Secure UAS Stateless Network RID HTT Consulting
Oak Park MI 48237 USA rgm@labs.htt-consult.com
AX Enterprize
4947 Commercial Drive Yorkville NY 13495 USA stu.card@axenterprize.com
AX Enterprize
4947 Commercial Drive Yorkville NY 13495 USA adam.wiethuechter@axenterprize.com
Linköping University
IDA Linköping 58183 Sweden gurtov@acm.org
Internet DRIP RFC Request for Comments I-D Internet-Draft RID This document defines a stateless transport mechanism and message content between an Uncrewed Aircraft System (UAS) and its UAS Service Supplier (USS) for Network Remote ID (Net-RID) messages. It leverages the Broadcast Remote ID (B-RID) messages as constructed by the UA, or constructed by the Ground Control Station (GCS) from the Command-and-Control (C2) messages that are then sent directly over UDP from the UAS. These messages are authenticated by the DRIP Authentication messages if originating from the UA. When originating from the GCS, CBOR Web Tokens (CWT) signed by the GCS's DRIP Entity Tag (DET), are used. Transport privacy is out-of-scope in this approach per the stateless design. Some proposals are offered for data privacy that require some minimal state.
Introduction The ASTM Remote ID standard in Section 4.5 defines that there may be communications from the Uncrewed Aircraft System's (UAS) to its UAS Service Supplier (USS) Network Service Provider (Net-RID SP) to convey the Remote ID data. However, Section 4.5.4 specifically states the standard does not specify the details of this interface. This document provides the UAS to Net-RID SP interface for DRIP enabled UAS. This document leverages the ASTM F3411 Remote ID broadcast messages to inform the Net-RID SP of the UA flight activity. This is realtime data transmission over a UDP connection between the UAS and USS. Direct UDP with CoAP/CBOR (/) was selected for their low communication "cost". This may not be an issue if Net-RID originates from the Ground Control Station (GCS, ), but it may be an important determinant when originating from the UA (). Particularly, very small messages may open Net-RID transmissions over a variety of constrained wireless technologies. If a flight activity originates directly from the Uncrewed Aicraft (UA), the data is protected with DRIP Wrapper Messages . This message may be directly transmitted from the UA to its Net-RID SP over some airborn Internet path, or it may be proxied through the UA's Ground Control Station (GCS). With the GCS in the loop, the GCS handles the Net-RID SP Heartbeat messaging. Other systems MAY act as a proxy for the UA, provided they are configured with a DET. If a flight activity originates directly from the GCS, the GCS constructs the appropriate ASTM F3411 messages based on information it receives from the UA over the Command-and-Control (C2) link (e.g. derived from the MAVLink protocol ). These messages are sent to the Net-RID SP in an ASTM F3411 Message Pack. The GCS's DET is used for the DRIP authentication in this case. The GCS handles all the USS Heartbeat messages. The flight activity MAY originate from another Operator owned device (e.g. a smartphone). This is a device that is capable of receiving all the UA's transmissions and forward them to the Net-RID SP just as the GCS does. This will require this device to have its own DET known to the USS to be owned by the Operator.
Stateless Design Implications Unlike the and where they envision a stateful session between the NRID components. The approach here is stateless. The most compelling justification that is missed in the CONOPS is that there will often not be a single Net-RID SP server but a set of them. Thus major design consideration driving a stateless design is to support handoffs between multiple Net-RID SPs. Two major uses of multiple Net-RID SPs are:
  • Provide load balancing handoff between Net-RID SPs
  • Provide geographic diversity handoff as UA travels
Even in situations where a UA only communicates with a single Net-RID SP during an operation, the Net-RID SP may have a default, starting server for all operations and, based on a filed flight plan, immediately hand off the UA to the best server for that operation. The stateless design here gives the Net-RID SP extensive flexiblity in how this could be deployed. There really is a very minimal piece of state, in that the UAS is transmitting to a specific Net-RID SP and said Net-RID SP is informing the UAS that it is receiving its messages. If the UAS does not get acknowledgments from its Net-RID SP, this MAY impact its CAA (Civil Aviation Authority) operation rules. Likewise if the Net-RID SP is not receiving the messages, it MAY need to flag the operation as ended. This minimal state can be maintained through through a RESTFUL token included within the UDP messaging in place of a stateful TCP connection. To facilitate this, CBOR Web Tokens (CWTs) are used. Thus CWTs are used by the UAS to convey the flight activity and other information to the Net-RID SP. They are used by the Net-RID SP for its communication to the UAS.
