Link 2000+ Network Planning Document

Edition: 3.007 1

Network Manager Directorate

EUROCONTROL

Link 2000+ Network Planning Document

Edition No. : 3.007

Edition Issue Date : 18 November 2013

Author : David Isaac

Reference : CFC/Datalink/NPD

Distribution : � Internal Use Only � External Distribution � Confidential

Edition: 3.007 2

DOCUMENT APPROVAL

The following table identifies all management authorities who have successively approved the present issue of this document.

Edition: 3.007 3

DOCUMENT CHANGE RECORD

The following table records the complete history of the successive editions of the present document.

EDITION NUMBER

EDITION DATE REASON FOR CHANGE PAGES

AFFECTED

0.1 22 October 99

Document creation, first internal review copy

All

0.2 27 October 99

First incorporation of internal review comments

All

0.3 29 October 99

First draft for external review All

0.4 10 December 99

Updated draft after external review All

0.5 19 April 00 Updated with COM-T comments All

0.6 29 June 00 Updated with changes from Institutional Issues Group 2nd meeting

All

0.7 5 July 00 Updated with changes from Institutional Issues Group 3rd meeting. Certain issues are resolved and no longer identified as institutional resolutions.

All

1.0 6 March 01 Issued document resulting from completion of LINK 2000+ Planning Phase

All

2.0 24 June 02 Issued document resulting from adoption of Baseline Eurocae ED110 and addition of Acars Over AVLC (AOA) references.

All

3.0 27 June 05 Update to reflect current practice within LINK2000+ and in line with “AIFC” meeting (7 Apr 05) action

All

3.4 01 May 2007 Updated to include resolution to comments from SITA, DSNA, Airbus and Rockwell.

All

3.5 12 Mar 2012 Update to : - Remove out of date material,

confirm basic principles - Reflect Datalink Service

Implementing Rule publication - Documents the principles for

handling Non-AOC aircraft

All

3.6 17 Dec 2012 Inclusion of CRO/PSG Comments All

3.7 26 Sept 2013 Alignment with air and ground guidance documents and generic ACSP requirements documents. Change of document reference and introduction of document approval and

All

Edition: 3.007 4

review tables to align with document management procedure.

REVIEW TABLE

Edition No. Review type, scope, depth &

focus

Reviewers Date Conclusion

3.7 Internal review for consistency with other guidance documents

Nick Witt Isabelle Herail Philippe Sacre

September - November 2013

New template. No other changes required.

Edition: 3.007 5

TABLE OF CONTENTS

DOCUMENT APPROVAL ................................. ......................................................................... 2

DOCUMENT CHANGE RECORD .............................................................................................. 3

TABLE OF CONTENTS ................................. ............................................................................ 5

1 Introduction ...................................... ................................................................................ 7 1.1 Purpose ........................................................................................................................ 7 1.2 Background .................................................................................................................. 7 1.3 Reference Documents .................................................................................................. 8

2 The Data Link Services Implementing Rule (DLS-IR) . ................................................... 9

3 LINK Communications Infrastructure and Users ...... ................................................... 10 3.1 Air/Ground Communication Service Provider (ACSP) ................................................ 11 3.2 Air Navigation Service Providers (ANSPs) ................................................................. 11

4 Established NETWORK PLANNING Principles ........... ................................................. 13

5 Network Planning .................................. ......................................................................... 15 5.1 LINK 2000+ Network Overview .................................................................................. 16 5.2 Air/Ground Communications Network - VDL Mode 2 .................................................. 18 5.3 Ground–Ground Communications Networks .............................................................. 18 5.4 Inter Connection Models ............................................................................................ 19

5.4.1 Single Connection with ARINC and SITA inter-connected ................................... 19 5.4.2 Deployment by other ANSPs ............................................................................... 20

6 Air-ground router proliferation ................... ................................................................... 26

7 NON-AOC operators ................................. ..................................................................... 26

8 Naming and Addressing ............................. ................................................................... 27

9 Security .......................................... ................................................................................. 27

GLOSSARY .......................................... ................................................................................... 28

Edition: 3.007 6

Appendix A – Airport Legacy Considerations ........ .............................................................. 30

Appendix B – Air-Ground Router Proliferation ...... .............................................................. 32

Appendix C – Security Considerations .............. ................................................................... 38

NM EUROCONTROL Document Title: Document Reference:

Link 2000+ Network Planning Document CFC/Datalink/NPD

Edition: 3.007 7

1 Introduction

1.1 Purpose

The Network Planning Document (NPD) defines important principles for the deployment of the communication infrastructure required to support the implementation of Data Link Services. These principles were first agreed after consultation with Stakeholders in 2005 and were confirmed without change by further consultation with Air Navigation Services Providers (ANSPs), Airlines and Communications Service Providers in 2011. Deviation from these principles can cause serious interoperability issues.

The implementation phase of LINK 2000+ is governed by the Data Link Services Implementing Rule (DLS-R) published as European Commission Regulation 29/2009 (DLS IR) [1]. Data Link services will be implemented in ATM Systems and Aircraft systems as described in EUROCONTROL Specification on Data Link Services – SPEC-0116 [2]. The ATM Systems and Aircraft will be inter-connected by the LINK 2000+ communications infrastructure.

The NPD is primarily targeted at Air Navigation Service Providers subject to the DLS-IR, it provides guidance in addition to the principles required for deployment.

The NPD is complemented by the Generic ACSP Requirements Document. CFC/Datalink/ACSPGEN Edition 1.009 [6] which provides guidance for use by ANSPs to form the basis of a contract or agreement with an ACSP for the provision of ATN/VDL Mode 2 service.

1.2 Background

The Aeronautical Telecommunications Network (ATN) fulfils the LINK 2000+ requirement for a validated, global, reliable and ICAO SARPS compliant air-ground communication infrastructure. The ATN has therefore been selected as the communication network to support LINK 2000+ services. Different air-ground subnetworks can be used in the future, but LINK 2000+ relies on VHF Digital Link Mode 2 (VDL Mode 2).

Airline operational communications (AOC) messages between Airline Hosts and the Aircraft will be delivered using the same VDL Mode 2 infrastructure as that used to exchange Air Traffic Services Datalink messages. AOC messages do not use the ATN but are exchanged using ACARS over AVLC (AOA).

The Performance requirements to be satisfied by the LINK 2000+ Communications Infrastructure are specified in [4] EUROCAE ED 120 - Initial Continental Safety and Performance Requirements.

Interoperability requirements are laid down in [3] EUROCAE Document ED110B Interoperability Requirements Standard For ATN Baseline 1.

Generic Air/Ground Communication Service Provider requirements are laid down in the [6] Generic ACSP Requirements Document, document developed to be used by ANSPs as the basis for their contractual agreements with the ACSP(s).

Several references are made to the LINK Integration Team (LIT) below; this group was responsible for all systems integration issues in the period 2000-2011. From 2012 this group was replaced by the Datalink Services Central Reporting Office (DLS-CRO).



Edition: 3.007 8

1.3 Reference Documents

[1] European Commission Regulation 29/2009 (DLS IR) [2] EUROCONTROL Specification on Data Link Services – SPEC-0116 [3] EUROCAE Document ED110B Interoperability Requirements Standard For ATN

Baseline 1 [4] EUROCAE ED 120 - Initial Continental Safety and Performance Requirements [5] EUROCONTROL Standard Document For On-Line Data Interchange (OLDI), Edition 4.2 [6] Generic ACSP Requirements Document. CFC/Datalink/ACSPGEN Edition 1.009,

November 2013. [7] EUR NSAP Address Registry [8] LINK2000+ Guidance to Ground Implementers. CFC/Datalink/GGI Edition 2.000,

November 2013.



Edition: 3.007 9

2 The Data Link Services Implementing Rule (DLS-IR)

Figure 1 – Geographical Scope

The DLS-IR prescribes the use of Datalink Services in the geographical region illustrated above. The DLS IR requires implementation of the Data Link Services in the airspace of the EU member states above FL285. The area in yellow is required to commence CPDLC operations by 7th February 2013, The area in light red is required to commence CPDLC operations by 5th February 2015. Aircraft with a certificate of airworthiness first issued on or after 1st January 2011 (forward-fit) must be compliant unless exempt. Aircraft individual certificate of airworthiness first issued before 1 January 2011 must be compliant by 5th February 2015 (retro-fit) unless exempt.



