Control Plane and Services
Alongside the secured application traffic on the data plane, SPsec runs a control plane that establishes and maintains that security.
Three Planes
SPsec keeps three kinds of traffic apart. The data plane carries the application's addressed data units, each wrapped in a Security Stamp. The external control plane carries the SPsec messages exchanged between the roles to set up and maintain security. The internal control plane is optional: it connects the sublayer to its own host application, reporting status changes and security events. A constrained system whose application knows nothing about the security sublayer can ignore it, though the events it reports could form the basis of an auditable event log. The planes are told apart by addressing, which the network mapping defines.
The Control-Plane Services
A small set of services performs all of the security maintenance:
- SPsec Session. A secure client-server exchange between a Configurator and a participant, modeled on TLS-PSK but stripped down for small packets. After a Hello and Finished exchange derive a session key, the Configurator reads and writes the participant's registers (installing keys, adjusting timeouts, reading status) until either side ends the session.
- Parameter Authentication. A one-round-trip service that authenticates a single value, in practice the synchronized timestamp a participant needs before it can join the secure group.
- Time Sync. The Sync role broadcasts the synchronized uniqueness value so every participant shares the same timestamp.
- Multi-Participant Grouping. The data-plane service itself: any number of participants share one Communication Key and one uniqueness value, so each can both send and verify secured traffic without per-pair state.
- Secure Heartbeat. Each participant in the secure state publishes a short authenticated message at a fixed cycle carrying its security status. A heartbeat that fails to arrive within the timeout is itself a security event.
- Internal Events. The sublayer reports state changes and failures, such as a missed heartbeat or an authentication failure, to its host application, which decides whether to log, abort or continue.
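The grouping service is easiest to see in code. The following Python sketch is an added illustration written for this page, not SPsec's own code: three members hold one Communication Key and one synchronized uniqueness value, and each can both stamp and verify without any per-pair key. The data-unit layout (16-bit sender id, 32-bit uniqueness value, payload, HMAC-SHA256 tag truncated to 8 bytes), the acceptance window and the duplicate rule are assumptions chosen for the example and are not the specification's Security Stamp format.

```python
"""Multi-participant grouping: one Communication Key, one uniqueness value.

Added illustration, not SPsec's own code. The unit layout (16-bit sender id,
32-bit uniqueness value, payload, 8-byte truncated HMAC-SHA256 tag), the
acceptance window and the duplicate rule are assumptions made here."""
import hashlib
import hmac
import struct

TAG_LEN = 8                  # assumed tag truncation; keeps small packets small
HDR = struct.Struct(">HI")   # sender id, uniqueness value


class GroupMember:
    """A participant that can both stamp and verify with the shared group key."""

    def __init__(self, member_id: int, comm_key: bytes, window: int = 2):
        self.id = member_id
        self.key = comm_key        # shared by every member: no per-pair keys
        self.window = window       # assumed: accept values at most this far behind
        self.seen = set()          # (sender, uniq) pairs already accepted

    def stamp(self, uniq: int, payload: bytes) -> bytes:
        body = HDR.pack(self.id, uniq) + payload
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag

    def verify(self, unit: bytes, current_uniq: int):
        """Return ((sender, payload), 'ok') or (None, reason)."""
        if len(unit) < HDR.size + TAG_LEN:
            return None, "short"
        body, tag = unit[:-TAG_LEN], unit[-TAG_LEN:]
        expect = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expect):
            return None, "bad tag"      # authentication failure: a security event
        sender, uniq = HDR.unpack(body[:HDR.size])
        if uniq > current_uniq or current_uniq - uniq > self.window:
            return None, "stale or future uniqueness value"
        if (sender, uniq) in self.seen:
            return None, "replay"
        # forget pairs that fell out of the window, then record this one
        self.seen = {(s, u) for s, u in self.seen if current_uniq - u <= self.window}
        self.seen.add((sender, uniq))
        return (sender, body[HDR.size:]), "ok"


def demo():
    """Constructed scenario: three members, one key, one synchronized value."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed test key
    a, b, c = (GroupMember(i, key) for i in (1, 2, 3))
    uniq = 1000                                  # the value every member holds
    unit = a.stamp(uniq, b"valve=open")
    tampered = bytearray(unit)
    tampered[HDR.size] ^= 0x01                   # flip the first payload byte
    outsider = GroupMember(9, b"\x00" * 16)      # holds no valid Communication Key
    return {
        "b_verifies": b.verify(unit, uniq),
        "c_verifies": c.verify(unit, uniq),
        "replay_at_b": b.verify(unit, uniq),
        "tampered": c.verify(bytes(tampered), uniq),
        "stale": c.verify(a.stamp(uniq - 5, b"x"), uniq),
        "forged": b.verify(outsider.stamp(uniq, b"valve=open"), uniq),
    }
```

Note the order of checks: the tag is verified before the uniqueness value is even parsed, so a forged unit never influences the replay bookkeeping, and a unit with a valid tag but a stale value is still rejected, which is why every member needs the synchronized value before it joins.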
The Participant State Machine
Every participant runs a small finite-state automaton. After power-up it enters Waiting and stays there until it has an authenticated synchronization value, then moves to Secure and joins the group. A detected security event, such as an authentication failure, a missed heartbeat or a synchronization timeout, moves it to Warning, where it keeps participating but prepares to abort if the warning is sustained. If the warning clears it returns to Secure; if a sync abort occurs it falls back to Waiting. A separate Configuration state covers the time a Configurator holds a secure session open; the participant leaves it on terminate or timeout.
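The automaton above and the heartbeat rule from the service list are small enough to write out. The Python below is an added illustration, not SPsec's own code, and it makes three assumptions the page leaves open: a warning that lasts longer than a fixed limit is treated as a sync abort, a participant returns to the state it held before a Configurator's session, and a peer counts as missed when no authenticated heartbeat has arrived for a set number of heartbeat cycles. The scenario at the end is constructed.

```python
"""Participant automaton with a Secure Heartbeat monitor (added illustration).
Assumed here: a warning that lasts warning_limit seconds becomes a sync abort;
Configuration resumes the state held before the session; a peer is missed when
no authenticated heartbeat arrived for missed_cycles cycles."""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional


class State(Enum):
    WAITING = auto()         # no authenticated synchronization value yet
    SECURE = auto()          # member of the group, sending and verifying
    WARNING = auto()         # security event seen; still participating
    CONFIGURATION = auto()   # a Configurator holds a secure session open


@dataclass
class Participant:
    warning_limit: float = 3.0                  # assumed sustain limit, seconds
    state: State = State.WAITING                # state after power-up
    warning_since: Optional[float] = None
    prior: Optional[State] = None               # resumed after Configuration
    events: list = field(default_factory=list)  # internal plane: (t, from, to, why)

    def _go(self, new, why, now):
        self.events.append((now, self.state.name, new.name, why))
        self.state = new

    def sync_authenticated(self, now):
        if self.state is State.WAITING:
            self._go(State.SECURE, "authenticated sync value", now)

    def security_event(self, kind, now):
        if self.state is State.SECURE:
            self.warning_since = now
            self._go(State.WARNING, kind, now)
        elif self.state is State.WARNING:        # report it, stay in Warning
            self.events.append((now, "WARNING", "WARNING", kind))

    def warning_cleared(self, now):
        if self.state is State.WARNING:
            self.warning_since = None
            self._go(State.SECURE, "warning cleared", now)

    def sync_abort(self, now, why="sync abort"):
        if self.state in (State.SECURE, State.WARNING):
            self.warning_since = None
            self._go(State.WAITING, why, now)

    def tick(self, now):                         # sustained warning -> abort
        if self.state is State.WARNING and now - self.warning_since >= self.warning_limit:
            self.sync_abort(now, "warning sustained")

    def session_opened(self, now):
        if self.state is not State.CONFIGURATION:
            self.prior = self.state
            self._go(State.CONFIGURATION, "configurator session opened", now)

    def session_closed(self, now, how):          # how: "terminate" or "timeout"
        if self.state is State.CONFIGURATION:
            self._go(self.prior, f"session {how}", now)

    def transitions(self):
        return [(a, b) for _, a, b, _ in self.events if a != b]


class HeartbeatMonitor:
    """Silence from a peer past the timeout is reported as a security event."""

    def __init__(self, p, cycle, missed_cycles):
        self.p, self.timeout = p, cycle * missed_cycles
        self.last_seen, self.missing = {}, set()

    def heartbeat(self, peer, now):              # call only after the stamp verified
        self.last_seen[peer] = now
        if peer in self.missing:
            self.missing.discard(peer)
            if not self.missing:
                self.p.warning_cleared(now)

    def check(self, peers, now):
        for peer in peers:
            last = self.last_seen.get(peer)
            if (last is None or now - last > self.timeout) and peer not in self.missing:
                self.missing.add(peer)
                self.p.security_event(f"missed heartbeat from {peer}", now)
        self.p.tick(now)


def run_scenario():
    """Constructed timeline: peer C drops out twice, the second time for good."""
    p = Participant(warning_limit=3.0)
    mon = HeartbeatMonitor(p, cycle=1.0, missed_cycles=2)   # 2 s timeout
    p.sync_authenticated(0.0)                                # WAITING -> SECURE
    c_alive = {0.0, 1.0, 2.0, 6.0}                           # when C's heartbeat arrives
    for t in map(float, range(13)):
        mon.heartbeat("B", t)
        if t in c_alive:
            mon.heartbeat("C", t)
        mon.check({"B", "C"}, t)
    p.session_opened(13.0)                # a Configurator holds a session
    p.session_closed(14.0, "timeout")     # back to the state held before: WAITING
    p.sync_authenticated(15.0)            # rejoins once a sync value is authenticated
    return p, mon
```

Running the scenario walks the participant through Waiting, Secure, Warning, back to Secure when C's heartbeat returns at t=6, Warning again when C falls silent, Waiting when that warning is sustained, then Configuration and Waiting before the final rejoin. The events list is the internal control plane: a host that does not consume it can ignore it, but it is exactly the material an audit log would record.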
Frequently Asked Questions
What is the difference between the data plane and the control plane?
The data plane carries the application's secured traffic. The control plane carries the SPsec messages that establish and maintain security: sessions, time synchronization, heartbeats and the events reported to the host application.
What does a missing Secure Heartbeat mean?
Each participant publishes an authenticated heartbeat on a fixed cycle. If a participant's heartbeat does not arrive within the timeout, it is treated as having left the group, and that absence is itself a security event: the participants still listening move from Secure to Warning, return to Secure if the heartbeat resumes, and abort if the warning is sustained.