|
|
**This document is out of date. See https://code.briarproject.org/akwizgran/briar-spec/blob/master/protocols/BSP.md for the current version.**
|
|
|
|
|
|
BSP is an application layer data synchronisation protocol for delay-tolerant networks. It can operate over any transport that can deliver packets from a sender to a recipient on a best-effort basis, meaning that packets may be delayed, lost, reordered or duplicated by the transport. BSP does not ensure the confidentiality, authenticity or integrity of packets; that is the responsibility of a transport layer security protocol such as [BTP](BTP).
|
|
|
|
|
|
BSP synchronises data between two devices referred to as the **local** and **remote peers**. The data to be synchronised consists of **messages**, which are organised into **groups**. From BSP's point of view, a message is simply a string of bytes and a group is simply a set of messages. A message created by the local peer is called a **local message**, while a message synchronised from the remote peer is called a **remote message**.
|
|
|
|
|
|
Each group on the local peer belongs to a **client**, which is responsible for deciding which messages are valid (the validity policy), which remote messages should be stored on the local peer (the storage policy), and which local messages should be shared with the remote peer (the sharing policy).
|
|
|
|
|
|
### Notation
|
|
|
|
|
|
We use `||` to denote concatenation, double quotes to denote an ASCII string, and `len(x)` to denote the length of `x` in bytes, represented as a 32-bit integer. All integers in BSP are big-endian.
|
|
|
|
|
|
### Crypto primitives
|
|
|
|
|
|
BSP uses a cryptographic hash function, `H(m)`, with an output length of `HASH_LEN` bytes, and a random number generator, `R(n)`, with an output length of n bytes. `R(n)` must be either a true random number generator or a cryptographically secure pseudo-random number generator. We use `H(m)` to define a multi-argument hash function:
|
|
|
|
|
|
* `HASH(x_1, ..., x_n) == H(len(x_1) || x_1 || ... || len(x_n) || x_n)`
|
|
|
|
|
|
> Implementation note: We propose to use BLAKE2s as the hash function, which gives `HASH_LEN = 32`.
|
|
|
|
|
|
### Client identifiers
|
|
|
|
|
|
Each client has a unique random identifier `HASH_LEN` bytes long:
|
|
|
|
|
|
* `client_id = R(HASH_LEN)`
|
|
|
|
|
|
### Group identifiers
|
|
|
|
|
|
Each grup has a unique identifier `HASH_LEN` bytes long. The identifier is calculated by hashing the client identifier and a data structure called the group descriptor:
|
|
|
|
|
|
* `group_id = HASH("GROUP_ID", client_id, group_descriptor)`
|
|
|
|
|
|
The group descriptor is supplied by the client and is not interpreted by BSP. Including the client identifier in the hash prevents collisions between clients that use similar data structures for their descriptors.
|
|
|
|
|
|
### Message format
|
|
|
|
|
|
Each message consists of one or more blocks. Each block is `BLOCK_LEN` bytes long, except the last block of the message, which may be shorter.
|
|
|
|
|
|
> Implementation note: `BLOCK_LEN` must be ≤ 2^15 . We propose to use `BLOCK_LEN = 2^15`.
|
|
|
|
|
|
* `message = block_1 || ... || block_n`
|
|
|
|
|
|
The blocks form the leaves of a binary hash tree. Each parent node consists of the concatenated hashes of its children. If the number of blocks in the message is not a power of two, some parent nodes will only have one child. The hash of the root node is called the root hash.
|
|
|
|
|
|
* `block_hash = HASH("BLOCK", block)`
|
|
|
* `parent_node = only_child_hash`
|
|
|
* `parent_node = left_child_hash || right_child_hash`
|
|
|
* `parent_hash = HASH("TREE", parent_node)`
|
|
|
|
|
|
The message's unique identifier is calculated by hashing a message header and the root hash. The message header consists of the group identifier, a timestamp, the message length and the message type.
|
|
|
|
|
|
* `message_header = group_id || timestamp || message_length || message_type`
|
|
|
* `message_id = HASH("MESSAGE_ID", message_header, root_hash)`
|
|
|
|
|
|
The timestamp is a 64-bit integer representing seconds since the Unix epoch. (All integers in BSP are big-endian.) The message length is a 64-bit integer representing the length of the message in bytes. The message type is a single byte that is supplied by the client and is not interpreted by BSP.
|
|
|
|
|
|
Each block has a unique identifier, which is calculated by hashing the message header, a block header and the hash of the block itself. The block header consists of the block number and a list of hashes called the path.
|
|
|
|
|
|
* `block_header = block_number || path_1 || ... || path_n`
|
|
|
* `block_id = HASH("BLOCK_ID", message_header, block_header, block_hash)`
|
|
|
|
|
|
The block number is a 64-bit integer starting from zero for the first block of the message. The path consists of the hashes of the siblings of the block's ancestors in the hash tree. If the number of blocks in the message is not a power of two, some of the block's ancestors may not have siblings. The positions of any such ancestors can be calculated from the message length and the block number.