Edition: 3.007 10

3 LINK Communications Infrastructure and Users

Link2000+ Communications

Infrastructure

Airlines ATC Centres Airports

Figure 2 - The LINK2000+ Comms. Infrastructure and its users

As illustrated in the above figure, the LINK2000+ communications infrastructure is a network serving a number of different users. It is primarily air/ground driven and aircraft use this infrastructure to communicate with:

• Their Airlines Operational Centres for a variety of AOC purposes;

• ATC Control Centres in support of LINK 2000+ services;

• Airport Tower Control for DCL and Airport Terminal Information systems for D-ATIS (legacy ACARS implementations, outside the remit of LINK 2000+ and the DLS-IR) .

The LINK2000+ communications infrastructure comprises:

● VDL Mode 2 Air/Ground Networks operated by ACSPs (ARINC and SITA).

● VDL Mode 2 Air/Ground Networks operated by ANSPs.

● The OLDI Ground/Ground Communications Infrastructure

● ANSP operated ground networks.

Whilst this document defines the expected architecture of each component of the communications infrastructure, the final physical topology of the LINK2000+ communications infrastructure is outside of the scope of this document as this falls within the responsibility of the relevant Stakeholders.



Edition: 3.007 11

3.1 Air/Ground Communication Service Provider (ACSP )

In LINK2000+, an ACSP is the operator of an Air/Ground Communications Service, i.e. the VDL Mode 2 services.

Assumption - An ACSP operates:

• An Air/Ground (A/G) Datalink (VDL Mode 2)

• One or more A/G Routers (Note: an ACSP’s A/G Routers shall support ATS services, refer also to Principle NPD-2)

• One or more G/G Routers (Note: for interconnection with other ACSPs and with ANSPs.)

In the case of ARINC and SITA, they will also be supporting legacy ACARS services, and will continue to operate as an ACARS Data Service Providers as well as a LINK2000+ ACSP. They will therefore continue to operate an ACARS Message Switch (M/S) maintaining the existing ACARS service to airline ground systems. ACARS over AVLC (AOA) will be used for AOC communications by aircraft that are also ATC datalink equipped.

A/G RouterA/G Router G/G Router

To ANSPs

To AIRLINES

VDL2

AOC

ATC

ACARS DSP

Figure 3 - ACSP Internal Architecture

3.2 Air Navigation Service Providers (ANSPs)

An ANSP provides Air Traffic Control and related services in a defined airspace and from one or more Air Traffic Control Centres. Under the LINK2000+ Programme, each LINK2000+ ANSP will also offer the LINK2000+ ATS Services i.e. ACM, ACL, AMC and DLIC ATN based services (and possibly legacy DCL and D-ATIS ACARS based services).

Assumption: At each ATC Centre, an ANSP will operat e a Flight Data Processing System (FDPS). This will need to be modified in ord er to support the LINK2000+ ATS Services and to interface to the LINK2000+ Comm unications Infrastructure.

When considering the ATN aspects of the FDPS modifications, two questions arise:



Edition: 3.007 12

• How does the FDPS “plug” into the Communications Infrastructure?

• Where is the end point of the Communications Infrastructure i.e. the ATN End System?

There are different options for the internal architecture of ANSP systems implementing Datalink, these are described in LINK2000+ Guidance to Ground Implementers. CFC/Datalink/GGI Edition 2.0, Ref [8]

Assumption – LINK2000+ ANSPs will choose the most a ppropriate architecture given their existing systems and upgrade plans.

Assumption – Common developments such as a “Front-e nd Processor” and “Datalink Server” can not be imposed but can be con sidered when a sufficient number of States converge on a given physical imple mentation. 1

1 This would require a common interface design.



Edition: 3.007 13

4 Established NETWORK PLANNING Principles The following items were previously identified as Institutional Issues requiring resolution. They were originally tackled by the LINK Institutional Issues group and then refined through stakeholder consultation within the “LINK Integration Team” (LIT) when “ANSP partnerships” with SITA and ARINC first surfaced. The principles were re-examined once more in 2011 in the light of the DLS-IR and alternative proposals, the principles below were confirmed.

Principle NPD-0 - Dual coverage - the two existing commercial ACSPs (ARINC and SITA) provide a DLS-IR compliant ATN/VDL M2 datalin k service throughout the entire DLS-IR application area, either directly or in cooperation with ANSPs for a given airspace.

Note 1: Some of the notes to the below principles cover a deviation from the above assumption.

Note 2: in the following the term “ACSP” refers to “VDL Mode 2 ACSP” and includes “ANSP providing ACSP services”.

Principle NPD-1 – ATC datalink services must be ava ilable to all airlines, irrespective of whether or not they make use of AOC services.

Note 1: In regions where the ACSP(s) contracted by an airline for AOC service does not provide an ATC datalink service that complies with the ANSP requirements, other ACSP(s) nominated by the ANSP providing ATC in that region may be used for ATC datalink communications.

Principle NPD-2 – Aircraft may connect to only one ACSP for ATC and AOC purposes at the same time.

Note 1: Whilst it is technically possible to connect to different VDL2 Service Providers for ATC and AOC when VDL2 is confined to a single frequency this would require unplanned avionics changes. When VDL Mode 2 service providers use different frequencies, an aircraft has to have multiple VDL2 radios.

Note 2: In LINK2000+, ATC and AOC traffic share the same air-ground subnetwork media.

Principle NPD-3 – ACSPs satisfying the established minimum ATC datalink performance requirements, at regional and national level, shall be permitted to provide ATC services in the applicable area.

Note: ANSPs shall not exclude a particular ACSP (“non-exclusiveness”) for reasons other than failure to meet the minimum performance requirements.

Principle NPD-4 – Airlines shall have the freedom t o select any ACSP that meets the minimum Quality-of-Service requirements defined by the ANSP, for ATC Datalink services in an applicable area.

Principle NPD-5 – An ANSP shall connect directly wi th one or more ACSPs of its choice, and indirectly with all other ACSPs, meetin g the minimum Quality-of-Service requirements for the provision of ATC Datal ink services in its airspace.

Note 1: An agreement/contract will be required (service level and costs included).

Note 2: Interconnection of all ACSPs is required for ATC. Interconnection is required between all ACSPs providing ATC data-link service in an ANSP’s airspace, and all adjacent airspace.



Edition: 3.007 14

Principle NPD-6 – ATN Routes advertised to aircraft shall include routes to all adjacent ANSPs.

Principle NPD-7 – Airline contracted ACSPs offering an AOC service shall connect with Airline systems for the delivery of AOC traffi c.

Note: An agreement/contract will be required (service level and costs included).

Principle NPD-8 – The following charging model has been developed to support contracts and service level agreements.

• ACSPs will deploy VDL Mode 2 to support AOC and ATC services.

• ANSPs will not pay for the AOC service.

• ANSPs will pay for the ATC service at a flat rate calculated from the ATC requirements for communication performance (over and above that required for AOC) and predicted traffic flow. The flat rate will be subject to negotiations between contracted parties.

Principle NPD-9 – The implementation of the Communi cations Infrastructure is the responsibility of the committed stakeholders harmon ised through LINK 2000+ working arrangements.



Edition: 3.007 15

5 Network Planning The network planning considerations expressed in the following are based on lessons learnt from extensive ATN Trials activities, the PETAL II extension activities, the LINK2000+ Pioneer phase and early implementation in support of the DLS-IR . The considerations, including the “NPD Principles” listed in section 4, are in line with the outcomes of extensive LINK 2000+ Stakeholder consultation processes.

In addition to the ATN networking aspects, the communications infrastructure must satisfy Airline needs for AOC datalink message delivery between Airline hosts and the aircraft. AOC messages will be delivered via “ACARS Over AVLC” (AOA) infrastructure.

This document does not address the existing network architecture supporting ACARS applications.

Principle NPD-0 – Dual Coverage applies to all the sections below.



