--- 1/draft-ietf-drip-reqs-01.txt 2020-07-13 14:13:42.548181426 -0700 +++ 2/draft-ietf-drip-reqs-02.txt 2020-07-13 14:13:42.612183046 -0700 
@@ -1,101 +1,109 @@ DRIP S. Card, Ed. Internet-Draft A. Wiethuechter Intended status: Informational AX Enterprize -Expires: 26 November 2020 R. Moskowitz +Expires: 14 January 2021 R. Moskowitz HTT Consulting A. Gurtov - Linköping University - 25 May 2020 + Linköping University + 13 July 2020 Drone Remote Identification Protocol (DRIP) Requirements - draft-ietf-drip-reqs-01 + draft-ietf-drip-reqs-02 Abstract This document defines the requirements for Drone Remote Identification Protocol (DRIP) Working Group protocols to support Unmanned Aircraft System Remote Identification and tracking (UAS RID) - for safety, regulatory compliance and other purposes. - - Complementing external technical standards as regulator-accepted - means of compliance with UAS RID regulations, DRIP will: + for security, safety and other purposes. Complementing external + technical standards as regulator-accepted means of compliance with + UAS RID regulations, DRIP will: facilitate use of existing Internet resources to support UAS RID and to enable enhanced related services; - enable on-line and off-line verification that UAS RID information - is trustworthy. + enable online and offline verification that UAS RID information is + trustworthy. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on 26 November 2020. + This Internet-Draft will expire on 14 January 2021. 
Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents - 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 - 2. Terms and Definitions . . . . . . . . . . . . . . . . . . . . 6 - 2.1. Requirements Terminology . . . . . . . . . . . . . . . . 6 - 2.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 6 - 3. UAS RID Problem Space . . . . . . . . . . . . . . . . . . . . 12 - 3.1. Network RID . . . . . . . . . . . . . . . . . . . . . . . 13 - 3.2. Broadcast RID . . . . . . . . . . . . . . . . . . . . . . 14 - 3.3. DRIP Focus . . . . . . . . . . . . . . . . . . . . . . . 14 - 4. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 15 - 4.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 16 - 4.2. Identifier . . . . . . . . . . . . . . . . . . . . . . . 17 - 4.3. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 18 - 4.4. Registries . . . . . . . . . . . . . . . . . . . . . . . 18 - 5. Discussion and Limitations . . . . . . . . . . . . . . . . . 19 - 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 - 7. Security Considerations . . . . . . . . . . . . . . . . . . . 20 - Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 21 - References . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 - Normative References . . . . . . . . . . . . . . . . . . . . . 
21 - Informative References . . . . . . . . . . . . . . . . . . . . 21 - Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 22 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 + 1. Introduction (Informative) . . . . . . . . . . . . . . . . . 2 + 1.1. Overall Context . . . . . . . . . . . . . . . . . . . . . 3 + 1.2. Intended Use . . . . . . . . . . . . . . . . . . . . . . 5 + 1.3. DRIP Scope . . . . . . . . . . . . . . . . . . . . . . . 7 + 2. Terms and Definitions . . . . . . . . . . . . . . . . . . . . 7 + 2.1. Requirements Terminology . . . . . . . . . . . . . . . . 7 + 2.2. Definitions . . . . . . . . . . . . . . . . . . . . . . . 7 + 3. UAS RID Problem Space . . . . . . . . . . . . . . . . . . . . 14 + 3.1. Network RID . . . . . . . . . . . . . . . . . . . . . . . 15 + 3.2. Broadcast RID . . . . . . . . . . . . . . . . . . . . . . 16 + 3.3. DRIP Focus . . . . . . . . . . . . . . . . . . . . . . . 16 + 4. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 17 + 4.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 18 + 4.2. Identifier . . . . . . . . . . . . . . . . . . . . . . . 19 + 4.3. Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 20 + 4.4. Registries . . . . . . . . . . . . . . . . . . . . . . . 20 + 5. Discussion and Limitations . . . . . . . . . . . . . . . . . 21 + 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 + 7. Security Considerations . . . . . . . . . . . . . . . . . . . 23 + 8. Privacy and Transparency Considerations . . . . . . . . . . . 23 + 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 24 + 9.1. Normative References . . . . . . . . . . . . . . . . . . 24 + 9.2. Informative References . . . . . . . . . . . . . . . . . 24 + Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 27 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 28 -1. Introduction +1. Introduction (Informative) +1.1. 