SCHC Compression usage To further reduce the communication cost, SCHC is defined for both the direct UDP and CoAP layer . UDP SCHC compression is handled separately here from IP header as is currently defined by IP carrier (e.g. LoRaWAN, ). This is to allow for the endpoints to not need to know what constrained carrier is in-path and just design for worst case.
Privacy Requires some State Content privacy via a secure transport is out-of-scope for this protocol. Most secure transports are stateful, breaking the stateless approach taken here. It may seem that confidentiality is optional, as most of the information in Net-RID is sent in the clear in Broadcast Remote ID (B-RID), but this is a potentially flawed analysis. Net-RID has eavesdropping risks not in B-RID and may contain more sensitive information than B-RID. The secure transport for Net-RID should also manage IP address changes (IP mobility) for the UAS. Thus for some use cases a way to provide confidentiality is desirable. CBOR Object Signing and Encryption (COSE) may provide the simplest method to add data encryption to Net-RID. This may be developed at a later time. Another approach that may be investigated later is the Object Security for Constrained RESTful Environments (OSCORE, ) protocol. OSCORE provides a CoAP compliant data encryption, but does not provide the session keys. The Messaging Layer Security (MLS, ) Protocol, may be well suited for the multiple Net-RID model used here and will be discussed further down.
Terms and Definitions
Requirements Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.
Definitions See for common DRIP terms. The following new terms are used in the document:
B-RID
Broadcast Remote ID. A method of sending RID messages as 1-way transmissions from the UA to any Observers within radio range.
Net-RID
Network Remote ID. A method of sending RID messages via the Internet connection of the UAS directly to the UTM.
Net-RID SP
Net-RID Service Provider. The specific component in the UTM system that provides the communication endpoint for a UAS. It may be a function within a USS, or at may be an external service to the USS.
RID
Remote ID. A unique identifier found on all UA to be used in communication and in regulation of UA operation.
Network Remote ID In UAS Traffic Management (UTM), the purpose of Net-RID is to provide situational awareness of a UA (in the form of flight tracking) in a user specified 4D volume. The data needed for this is already defined in , but standard message formats, protocols, and secure communications methodologies are missing. F3411, and other UTM based standards going through ASTM and other SDOs, provide JSON objects and some of the messages for passing information between various UTM entities (e.g., Net-RID SP to Net-RID SP and Net-RID SP to Net-RID DP) but does not specify how the data gets into UTM to begin with. This document will provide such an open standard for DRIP enabled UAS. A minimal messaging approach, using the Broadcast Remote ID (B-RID) messages in , is sufficient to meet the needs of Net-RID. These messages can be sent to the Net-RID SP when their contents change. Further, a UAS supporting B-RID will have minimal development to add Net-RID support. The ASTM Message Pack (Msg Type 0xF) is used in all Net-RID messaging. Other messages (e.g. Heartbeat) are needed in some Net-RID situations. Thus a simple message multiplexer using CWT over CoAP is defined for a richer messaging environment.
Network RID Endpoints The US FAA defines the Network Remote ID endpoints as a USS Network Service Provider (Net-RID SP) and the UAS. Both of these are rather nebulous items and what they actually are will impact how communications flow between them. The Net-RID SP may be provided by the same entity serving as the USS. This simplifies a number of aspects of the Net-RID communication flow. The Net-RID SP is likely to be stable in the network, that is its IP address will not change during an operation. This simplifies maintaining the Net-RID communications. In practice, a USS may need multiple Net-RID SP, either for load balancing or geographical diversity. The design here is that the UAS communicates with one Net-RID SP server at a time. That SP server MAY redirect the UAS to use a different SP server via the HEARTBEAT message. It is this multiple Net-RID SP server design that mandates the stateless communication model and presents the confidentiality challenge. The UAS component in Net-RID may be either the UA, GCS, or the Operator's Internet connected device (e.g. smartphone or tablet that is not the GCS). In all cases, mobility MUST be assumed. That is the IP address of this end of the Net-RID communication may change during an operation (generally called a flight or mission). The Net-RID mechanism MUST support this.