Edition: 3.007 16

5.1 LINK 2000+ Network Overview

Figure 4 depicts a general overview of the LINK 2000+ infrastructure focussing on the provision of end to end datalink services rather than ATN/VDL M2 coverage. The “#” numbers contained in the figure refer to respective paragraphs below.

Figure 4 - LINK 2000+ Network Overview (ATC datalin k provision)

The above figure allows for the discussion of possible network deployment scenarios for ATC datalink provision using VDL Mode 2 subnetworks, as follows:

• ANSPx contracts ACSP1: ACSP2 and ACSP3 airlines are connected to ANSPx via interconnection(s) between the ACSPs or ANSPx may choose to connect directly to others ACSPs;

• ANSPy contracts ACSP2: ACSP1 and ACSP3 airlines are connected to ANSPy via interconnection(s) between the ACSPs or ANSPx may choose to connect directly to others ACSPs;

AGR/GGR ACSP1

AGR/GGR ACSP2

AGR/GGR ACSP3

ANSPx (ACSP1)

ACSP1 Airline

ACSP2 Airline

ACSP3 Airline

ANSPy (ACSP2)

ANSPz (=ACSP3)

ACSP

ACSP

#5.4.1 #5.4.2.1 .#5.4.2.2

AGR/GGR ACSP1

AGR/GGR ACSP2

AGR/GGR ACSP3

ANSPx (ACSP1)

ACSP1 Airline

ACSP2 Airline

ACSP3 Airline

ANSPy (ACSP2)

ANSPz (=ACSP3)

ACSP INTERCONNECT

ACSP INTERCONNECT

#5.4.2.3b)

#5.4.2.3

ACSP1 ARINC

ACSP1 ARINC

ACSP2 SITA

ACSP2 SITA

ACSP3 ANSPz

ACSP3 ANSPz

ACSP1 ARINC

ACSP1 ARINC

ACSP2 SITA

ACSP2 SITA

ACSP3 ANSPz

ACSP3 ANSPz



Edition: 3.007 17

• ANSPz operates its own network, i.e. operates as ACSP3. Depending on contractual arrangements with the established commercial ACSPs (SITA or ARINC), its ground stations announce themselves as either SITA/ARINC (likely situation) or both.

Implementers should note that no existing avionics can work outside the address space of ARINC and SITA, e.g. through a proprietary ANSP identifier (GSIF).

These general scenarios are further discussed in section 5.4 with respect to internetworking aspects, as indicated by the section numbers in Figure 4. This includes the consideration of AOC traffic flows.



Edition: 3.007 18

5.2 Air/Ground Communications Network - VDL Mode 2

After full stakeholder consultation the VDL Mode 2 air-ground subnetwork was identified as a minimum requirement for datalink services prescribed by the DLS-IR. It is also the Airline choice to replace ACARS as the future means of AOC communications.

Assumption - It is expected that within the LINK ti meframe, deployment of VDL Mode 2 in Europe will be driven by competing ACSPs, primarily ARINC and SITA, to meet ATC and AOC requirements in the DLS-IR Region.

Some ANSPs will also deploy VDL Mode 2 Networks in association/partnership with ACSPs.

Note: If an ANSP provides VDL Mode 2 service in partnership with an ACSP (SITA or ARINC) then the ANSP network forms a sub-network of either the SITA or ARINC global network.

VDL Mode 2 will be used concurrently to support communications using:

a) The ATN in support of DLIC, ACM, AMC and ACL Services.

b) ACARS over AVLC (AOA) in support of AOC communications, DCL and D-ATIS Services.

Several VDL2 ACSPs operating in the same airspace is considered to be the nominal case (as a direct consequence of Principle NPD-5). As long as any VDL2 ACSP meets minimum Quality of Service requirements for ATC datalink services (as set at a national or regional level), there is no reason why they should also not offer an ATC datalink service alongside their AOC service.

For instance (refer to Figure 4), when an airline that uses the VDL2 Service of ACSP1 flies out of the airspace controlled by ANSPx and into the adjacent airspace of ANSPy (contracting ACSP2), CPDLC messages are transferred between the aircraft and the ANSPy’s ATC Centre via the two-way ACSP1 to ACSP2 ATN interconnection.

Once the aircraft is within the ANSPy’s airspace, it is expected to stay with the ACSP1 VDL2 Service (as that is its AOC Service Provider) and hence the ATN communication paths will remain unchanged.

For a detailed discussion on internetworking aspects, refer to Section 5.4.

5.3 Ground–Ground Communications Networks

ANSP interconnection using OLDI is required for the forwarding of CM Logon information and for supporting the CPDLC Transfer of Communications function (ACM).

Assumption: The existing OLDI infrastructure will b e used for this purpose.

The LINK 2000+ DLIC, ACM, AMC and ACL Services require that ANSPs interconnect their ATN networks with ACSPs, using ground-ground communications networks.

The legacy DSC and D-ATIS services require that ANSPs inter-connect with ACARS Service Providers, using ground-ground communications networks.

Assumption: ground-ground interconnection will prob ably use legacy X.25 communications networks during the first phase of d eployment. However, this will evolve to use of TCP/IP networks during the latter part of the deployment.



Edition: 3.007 19

5.4 Inter Connection Models

The Air-Ground and Ground-Ground subnetworks described above will be integrated into a seamless whole by the ATN Internet to service the Airspace and ANSP users of the LINK 2000+ Communications Infrastructure (as depicted in Figure 4).

Based on general network overview description in section 5.1, the following sections detail the various internetworking scenarios based on the actual evolution of the LINK2000+ network. As reference is made to the “real-life” situation, the generic ACSP notations used in section 5.1 are replaced by ARINC and SITA (incl. contracted airlines), and those ANSPs going to operate their own networks, as appropriate.

Starting with the Maastricht model as an example; the “Primary ACSP” refers to the ACSP contracted to provide ATN/VDL2 services via a direct connection to a given ANSP.

Note 1: An ANSP may itself act as the Primary ACSP. In such cases the requirements applicable to the Primary ACSP are also applicable to the ANSP.

An “Alternative ACSP” refers to an ACSP which provides ATN/VDL2 service to participating aircraft under the jurisdiction of a given ANSP, under an agreement that specifies that it is connected via the Primary ACSP to the ANSP.

It is also possible for any ANSP to contract and connect to both ARINC and SITA directly.

5.4.1 Single Connection with ARINC and SITA inter-c onnected

Figure 5 - LINK2000+ Infrastructure at UAC Maastricht

The LINK2000+ infrastructure at Maastricht UAC is given as a starting reference point for this particular model - it supports the service offered by UAC Maastricht and is illustrated in Figure 5. The figure also illustrates the communications paths for AOC messages (green) and ATC messages (red).

e.g. DLHe.g. SAS

SITA VDL2 ARINC VDL2

A/G

Router

A/G

RouterG/G

Router

G/G

Router

G/G

Router

A/G

Router

A/G

RouterG/G

Router

G/G

Router

G/G

Router

UAC Maastricht

Airline

Airline

AOC

ATC

Comms Paths

PRIMARY & ALTERNATIVE

FULL GEOGRAPHICALCOVERAGE BOTH



Edition: 3.007 20

SITA are contracted by UAC Maastricht (as Primary provider) to provide a VDL2 service in Maastricht airspace for ATS purposes. A ground-ground connection with the SITA service has thus been implemented at UAC Maastricht.

Lufthansa are an Airline making use of the Maastricht ATS service; they are also a SITA AOC customer and are using the SITA VDL2 network for AOC purposes.

ARINC also providing VDL2 AOC services in Maastricht airspace (as the Alternative provider) in support of their own AOC customers (e.g. SAS). Their customers need to use the ARINC VDL2 service for both AOC purposes and to access the ATS Service provided by Maastricht.

In order to support the UAC Maastricht ATC datalink via the Alternative provider ARINC and SITA established a ground/ground ATN interconnection since the centre is only connected directly to the Primary provider.

Note that the following technical principles must apply:

a) The SITA VDL2 Ground Stations will advertise the VSDA of the SITA A/G Router.

b) The ARINC VDL2 Ground Stations will advertise the VSDA of the ARINC A/G Router.