|
|
|
|
|
|
A block accompanied by its message and block headers is called a portable block. A portable block is valid if the message length, block number, path and block length are consistent with each other. A valid portable block contains all the information needed to calculate the message identifier. Any valid portable blocks that produce the same message identifier are guaranteed to be consistent with each other.
|
|
|
|
|
|
### Packets
|
|
|
|
|
|
The local and remote peers synchronise data by sending packets to each other. Each packet starts with a packet header that is 4 bytes long, with the following format:
|
|
|
|
|
|
* Bits 0-7: Protocol version
|
|
|
* Bits 8-15: Packet type
|
|
|
* Bits 16-31: Length of the payload in bytes as a 16-bit integer
|
|
|
|
|
|
Packets of any type may be sent in any order. If the recipient does not recognise a packet's protocol version or packet type, the recipient ignores the packet.
|
|
|
|
|
|
The current version of the protocol is 1, which has five packet types:
|
|
|
|
|
|
**0: OFFER** - The payload consists of one or more block identifiers. This packet informs the recipient that the sender holds the listed blocks and asks the recipient whether to send them.
|
|
|
|
|
|
**1: REQUEST** - The payload consists of one or more block identifiers. This packet asks the recipient to send the listed blocks.
|
|
|
|
|
|
**2: DATA** - The payload consists of a portable block.
|
|
|
|
|
|
**3: ACK** - The payload consists of one or more block identifiers. This packet informs the recipient that the sender holds the listed blocks.
|
|
|
|
|
|
**4. RESET** - The payload is empty. This packet asks the recipient to discard any information about which blocks the sender holds.
|
|
|
|
|
|
The local peer is said to hold a block if it is storing the block and sharing it with the remote peer according to the client's sharing policy. If the local peer is storing a block but not sharing it with the remote peer, the local peer acts as though it were not storing the block.
|
|
|
|
|
|
### Synchronisation state
|
|
|
|
|
|
The local peer stores the following synchronisation state for each block it holds:
|
|
|
|
|
|
* Hold flag - Set to 1 if the remote peer is known to hold the block, otherwise 0
|
|
|
* Ack flag - Set to 1 if the local peer needs to acknowledge the block, otherwise 0
|
|
|
* Request flag - Set to 1 if the remote peer has requested the block since it was last sent, otherwise 0
|
|
|
* Send count - The number of times the block has been offered or sent to the remote peer
|
|
|
* Send time - A timestamp indicating when the block can next be offered or sent to the remote peer, measured in seconds since the Unix epoch and initialised to 0
|
|
|
|
|
|
The local peer also stores a list of block identifiers that have been offered by the remote peer and not yet acknowledged or requested by the local peer. The length of this list should be bounded, and the local peer should replace the oldest entry in the list if the maximum length is reached.
|
|
|
|
|
|
### Interactive mode and batch mode
|
|
|
|
|
|
Each time the local peer sends packets to the remote peer, it decides whether to use interactive mode or batch mode. Interactive mode uses less bandwidth than batch mode, but needs two round-trips for synchronisation, whereas batch mode needs one. The local peer's choice may depend on prior knowledge or measurements of the underlying transport. BSP does not specify how to decide which mode to use - the local and remote peers may use different criteria, and peers may change their criteria at any time.
|
|
|
|
|
|
In interactive mode, blocks are offered before being sent. The local peer does the following, in any order:
|
|
|
|
|
|
* Acknowledge any blocks sent by the remote peer
|
|
|
* Acknowledge any blocks offered by the remote peer that the local peer holds
|
|
|
* Request any blocks offered by the remote peer that the local peer does not hold
|
|
|
* Offer any blocks that the local peer does not know whether the remote peer holds
|
|
|
* Send any blocks requested by the remote peer
|
|
|
|
|
|
In batch mode, blocks are sent without being offered. The local peer does the following, in any order:
|
|
|
|
|
|
* Acknowledge any blocks sent by the remote peer
|
|
|
* Acknowledge any blocks offered by the remote peer that the local peer holds
|
|
|
* Request any blocks offered by the remote peer that the local peer does not hold
|
|
|
* Send any blocks requested by the remote peer
|
|
|
* Send any blocks that the local peer does not know whether the remote peer holds
|
|
|
|
|
|
A block is not offered or sent until its send time is reached.
|
|
|
|
|
|
### Retransmission
|
|
|
|
|
|
Whenever the local peer offers or sends a block, it increases the block's send count and send time. BSP does not specify how the send time should be increased, except that the amount by which it is increased should increase exponentially with the send count. The local peer may increase the send time based on measurements of the transport's round-trip time and round-trip time variance, as in TCP, or it may use any other method.
|
|
|
|
|
|
### Resetting
|
|
|
|
|
|
If the local peer crashes, it may fail to store blocks that it has already acknowledged. (This can happen even if the local peer stores the blocks before acknowledging them, as there are many layers of buffers between the application and the physical storage medium.) The remote peer will no longer offer or send blocks that the local peer has acknowledged, so the peers may remain out of sync indefinitely. If the local peer detects that it has crashed, it should send a reset packet to reset the remote peer's information about which blocks the local peer holds. |
|
|
See https://code.briarproject.org/briar/briar-spec/blob/master/protocols/BSP.md for the current version. |
|
|
\ No newline at end of file |