Net-RID from the UA Some UA will be equipped with direct Internet access. These UA will also tend to have multiple radios for their Internet access (e.g., Cellular and WiFi). This protocol is agnostic as to which interface is used when for sending the Net-RID communications. Multi-interface transmissions MAY result in out-of-order packet delivery, thus the SP MUST be prepared to reorder the packets. All B-RID messages contain a timestamp, thus simplifying the reordering process. Multicast (GEN-10 in ) over multiple Internet connection technologies MAY be used improve QOS (GEN-7 in ) for Net-RID. The UA will send DRIP Wrapper messages of the current UA activity. These will be sent in a UA signed CWT that will add the SP DET.
Net-RID from the GCS Many UA will lack direct Internet access, but their GCS are connected. The GCS is then acting as a gateway for the UA. There are two sources of the RID messages for the GCS, both from the UA. These are UA B-RID messages, or content from C2 messages that the GCS converts to RID message format. The protocol stateless design is such that it is agnostic on how the GCS got the data. In a constrained wireless environment for the UA that is not functioning autonomously (i.e., at least C2 traffic to the GCS), this approach may be the most economical. It only uses the wireless to send the UA status once, to the GCS, that then provides the Net-RID functionality.
Net-RID from the Operator Many UAS will have no Internet connectivity, but the UA is sending B-RID messages and the Operator, when within RF range, can receive these B-RID messages on an Internet Connected device that can act as the proxy for these messages, turning them into Net-RID messages.
Net-RID from the Operator Smart Device TBD
Network RID Protocol Net-RID messaging is tied to a UA operation. During the operation, continuous location information is sent by the UA with any needed updates to static operation information. There are four components of the Net-RID protocol:
  1. Setup
  2. Operation start time
  3. UAS messaging
  4. SP messaging
The later two are somewhat asynchronous. Note all participating elements are configured with DETs to participate and they will tend to be in the same Hierarchy ID (HID).
Network RID Protocol Setup There are two steps in setting up a UAS to use the Net-RID protocol:
  1. The operator configures the UAS with the Net-RID SP DET. This is done either the UA or GCS, but the one with Internet connectivity (hereafter the Gateway). (Note: Most likely this DET is in the same HID as the UA, so the operator can be prompted with the 1st 64 bits and need only enter the 64 hash bits.)
  2. The Gateway queries DNS with the Net-RID SP DET.
    1. Gets the HDA Endorsement of the Net-RID SP DET and its IP address as of NOW.
    2. If no response or validation fails, something is wrong with entered DET.
Network RID Operation Start time Net-RID connectivity start can be considered a pre-flight check, so appropriate actions during failures in this phase should be consistent with organization-specific, system-specific, and/or operation-specific pre-flight checklists. All Operational data comes from the UA in a DRIP Wrapper packet. This is transmitted to the SP via the UAS component that has the Internet Connection (the Gateway). It is this element that packs the Wrapper into a CWT. At Operation Start time:
  1. The Gateway queries DNS with the Net-RID SP DET.
    1. It gets the HDA Endorsement of the Net-RID SP DET and its IP address as of NOW.
    2. If no response or validation fails, something is wrong with entered DET.
  2. The UA sends its first packet to the Net-RID SP via the Gateway before operation commences.
    1. This is a "normal" DRIP Wrapper () and SHOULD contain messages with static content.
    2. Vector/Location SHOULD be included in this 1st packet, if room.
    3. This Wrapper is packed by the Gateway into a CWT with the SP DET for sanity check that the right SP is the recipient.
  3. The Net-RID SP ACKs with an Net-RID Heartbeat (defined below).
    1. The first packet/Heartbeat exchange continues for 4 tries. No success, then no operation.
    2. Note that the Heartbeat MAY have a Net-RID SP redirect for load balancing, sending the UA off to a different SP server. The redirect includes the new Net-RID SP's DET, IP addr, and Endorsement.
    3. The Heartbeat flags will inform the UA as to what information the SP is lacking and the UA will send a Message Pack Wrapper with the requested information. If this includes a request for Self-ID and the UA has no Self-ID a Self-ID with null content is sent. The SP MUST ACK with a Heartbeat with updated flags.
