| Internet-Draft | WARN | May 2026 |
| Koga | Expires 11 November 2026 | [Page] |
This document describes WARN, a transport-agnostic compact binary wire protocol used for emergency alerts under constrained hardware and lossy networks. It is designed to reach farther and quicker than OASIS CAP, which tries to deliver full human-readable information at the cost of complexity. It primarily uses fixed fields, with support for TLVs when more expressiveness is required. It also has a mandatory signature to prevent fake alerts propagating through a mesh.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 11 November 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.¶
The current emergency alert infrastructure, [CAP] is flexible and widely deployed, but the structure inherently bears complexity which may fail under extreme conditions such as lossy networks and overloaded devices (i.e. potential outcomes of emergency situations).¶
This document defines a protocol aimed to be maximally resilient, distributed, and lightweight to mitigate those points.¶
Lack of efficient internationalization¶
The size of messages multiply with internationalization.¶
Unbounded¶
On systems that lack proper amounts of available memory, CAP may overwhelm the chip, given that its length is not hard-capped.¶
Centralized¶
Even though the networking around the alert origin may be robust, bottlenecks may exist at any point in between the central origin and client.¶
Physical interruptions of the network may cause connections to fault, and may require an expensive route change.¶
The amount of connections the origin can juggle simultaneously limits the amount of clients that can receive CAP XML alerts.¶
Complex¶
Insecure¶
No legitimate enforcement on signing.¶
Demanding¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
WARN uses a two-level versioning scheme to distinguish wire incompatibility from backward-compatible extensions.¶
Major version (version_major)¶
A change in major version indicates wire-incompatible changes.¶
If version_major is greater than the highest version supported by the implementation, the packet MUST NOT be fully interpreted.¶
Implementations MAY parse only the common prefix for the purposes of safe rejection, logging, or routing, but MUST treat the packet as unsupported.¶
No compatibility guarantees are provided across major versions.¶
If version_major is zero, the packet is considered invalid.¶
Minor version (version_minor)¶
A change in minor version indicates a backward-compatible extension within the same major version.¶
Minor version updates MUST NOT change the meaning of any field defined in the current major version.¶
Minor version updates MAY:¶
However, keeping up to date is strongly recommended.¶
Receivers MUST ignore unknown flag bits and unknown TLV types.¶
Latitude and longitude are signed i32 in 100-nanodegree units (1e-7 degrees).¶
Ranges:¶
Total size: 8 bytes¶
| Offset | Size | Field | Type | Description |
|---|---|---|---|---|
| 0x00 | 4 | magic |
u8[4]
|
ASCII "WARN" |
| 0x04 | 1 | version_major | u8 | v1.0 -> 1 |
| 0x05 | 1 | version_minor | u8 | v1.0 -> 0 |
| 0x06 | 2 | flags | u16 | See Section 5 |
| 0x08 | ... | payload | - | ALERT or non-ALERT fields |
Notes:¶
Bit numbering: Bit 0 is the most significant bit (MSB).¶
| Bit | Name | Meaning |
|---|---|---|
| 0 | ALERT | This is an ALERT packet |
| 1 | URGENT | Forward with priority |
| 2 | UPDATE | Revision of existing event |
| 3 | CANCEL | Cancels an existing event |
| 4 | TEST | Test alert |
| 5-15 | RESERVED | Unused in v1; MUST be ignored by receivers |
| Offset | Size | Field | Type |
|---|---|---|---|
| 0x08 | 8 | timestamp_s | u64 |
| 0x10 | 4 | event_id | u32 |
| 0x14 | 2 | seq | u16 |
| 0x16 | 2 | ttl_s | u16 |
| 0x18 | 1 | hazard_major | u8 |
| 0x19 | 1 | hazard_minor | u8 |
| 0x1A | 1 | urgency | u8 |
| 0x1B | 1 | severity | u8 |
| 0x1C | 1 | certainty | u8 |
| 0x1D | 1 | response | u8 |
| 0x1E | 8 | onset_s | u64 |
| 0x26 | 8 | expiry_s | u64 |
| 0x2E | 8 | effective_time_s | u64 |
| 0x36 | 4 | epicenter_lat | i32 |
| 0x3A | 4 | epicenter_lon | i32 |