Note: the NET of the appropriate A/G router will be derived from VSDA.

c) When communications are established with the respective Air/Ground Router, both SITA and ARINC Air/Ground Routers will advertise to ATN equipped aircraft an IDRP route capable of reaching UAC Maastricht.

d) Over the SITA/ARINC interconnection, ARINC will advertise to SITA an IDRP route to each ATN equipped aircraft currently using its VDL2 service. SITA will advertise to ARINC a route to UAC Maastricht.

e) There is no need for SITA to advertise IDRP routes to individual aircraft to UAC Maastricht as it provides the only route to all aircraft, although it may still do so.

Note: The contractual situation depicted at Maastricht above is subject to change. At the time of writing SITA is the Primary provider and ARINC the Alternative – either SITA or ARINC may be selected as Primary or Alternative in other ANSPs.

5.4.2 Deployment by other ANSPs

When other LINK2000+ ANSPs offer ATN/CPDLC services they have two options for the provision of those services. These are either by a simple extension of the 5.4.1 model or by offering their own VDL2 service.

5.4.2.1 Extension of the Maastricht Model

Under this model of operations, the ANSP:

1. Selects an ACSP as their Service Provider. This ACSP is contracted to provide VDL2 communications services throughout the airspace of the ANSP.

2. The ANSP deploys an ATN Ground/Ground Router and connects this with an ATN Router operated by the ACSP. The type of datalink used to connect the two routers is not significant, and may be any datalink that is ATN compatible and meets the Quality of Service requirements. In many cases, the datalink will be provided by a TCP/IP network.

Other ACSPs may also provide AOC services in the same airspace and provide a route to the ANSP for access to the ATN/CPDLC services. To do this, they will need to interconnect via the ANSP’s selected ACSP, following the example of UAC Maastricht (see Figure 5). Alternatively, an ACSP might also directly connect with the ANSPs (refer



Edition: 3.007 21

to section5.4.2.3). The ANSP needs to formulate an interconnection policy in order to ensure a consistent approach.

Figure 6 - Deployment extends to second ANSP

As SITA and ARINC are already interconnected, in support of UAC Maastricht, it is anticipated that most other ANSPs implementing this model of operations will take advantage of this and connect with only a single ACSP. Indeed, ACSP interconnection in support of UAC Maastricht is also regarded as a strategically important objective in this respect.

Figure 6. illustrates this model of operations.

The selected ACSP must be contracted to provide the minimum Quality of Service for ATS Services. The ANSP is also responsible for ensuring that any other ACSP that wishes to provide access to ATS Services in its airspace also meets the minimum Quality of Service requirements.

Assuming the ANSP2 (Other ANSP in Figure 6) is adjacent to ANSP1 (UAC Maastricht in Figure 6), OLDI will also be used to support ground information exchange during the CPDLC Transfer of Communications function (ACM).

Note that the following technical principles must apply:

a) The ARINC VDL2 Ground Stations will advertise the NET of the ARINC A/G Router.

b) The SITA VDL2 Ground Stations will advertise the NET of the SITA A/G Router.

c) When communications are established with the respective Air/Ground Router, both SITA and ARINC Air/Ground Routers will advertise to ATN equipped aircraft a route capable of reaching both ANSP1 and the ANSP2.

e.g. DLHe.g. SAS


A/G

Router

A/G

RouterG/G

Router

G/G

Router

G/G

Router

UAC Maastricht

Airline

Airline

AOC

ATC

Comms PathsG/G

RouterOther

ANSP

OLDI

e.g. DLHe.g. SAS


A/G

Router

A/G

RouterG/G

Router

G/G

Router

G/G

Router

UAC Maastricht

Airline

Airline

AOC

ATC

Comms PathsG/G

RouterOther

ANSP

OLDI

PRIMARY & ALTERNATIVE

FULL GEOGRAPHICALCOVERAGE BOTH



Edition: 3.007 22

d) Over the SITA/ARINC interconnection, SITA will advertise to ARINC an IDRP route to each ATN equipped aircraft currently using its VDL2 service, and a route to the ANSP2.

e) Over the SITA/ARINC interconnection, ARINC will advertise to SITA an IDRP route to each ATN equipped aircraft currently using its VDL2 service, and a route to ANSP1.

f) There is no need for ARINC to advertise IDRP routes to individual aircraft to ANSP1 as it provides the only route to all aircraft (even though this may still be done to monitor individual routes to aircraft).

g) Likewise, there is no need for SITA to advertise IDRP routes to individual aircraft to ANSP2 as it provides the only route to all aircraft (even though this may still be done to monitor individual routes to aircraft).

5.4.2.2 ANSP offering own VDL Mode 2 Service

Assumption (refer also to Principle NPD-0 and NPD-3 ): An ANSP offering a VDL2 Service will make arrangements for full dual covera ge by ARINC and SITA.

Assumption (refer also to Principle NPD-2): An ANSP offering a VDL2 Service will offer it in association with a commercial ACSP offe ring an AOC Service.

The consequence of Principle NPD-2 is that an aircraft must get its AOC and ATS services from a single VDL2 Service Provider. An ANSP (offering a VDL2 service) is therefore assumed to offer both ATC datalink services and to support AOC messaging. As AOC services are contracted for on a worldwide or a regional basis, a single state cannot realistically offer an AOC service except in association with a commercial service provider.

Figure 7 illustrates an example of the implementation of this strategy but for simplicity does not show the need for dual ATN/VDL M2 coverage. Note that the figure has been simplified for reasons of clarity and, in practice other commercial ACSPs might also operate in the ANSP’s airspace.

ARINC VDL2 SITA VDL2

A/GRouter

A/GRouter

G/GRouter

G/GRouter

G/GRouter

OLDI

ARINC

SITA

ANSP1

AirlineAirline

AOC

ATC

Comms Paths

ANSP2 VDL2

A/GRouter

G/GRouterANSP2 ATC Centre

ANSP1 Airspace ANSP2 Airspace

Figure 7 - Example of ANSP Offered VDL2 Service



Edition: 3.007 23

Figure 7 is an example showing ANSP1 with ARINC as Primary ACSP and an adjacent airspace ANSP (ANSP2) where there is an ANSP operated VDL2 service. This service is shown as being operated in association with SITA only for presentation purposes.

The ANSP2 VDL2 system is interconnected at two points with the SITA system.

The first is at the VDL2 level and is for AOC purposes. The ANSP2 VDL2 Ground Stations will advertise themselves as SITA ground stations offering the SITA AOC service. They must do this because, if they advertised themselves under the ANSP2’s own identity, aircraft would not recognise them as offering the SITA AOC service.

The second interconnection is at the ATN level and is between an ATN Ground/Ground Router operated by the ANSP2, and one operated by SITA. The purpose of this interconnection is to permit the exchange of ATN/CPDLC messages:

1. between aircraft in the ANSP2 airspace and ATC Centres in adjacent airspaces, and

2. between the ANSP2 ATC Centre and aircraft in the ANSP2 airspace but which use other VDL2 Service Providers.

The following technical principles apply:

a) The ARINC VDL2 Ground Stations will advertise the NET of the ARINC A/G Router.

b) The SITA VDL2 Ground Stations will advertise the NET of the SITA A/G Router.

c) The ANSP’s VDL2 Ground Stations will advertise the NET of the ANSP’s A/G Router.

d) When communications are established with the respective Air/Ground Router, the SITA, ARINC and ANSP2 Air/Ground Routers will advertise to aircraft an IDRP route capable of reaching both ANSP1 and the ANSP2.

e) Over the SITA/ANSP2 connection, the ANSP2 will advertise to SITA an IDRP route to each ATN equipped aircraft currently using its VDL2 service and a route to ANSP2 ATC Centre(s).

f) Over the SITA/ANSP2 connection, SITA will advertise to the ANSP2 an IDRP route to each ATN equipped aircraft currently using its VDL2 service and also to those using the ARINC VDL2 service and a route to ANSP1.

g) Over the SITA/ARINC interconnection, SITA will advertise to ARINC an IDRP route to each ATN equipped aircraft currently using its VDL2 service and also to those using the ANSP2 VDL2 Service and a route to ANSP2 ATC Centre(s).

h) Over the SITA/ARINC interconnection, ARINC will advertise to SITA an IDRP route to each ATN equipped aircraft currently using its VDL2 service and a route to ANSP1.

i) There is no need for ARINC to advertise IDRP routes to individual aircraft to ANSP1 as it provides the only route to all aircraft.