Overall Context - Many considerations (especially safety) dictate that UAS be remotely - identifiable. Any observer with responsibilities involving aircraft - inherently must classify them situationally according to basic - considerations, as illustrated notionally in Figure 1 below. + Many considerations (especially safety and security) dictate that UAS + be remotely identifiable. Any Observer with responsibilities + involving aircraft inherently must classify Unmanned Aircraft (UA) + situationally according to basic considerations, as illustrated + notionally in Figure 1 below. An Observer who classifies an UAS: as + Taskable, can ask it to do something useful; as Low Concern, can + reasonably assume it is not malicious, and would cooperate with + requests to modify its flight plans for safety reasons; as High + Concern or Unidentified, is worth focused surveillance. xxxxxxx +--------------+ x x No | | x ID? x+---->| UNIDENTIFIED | x x | | xxxxxxx +--------------+ + | Yes v xxxxxxx 
@@ -104,217 +112,261 @@ | x x | | xxxxxxx | | + | v v v +--------------+ +--------------+ +--------------+ | | | | | | | TASKABLE | | LOW CONCERN | | HIGH CONCERN | | | | | | | +--------------+ +--------------+ +--------------+ - Figure 1 + Figure 1: "Notional UAS Classification"> Civil Aviation Authorities (CAAs) worldwide are mandating Unmanned Aircraft System Remote Identification and tracking (UAS RID). The European Union Aviation Safety Agency (EASA) has published [Delegated] and [Implementing] Regulations. The United States (US) Federal Aviation Administration (FAA) has published a Notice of - Proposed Rule Making ([NPRM]) and has described the key role that UAS + Proposed Rule Making [NPRM] and has described the key role that UAS RID plays in UAS Traffic Management (UTM [CONOPS] especially Section 2.6). CAAs currently (2020) promulgate performance-based regulations that do not specify techniques, but rather cite industry consensus technical standards as acceptable means of compliance. ASTM International, Technical Committee F38 (UAS), Subcommittee F38.02 (Aircraft Operations), Work Item WK65041, developed ASTM F3411-19 [F3411-19] Standard Specification for Remote ID and Tracking. It defines two means of UAS RID: Network RID defines a set of information for UAS to make available - globally indirectly via the Internet. + globally indirectly via the Internet, through servers that can be + queried by Observers. Broadcast RID defines a set of messages for Unmanned Aircraft (UA) - to transmit locally directly one-way over Bluetooth or Wi-Fi. + to transmit locally directly one-way over Bluetooth or Wi-Fi, to + be received in real time by local Observers. - Generally the same information must provided via both means. Network - RID depends upon Internet connectivity in several segments from the - UAS to the observer. 
