Rail Safe Transport Application

from Wikipedia, the free encyclopedia

Rail Safe Transport Application (RaSTA for short) is a network protocol tailored to the specific needs of railway signaling systems, but it can also be used in areas with similar requirements. The special properties of RaSTA include reliable transmission of messages without unnoticed packet loss (similar to TCP), monitoring of the channel quality using heartbeat messages, guaranteed delivery of messages within a time window and the use of several transport channels to increase reliability. In the context of communication within safety-critical infrastructure such as rail operations, such properties help ensure that the systems function properly. RaSTA is specified in the pre-standard DIN VDE V 0831-200.

Scope of application

RaSTA is intended to meet the safety requirements placed on control and safety systems in railway operations, where a high level of reliability and the avoidance of unsafe error states must be guaranteed. In the course of the modernization of electronic interlockings and the installation of digitally controllable field elements connected via IP networks, their communication can take place via the RaSTA protocol. RaSTA is independent of the application protocol and can therefore in principle also be used in other areas of application with similar requirements.

Classification in the layer model

The RaSTA protocol is divided into two sub-protocols, which form two new layers between the application layer and the transport layer in the TCP/IP reference model. The first of these layers is the security and retransmission layer, which receives user data from the application layer and packs it into its own Protocol Data Unit (PDU). The main task of the security and retransmission layer is to ensure the integrity of the data to be sent and to ensure that a PDU is retransmitted if its receipt is not confirmed by the receiving client. Such a PDU is passed to the second RaSTA layer, the redundancy layer. This layer can combine several physically separate transport channels into one logical transport channel, thus increasing the reliability of the network connection in the event of a fault in a single channel. A PDU of the redundancy layer is passed to the transport layer and there, using a protocol such as UDP, is transmitted identically on all available transport channels.

Security and retransmission layer

The upper of the two RaSTA layers is the security and retransmission layer. It accepts data from the application layer and provides various functions when a message is sent to another RaSTA client. These include the identification of the sending and receiving clients by means of identification numbers, which are comparable to, but independent of, IP addresses. Each packet is given a sequence number by which the packet can be identified and by which a receiving client can confirm receipt of the packet. If there is no confirmation, the missing packet is transmitted again. Time stamps are also sent in the header of the PDU, which allow the packet cycle time and the age of a packet to be determined. If the maximum accepted age of a message (depending on the configuration, for example one second) is exceeded, the message is declared invalid. The quality of the connection is also monitored through the constant exchange of heartbeat messages. The result of this monitoring can be reported to the application layer for diagnostic purposes. This also applies to error counters which, for example, log the arrival of implausible sequence numbers. Errors in the transmission of RaSTA messages can lead to the connection being terminated. Finally, a checksum is attached to the actual user data, which is intended to ensure the integrity of the message.

Packet format

A PDU of the security and retransmission layer has the following structure:

Message length

2 bytes wide. Contains the number of bytes of the entire PDU.

Message type

2 bytes wide. Contains the identification number assigned to the corresponding message type. Possible message types are connection request, connection response, retransmission request, retransmission response, disconnect request, heartbeat, data and retransmitted data.

Recipient identification

4 bytes wide. Unique identification number of the receiving client within a RaSTA network.

Sender identification

4 bytes wide. Unique identification number of the sending client within a RaSTA network.

Sequence number

4 bytes wide. Number of a message that is incremented with each subsequent message.

Confirmed sequence number

4 bytes wide. Number of a message whose receipt is confirmed by the current message.

Time stamp

4 bytes wide. Time stamp of the sender at the time the message was sent.

Confirmed time stamp

4 bytes wide. Time stamp of the message whose receipt is being confirmed.

Payload

Variable width. The user data can be control messages of the RaSTA protocol itself as well as data handed down from the application layer.

Security code

0, 8 or 16 bytes wide. Checksum intended to ensure the integrity of the PDU. The PDU is hashed with the MD4 algorithm, whose initialization vector can be replaced by a code assigned to the RaSTA network. Either the entire hash value is used as the security code (16 bytes), only the lower half of the hash value is used (8 bytes), or the security code is omitted (0 bytes).
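The following Python program is an added worked example, not code from the article or from the standard. It builds a security and retransmission layer PDU with the field layout listed above, computes the security code as MD4 with a network-specific initialization vector, and runs the receive-side plausibility checks the section describes (length, security code, sequence number, message age). Everything the article does not specify is an assumption made here: big-endian field encoding, the numeric codes of the message types, the value of the network code, that the 8-byte variant takes the first half of the hash, and that time stamps are in milliseconds.

```python
import hmac
import struct

MASK = 0xFFFFFFFF
MD4_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)   # RFC 1320 initial state

# Network-specific code that replaces the MD4 IV; a constructed value for this example.
KEY_IV = (0x52615354, 0x41206B65, 0x79204956, 0x00000001)

# Header fields in the order the article lists them; big-endian is an assumption here.
HEADER_FMT = ">HHIIIIII"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28 bytes

# Constructed numeric codes for the eight message types; the real codes are in the standard.
MSG_TYPES = {"connection_request": 1, "connection_response": 2, "retransmission_request": 3,
             "retransmission_response": 4, "disconnect_request": 5, "heartbeat": 6,
             "data": 7, "retransmitted_data": 8}


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes, iv=MD4_IV) -> bytes:
    """MD4 as in RFC 1320, with the initial state taken from `iv`."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (g, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    state = list(iv)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, j in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[j] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c          # rotate registers for the next step
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def safety_code(body: bytes, key_iv, code_len: int) -> bytes:
    """0, 8 or 16 bytes of keyed-IV MD4 over the PDU without its code field.
    Taking the first half for the 8-byte variant is an assumption of this example."""
    if code_len == 0:
        return b""
    return md4(body, key_iv)[:code_len]


def build_sr_pdu(msg_type, receiver, sender, seq, conf_seq, ts, conf_ts, payload, key_iv, code_len):
    """Sender side: header, payload, then the security code over both."""
    length = HEADER_LEN + len(payload) + code_len
    body = struct.pack(HEADER_FMT, length, msg_type, receiver, sender,
                       seq, conf_seq, ts, conf_ts) + payload
    return body + safety_code(body, key_iv, code_len)


def check_sr_pdu(raw, key_iv, code_len, expected_seq, now, max_age):
    """Receive side. Returns (fields, None) for a plausible PDU or (None, reason).
    Time stamps are treated as milliseconds (an assumption of this example)."""
    if len(raw) < HEADER_LEN + code_len:
        return None, "truncated"
    names = ("length", "msg_type", "receiver", "sender", "seq", "conf_seq", "ts", "conf_ts")
    fields = dict(zip(names, struct.unpack(HEADER_FMT, raw[:HEADER_LEN])))
    if fields["length"] != len(raw):
        return None, "length mismatch"
    body, code = raw[:len(raw) - code_len], raw[len(raw) - code_len:]
    if not hmac.compare_digest(code, safety_code(body, key_iv, code_len)):
        return None, "bad safety code"            # would feed an error counter
    if fields["seq"] != expected_seq:
        return None, "implausible sequence number"
    if (now - fields["ts"]) & MASK > max_age:    # 32-bit wrap-around tolerated
        return None, "message too old"
    fields["payload"] = body[HEADER_LEN:]
    return fields, None


if __name__ == "__main__":
    raw = build_sr_pdu(MSG_TYPES["data"], 2, 1, 10, 7, 5000, 4990, b"setpoint", KEY_IV, 16)
    print(check_sr_pdu(raw, KEY_IV, 16, expected_seq=10, now=5400, max_age=1000))
```

The comparison of the security code uses `hmac.compare_digest` so that a receiver does not leak which byte of the code mismatched through its timing; the order of the checks (length, code, sequence number, age) means a corrupted or forged PDU is rejected before any of its header fields influence the receiver's state.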

Redundancy layer

The lower of the two RaSTA layers is the redundancy layer. It receives data from the security and retransmission layer and sends the messages via redundancy channels. A redundancy channel is formed from one or more transport channels, for example several physically separate network connections over which data can then be exchanged, for instance via UDP. A PDU of the redundancy layer is transmitted identically on all available redundancy and transport channels. This increases the robustness of the entire RaSTA connection against errors on individual transport channels.

Packet format

A PDU of the redundancy layer has the following structure:

Length

2 bytes wide. Contains the length of the entire protocol data unit.

Reserved

2 bytes wide. Reserved for future protocol extensions.

Sequence number

4 bytes wide. A sequence number assigned to the redundancy layer PDU, which is incremented with each subsequent message.

Payload

Variable width. The user data to be transmitted, i.e. a PDU of the security and retransmission layer.

Verification code

0, 2 or 4 bytes wide. Check code for detecting transmission errors, calculated using the CRC method. Different polynomials can be used (2 or 4 bytes), or the check code can be omitted (0 bytes).
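As an added example (not code from the article or the standard), the following Python program shows the redundancy layer from both sides: the sender wraps a security and retransmission layer PDU in the header listed above and appends a CRC, and the receiver verifies the copy arriving on each transport channel, counts errors per channel, and passes each sequence number up to the security and retransmission layer only once, because every channel carries an identical copy. The article does not name RaSTA's CRC polynomials, so the two catalogue parameter sets used here (CRC-16/CCITT-FALSE and CRC-32/BZIP2) are stand-ins, and big-endian field encoding is an assumption as well.

```python
import struct

RED_HEADER_FMT = ">HHI"                            # length, reserved, sequence number
RED_HEADER_LEN = struct.calcsize(RED_HEADER_FMT)   # 8 bytes

# Stand-in CRC parameter sets: (width in bits, polynomial, initial value, final XOR).
# These are assumptions for this example; the standard defines its own polynomials.
CRC16 = (16, 0x1021, 0xFFFF, 0x0000)               # CRC-16/CCITT-FALSE
CRC32 = (32, 0x04C11DB7, 0xFFFFFFFF, 0xFFFFFFFF)   # CRC-32/BZIP2


def crc(data: bytes, params) -> int:
    """Bit-serial, MSB-first CRC for any polynomial width from 8 to 32 bits."""
    width, poly, init, xorout = params
    top, mask = 1 << (width - 1), (1 << width) - 1
    reg = init
    for byte in data:
        reg ^= byte << (width - 8)
        for _ in range(8):
            reg = ((reg << 1) ^ poly) & mask if reg & top else (reg << 1) & mask
    return reg ^ xorout


def build_red_pdu(seq: int, sr_pdu: bytes, params=CRC32) -> bytes:
    """Sender side: header + SR-layer PDU + CRC (params=None means no check code)."""
    code_len = params[0] // 8 if params else 0
    length = RED_HEADER_LEN + len(sr_pdu) + code_len
    body = struct.pack(RED_HEADER_FMT, length, 0, seq) + sr_pdu
    if not params:
        return body
    return body + crc(body, params).to_bytes(code_len, "big")


class RedundancyReceiver:
    """Receive side: verify each channel's copy, hand every sequence number up once."""

    def __init__(self, params=CRC32):
        self.params = params
        self.code_len = params[0] // 8 if params else 0
        self.delivered = set()   # sequence numbers already passed up (a real receiver
                                 # would bound this with a window of recent numbers)
        self.stats = {}          # per-channel diagnostic counters

    def _count(self, channel, key):
        counters = self.stats.setdefault(
            channel, {"ok": 0, "length_error": 0, "crc_error": 0, "duplicate": 0})
        counters[key] += 1

    def receive(self, channel: str, raw: bytes):
        """Return the SR-layer PDU if this is the first valid copy, otherwise None."""
        if len(raw) < RED_HEADER_LEN + self.code_len:
            self._count(channel, "length_error")
            return None
        length, _reserved, seq = struct.unpack(RED_HEADER_FMT, raw[:RED_HEADER_LEN])
        if length != len(raw):
            self._count(channel, "length_error")
            return None
        body, code = raw[:length - self.code_len], raw[length - self.code_len:]
        if self.params and int.from_bytes(code, "big") != crc(body, self.params):
            self._count(channel, "crc_error")
            return None
        if seq in self.delivered:        # identical copy from another channel
            self._count(channel, "duplicate")
            return None
        self.delivered.add(seq)
        self._count(channel, "ok")
        return body[RED_HEADER_LEN:]


if __name__ == "__main__":
    pdu = build_red_pdu(1, b"sr-layer-pdu")        # constructed payload
    rx = RedundancyReceiver()
    print(rx.receive("channel-A", pdu))             # first copy is delivered
    print(rx.receive("channel-B", pdu))             # second copy is a duplicate
    print(rx.stats)
```

The per-channel counters are the point of the receiver: a channel whose `crc_error` or `length_error` counts climb while the other channel stays clean indicates a fault on that one transport path, which is exactly the diagnostic signal the redundancy layer exists to surface without interrupting delivery.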

Security aspects

While RaSTA offers a number of mechanisms intended to increase operational safety and ensure smooth operation, it offers no guarantees with regard to IT security against malicious attackers. The only aspect that can come into play here is the security code of the security and retransmission layer. If the code used there, which replaces the initialization vector of the MD4 hash function, is kept secret, the construction resembles a Message Authentication Code (MAC) built according to the secret-IV or secret-prefix method. Such a MAC is meant to ensure the authenticity of the messages and prevent deliberate manipulation. However, since a MAC construction of this kind does not correspond to the current state of the art and MD4 is an outdated and insecure hash function, RaSTA should be protected by other protocols such as IPsec.

References

  1. German Commission for Electrical, Electronic and Information Technologies of DIN and VDE (ed.): Electrical railway signalling systems - Part 200: Safe transmission protocol RaSTA according to DIN EN 50159 (VDE 0831-159). DIN VDE V 0831-200, June 2015.