Figure 7 shows the various communications paths through the two interconnections. AOC traffic is shown in dark green and ATS traffic in red. Note that the ATS flows are more complex than the AOC flows. This is because AOC traffic is simply between an aircraft and its airline via the ACSP. ATS traffic is between the aircraft and the ATC Centre responsible for its current airspace; this will change during the flight.

The importance of the ATN level interconnections becomes clear during the Transfer of Communications. For example, an aircraft flying out of ANSP1 Airspace into the adjacent ANSP2 airspace, must be simultaneously in contact with ANSP1 as its CDA and the ANSP2 (its NDA). The communications paths to support this must be present.



Edition: 3.007 24

In this example, an aircraft that was using the SITA service to communicate with ANSP1 would probably still be using the SITA service during the transfer of communications and hence connect via the SITA A/G Router and the ATN/CPDLC interconnection from SITA to the ANSP2 ATC Centre.

CPDLC transfer of communication and VDL mode 2 handoff are separate uncorrelated events.

Once the aircraft is well within the airspace of the ANSP2 a VDL2 handoff is likely to take place to one of the ANSP2 operated VDL2 Ground Station. At this point the ATN connection will also change to be via the ANSP2 ATN Air/Ground Router. Note that this transition is not visible to CPDLC and affects only the path the messages take through the ATN internet.

5.4.2.3 Direct Interconnection between the ANSP and Alternative ACSPs

Instead of relying on the ACSPs’ interconnection (e.g. ARINC and SITA interconnection), the ANSP may opt for a direct ATN level connection with an Alternative VDL2 ACSP. This may be for reasons of bandwidth requirements, or availability and reliability considerations. If such links are established then it is possible to configure the ground internet so that ATS messages between Aircraft that use (e.g) the ARINC VDL2 Service and the ANSP’s ATC Centre normally use the direct link, but use the ARINC/SITA interconnection as a backup should the main link fail.

In the event that an ANSP is directly connected to two or more interconnected ACSPs, particular provisions will be required at the IDRP level to ensure that proper functionality is achieved

Firstly, IDRP routes to aircraft advertised by the ACSPs to the ANSP must contain sufficient information to allow determination by the ANSP of the optimum route to a given aircraft. Generic prefixes ‘All AINSC’ or ‘All ATSC’ will not allow such a determination. Two possible approaches can be foreseen:

• ANSPs may require ACSPs to advertise long prefixes representing routes to individual aircraft. However, this would imply receipt of routing information updates every time an aircraft connects or disconnects from the ATN, and ANSPs should be aware of the considerable burden on the loading and configuration of their G/G Routers that could arise as a result. ACSPs are recommended to avoid such an approach except where it is specifically required by an ANSP.

• Alternatively, route prefixes to individual airlines or operators may be advertised to the ANSP by the preferred ACSP of those airlines/operators. This would avoid an excessive burden on the G/G Router associated with routes to individual aircraft. Occasionally a dual provider aircraft may connect to its non-preferred provider due to transient anomalies in coverage, and in such cases the ATN route to the aircraft would be sub-optimal (i.e. via the ACSP interconnection), but this phenomenon should occur only very rarely and for short duration. However, additional arrangements might be needed in the case of non-AOC operators without a preferred provider; either long prefixes to individual aircraft could be advertised in such cases, or else a generic prefix which would apply in the absence of a more specific prefix, recognising that ATN traffic routed by means of a generic prefix might be transferred sub-optimally via the ACSP interconnection.

Routing policies must be implemented in the ANSP's G/G Router, taking into account the routes advertised by the ACSP, to ensure that wherever possible the shortest path to an aircraft is selected for end-to-end communication.



Edition: 3.007 25

Finally, policies must be implemented in the G/G Routers of the ANSP to avoid re-advertisement of mobile or fixed routes received from one adjacent ACSP to other adjacent ACSPs, which could lead to inappropriate traffic routing and transit.

5.4.2.4 Shared Air/Ground Routers

An ATN Air/Ground Router is a specialised high availability/high reliability system that will be expected to operate 24 hours a day, 7 days a week. There is thus a significant cost associated with them.

Additionally, when an aircraft transfers from one Air/Ground Router to another, there is a communications penalty in terms of a number of VDL2 messages that have to be exchanged.

There are both thus technical and financial reasons for minimising the number of Air/Ground Routers deployed.

For such reasons, an ANSP providing VDL2 service should also choose to share an Air/Ground Router with its AOC partner. This will avoid the communications overhead on transfer to the ANSP’s VDL2 service and keep down costs.

Sharing the Air/Ground Router does not change the interconnection requirements between the ANSP and its AOC partner. Typically, the ANSP will make use of the ACSP’s Air/Ground Router and hence all ATN messages will flow over the ground/ground connection with the ACSP. The result is illustrated in Figure 8 where ANSP2 is providing VDL2 Service.

ARINC VDL2 SITA VDL2

A/GRouter

A/GRouter

G/GRouter

G/GRouter

G/GRouter

OLDI

ARINC

SITA

ANSP1

AirlineAirline

AOC

ATC

Comms Paths

ANSP2 VDL2

G/GRouter

ANSP2 ATC Centre

ANSP1 Airspace ANSP2 Airspace

Figure 8 - ANSP uses ACSP's Air/Ground Router

Note: For simplicity the figure above does not show the need for dual ATN/VDL M2 coverage according to Principle NPD-0.



Edition: 3.007 26

6 Air-ground router proliferation Air-Ground (A/G) routers are typically deployed by ACSPs as the ATN access point to the ATN/VDL M2 network; both ARINC and SITA operate them. From a networking point of view it is not necessary or even desirable that all ANSPs operate their own air-ground routers, the minimum requirement is for an ATN ground-ground (G/G) router (see Figure 6).

Some ANSPs acting as ACSPs may decide to operate A/G Routers but the number operating in the European network should be kept as low as possible to minimise unnecessary load on the network caused by route updates (IDRP traffic) generated when an aircraft encounter a change in A/G router connectivity. Extra VDL M2 load will also generated due to sub-optimal handoff behaviour. Both will have a negative effect on the VDL M2 network. The more air-ground routers that are deployed, the more negative effect there will be on VDL M2 capacity.

ANSPs are therefore advised not to deploy A/G Routers unless absolutely required; it will save money and network overhead.

See Appendix B – Air-Ground Router Proliferation for a technical discussion on the subject.

7 NON-AOC operators The following principles apply to Operators of aircraft that do not conduct Airline Operational Communications (AOC) over the VDL M2 infrastructure – these are the so-called Non-AOC Operators.

Principle NAOC-1: An institutional solution will be put in place to avoid the need for technical measures to inform a non-AOC aircraft whi ch ACSP is the Primary provider in a given airspace

Principle NAOC-2: Subject to the constraints below, a non-AOC operator should continue to receive ATN/VDL service supporting CPDL C from the ACSP with which it is currently connected, even if the aircraft ent ers airspace in which the ACSP is no longer the Primary provider.

Note: This will also provide technical benefits to the communication network, since it will avoid frequent transitions between ACSPs, which impose a burden on communication capacity due to the need to re-establish an IDRP adjacency following a change of provider.

1. An ACSP will provide ATN/VDL service supporting non-AOC operators where at least:

a. the ACSP offers ATN/VDL coverage at the aircraft’s location, and b. the ACSP has an appropriate contractual arrangement with the relevant ANSP(s)

to convey CPDLC messages as a Primary or Alternative provider, and c. the non-AOC operator’s avionics have been qualified for operation on the ACSP’s

network, and d. the non-AOC operator has entered into an agreement with the ACSP in which the

ACSP commits to deliver the non-AOC operator’s ATC/ATN messages free of charge and is also addressing liability and other relevant matters.



Edition: 3.007 27

2. If any of the above constraints are not satisfied, the ACSP may at their own discretion refuse a connection request from the aircraft, or else should disconnect the aircraft if a link already exists.