Broadcast RID should need Internet (or other - Wide Area Network) connectivity only for UAS registry information - lookup using the directly locally received UAS ID as a key. + The same information must be provided via both means. The + presentation may differ, as Network RID defines a data dictionary, + whereas Broadcast RID defines message formats (which carry items from + that same data dictionary). The frequency with which it is sent may + differ, as Network RID can accomodate Observer queries asynchronous + to UAS updates (which generally need be send only when information, + such as position, changes), whereas Broadcast RID depends upon + Observers receiving UA messages at the time they are transmitted. + Network RID depends upon Internet connectivity in several segments + from the UAS to each Observer. Broadcast RID should need Internet + (or other Wide Area Network) connectivity only for UAS registry + information lookup using the directly locally received UAS Identifier + (UAS ID) as a key. - [F3411-19] specifies 3 UAS ID types: + [F3411-19] specifies three UAS ID types: TYPE-1 A static, manufacturer assigned, hardware serial number per ANSI/CTA-2063-A "Small Unmanned Aerial System Serial Numbers" [CTA2063A]. TYPE-2 A CAA assigned (presumably static) ID. TYPE-3 A UTM system assigned UUID [RFC4122], which can but need not be dynamic. The EU allows only Type 1; the US allows Types 1 and 3, but requires Type 3 IDs (if used) each to be used only once (for a single UAS flight, which in the context of UTM is called an "operation"). 
- [F3411-19] Broadcast RID transmits all information in the clear as - plaintext (ASCII or binary), so static IDs enable trivial correlation - of patterns of use, unacceptable in many applications, e.g., package + [F3411-19] Broadcast RID transmits all information as cleartext + (ASCII or binary), so static IDs enable trivial correlation of + patterns of use, unacceptable in many applications, e.g., package delivery routes of competitors. + [WG105] addreses a "different scope than Direct Remote + Identification... latter being primarily meant for security + purposes... rather than for safety purposes (e.g. hazards + deconfliction..." Aviation community standards set a higher bar for + safety than for security. It "leaves the opportunity for those + manufacturers who would prefer to merge both functions to do so... + The purpose of the e-Identification function is to transmit, towards + the U-space infrastructure and/or other UA, a set of information for + safety (traffic management) purposes..." In addition to RID's + Broadcast and Network one-way to Observers), it will use V2V to other + UA (also perhaps to and/or from some manned aircraft). + +1.2. Intended Use + An ID is not an end in itself; it exists to enable lookups and provision of services complementing mere identification. Minimal specified information must be made available to the public; access to other data, e.g., UAS operator Personally Identifiable Information (PII), must be limited to strongly authenticated personnel, properly authorized per policy. The balance between privacy and transparency remains a subject for public debate and regulatory action; DRIP can only offer tools to expand the achievable trade space and enable trade-offs within that space. 
[F3411-19] - specifies only how to get the UAS ID to the observer; how the - observer can perform these lookups, and how the registries first can + specifies only how to get the UAS ID to the Observer; how the + Observer can perform these lookups, and how the registries first can be populated with information, is unspecified. Using UAS RID to facilitate vehicular (V2X) communications and applications such as Detect And Avoid (DAA, which would impose tighter latency bounds than RID itself) is an obvious possibility, explicitly contemplated in the FAA NPRM. However, applications of RID beyond RID itself have been omitted from [F3411-19]; DAA has been explicitly declared out of scope in ASTM working group discussions, based on a distinction between RID as a security standard vs DAA as a safety application. Although dynamic establishment of secure - communications between the observer and the UAS pilot seems to have + communications between the Observer and the UAS pilot seems to have been contemplated by the FAA UAS ID and Tracking Aviation Rulemaking Committee (ARC) in their [Recommendations], it is not addressed in any of the subsequent proposed regulations or technical specifications. The need for near-universal deployment of UAS RID is pressing. This - implies the need to support use by observers of already ubiquitous + implies the need to support use by Observers of already ubiquitous mobile devices (typically smartphones and tablets). Anticipating likely CAA requirements to support legacy devices, especially in light of [Recommendations], [F3411-19] specifies that any UAS sending Broadcast RID over Bluetooth must do so over Bluetooth 4, regardless of whether it also does so over newer versions; as UAS sender devices - and observer receiver devices are unpaired, this implies extremely + and Observer receiver devices are unpaired, this implies extremely short "advertisement" (beacon) frames. 
