moving toward its
destination until the bundle lifetime expires.
The current RFC 9174 document is silent about what exactly an XFER_ACK
segment with END flag set (an END ACK) means from the perspective of the
BP agent and what is guaranteed about the transferred bundle. This
provides an opportunity for a follow-on clarification of END ACK semantics
for the TCPCL entity and for the BP agent. Two potential ways of making
the behavior more well-defined:
1. A network-specific profile of TCPCL could simply mandate that any
node accepts custody by sending an END ACK. This would simply be a
condition of conformance to the profile in a controlled network. This
could be done immediately without any change elsewhere, but needs
out-of-band coordination.
2. One or more (quite simple) extension types can be defined for
TCPCL to allow an entity to expose its END ACK behavior (RX) and desire
(TX):
a. A session extension can allow an entity to assert what its sent
END ACK means for received transfers. The value in this is to allow the
peer entity to adjust behavior depending on the capability (e.g. use BIBE
if the next-hop doesn¡¦t take END ACK custody), including possibly refusing
to establish a session with (or refusing to send bundles to) a peer that
does not take custody via END ACK.
b. Additionally, a transfer extension can allow a sender to assert
its custody desire on a per-bundle basis (signaling that some bundles need
custody transfer while others do not). The value in this is to allow the
receiving entity to optimize its behavior based on whether or not custody
is needed for a bundle; though I don¡¦t know how much benefit this would
be.
The possible values enumerated by the session extension would be something
like:
¡P Custody is not taken at END ACK
¡P Custody is taken at END ACK
And if there is a transfer extension defined, a the session extension
could indicate:
¡P Reception behavior is unconditional
¡P Reception behavior can be overridden per-transfer based on the
sender¡¦s desire
These changes would all be backward compatible in the sense that a default
policy would be in place in the absence of this extension item. And all of
this is an independent mechanism from BIBE for a custody transfer to take
place; both this mechanism and BIBE have their own costs, benefits, and
side effects of such a transfer.
Trying to make almost-there-already capabilities more obvious,
Brian S.
_______________________________________________ dtn mailing list
dtn at ietf.org https://www.ietf.org/mailman/listinfo/dtn
_______________________________________________
dtn mailing list
dtn at ietf.org
https://www.ietf.org/mailman/listinfo/dtn
_______________________________________________ SIS-DTN mailing list
SIS-DTN at mailman.ccsds.org
https://mailman.ccsds.org/cgi-bin/mailman/listinfo/sis-dtn
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.ccsds.org/pipermail/sis-dtn/attachments/20220328/64f66a78/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 11926 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://mailman.ccsds.org/pipermail/sis-dtn/attachments/20220328/64f66a78/attachment-0001.bin>
More information about the SIS-DTN
mailing list