Principle NAOC-3: The ACSPs (ARINC and SITA) shall report to EUROCONTROL the non-AOC operators with which they failed to ent er into an agreement.

Note1:Consideration will be given to administrative mechanisms to streamline the qualification of avionics and the establishment of agreements with non-AOC operators, possibly involving avionics vendors and/or airframe manufacturers.

Note2: Consideration will also be given to funding models to cover the carriage of CPDLC messages from non-AOC operators, in recognition that an Alternative ACSP may have no contractual obligation to carry such traffic, and will not receive AOC revenue from the operators.

Technical arrangements/details related to the Non-AOC operators are provided by the Generic ACSP Requirements Document Ref [6].

8 Naming and Addressing Refer to [7] EUR NSAP Address Registry which is available at http://www.paris.icao.int/documents_open/files.php?subcategory_id=137

9 Security Deployment of ATC datalink results in a general improvement of air safety including a decrease in the overall vulnerability of ATC (Voice and Data) communications to Denial of Service attacks.

There are currently many technical and physical hurdles for an attacker to overcome before a successful masquerade attack could be launched and, even then, surveillance systems and procedures should ensure that such an attack is ultimately fruitless. Physical Security is relied on to prevent a successful attack based on access to the ground ATN. For a detailed discussion of the assertions made here, refer to Appendix C – Security Considerations



Edition: 3.007 28

GLOSSARY

A/G Air-Ground

ACARS Aircraft Communications and Reporting System

ACL ATC Clearance

ACM AC Communication Management

ACSP Air-Ground Communications Service Provider

ANSP Air Navigation Service Provider

AOC Aircraft Operators Communications

ATC Air Traffic Control

ATN Aeronautical Telecommunications Network

ATS Air Traffic Services

AVLC Aviation VHF Link Control

CDA Current Data Authority

CLNP Connectionless Network Layer Protocol

CPDLC Controller Pilot Data Link Communications

CS Community Specification

DCL Departure Clearance

D-ATIS Digital Operational Terminal Information System

DLS-IR Data Link Services Implementing Rule

DSP Data link Service Provider

EUROCAE European Organization for Civil Aviation Equipment

FANS Future Aeronautical Network System

FANS1/A Future Aeronautical Network System

G/G Ground-Ground (Communication)

ICAO International Civil Aviation Organisation



Edition: 3.007 29

IDRP Inter Domain Routing Protocol

IP Internet Protocol

IR Implementing Rule

NDA Next Data Authority

OLDI On-Line Data Interchange

PDU Protocol Data Unit

PENS Pan-European Network Service

RTCA Radio Technical Commission for Aeronautics

SARPS Standards and Recommended Practices

VDL VHF Data Link

VDL M2 VHF Data Link Mode 2

VGS VHF Ground Station

VPN Virtual Private Network



Edition: 3.007 30

Appendix A – Airport Legacy Considerations Geographical Scope

The DCL and D-ATIS services operate from Tower Control systems are connected to the ACARS/ VDL M2 Infrastructure of SITA and ARINC. Avionics supporting CPDLC may also support these services but this is not required by the DLD-IR.

The Airports concerned are:

France: Paris Charles de Gaulle The United Kingdom: London Gatwick, London Heathrow Belgium: Brussels The Netherlands: Amsterdam Schiphol Germany: D-ATIS: Frankfurt, Munich, Düsseldorf,

Hamburg, Hannover, Stuttgart, Bremen, Münster-Osnabrück, Cologne, Berlin (THF, SXF, TXL), Nurmberg, Erfurt, Leipzig, Dresden, Saarbrücken .DCL: Munich, Stuttgart, Hamburg and Hannover (will be deployed to the remaining ones)

Spain: Madrid Barajas, Barcelona, Palma de Mallorca, Gran Canaria

Slovenia: Ljubljana Italy: Roma Fiumicino, Milano Apensa Ireland: Dublin Austria: Wien Schwechat Switzerland: Geneva Cointrin

Airport Systems Infrastructure

Three modes of DCL operations are possible and may be adopted by different airports, even within the same country. These are:

Option 1. Central slot and departure time allocation – Control Tower receives copy of DCL from remote;

Option 2. Central slot and departure time allocation – Control Tower releases DCL to pilot from remote.

Option 3. Distributed departure time allocation – Control Tower determines DCL locally and sends to pilot.

Assumption: Regional ATS Provider implementation fo r Tower Control will determine Network Design.

Two modes of D-ATIS provision are foreseen:

Option 1. The ATS Provider implements a central ATIS server and airports are providers to that server.

Option 2. ATIS is locally provided and ATIS requests are sent direct to the



Edition: 3.007 31

airport.

Assumption: Regional ATS Provider implementation fo r Terminal Information systems Control will determine Network Design.



Edition: 3.007 32

Appendix B – Air-Ground Router Proliferation Introduction

Protocols exist in the ATN and in VDL Mode 2 to minimise the overhead associated with handoff between VGSs connected to the same ATN A/G Router. However, when a handoff occurs involving connectivity with a new A/G Router, additional overhead on the RF channel is incurred, arising from the establishment of a new IDRP adjacency and LREF compression context.

Furthermore, if aircraft frequently encounter a change of A/G Router, a risk exists that they will experience a reduced quality of the physical Radio Frequency (RF) link by selecting VGSs at handoff to maintain connectivity with their existing A/G Router, rather than to achieve the best signal quality. This could in turn lead to a further overhead as a result of increases in AVLC re-transmissions.

Accordingly it is desirable to minimise the number of occasions where VDL handoff involves contact with a new A/G Router. This implies that the ATN/VDL network should be designed so as to ensure that each A/G Router covers as wide a geographical region as is practical.

This paper aims to highlight the overheads of handoff management and AVLC re-transmissions that may be expected from unnecessary proliferation of A/G Routers, and to quantify these effects by using the existing ACTS VDL Mode 2 simulation model.

Overhead From Handoff Involving Change Of A/G Route r

Current Link 2000+ VDL operation is based purely on air-initiated VDL handoffs. Typically, when the avionics detect falling signal strength (Signal Quality Parameter – SQP), or excessive AVLC re-tries, they will initiate handoff to a new VDL Ground Station (VGS). After such a handoff, the following transactions will always take place when connectivity is supported with at least one ATN Router:

a) XID_CMD_HO frame is sent by the aircraft to initiate handoff b) XID_RSP_HO frame is sent by VGS to complete establishment of AVLC connection

with the new VGS c) VDL8208 CALL REQUEST (including ISH PDU) is sent by aircraft to request a new

SVC via the new VGS d) VDL 8208 CALL CONFIRM (including ISH PDU) is sent by ground system to confirm

establishment of new SVC.

VDL SARPS provide a mechanism allowing a) and c) above to be combined into single frame by use of the ‘Expedited’ procedures, thus improving the efficiency of the VDL handoff. In this event, b) and d) will also be similarly combined.

Note: VDL SARPs also provide for handoff to be initiated by the ground side, which may be useful under certain conditions, such as to recover from poor link performance perceived on the ground side, or else to undertake load balancing between different VGSs. In this case, the transactions above will remain essentially the same, except that the XID_CMD_HO will be sent by the VGS, and the XID_RSP_HO from the aircraft. The establishment of the new SVC by c) and d) will remain as above, although it should be noted that ARINC 631-4 does not support the use of Expedited procedures with Ground Initiated handoffs. This restriction does not apply to the Ground Requested Air Initiated handoff, which may be used under similar conditions to Ground Initiated, at the expense of transmission of an additional XID frame.



Edition: 3.007 33

When a VDL handoff takes place to a new VGS having connectivity to the same A/G Router with which the aircraft already has an adjacency, no further exchanges are required over the VDL link to maintain end-to-end communication. The existing IDRP adjacency between the Aircraft Router and the A/G Router will be maintained. Furthermore, special procedures exist at the interface between the VDL system and the ATN Routers to transfer the LREF compression context from the SVC link via the old VGS, to the new SVC.