  4. The Operation Start Phase completes when UA receives Heartbeat with flags indicating no missing information.
Static Messages For simplicity, a class of UAS information is called here "Static", though in practice any of it can change during the operation, but will change infrequently. This information is the contents of the B-RID Self-ID (Msg Type 0x3), Operator ID (Msg Type 0x5), and System Messages (Msg Type 0x4). This information can simply be sent in the same format as the B-RID messages. Alternatively the individual data elements may be send as separate CBOR objects. The Basic ID (Msg Type 0x0) Message may be included as a static message if this information was not used for the secure setup. There may be more than one Basic ID Message needed if as in the case where the Japan Civil Aviation Bureau (JCAB) has mandated that the Civil Aviation Authority (CAA) assigned ID (UA ID type 2) and Serial Number (UA ID type 1) be broadcasted. The information in the System Message is most likely to change during an operation. Notably the Operator Location data elements are subject to change if the GCS is physically moving (e.g. hand-held and the operator is walking or driving in a car). The whole System Message may be sent, or only the changing data elements as CBOR objects.
Network RID UAS Messaging
  1. The UA sends its operational information in a DRIP Wrapper
    1. This Wrapper MUST contain a current Vector/Location Message.
    2. It SHOULD contain any other RID messages with changed content (e.g. System Message).
  2. The Gateway wraps packs this into a CWT and forwards it to the Net-RID SP.
  3. On receipt of a Net-RID SP Heartbeat
    1. If no message was sent to the SP in the past N seconds, resends the last sent message.
    2. If Heartbeat contains a Net-RID SP redirect information, resends the last sent message to the new SP.
  4. If no Net-RID SP Heartbeat was received in the past M seconds.
    1. Resends the last sent message.
    2. If no Heartbeat after resending this last message 4 times, assume lost connection to SP and take appropriate action.
  5. On end of Operation, sends an "End-of-Operation" CWT to the Net-RID SP
    1. MUST receive a Heartbeat with corresponding "End-of-Operation" CWT; resends EoO otherwise.
Vector/Location Message Many CAAs mandate that the UA Vector/Location information be updated at least once per second. Without careful message design, this messaging volume would overwhelm many wireless technologies. Thus to enable the widest deployment choices, a highly compressed format is recommended. The B-RID Vector/Location Message (Msg Type 0x1) is the simplest small object (24 bytes) for sending this information in a Message Pack (Msg Type 0xF).
Network RID SP Messaging The Net-RID SP SHOULD send regular "heartbeats" to the UAS. If the UAS does not receive these heartbeats for some policy set time, the UA MUST take the policy set response to loss of Net-RID SP connectivity. For example, this could be a mandated immediate landing. There may be other messages from the Net-RID SP to the UAS (e.g., call the USS operator at this number NOW!). The UAS MUST follow acknowledge policy for these messages. If the Net-RID SP stops receiving messages from the UAS (), it should notify the UTM of a non-communicating UA while still in operation. The Net-RID SP process flow is as follows:
  1. The Net-RID SP sends a Heartbeat to a Gateway every P seconds.
    1. Even if it received a message (other than EoO) within this time period.
    2. The Heartbeat MAY contain Net-RID SP Redirect content.
  2. If the SP sends R Heartbeats without receipt of a message from the UAS, assume loss connectivity and take appropriate action.
  3. On receipt of an "End-of-Operation" CWT.
    1. Sends Heatbeat with EoO content and closes operation.
CoAP Net-RID messages The CoAP based Net-RID protocol is intended for a rich, bi-directional conversation between the UAS and USS. The USS, through the Net-RID SP, may compare actual UA progress against the filed flight plan and against other UA actual traffic. The USS may then send to the UAS recommended changes to the flight plan to de-conflict traffic or advise the UAS to avoid hazards (1st responder event, avoid space). The UAS may then negotiate changes to the plan, and act on them, as appropriate. Note that this additional USS-to-UAS messaging functionality is not part of the current design and is out of scope for this document. This sort of advanced UAS behavior is envisioned as part of total UTM activities. Discussions now ongoing in UTM will provide the data models and transactional UAS/USS interactions, that will drive UAS communications past the Net-RID defined here toward a more functional CoAP Net-RID protocol. There are three CoAP Net-RID currently defined: Author's Note: This section needs further work. At least (and probably more) uas-update needs the Net-RID SP DET and both need their DET signing.
UAS CWT
USS CWT
UAS End-Of-Operation
IANA Considerations TBD
Security Considerations TBD TBD
Acknowledgments TBD
References FAA Concept of Operations for Unmanned Aircraft Systems (UAS) Traffic Management (UTM) 2.0 US Federal Aviation Administration (FAA) Standard Specification for Remote ID and Tracking - F3411−22a ASTM International Micro Air Vehicle Communication Protocol EU U-Space CONOPS 4th Edition Single European Sky ATM Research (SESAR)