| 0x3E | 2 | radius_10m | u16 |
| 0x40 | N | signed_tlv | bytes |
Field descriptions:¶
timestamp_s: The time this alert was issued¶
event_id: The root ID that this event has. Subsequent updates or queries to a database will utilize this specific key.¶
ttl_s: The baseline amount of time relays SHOULD propagate for.¶
hazard_major, hazard_minor, urgency, certainty, response: Specified in Section 7.¶
onset_s: When the alert becomes active¶
expiry_s: When the alert expires¶
effective_time_s: When the event actually occurred or will occur¶
epicenter_lat, epicenter_lon: Epicenter coordinates in 100-nanodegree units (see Section 3.4).¶
radius_10m: Affected radius used for propagation decisions (see Section 10.2)¶
Deriving signed_tlv bounds: The signed TLV block has no explicit length field. Bounds are derived from the transport-provided packet length:¶
Immediately follows signed_tlv:¶
| Field | Size | Description |
|---|---|---|
| origin_key_id | 4 | Identifies the signing key in the Origin Registry (Section 18) |
| signature | 64 | Ed25519 signature |
These list the possible values for fields in WARN ALERT packets. Most fields are designed to reflect CAP. For advanced meanings of these values, refer to the OASIS [CAP] specs Section 3.2.2. Refer to Section 9 for the tables.¶
NOTE: additional hazard_minor values are to be determined. Should be able to convert from all preexisting CAP messages which have been produced using this table.¶
event_id identifies a physical event.¶
seq is monotonic per event, starting from 0.¶
seq MUST NOT overflow. In the case seq reaches 65535, the origin MUST re-issue an alert with a REPLACES TLV, and that alert SHOULD be URGENT.¶
Receiver rules:¶
seq < highest_seen -> drop¶
seq == highest_seen -> drop duplicate¶
seq > highest_seen -> accept update, advance highest_seen¶
Deduplication state per event:¶
(origin_key_id, event_id) -> highest_seq: u16¶
A packet with the CANCEL flag set cancels the event identified by event_id.¶
CANCEL packets MUST carry a seq strictly greater than the highest previously accepted seq for that event.¶
Upon accepting a CANCEL, receivers MUST immediately expire the event and cease acting on it.¶
The CANCEL's deduplication entry MUST persist in the replay cache for at least ttl_s seconds measured from the CANCEL packet's own timestamp_s. This prevents late-arriving retransmissions of the original alert from slipping through after the CANCEL entry expires.¶
TLV layout:¶
Rules:¶
TLVs:¶
0x00 UNUSED¶
0x01 HAZARD_NAME (UTF-8)¶
0x02 POLYGON ((i32, i32)[])¶
POLYGON MUST contain no less than 3 points and no more than 8 points.¶
POLYGON points MUST be closed, and MUST be ordered in a counterclockwise fashion, abiding to [RFC7946].¶
POLYGON points MUST be the latitude and longitude of the point in 100-nanodegree units (see Section 3.4).¶
0x03 REPLACES (u32[])¶
This is for when an alert origin issues an alert which may replace another for a variety of reasons, such as prevention of seq overflow, merging of two alerts, etc. An alert replacing another SHOULD be marked as URGENT.¶
The ttl_s field represents how many seconds the packet is permitted to spread.¶
Conceptual rule:¶
age_s = now_s - timestamp_s if age_s > ttl_s -> SHOULD NOT forward¶
Under any of the conditions specified below, alerts MAY be propagated regardless of ttl and geographic bounding.¶
| Offset | Size | Field | Type |
|---|---|---|---|
| 0x08 | 2 | kind | u16 |
| 0x0A | ... | general payload | - |
The kind field identifies the packet type. All non-ALERT packets share this header immediately after the Common Prefix.¶
Receivers MUST silently drop any packet whose kind is unknown or whose kind belongs to a different transport's range.¶
The table of reservations for WARN 1.0 is as follows.¶
| Range/Value | Category |
|---|---|
| 0x0000 | RESERVED(invalid) |
| 0x0001-0x00FF | WARN |
| 0x0100-0x01FF | IPWARN |
| 0x0200-0xFEFF | Future use |
| 0xFF00-0xFFFE | Private use |
| 0xFFFF | RESERVED(invalid) |
All ADVISORY packets MUST be signed by the master origin key. Signing is determined by kind, not by a flag.¶