UA onboard RID devices are severely constrained in Cost, Size, Weight and Power ($SWaP). Cost is a significant impediment to the necessary - near-universal adoption of UAS send and observer receive RID + near-universal adoption of UAS send and Observer receive RID capabilities. $SWaP is a burden not only on the designers of new UA for production and sale, but also on owners of existing UA that must be retrofit. Radio Controlled (RC) aircraft modelers, "hams" who use licensed amateur radio frequencies to control UAS, drone hobbyists and others who custom build UAS all need means of participating in UAS RID sensitive to both generic $SWaP and application-specific considerations. To accommodate the most severely constrained cases, all these conspire to motivate system design decisions, especially for the Broadcast RID data link, which complicate the protocol design problem: one-way links; extremely short packets; and Internet- disconnected operation of UA onboard devices. Internet-disconnected - operation of observer devices has been deemed by ASTM F38.02 too + operation of Observer devices has been deemed by ASTM F38.02 too infrequent to address, but for some users is important and presents further challenges. Despite work by regulators and Standards Development Organizations (SDOs), there are substantial gaps in UAS standards generally and UAS - RID specifically. [Roadmap] especially Section 7.8 catalogs UAS RID - standards, ongoing standardization activities and gaps. + RID specifically. [Roadmap] catalogs UAS related standards, ongoing + standardization activities and gaps (as of early 2020); Section 7.8 + catalogs those related specifically to UAS RID. Given not only packet payload length and bandwidth, but also processing and storage within the $SWaP constraints of very small (e.g. consumer toy) UA, heavyweight cryptographic security protocols are infeasible, yet trustworthiness of UAS RID information is essential. 
Under [F3411-19], even the most basic datum, the UAS ID string (typically number) itself can be merely an unsubstantiated claim. Observer devices being ubiquitous, thus popular targets for malware or other compromise, cannot be generally trusted (although the user of each device is compelled to trust that device, to some - extent); a "fair witness" functionality (inspired by [Stranger]) may - be desirable. + extent); a "fair witness" functionality (inspired by [Stranger]) is + desirable. + +1.3. DRIP Scope DRIP's initial goal is to make RID immediately actionable, in both Internet and local-only connected scenarios (especially emergencies), in severely constrained UAS environments, balancing legitimate (e.g., public safety) authorities' Need To Know trustworthy information with UAS operators' privacy. By "immediately actionable" is meant information of sufficient precision, accuracy, timeliness, etc. for - an observer to use it as the basis for immediate decisive action, + an Observer to use it as the basis for immediate decisive action, whether that be to trigger a defensive counter-UAS system, to attempt to initiate communications with the UAS operator, to accept the presence of the UAS in the airspace where/when observed as not requiring further action, or whatever, with potentially severe consequences of any action or inaction chosen based on that information. Potential follow-on goals may extend beyond providing timely and trustworthy identification data, to using it to enable identity-oriented networking of UAS. DRIP (originally Trustworthy Multipurpose Remote Identification, TM- RID) potentially could be applied to verifiably identify other types of registered things reported to be in specified physical locations, but the urgent motivation and clear initial focus is UAS. Existing Internet resources (protocol standards, services, infrastructure, and business models) should be leveraged. 
A natural Internet based architecture for UAS RID conforming to proposed regulations and external technical standards is described in a companion architecture - document [I-D.ietf-drip-arch]; this document describes only relevant - requirements. + document [drip-architecture] and elaborated in other DRIP documents; + this document describes only relevant requirements and defines + terminology for the set of DRIP documents. 2. Terms and Definitions 2.1. Requirements Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 2.2. Definitions - This section defines a set of terms that are used in DRIP documents. - This list is meant to be the DRIP terminology reference. Some of the - terms listed below are not used in this document. + This section defines a set of terms expected to be used in DRIP + documents. This list is meant to be the DRIP terminology reference. + Some of the terms listed below are not used in this document. + [RFC4949] provides a glossary of Internet security terms that should + be used where applicable. In the UAS community, the plural form of + acronyms generally is the same as the singular form, e.g. Unmanned + Aircraft System (singular) and Unmanned Aircraft Systems (plural) are + both represented as UAS. On this and other terminological issues, to + encourage comprehension necessary for adoption of DRIP by the + intended user community, that community's norms are respected herein, + and definitions are quoted in cases where they have been found in + that community's documents. $SWaP Cost, Size, Weight and Power. AAA Attestation, Authentication, Authorization, Access Control, - Accounting, Attribution, Audit. 
