The Enabling Services

These services are provided by the Service Enabling Platform (SEP). They are the Hardware Functionality Abstraction Layer, Message Dispatcher, AAA Services, Positioning, Live Video/Audio Broadcast, Datacast, Vertical Handover, VoIP Protocol-Related Proxies and Internet Gateway.

Hardware Functionalities Abstraction Layer

This enabling service ensures compatibility between the user application and the different SafeTRIP On-board units (OBUs) by masking the hardware functionalities behind an abstraction layer. For example, thanks to this enabling service, the user application can access the display regardless of the OBU type.

Messaging Dispatching

The DMP Dispatcher manages messaging services using S-MIM Messages as specified by the Denise Message Protocol (DMP).

It implements the “Send Message” interface which is used by the VASP applications that need to send messages to the SafeTRIP Users. It also implements the “Receive Message” interface which handles messages sent by the End Users through the OBU DMP dispatchers.

Messages are encapsulated in UDP and sent to the peer DMP Dispatcher in the User’s OBU.

AAA Services

In computer security, AAA stands for authentication, authorization and accounting protocol.

Authentication refers to the confirmation that a service consumer is entitled to access a given network service. Authentication is accomplished via the presentation of an identity and credentials. Examples of types of credentials are passwords, one-time tokens, digital certificates, and phone numbers (caller/receiver).

Authorization refers to the granting of specific types of service (including "no service") to a service consumer. It is based on their authentication, what services they are requesting, and the current system state. Authorization may be based on restrictions, for example time-of-day restrictions, or physical location restrictions, or restrictions against multiple logins by the same user. Authorization determines the nature of the service which is granted to a service consumer.

Accounting refers to the tracking of the consumption of network resources by service consumers. This information may be used for management, planning, billing, or other purposes. Real-time accounting refers to accounting information that is delivered concurrently with the consumption of the resources. Batch accounting refers to accounting information that is saved until it is delivered at a later time. Typical information that is gathered in accounting is the identity of the service consumer, the nature of the service delivered, when the service began, and when it ended.

AAA Services in SafeTRIP

In the context of the SafeTRIP project three different AAA levels will be taken into account:

1. Terminal Level AAA

This feature is related to the satellite S-band communication infrastructure. Each S-band terminal has to authenticate itself with the S-band HUB in order to get access to the S-band network. Once authorized, the terminal will be ready to route OBU traffic through the S-band satellite network.

Accounting of traffic at terminal level is performed by the HUB/NCC and it is out of the scope of the SEP.

2. OBU level AAA

SafeTRIP OBUs will be connected to the rest of the world via the S-band satellite network and also via Alternative Ground Networks (AGN). The OBU will establish the communication links over each network by logging in to these networks and then obtaining IP connectivity over each of them. As the OBU is moving, not all the network connections will be available: for this reason the OBU will have to monitor the status of each link and route the traffic over one of them according to pre-defined rules, the quality of the links and their availability.

From the ground side there is the need to contact the OBU at any time using one of the available networks. This means that there shall be a way to know how to reach the OBU in real-time.

In order to keep the status of the connections to all the OBUs on each network, there is a need on the server side for centralized control of the traffic. This function is implemented by the SEP and is based on a concept named Virtual Private Network (VPN). The implementation of VPNs requires authentication between the OBU and the SEP for each link that is established over each AGN. This means that another AAA subsystem will be implemented for OBUs. The authentication and authorization processes for the OBUs are based on the mutual exchange of credentials using a data structure called a certificate. These certificates are issued by a system called a certification authority, which is part of the SEP (even if this is not mandatory).

Accounting is then performed at IP level, for each VPN link. It will be possible to know how much traffic has been generated during the communications of the OBUs with the rest of the world using any of the available communication channels.

3. User Level AAA

SafeTRIP will provide users with a wide range of services. Not all of them will be accessible by any user: only users who have subscriptions to receive a given service will be authorized to use it.

Subscriptions are handled outside the SafeTRIP perimeter by the operators called Existing Service Providers (ESP). ESPs are the companies which “own” the users and can provide the list of services the user is authorized to use with the corresponding service characteristics.

Different users can belong to different ESPs, even when they share the same OBU. A typical example is users travelling by coach: some users on the coach could belong to ESP1 and some others to ESP2; ESP1 users can have different user profiles, meaning that they will have different limitations for each service (e.g. number of messages that can be sent, set of channels that can be received, etc.). The coach driver, for instance, would be allowed to display coach alarms, while passengers would be allowed only to watch live streaming or send messages.

Each user will have to carry out authentication before using the services; the authorization message received by the ESP through the SEP will contain information on the user profile and on the services available for that given user. User Level Accounting is then performed at service use level, meaning that information about service use events or durations will be collected.
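The user-level authorization and accounting described above can be sketched as a default-deny check against the profile supplied by the ESP. This is an added example, not SafeTRIP code; the profile fields, service names, channel names and quotas are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ServiceGrant:
    """One service entry in an ESP-issued profile (field names are assumptions)."""
    max_uses: Optional[int] = None       # None means no limit on uses
    channels: frozenset = frozenset()    # empty means no channel restriction

@dataclass
class Session:
    user: str
    esp: str
    grants: dict                         # service name -> ServiceGrant
    used: dict = field(default_factory=dict)

accounting_log = []  # service-use events collected for user-level accounting

def authorize(session, service, channel=None):
    """Default-deny check of one service request against the user's profile."""
    grant = session.grants.get(service)
    if grant is None:
        decision = "deny:not-subscribed"
    elif grant.channels and channel not in grant.channels:
        decision = "deny:channel"
    elif grant.max_uses is not None and session.used.get(service, 0) >= grant.max_uses:
        decision = "deny:quota"
    else:
        session.used[service] = session.used.get(service, 0) + 1
        decision = "allow"
    # Denials are logged as well as grants, so refused requests stay visible.
    accounting_log.append((session.esp, session.user, service, decision))
    return decision == "allow"

# Constructed profiles for two users of different ESPs sharing one coach OBU.
driver = Session("driver-01", "ESP1", {
    "coach_alarms": ServiceGrant(),
    "messaging": ServiceGrant(max_uses=100),
})
passenger = Session("pax-17", "ESP2", {
    "live_stream": ServiceGrant(channels=frozenset({"news", "sport"})),
    "messaging": ServiceGrant(max_uses=2),
})
```

Because the check keys on the authenticated session rather than on the OBU, two users on the same terminal get different answers for the same service.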

Positioning

The positioning enabling service abstracts the positioning capability of the on-board unit behind a protocol independent of the hardware. This feature is useful to ensure the compatibility of the user services with different positioning systems.

Live Video/Audio Broadcast

One of the advanced features of satellite communications is the ability to broadcast live streams over a wide area using multicast capability. The DVB-SH standard provides a “built in” feature to broadcast audio and video streams using H.264 encoding.

This enabling service offers the VASP the possibility to use this built-in feature and to benefit fully from low-cost live broadcast.

On the SEP side, the enabling service accepts a live video or audio stream that will be correctly encoded and broadcast.

On the SEL side, the received stream is made available to the end user applications (video players, radio players…).

Datacast

Satellites can provide a very cost efficient way to broadcast audio/video or data streams. From the user perspective, the datacast enabling service offers the capability to broadcast data files to a wide range of terminals. It uses the DVB-SH “built in” feature to send the content over the air and a FLUTE client embedded in the SEL is in charge of the reception of the data. Once received, the datacast content is passed to the concerned user application.

The broadcast gateway is the part of the system allowing broadcasting data to all the on-board units. It uses the FLUTE (File Delivery over Unidirectional Transport) protocol to communicate with its peer. Data to be transported have to be encapsulated in files.

FLUTE is a protocol used to deliver files (e.g. documents, images, video/audio clips) over the Internet or unidirectional systems from one or more senders to one or more receivers. It is based on data carousel which is a concept applied for repeatedly delivering data in a continuous cycle. This cycling repetition ensures that every on-board unit can retrieve the file when it starts listening to the satellite signal.

Vertical Handover

From the user perspective, a complete integration of satellite and terrestrial networks means the possibility to move freely across different heterogeneous networks, keeping the on-going connections alive, without the need to put in place any active configuration. The process of changing from one access technology to another is called vertical handover.

The vertical handover mechanism is used to maintain the connections when users switch from one network to another (e.g. UMTS, WI-FI, S-band, Ku band, etc.). This switch may be caused by several reasons: unavailability of the currently selected medium, change in the quality measured on another medium which makes it preferable, change in the weather conditions, and many more.

The decision to make a vertical handover comprises both “when” and “if” the handover must be executed. This decision should take into account factors involving the network the mobile device is leaving and the network it is entering, as well as the quality of the links, user preferences, and so on.

In general, the policy-based support of Quality of Service (QoS) should be considered during the service session, in order to allow decisions for vertical handover not only when the particular access network is no longer available, but also when it is not able to support the required QoS because of the changing network conditions. 

This is also referred to as the Smart Routing function. In particular, the smart routing algorithm must be able to determine which of the available access networks can satisfy the QoS requirements of the user and, among these, which one is the most suitable considering different policy parameters.

The Smart Routing function therefore shall deliver IP Datagrams over the best quality IP Connection available.
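The two-stage decision described above (keep the networks that meet the QoS requirement, then rank them by policy) can be sketched as follows. This is an added example, not the SafeTRIP algorithm; the metrics, the numeric policy cost, the `margin` that keeps the current link unless a candidate is clearly better, and the fallback to any link that is up are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class Link:
    name: str
    up: bool
    latency_ms: float
    loss_pct: float
    kbps: float
    cost: int          # policy parameter: lower is preferred (assumed scale)

@dataclass
class QoS:
    max_latency_ms: float
    max_loss_pct: float
    min_kbps: float

def satisfies(link, req):
    """Stage 1 test: the link is available and meets every QoS bound."""
    return (link.up and link.latency_ms <= req.max_latency_ms
            and link.loss_pct <= req.max_loss_pct and link.kbps >= req.min_kbps)

def select_link(links, req, current=None, margin=1):
    """Return the name of the link to use, or None when no link is up.

    The current link is kept unless it fails stage 1 or a candidate beats
    its policy cost by more than `margin`, which avoids flapping.
    """
    ok = [l for l in links if satisfies(l, req)]
    if not ok:
        # Nothing meets QoS: degrade to the cheapest link that is up.
        up = [l for l in links if l.up]
        return min(up, key=lambda l: l.cost).name if up else None
    best = min(ok, key=lambda l: (l.cost, l.latency_ms))
    cur = next((l for l in ok if l.name == current), None)
    if cur is not None and cur.cost - best.cost <= margin:
        return cur.name          # "if": no handover is needed
    return best.name             # "when": current link gone or clearly worse

# Constructed measurements for three access networks and a voice-like flow.
VOICE = QoS(max_latency_ms=400, max_loss_pct=2.0, min_kbps=64)
SAMPLE = [
    Link("s-band", True, 600, 1.0, 256, cost=3),
    Link("umts", True, 120, 0.5, 384, cost=2),
    Link("wifi", False, 20, 0.1, 5000, cost=1),
]
```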

VoIP Protocol-Related Proxies

Several of the key services that SafeTRIP implements, notably “Emergency Call”, require the real-time, bidirectional transmission of voice data over either the Satellite Network or an Alternative Ground Network. Two enabling services will be included in the SafeTRIP system to allow seamless integration of the SafeTRIP VoIP network with an external ITSP:

- SIP Proxy: in charge of signalling, AAA (including collection of CDRs), address conversion (from phone number to IP address and vice versa) and routing for control data

- RTP Proxy: in charge of address conversion and routing for user data

The Voice-over-IP Server-Side Middleware consists of a SIP Proxy Server which implements the standards defined by the IETF in RFC 3261.

SIP Proxy servers receive requests, such as invite requests to start a communication session, and perform processes to assist in the establishment of the communication system. These processes involve forwarding of requests as well as modifying information as it passes through the proxy server. In addition, this Middleware works as a SIP Registrar processing SIP REGISTER requests and providing location services which associate an IP address to a certain On Board Unit by means of a SIP URI.

The SIP Proxy server for SafeTRIP also interoperates with the Public Switched Telephone Network (PSTN) allowing SafeTRIP users to send and receive calls from a non-IP network and working as an IP PBX (Private branch exchange).

Voice communications will be provided following a one-tier or two-tier approach, depending on the targeted terminals:

- For Professional Terminals, a two-tier approach is considered. Professional Terminals may have several user devices attached, for which it provides various kinds of services (e.g. voice). In such a case, it is convenient to have all VoIP calls among users connected to the same terminal not go through satellite/AGN resources but rather establish direct calls. This requires the inclusion of a SIP/RTP proxy at the terminal side. On the other hand, a system-level SIP/RTP proxy is included at the Hub side for connectivity and AAA.

- For Consumer Terminals, a one-tier approach will be used. Consumer Terminals have only one user and hence no SIP/RTP proxy at the user side is required. In this case, only the system-level SIP/RTP proxy is required.

With this approach, calls are handled by the SIP/RTP Proxy having visibility of both calling parties. As said above, calls within a Professional Terminal ad hoc network are handled within that network (handled by the user-side SIP/RTP Proxy). Calls between SafeTRIP terminals are handled within the SafeTRIP network (through the system-level SIP/RTP Proxies). Finally, external calls to/from the SafeTRIP network are handled through the ITSP.

Internet Gateway

Professional Terminals provide the user (and the group of devices that may be attached to them) with transparent two-way IP connectivity services and Internet access. These bidirectional services require an enabling service called “Internet gateway” that performs the following functions:

- Gateway towards an Internet ISP

- IP tunneling (if required) for IPv4 end user devices

- Network Address Translation (NAT)

Optionally, a Performance Enhancement Proxy (PEP) may be included at both the OBU and the Hub side for TCP transmission acceleration. This element can significantly boost throughput when the connection is established through the Satellite Network, since it is specially designed to cope with the high delay inherent in satellite communications.

This Internet Gateway is installed at both the OBU-side middleware (in Professional Terminals) and the Server-side middleware.

SAFETRIP.eu is a project co-funded by the European Commission, DG Research

© Copyright 2012 SafeTRIP