Receivers MUST:¶
Verify the Ed25519 signature over the signed region [0x00, packet_len - 64) if they exist.¶
Drop the packet if verification fails.¶
Drop the packet if kind is unknown.¶
Drop the packet if new_registry_version is less than or equal to its own registry's version.¶
Immediately follows the kind-specific payload:¶
| Field | Size | Description |
|---|---|---|
| signature | 64 | Ed25519 signature over [0x00, packet_len - 64)
|
| Kind | Name |
|---|---|
| 0x0001 | ADVISORY_NEW |
| 0x0002 | ADVISORY_REVOKE |
| 0x0003 | ADVISORY_RETIRE |
| 0x0004 | ADVISORY_UPDATE |
| 0x0005 | ADVISORY_REGISTRY_REFRESH |
Registers a new alert origin. Receivers MUST add the entry to their local registry and update their stored registry version to new_registry_version. In the case nodes receive a valid ADVISORY_NEW packet that collides with the current registry, nodes MUST drop that packet and refuse update, and SHOULD do a full resync of its local origin registry.¶
| Offset | Size | Field | Type |
|---|---|---|---|
| 0x0A | 8 | new_registry_version | u64 |
| 0x12 | 4 | origin_key_id | u32 |
| 0x16 | 32 | pubkey_ed25519 |
u8[32]
|
Minimum packet size: 8 (prefix) + 2 (kind) + 44 (payload) + 64 (signature) = 118 bytes¶
Emergency revocation of a compromised or rogue alert origin. Receivers MUST immediately remove the identified origin from their local registry and reject any further ALERTs signed by it, regardless of signature validity.¶
This packet SHOULD have URGENT set.¶
| Offset | Size | Field | Type |
|---|---|---|---|
| 0x0A | 8 | new_registry_version | u64 |
| 0x12 | 4 | origin_key_id | u32 |
Minimum packet size: 8 + 2 + 12 + 64 = 86 bytes¶
Planned decommission of an alert origin. Receivers MUST remove the identified origin from their local registry and update their stored registry version.¶
Unlike ADVISORY_REVOKE, retirement is planned and does not imply compromise. URGENT SHOULD NOT be set.¶
| Offset | Size | Field | Type |
|---|---|---|---|
| 0x0A | 8 | new_registry_version | u64 |
| 0x12 | 4 | origin_key_id | u32 |
Minimum packet size: 86 bytes¶
Notifies nodes of a scheduled WARN protocol update. Implementations MAY ignore it. It carries no enforcement.¶
| Offset | Size | Field | Type |
|---|---|---|---|
| 0x0A | 1 | version_major | u8 |
| 0x0B | 1 | version_minor | u8 |
| 0x0C | 8 | scheduled_update_s | u64 |
Minimum packet size: 8 + 2 + 10 + 64 = 84 bytes¶
Signals that the registry has been updated and nodes SHOULD re-sync via the info-plane. Carries the authoritative current registry version so receivers can determine whether they are behind.¶
| Offset | Size | Field | Type |
|---|---|---|---|
| 0x0A | 8 | current_registry_version | u64 |
Receivers that find their local registry version behind current_registry_version SHOULD fetch the full registry from the info-plane.¶
Minimum packet size: 8 + 2 + 8 + 64 = 82 bytes¶
Alert Origin: signs and issues ALERT packets.¶
Data Relay: receives alerts from Alert Origins and performs first-hop seeding into the mesh.¶
Goals:¶
All alert-plane propagation from Alert Origins MUST pass through at least one Data Relay before reaching leaf clients. General WARN coordination packets MAY originate from any node. Transport-specific seeding rules (relay discovery, registration, forwarding topology) are defined in per-transport specifications. See WARNIP.¶
REQUIRED cache length:¶
Replay cache duration >= ttl_s¶
Transport-specific constraints such as NAT traversal, port binding, and client keepalive are defined in per-transport specifications.¶
This section defines a simple local file or in-memory region that maps origin_key_id -> public key.¶
This file is NOT transmitted on the alert-plane. How it is distributed/updated is out of scope.¶
registry_version: u64, used to manage deltas and versions. The registry version MUST monotonically increase. This MUST match the newest version that the node has obtained, either via a sync or ADVISORY.¶
Each entry MUST contain:¶
