Comment by dsab

> battle-tested like TLS instead of reinventing data encryption

Working in the industry, CCSDS SDLS is quite battle tested, albeit in a different way than TLS. It's not reinventing everything from scratch; in most cases, companies have common libraries and services that they've been using since the 90's that implement the standards. I found it interesting that a lot of the CCSDS standards sound a lot like internet standards because many were developed alongside the internet standards, just targeting constrained space systems rather than ground systems.

TLS is difficult because it doesn't work well when you get to large latencies (e.g. 700ms in LEO to ~1.5s in GEO). CCSDS standards target general space systems, so they have to account for that latency.

(author of the post here)

Hey dsab! I agree, but CCSDS is what we have today. We need to support it properly first if we ever want to extend or transition away. It also doesn't help that there's no good open-source implementation of the whole stack, especially the SDLS part, which makes the transition even harder.

On the type-safety side, I found typed combinators really useful for describing parsing and serialising (see my earlier post on ocaml-wire[1]), and keeping the protocol logic pure (separate from I/O) makes the whole thing much easier to test and reason about. OCaml's fuzzing support pairs really well with types too. This is basically the nqsb-TLS approach [2], which has held up in ocaml-tls for a decade.

[1] https://gazagnaire.org/blog/2026-03-31-ocaml-wire.html [2] https://www.usenix.org/conference/usenixsecurity15/technical...

The TL;DR here (https://ccsds.org/Pubs/350x9g2.pdf) seems to be "AES GCM", but with lots of lots of legacy protocols due to older birds in the sky. DTLS or HTTP3 would seem to be a better choice these days...