However, if a VDL handoff is performed to a VGS not having connectivity to the A/G Router with which the aircraft is already connected, then additional transactions will be required over the air/ground link to establish an adjacency with a new A/G Router. Specifically:

a) IDRP OPEN PDU is sent by new A/G Router to initiate new adjacency b) IDRP OPEN PDU is sent by Aircraft Router to establish new adjacency c) IDRP UPDATE PDU(s) is/are sent by A/G Router d) IDRP UPDATE PDU is sent by Aircraft Router e) Establishment of a new CLNP LREF compression context occurs on exchange of

initial CLNP PDUs.

Accordingly it is clear that a significant additional overhead exists on the air/ground link when a VDL handoff also implies a change to a new A/G Router.

It should also be mentioned that the foregoing discussion has concentrated only on the critical exchanges over the air/ground link. In addition to those, establishment of new IDRP adjacencies will also provoke additional routing exchanges over the ground-ground network. However, since these networks will generally not be constrained by available capacity, ground-ground routing exchanges are considered less significant than those over low capacity air/ground links.

In recognition of the additional overhead incurred when an aircraft moves from one A/G Router to another, the VDL SARPs require that

“From among those ground stations with acceptable link quality, the aircraft LME shall prefer to handoff to a ground station which indicates (in the GSIF) accessibility to the air-ground router(s) to which the aircraft DTE has subnetwork connections.”

so that an aircraft will always seek to preserve connectivity with the same A/G Router with which it already has a connection.

Overhead Resulting From AVLC Re-Tries

VDL Mode 2 uplink and downlink frames are transferred between ground and air radios by means of the AVLC link layer protocol. This provides reliability by re-transmitting frames not acknowledged by the recipient. AVLC re-transmissions are a normal part of VDL Mode 2 operation, but the level of these re-transmissions is dependent on the quality of the physical layer link. As the physical link deteriorates, the number of frames requiring re-transmission increases, thus representing an increased overhead on the link.

The SARPs requirement to seek to preserve connectivity with the same A/G Router may have an impact on the quality of the physical link, and thus on the level of AVLC re-transmissions. In a scenario with a large number of A/G Routers, an aircraft detecting the need to handoff to another VGS might be forced to give preference to a VGS with inferior signal quality in order to preserve connectivity with the A/G Router, rather than select a VGS with better signal quality connected to a different A/G Router. This would not only increase the overall number of handoffs, but would also cause aircraft to experience



Edition: 3.007 34

inferior RF conditions on average, thus increasing the number of AVLC re-transmissions. Both of these effects would tend to increase overall overhead on the VDL Mode 2 link.

Simulation Studies

The EUROCONTROL LINK 2000+ Programme has performed simulation studies to quantify the additional overheads from handoff management and AVLC re-transmissions that might result from an extreme scenario where every ANSP implements an individual A/G Router, contrasted with a scenario where a single A/G Router provides coverage over the entire region.

The simulations have been performed using the existing EUROCONTROL ACTS simulator, based on the following scenario:

• 56 VGSs connected either to a single Regional DSP, or else to six National DSPs • 600 aircraft flying in the core area of Europe between 0800h and 1100h (i.e. 3 hrs total

duration) • AOC traffic by AOA, updated to 2007 levels, plus LINK 2000+ CPDLC in five

sectors/flight by 100% of aircraft, with message scenarios according to 2007 VDL capacity simulations

• air-initiated handoff triggered at SQP 1 • all other settings at default values.

The effects of the two extreme scenarios were emulated by simulating firstly a scenario where the core area of Europe was associated with a single DSP, representing one A/G Router for the entire region. In this case, an aircraft performs a Link Establishment (LE) when making initial contact with the VDL Mode 2 system, and thereafter performs a Handoff (HO) from one VGS to another.

The simulation was then repeated but with each State in the core area corresponding to an individual DSP, representing the case where each ANSP implements its own A/G Router. In this simulated scenario, the aircraft performs an LE each time it encounters a new DSP, performing a HO only between VGSs connected to the same DSP.

The number of LE and HO events in the simulation was determined by counting the number of uplink XID_RSP_LE and XID_RSP_HO frames, and correcting them for the effects of uplink re-transmission, to yield the total number of successful LE and HO events respectively.

In an ATN environment, the establishment of a new IDRP adjacency would only be required when an LE is performed in the simulation, but not when performing a HO. Accordingly, by observing the number of LE and HO events in each scenario, the overhead associated with link management exchanges, including IDRP, can be calculated as a post-process and expressed as a proportion of the messaging traffic. In calculating the overheads, it has been assumed that:

• VDL8208 SVC establishment associated with LE and HO is performed by the ‘expedited’ protocols and the combined XID/VDL 8208 frames have an average length 119 octets on the uplink and 124 octets on the downlink.

• IDRP exchanges to establish a new adjacency following each LE, including update of IDRP routes, involves an additional three uplink and two downlink frames, with an average length of 129 octets on the uplink and 104 octets on the downlink.

Note: The above frames and lengths have been determined from reference to recent flight trial logs. A further review of these values may be required to provide more representative values for an operational scenario.



Edition: 3.007 35

The total application message load (exc. IDRP transactions) during the simulation was calculated by reference to the number of AVLC INFO frames generated (excluding frames re-transmitted), together with the mean frame length over all different categories of data. All percentages of overhead are expressed as a proportion of this total load.

The additional overhead from AVLC re-transmissions was calculated by considering the total number of INFO frames transmitted (including re-transmissions) in each scenario, compared to the number of frames generated.



Edition: 3.007 36

The results obtained from the simulations are as follows:

Single Regional

A/G Router National A/G Routers

Corrected no of LE events 1041 2794 Corrected no of HO events 2330 1706 No of uplink/downlink frames to establish 8208

3371 4500

No of uplink frames to establish IDRP 3123 8382 No of downlink frames to establish IDRP 2082 5588 Total octets for link management 1.44 x 106 2.76 x 106 Total uplink INFO frames generated 88151 84447 Total downlink INFO frames generated 90226 87293 Total uplink INFO frames transmitted 122942 131493 Total downlink INFO frames transmitted 113579 123037 Mean length of uplink INFO frames (octets) 48.23 48.23 Mean length of downlink INFO frames (octets)

48.67 48.67

Total octets for INFO frames generated 8.64 x 106 8.32 x 106 Total octets for INFO frames transmitted 11.46 x 106 12.33 x 106 Total handoff management overhead 16.6% 33.1% Total AVLC re -transmission overhead 32.6% 48.2%

The maximum additional overhead of the scenario with National A/G Routers may calculated in principle by taking the Single Regional Scenario as a baseline, and summing the additional overheads from both handoff management and AVLC re-transmissions. This approach would suggest that the maximum additional overhead of the National A/G Router Scenario would be 32%.

However, it should be recognised that the scenario represented in these simulations was operating very close to the point of saturation of the VDL system. Under more typical operating conditions, the additional effect of the AVLC re-transmission overhead may be lower than predicted by the simulations. Under very lightly loaded conditions, the additional overhead of the National A/G Router Scenario may be dominated by the handoff management overhead, which is just 16%.

Accordingly, the simulation results suggest that an additional overhead in the range of 16% to 32% may be expected in a scenario of National A/G Routers compared to a single Regional A/G Router, expressed as a proportion of the total INFO frames generated (excluding re-transmitted frames).



Edition: 3.007 37

It should be noted that for simplicity, the simulation does not specifically take into account the impact of any Transport layer re-transmissions. These would tend to increase the overhead associated with the National A/G Router scenario, due to the inferior behaviour of the physical RF link in this case.

Conclusions

For the reasons discussed above, the EUROCONTROL Link 2000+ Programme sought to discourage proliferation of A/G Routers with limited geographical connectivity, which is expected to lead to an increase in the number of VDL handoffs invoking additional IDRP exchanges.

Simulation results suggest that the handoff management overhead associated with an extreme scenario involving exclusively National A/G Routers is approximately doubled compared to a scenario where only a single Regional A/G Router is implemented.

In addition, a significant increase in the number of AVLC re-transmissions may also arise with National A/G Routers, as a result aircraft selecting a VGS at handoff with inferior signal quality, in order to preserve connectivity with the current A/G Router, as required by SARPs. The magnitude of this effect is expected to depend on the overall level of VDL loading.