Although WARN alerts are made to be usable in any region, nations SHOULD isolate their mesh against potential attacks by neighboring nations via a false alert. In such cases, nations SHOULD compile in their own keys for their nation, and isolate their trust system.¶
WARN only declares the common protocol which all devices using WARN must be able to parse. Therefore info-plane schemas, key distribution, and propagation will be medium-dependent. There are other specifications that are dependent on the medium, such as IP. Other mediums may distribute WARN messages natively with medium-specific framing. The auxiliary data may change, but the WARN packet itself will be preserved.¶
The security and validity of WARN effectively relies on a single master key, which should be kept airtight, preferably using an HSM or equivalent security measure. If the master key is compromised, then a large-scale firmware update would be necessary for resetting keys.¶
Alert origins should keep their private keys secure, but in the case of a compromise, the master key should be able to revoke the compromised key fairly quickly. Malicious alert relays will not be able to issue alerts or affect another node unless they have a origin private key, and complying implementations will be able to drop invalid packets either forged by a node or replayed from a previous time. A malicious fleet of relays can "dilute" the mesh depending on the medium. On mediums such as IP, if a fleet of relays register but drop packets on a real emergency alert, they may degrade the resilience of the network. A malicious fleet of relays will be able to effectively do a DoS attack on a relay to overwhelm its ability to process and validate the costly Ed25519 signature.¶
IANA will create a new registry group called "WARN." This group includes the "WARN Hazard Codes" "WARN Assigned Ranges" "WARN Advisory Codes" "WARN Response" "WARN Urgency" "WARN Severity" "WARN Certainty" registries described below.¶
IANA will create the following registry:¶
Registry Name: WARN Hazard Codes¶
Registration Procedure: RFC Required¶
NOTE: The complete values of this table are TBD.¶
| hazard_major | hazard_minor | Meaning |
|---|---|---|
| 0 | 0 | RESERVED (invalid) |
| 1 | 0 | Geophysical Unknown |
| 1 | 1 | Earthquake |
| 1 | 2 | Landslide |
| 1 | 3 | Tsunami |
| 2 | 0 | Meteorological Unknown |
| 2 | 1 | Storm |
| 2 | 2 | Flood |
| 3 | 0 | Safety Unknown |
| 4 | 0 | Security Unknown |
| 4 | 1 | Terrorism |
| 4 | 2 | Military Activity |
| 5 | 0 | Rescue Unknown |
| 6 | 0 | Fire Unknown |
| 6 | 1 | Wildfire |
| 6 | 2 | City Fire |
| 6 | 3 | Prescribed Fire |
| 7 | 0 | Health Unknown |
| 8 | 0 | Environmental Unknown |
| 8 | 1 | Air pollution |
| 9 | 0 | Transport Unknown |
| 0x0A | 0 | Infra Unknown |
| 0x0B | 0 | CBRNE Unknown |
| 0xFF | 0 | Other |
IANA will create the following registry:¶
Registry Name: WARN Response¶
Registration Procedure: RFC Required¶
| Value | Meaning |
|---|---|
| 0 | RESERVED(invalid) |
| 1 | All Clear |
| 2 | Assess |
| 3 | Avoid |
| 4 | Evacuate |
| 5 | Execute |
| 6 | Monitor |
| 7 | Prepare |
| 8 | Shelter |
| 9 | None |
IANA will create the following registry:¶
Registry Name: WARN Urgency¶
Registration Procedure: RFC Required¶
| Value | Meaning |
|---|---|
| 0 | RESERVED(invalid) |
| 1 | Expected |
| 2 | Future |
| 3 | Immediate |
| 4 | Past |
| 5 | Unknown |
IANA will create the following registry:¶
Registry Name: WARN Severity¶
Registration Procedure: RFC Required¶
| Value | Meaning |
|---|---|
| 0 | RESERVED(invalid) |
| 1 | Minor |
| 2 | Moderate |
| 3 | Severe |
| 4 | Extreme |
| 5 | Unknown |
IANA will create the following registry:¶
Registry Name: WARN Certainty¶
Registration Procedure: RFC Required¶
| Value | Meaning |
|---|---|
| 0 | RESERVED(invalid) |
| 1 | Unlikely |
| 2 | Likely |
| 3 | Possible |
| 4 | Observed |
| 5 | Unknown |
IANA will create the following registry:¶
Registry Name: WARN Reserved Ranges¶
Registration Procedure: RFC Required¶
| Range/Value | Category |
|---|---|
| 0x0000 | RESERVED(invalid) |
| 0x0001-0x00FF | WARN |
| 0x0100-0x01FF | IPWARN |
| 0x0200-0xFEFF | Future use |
| 0xFF00-0xFFFE | Private use |
| 0xFFFF | RESERVED(invalid) |