Aerospace and Electronic Systems Magazine November 2017 - 29

Bilzhause et al.

Figure 6.

Security in the DLS. DLS packets are extended with security data (SEC DATA). DLS fragments are transmitted within resource allocations. If a fragment contains errors, it is automatically retransmitted by the DLS in the next resource allocation.

In addition, since resource allocations are assigned per user, individual trust relationships between the ground station and each
aircraft become possible.
However, security at the resource allocation level would still
introduce fate sharing of packets transmitted in the same resource
allocation.

SECURITY IN THE DATA LINK SERVICE
The DLS provides transparent error recovery for the transmission
of subnetwork (SNDCP) packets. To this end, it breaks packets
into fragments of a smaller size and therefore lower error probability, as illustrated in Figure 6. If a bit error is detected in one of
the fragments, the DLS will automatically retransmit the erroneous
fragment.
Introducing security in the DLS would require covering each
fragment with security data. DLS fragments are transmitted in resource allocation and therefore cannot be greater than resource allocations. This approach would thus introduce at least the same
amount of overhead as resource allocation-based security. Since
DLS fragments are the smallest protocol units processed by the
LDACS datalink layer protocol, this is the maximum security
overhead.
Security in the DLS has no significant impact on the latency of
the LDACS protocol. It allows individual trust relationships to be
established between the ground station and each aircraft, and-because security is applied at the fragment level-different security
configurations for each application become possible. In addition, it
mitigates fate sharing, because security validation and error recovery are both applied at the fragment level.

SECURITY IN THE SUBNETWORK DEPENDENT
CONVERGENCE PROTOCOL
The SNDCP provides an adaption layer between the LDACS
and the network layer. It encapsulates network-layer packets in
LDACS-specific subnetwork packets.
Introducing security in the SNDCP would require each subnetwork packet to be covered with security data. The amount of
overhead introduced by this approach depends on the size of the
subnetwork packets, i.e., the size of the network-layer packets to
be transmitted.
Security in the SNDCP has no significant impact on the latency
of the LDACS protocol and allows individual trust relationships to
NOVEMBER 2017

be established between the ground station and each aircraft and for
each application. It is also immune to fate sharing, because error
recovery is performed in the layer below by the DLS.

DISCUSSION
The analysis of the possible security implementation options in the
existing LDACS architecture leaves us five options to consider.
We discuss these options in terms of error resilience, overhead, and
security requirements.

QUANTIFYING THE IMPACT OF FATE SHARING
LDACS recovers from residual bit errors after forward error correction by retransmitting erroneous packets. The retransmission
mechanism is implemented in the DLS. This implies that user data
can contain bit errors at multiframe level, slot level, and resource
allocation level, i.e., in the protocol stack below the DLS. A bit
error in the user data or the security data at these levels would
cause the security verification to fail for all packets covered by
the security data. The DLS cannot correct such errors without circumventing security. Therefore, all packets covered by the same
security data share their fate with the erroneous packet: security
validation failure.
Figure 7 displays the impact of this fate sharing. The lowest
failure probability is achieved by adding security data to DLS fragments in which security validation and error detection coincide.
The size of the DLS fragments is dynamically adjusted (Label A in
Figure 7) to keep the DLS fragment error rate below 5% [30]. At a
bit error rate of 10−5, this limits the size of DLS fragments to 641
bytes [42], making fragmentation necessary for larger subnetwork
packets. The worst-case failure probability is achieved when covering the complete multiframe with security data. Figure 7 displays
the failure probability for multiframes with the strongest coding
and modulation (default) and the weakest coding and highest modulation for increased throughput (labeled aggressive coding and
modulation in Figure 7).
The results indicate that the increase in failure probability due
to residual bit errors (shaded area in Figure 7) is significant. Even
with the strongest coding and modulation, the increase in failure
probability becomes prohibitive at a residual bit error rate of 5 ×
10−6, well below the design goal of 10−5. For more aggressive coding and modulation, applying security below the DLS is not an
option (lightly shaded area in Figure 7).

IEEE A&E SYSTEMS MAGAZINE

Table of Contents for the Digital Edition of Aerospace and Electronic Systems Magazine November 2017