Taken together, these effects are predicted to give rise to an additional overhead on the VDL link of between 16% and 32% in the extreme case of implementing National A/G Routers, compared to a single Regional A/G Router.



Edition: 3.007 38

Appendix C – Security Considerations Vulnerability Analysis

The current ATC Voice based system is inherently insecure. Only a low level technical capability is needed to jam the channel, listen in to ATC communications or to masquerade as a controller. Prevention against masquerade largely depends on the professional ability of the pilot and controller to recognise an impostor, and safety is assured by several layers of surveillance and conflict alert systems.

The datalink system should provide better security that the voice based system if only because it requires greater technical knowledge to monitor datalink communications or to masquerade as a pilot or controller. On the other hand, there is nothing in a correctly formed and in context datalink message to betray it as coming from an impostor rather than a genuine pilot or controller.

The first security analysis of the ATN was performed by Eurocontrol as long ago as 1995. This identified the following threats and vulnerabilities to ATN Security:

● Masquerade of a controller potentially leading to loss of separation due to execution of an invalid clearance.

● Masquerade of a pilot leading to confusion (e.g. issuing of a clearance ahead of time).

● Modification of uplink messages leading to loss of separation due to execution of an invalid clearance.

● Modification of downlink messages leading to confusion (e.g. issuing of a clearance ahead of time).

● Denial of Service by jamming or modification or masquerade of routing information.

It should be noted that no threats due to loss of confidentially were identified. In voice based ATC, no attempt is made to keep ATC communications confidential and neither is there any current intent to make datalink ATC confidential.

The development of suitable mechanisms to counter these vulnerabilities was delayed whilst institutional issues relating to the export of cryptographic equipment were investigated. These were resolved and the ATN Security Extensions were incorporated into the 3rd edition of the ATN SARPs.

The ATN Security extensions provide:

● Application level integrity verification and authentication of each and every message exchanged.

● Integrity verification and authentication of IDRP routing information exchanged over an air/ground datalink.

● A Public Key Infrastructure based on elliptic curve algorithms and using Context Management for the negotiation of session keys.

The possibility of integrating the ATN Security Extensions into CPDLC (using App type 22 – ‘Protected Mode’ CPDLC) also exists and should provide for a highly efficient mechanism for authentication of the sender, protecting integrity and protecting against mis-delivery.

Denial of Service attacks based on jamming has to be countered by means to detect the transmitter and physical security. These are outside of the scope of the ATN SARPs. However, mitigation of Denial of Service by providing alternative routes via other



Edition: 3.007 39

air/ground technologies is a feature of the ATN Internet, and one of the reasons why the ATN prefers the most complex of the possible mobile routing scenarios i.e. permitting an aircraft to attach to multiple concurrent Air/Ground Networks.

ATN Security and LINK2000+

No specific technical security mechanisms are proposed for LINK 2000+. Security measures will be limited to aspects such as physical protection, access control (password protection) etc. The justification for this is based on the following consideration of the vulnerabilities discussed above.

Denial of Service Attacks

As with any communications service dependent on the use of free radiating media, the ATN and specifically the VDL Mode 2 datalink used by the ATN, is vulnerable to jamming attacks from a high power transmitter operating on the same or adjacent frequencies. Existing Voice Communications are also vulnerable to the same type of attacks.

Jamming of the VDL Mode 2 service itself is not a safety issue. This is because CPDLC Message Loss is countered procedurally by Air Traffic Controllers and Pilots reverting to the use of Voice Communications. The impact of such attacks is on efficiency, as the efficiency gains of CPDLC are lost when the service ceases to be available, resulting in a potential reduction in airspace capacity, and hence delays. As a high power transmitter has to be deployed, standard triangulation techniques can be used to rapidly locate the source of the interference and an effective security response organised to remove it. The overall impact of such attacks is thus likely to be minimal and transitory.

As the existing Voice Communications are also vulnerable to the same attacks, deployment of the datalink service will increase the safety margin as an attacker will have to jam both services in order to reduce air safety. Currently, they only have to jam the Voice Communications Service. Datalink may also require a higher power jamming signal than Voice Communications, as the digital transmissions are robust to relatively high levels of interference and include error correction codes. Aircraft flying at a high enough altitude may also switch automatically to an alternative ground station which, for reasons of relative power levels and physical separation, is not being jammed by the interference signal.

Masquerade Attacks

A successful masquerade attack is serious, as a pilot would not able to tell the difference between a correctly formed but unauthorised clearance and a genuine message from the Current Data Authority. This is why ICAO has specified communications security mechanisms that can demonstrably prevent such attacks from succeeding. However, there are many technical and physical barriers that an attacker must overcome in order to complete a successful attack, which makes it unlikely even without the security extensions.

Specifically, there are two possible routes to such an attack:

1. Operating an unauthorised VDL Mode 2 Ground Station

2. Gaining unauthorised access to the ATN Ground Network.

The technical obstacles to successfully completing such an attack include:

a) Operating a high powered unauthorised transmitter is a very visible activity. The transmitter masts have to be positioned in a visible location on relatively high ground if they are to be effective and the power level must be high enough for the aircraft to select the transmitter as its preferred Ground Station in preference to an authorised transmitter.



Edition: 3.007 40

b) Even if the above conditions are met, an aircraft’s use of a Ground Station is “sticky” in that it will stay with a preferred ground station until the received power level drops below an acceptable threshold. It is thus non-deterministic as to whether a given aircraft will even use an unauthorised Ground Station. The unauthorised Ground Station will need to be carefully sited on a prime location if it is to be successful. In all probability, such a location will already be occupied by an authorised Ground Station.

c) An unauthorised Ground Station may attempt to mimic an aircraft’s current ground station and hence inject an authorised message that way. However, this is likely to result in a protocol error being detected by the genuine ground station when it receives the VDL2 level response from the aircraft (to an uplink that it had no knowledge of). In turn, this will cause the VDL2 connection to be aborted. The resulting NOCOMM state in the cockpit will force voice completion of the transaction and this will alert the controller to the false message. The result is that such an attack is likely to be detected before a serious outcome is possible.

d) The communications protocols specified by the ICAO SARPs are based on ISO OSI standards and not industry standard TCP/IP standards. They are also modified from the OSI originals. Access to proven implementations is thus limited, and professional and experienced levels of skill are necessary for deployment, placing a significant skill barrier in the way of an attacker. While industry standard IP Networks can and will be used as part of the ATN, the ATN operates as a VPN, tunnelling its own protocols through the IP Network rendering it inaccessible to other users of the IP Network.

e) Physical security mechanisms can and will be deployed by Administrations and Service Providers to prevent access to their Ground Networks to unauthorised parties, thus limiting opportunities for this mode of attack.

f) The connection mode nature of ATN protocols makes it difficult to simply “inject” an authorised message into an established CPDLC dialog between a pilot and a Data Authority. Communications will have to be observed and the protocols fully understood if a message is to be dynamically constructed that is in sequence and acceptable to a receiver.

g) Another user can only take over as an Aircraft’s Data Authority when nominated as such by the Current Data Authority thus significantly limiting the opportunities for unauthorised communications.

h) The stream mode compression used over the air/ground datalink, while not intended to provide cryptographic levels of confidentially, makes any attempt at observation or modification of a data stream, over the VDL Mode 2 datalink, problematic. This is because the compression makes use of dynamically determined entropy codes and references to previous character strings. The dialog has to be observed in its entirety in order to make sense.

i) Surveillance systems including ground based SSR should detect the results of an unauthorised profile changing message and loss of separation avoided through controller intervention or through an automatic system response.

Modification

Modification is only really an issue in the ground ATN. In theory, a carefully constructed jamming signal could modify a genuine air/ground transmission. However, a very high level of technical skill would be needed and, without advance knowledge of the transmission it would be difficult to predict the correct modification signal. In practice, dynamic issues such as multipath would probably frustrate such an attempt.



Edition: 3.007 41

Physical level security at both ATC Centre and by Communications Service Providers is relied on to prevent modification of CPDLC and other messages in the ground ATN.

Date post:	11-Feb-2017
Category:	Documents
Upload:	doanbao
View:	225 times
Download:	1 times