ROLL Working Group                                          L. Melegassi
Internet-Draft                                                  Catellix
Intended status: Informational                               28 May 2026
Expires: 29 November 2026


    MVPS-IoT: Multi-Vantage Coherence Detection for Constrained and
                       Low-Power IoT Deployments
                    draft-melegassi-roll-mvps-iot-01

Abstract

   This document specifies MVPS-IoT, a profile of the Multi-Vantage Path
   Synchrony (MVPS) framework adapted for constrained-node networks
   [RFC7228]. MVPS-IoT instantiates the multi-vantage Mahalanobis
   statistic D^2 over a cluster of N >= 4 constrained sensor nodes
   observing the SAME physical phenomenon, to answer one operational
   question single-sensor deployments cannot: "is this anomaly a sensor
   failure (one vantage disagrees) or a physical phenomenon (the others
   agree)?"

   This -01 revision CORRECTS two errors in -00 that were identified in
   adversarial audit: (1) the claim that the detection statistic D^2
   grows without bound, and (2) a mismatch between the bandwidth
   probability and the operational gate. Both are restated honestly
   here. Detection-latency bounds are explicitly demoted to conjectures
   with falsification protocols.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 29 November 2026.

Melegassi                  Expires 29 Nov 2026                  [Page 1]

Internet-Draft                  MVPS-IoT                        May 2026

Copyright Notice

   Copyright (c) 2026 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Cluster and Detector Model
   4.  Coherence Axes for IoT
   5.  Uplink Gates and Bandwidth (corrected)
   6.  Detection Statistic: Bounded and Monotone (corrected)
   7.  Sensor-Fault Discrimination
   8.  Inheritance from the MVPS Core
   9.  Conjectures and Falsification Protocols
   10. Changes From -00 (Audit Response)
   11. Security Considerations
   12. IANA Considerations
   13. References

1.  Introduction

   A single IoT sensor that reports an anomaly cannot, by itself,
   distinguish a fault in the sensor from a real change in the monitored
   phenomenon. A cluster of N >= 4 sensors observing the same
   phenomenon can: a fault perturbs ONE vantage, while a phenomenon
   perturbs the majority coherently. MVPS-IoT applies the multi-vantage
   coherence detector of the MVPS core to this setting, under the
   bandwidth and energy constraints of [RFC7228].

   This profile makes claims at three maturity levels following the MVPS
   adversarial-audit methodology [I-D.melegassi-irtf-mvps-methodology]:
   [T] machine-checked theorems, [D] engineering designs, and [C]
   conjectures with explicit falsification protocols. Every [T] claim
   is backed by a numerical receipt (Section 6).

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in BCP 14 [RFC2119]
   [RFC8174] when, and only when, they appear in all capitals, as shown
   here.

   Cluster:  N >= 4 constrained sensor nodes observing one phenomenon
      and reporting to one edge gateway each tick T_tick.

   Coherence vector c(t):  the triple (C_1, C_2, C_3) in [0,1]^3
      defined in Section 4.

   beta (coherent-shift magnitude):  the sigma-normalised magnitude of
      a phenomenon shared by a majority of sensors.

3.  Cluster and Detector Model

   The gateway maintains a commissioning baseline mu0 in [0,1]^3 and a
   positive-definite covariance Sigma_0 estimated over a quiet holdout
   window, with smallest eigenvalue lambda_min > 0. Each tick it forms
   the Mahalanobis statistic

      D^2(t) = (c(t) - mu0)^T Sigma_0^-1 (c(t) - mu0)

   and raises a coherence alarm when D^2(t) > q_chi, the chi-square
   quantile with 3 degrees of freedom at the configured level (the
   nominal operational value is the 0.99 quantile, q_chi = 11.345).

   Class 0/1 nodes [RFC7228] run only an epsilon-gated uplink
   (Section 5); the Class 2 gateway computes D^2; the broker is
   conventional cloud or operator infrastructure.

4.  Coherence Axes for IoT

   The three coherence axes are reinstantiated for constrained telemetry
   as:

   C_1  cross-sensor agreement: 1 minus the normalised dispersion of
        the per-sensor standardised residuals;

   C_2  temporal regularity: agreement of inter-arrival/observation
        cadence against the commissioned T_tick;

   C_3  spatial/topological consistency: agreement of the value field
        against the expected gradient across the cluster.

   Each axis is mapped into [0,1] (base MVPS Theorem 1); this bound is
   load-bearing for Section 6.

5.  Uplink Gates and Bandwidth (corrected)

   Constrained nodes suppress uplinks using ONE of two gates. Let eps
   be the gate width in sigma-units and assume IID Gaussian readings:

   Absolute gate G_abs:  send iff |s(t) - mu| > eps*sigma. Send
      probability P_send = 2*Phi(-eps) = erfc(eps/sqrt2).

   Delta gate G_del:  send iff |s(t) - s_last| > eps*sigma. The
      difference has variance 2*sigma^2, so
      P_send = 2*Phi(-eps/sqrt2) = erfc(eps/2).

   With payload p octets and tick T_tick seconds, the per-node uplink
   bandwidth is

      B_node = P_send * p * (60 / T_tick) octets/minute.

   For p = 32 octets and T_tick = 60 s, the LoRaWAN SF12 EU868 1%-duty
   envelope is approximately 3 octets/minute, and:

      G_abs, eps = 2: P_send = 0.0455 -> 1.456 B/min (FITS).
      G_del, eps = 2: P_send = 0.1573 -> 5.03 B/min (EXCEEDS).

   The delta gate fits the 3 B/min envelope only for eps >= ~2.37.
   Deployments with a strict LP-WAN duty budget therefore SHOULD use the
   absolute gate, or a delta gate with eps >= 2.4. This corrects -00,
   which quoted the delta-gate probability 0.1573 but then used the
   absolute-gate value 0.0455 to advertise the 1.456 B/min figure (audit
   finding B-IoT-1).

6.  Detection Statistic: Bounded and Monotone (corrected)

   Because every coherence axis lies in [0,1] (Section 4), the
   displacement is bounded and so is D^2. Model the coherent shift as a
   per-axis monotone saturating map

      c_i(beta) = mu0_i + (1 - mu0_i)(1 - e^{-beta}).

   Then:

   L-IOT-2 [T] (bounded, monotone D^2; existence of beta*):

      (a) D^2(beta) is monotone non-decreasing in beta;

      (b) D^2(beta) <= D2_max := (1-mu0)^T Sigma_0^-1 (1-mu0)
          <= 3/lambda_min < infinity;

      (c) a finite detection threshold beta* with D^2(beta*) = q_chi
          EXISTS IF AND ONLY IF D2_max > q_chi.

   This REPLACES the -00 claim that "D^2 -> infinity" (audit finding
   B-IoT-2).
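
   L-IOT-2 (b) and (c) as a commissioning-time check, in an added
   example that is not the draft's scripts/validate_iot_coherence.py and
   not code from the MVPS project. It assumes a diagonal Sigma_0 built
   from per-axis standard deviations and a baseline
   mu0 = (0.1, 0.1, 0.1), which the draft does not state; commission()
   and the other names are hypothetical.

```python
import math

Q_CHI = 11.345  # 0.99 chi-square quantile, 3 degrees of freedom (Section 3)

def mahalanobis_sq(c, mu0, std):
    """D^2 for a diagonal Sigma_0 = diag(std_i^2) (assumption of this example)."""
    return sum(((ci - mi) / si) ** 2 for ci, mi, si in zip(c, mu0, std))

def shifted(mu0, beta):
    """Section 6 saturating map c_i(beta) = mu0_i + (1 - mu0_i)(1 - e^-beta)."""
    g = 1.0 - math.exp(-beta)
    return [m + (1.0 - m) * g for m in mu0]

def commission(mu0, std, q_chi=Q_CHI):
    """Return (D2_max, 3/lambda_min, beta*); beta* is None if undetectable."""
    d2_max = mahalanobis_sq([1.0] * len(mu0), mu0, std)
    bound = 3.0 / min(s * s for s in std)  # lambda_min of a diagonal Sigma_0
    if d2_max <= q_chi:                    # L-IOT-2 (c): no finite beta* exists
        return d2_max, bound, None
    # Every axis shares the factor g = 1 - e^-beta, so D^2(beta) = g^2 * D2_max
    # and D^2(beta*) = q_chi has a closed-form solution.
    beta_star = -math.log(1.0 - math.sqrt(q_chi / d2_max))
    return d2_max, bound, beta_star

MU0 = [0.1, 0.1, 0.1]                      # assumed baseline, not from the draft
DETECTABLE = commission(MU0, [0.20, 0.30, 0.25])
TOO_NOISY = commission(MU0, [2.0, 2.0, 2.0])

if __name__ == "__main__":
    for name, (d2, bound, beta) in (("detectable", DETECTABLE),
                                    ("too noisy", TOO_NOISY)):
        verdict = ("no beta*: do not advertise detection" if beta is None
                   else f"beta* = {beta:.3f} sigma")
        print(f"{name}: D2_max = {d2:.2f} (<= {bound:.2f}); {verdict}")
```

   With these assumed inputs the first cluster gives D2_max = 42.21 and
   beta* = 0.731, and the second gives D2_max = 0.61 with no beta*.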

   An important honest consequence of (c): a cluster too noisy relative
   to the coherence range (D2_max <= q_chi) will NOT detect any coherent
   shift, however large. Commissioning MUST verify D2_max > q_chi
   before advertising detection.

   Numerical receipt. scripts/validate_iot_coherence.py exits 0 with
   8/8 checks. For a detectable cluster (per-sensor std 0.20, 0.30,
   0.25) it reports D2_max = 42.21 (<= 3/lambda_min = 75) and
   beta* = 0.731 sigma; for a too-noisy cluster (std 2.0 on each axis)
   it reports D2_max = 0.61 < q_chi and hence NO beta* (no detection),
   demonstrating (c) constructively.

7.  Sensor-Fault Discrimination

   L-IOT-1 [T] (single-outlier localization): with one outlier among N
   sensors, the geometric median displaces by at most 2/(N-2) sigma, and
   the outlier is argmax-localised by its residual. This is a
   specialization of the geometric-median max-bias result
   (Minsker/Cohen), equivalently MVPS core Theorem 9, to f = 1 outlier
   among N points. The receipt reports 1.000 sigma at N = 4 and 0.333
   sigma at N = 8. (The -00 attribution to "BE-MVPS Theorem 9" and
   "Cohen-2016 Theorem 1" was incorrect; corrected per audit finding
   B-IoT-6.)

8.  Inheritance from the MVPS Core

   A short-range or wired IoT cluster trivially satisfies the bounded
   joint-skew axiom A1 (NTP/PTP discipline, with T_tick on the order of
   seconds); axioms A2, A3, A5 are structural. With Byzantine fraction
   f < 1/2 (e.g. one outlier at N >= 4), the core theorems T1, T2, T3',
   and T9 hold on the IoT surface verbatim by the
   Architecture-Invariance Theorem
   [I-D.melegassi-iab-mvps-architecture]. No re-proof is required; only
   the axiom preconditions are checked here.

9.  Conjectures and Falsification Protocols

   C-IOT-1 [C] (bounded-latency detection): under cluster-specific
   calibration of q_chi (e.g. the empirical 99-percentile of D^2 over
   the commissioning holdout), a coherent shift of beta sigma is
   detected with latency bounded by max(M-1,1)*T_tick + RTT_gw.

      observable:   tick index of first D^2 > q_chi vs labelled onset;

      data source:  NASA Bearing Dataset; UCI Air Quality;

      test:         paired latency vs per-sensor max-z, Wilson 95%
                    lower bound on detection-time gain > 0;

      blocker:      per-cluster commissioning calibration; held as [C]
                    until that empirical receipt exists.

   This conjecture MUST NOT be cited as a guarantee. The -00 draft
   over-stated tick-bounded latency; it is demoted here.

10.  Changes From -00 (Audit Response)

   o  B-IoT-2 (CRITICAL): the unbounded-D^2 claim is replaced by the
      bounded/monotone statement L-IOT-2 with an explicit existence
      condition D2_max > q_chi (Section 6).

   o  B-IoT-1 (CRITICAL): the bandwidth gate is corrected; both gate
      probabilities are stated and the LP-WAN envelope condition is made
      explicit (Section 5).

   o  B-IoT-3: the Lipschitz hypothesis is replaced by an explicit
      per-axis monotonicity precondition.

   o  B-IoT-6: the geometric-median result is attributed to
      Minsker/Cohen = MVPS core Theorem 9 (Section 7).

   o  Latency claims are demoted to conjecture C-IOT-1 (Section 9).

11.  Security Considerations

   MVPS-IoT is a defensive detection profile. It raises a coherence
   alarm and localises a likely-faulty vantage; it does NOT actuate. An
   adversary controlling fewer than N/2 sensors cannot forge a coherent
   shift without being localised (Section 7). An adversary controlling
   a majority is out of scope and corresponds to f >= 1/2, where the
   core theorems do not apply. Gateways MUST authenticate node uplinks
   (e.g. LoRaWAN/OSCORE) so that residual localisation is not poisoned
   by spoofed vantages.

12.  IANA Considerations

   This document has no IANA actions.

13.  References

13.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, May 2017.

   [RFC7228]  Bormann, C., Ersue, M., and A. Keranen, "Terminology for
              Constrained-Node Networks", RFC 7228, May 2014.

13.2.  Informative References

   [I-D.melegassi-iab-mvps-architecture]
              Melegassi, L., "MVPS Architecture and the
              Architecture-Invariance Theorem", Work in Progress.

   [I-D.melegassi-irtf-mvps-methodology]
              Melegassi, L., "An Adversarial-Audit Methodology for MVPS
              Claims", Work in Progress.

   [RFC7252]  Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
              Application Protocol (CoAP)", RFC 7252, June 2014.

Author's Address

   Leonardo Melegassi
   Catellix
   Brazil

   Email: leonardo@catellix.com
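
   The Section 5 gate arithmetic, in an added example that is not part
   of the draft or of the MVPS project's code. It recomputes both send
   probabilities and B_node, and goes one step further by solving for
   the smallest eps that fits a given envelope; the function names and
   the bisection search are choices of this example.

```python
import math

def p_send(eps, gate):
    """Send probability under IID Gaussian readings (Section 5)."""
    if gate == "abs":      # send iff |s - mu| > eps*sigma
        return math.erfc(eps / math.sqrt(2.0))
    if gate == "delta":    # send iff |s - s_last| > eps*sigma; variance 2*sigma^2
        return math.erfc(eps / 2.0)
    raise ValueError(f"unknown gate {gate!r}")

def b_node(eps, gate, payload=32, t_tick=60.0):
    """Per-node uplink bandwidth in octets/minute."""
    return p_send(eps, gate) * payload * (60.0 / t_tick)

def min_eps(gate, envelope, payload=32, t_tick=60.0, hi=10.0):
    """Smallest eps whose B_node fits the envelope, found by bisection.

    B_node is strictly decreasing in eps, so the crossing is unique.
    """
    if b_node(0.0, gate, payload, t_tick) <= envelope:
        return 0.0
    if b_node(hi, gate, payload, t_tick) > envelope:
        raise ValueError("envelope not reachable for eps <= hi")
    lo = 0.0
    for _ in range(60):
        mid = (lo + hi) / 2.0
        if b_node(mid, gate, payload, t_tick) > envelope:
            lo = mid
        else:
            hi = mid
    return hi

ENVELOPE = 3.0  # octets/minute: the draft's approximate SF12 EU868 1% figure

if __name__ == "__main__":
    for gate in ("abs", "delta"):
        b = b_node(2.0, gate)
        fits = "FITS" if b <= ENVELOPE else "EXCEEDS"
        print(f"{gate}: P_send={p_send(2.0, gate):.4f} "
              f"B_node={b:.3f} B/min ({fits}); "
              f"min eps={min_eps(gate, ENVELOPE):.3f}")
```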
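
   Single-outlier localisation as described in Section 7, in an added
   example that is not the draft's receipt script or MVPS project code.
   It assumes 2-D standardised residual vectors and uses the Weiszfeld
   iteration as the geometric-median solver (the draft names no solver);
   the cluster geometry is constructed, and the comparison with 2/(N-2)
   holds for this data only.

```python
import math

def geometric_median(points, iters=200, tol=1e-10):
    """Weiszfeld iteration for the geometric median of d-dimensional points."""
    dim = len(points[0])
    m = [sum(p[k] for p in points) / len(points) for k in range(dim)]
    for _ in range(iters):
        # Inverse-distance weights; the floor avoids division by zero when
        # the iterate lands exactly on a data point.
        w = [1.0 / max(math.dist(m, p), 1e-12) for p in points]
        new = [sum(wi * p[k] for wi, p in zip(w, points)) / sum(w)
               for k in range(dim)]
        if math.dist(new, m) < tol:
            return new
        m = new
    return m

def localise(points):
    """Return (index of the largest residual, residuals, median)."""
    m = geometric_median(points)
    res = [math.dist(m, p) for p in points]
    return max(range(len(points)), key=res.__getitem__), res, m

def make_cluster(n, radius=0.5, outlier=(6.0, 0.0)):
    """Constructed data: n-1 agreeing vantages on a circle (sigma units),
    followed by one outlying vantage at index n-1."""
    step = 2.0 * math.pi / (n - 1)
    honest = [(radius * math.cos(i * step), radius * math.sin(i * step))
              for i in range(n - 1)]
    return honest + [outlier]

def displacement(n):
    """Return (localised index, median shift caused by the outlier, 2/(N-2))."""
    pts = make_cluster(n)
    clean = geometric_median(pts[:-1])
    idx, _, dirty = localise(pts)
    return idx, math.dist(clean, dirty), 2.0 / (n - 2)

if __name__ == "__main__":
    for n in (4, 8):
        idx, shift, bound = displacement(n)
        print(f"N={n}: outlier localised at index {idx}; "
              f"median shift {shift:.3f} sigma (draft figure {bound:.3f})")
```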