+ Accounting, Attribution, Audit, or any subset thereof (uses differ + by application, author and context). ABDAA - AirBorne DAA. Also known as "self-separation". + AirBorne DAA. Accomplished using systems onboard the aircraft + involved. Also known as "self-separation". ADS-B Automatic Dependent Surveillance - Broadcast. "ADS-B Out" equipment obtains aircraft position from other on-board systems - (typically GPS) and periodically broadcasts it to "ADS-B In" + (typically GNSS) and periodically broadcasts it to "ADS-B In" equipped entities, including other aircraft, ground stations and satellite based monitoring systems. AGL Above Ground Level. Relative altitude, above the variously - defined local ground level, typically of an UA, typically measured - in feet. + defined local ground level, typically of an UA, measured in feet + or meters. ATC Air Traffic Control. Explicit flight direction to pilots from ground controllers. Contrast with ATM. ATM - Air Traffic Management. All systems that assist aircraft from - departure to landing. A broader functional and geographic scope - and/or a higher layer of abstraction than ATC. + Air Traffic Management. A broader functional and geographic scope + and/or a higher layer of abstraction than ATC. "The dynamic, + integrated management of air traffic and airspace including air + traffic services, airspace management and air traffic flow + management - safely, economically and efficiently - through the + provision of facilities and seamless services in collaboration + with all parties and involving airborne and ground-based + functions." [ICAOATM] Authentication Message F3411 Message Type 2. Provides framing for authentication data, only. Basic ID Message F3411 Message Type 0. Provides UA Type, UAS ID Type and UAS ID, only. BLOS 
@@ -347,38 +399,48 @@ operation, including the marking of the UA, so that this information can be obtained without physical access to the UA". Requirement could be met with ASTM Broadcast RID: Basic ID message with UAS ID Type 1; Location/Vector message; Operator ID message; System Message. Corresponds roughly to the Broadcast RID portion of FAA NPRM Standard RID. E2E End to End. + EUROCAE + European Organisation for Civil Aviation Equipment. Aviation SDO, + originally European, now with broader membership. Cooperates + extensively with RTCA. + GBDAA - Ground Based DAA. + Ground Based DAA. Accomplished with the aid of ground based + functions. GCS Ground Control Station. The part of the UAS that the remote pilot uses to exercise C2 over the UA, whether by remotely exercising UA flight controls to fly the UA, by setting GPS waypoints, or otherwise directing its flight. + GNSS + Global Navigation Satellite System. Satellite based timing and/or + positioning with global coverage, often used to support + navigation. + GPS - Global Positioning System. In this context, misused in place of - Global Navigation Satellite System (GNSS) or more generally SATNAV - to refer generically to satellite based timing and/or positioning. + Global Positioning System. A specific GNSS, but in this context, + the term is typically misused in place of the more generic term + GNSS. GRAIN - Global Resilient Aviation Information Network. An effort to - develop an international IPv6 overlay network with end-to-end - security supporting all aspects of aviation. + Global Resilient Aviation Interoperable Network. Putative ICAO + managed IPv6 overlay internetwork per IATF. IATF International Aviation Trust Framework. ICAO effort to develop a resilient and secure by design framework for networking in support of all aspects of aviation. ICAO International Civil Aviation Organization. A United Nations specialized agency that develops and harmonizes international standards relating to aviation. 
@@ -404,145 +466,165 @@ LOS Line Of Sight. An adjectival phrase describing any information transfer that travels in a nearly straight line (e.g. electromagnetic energy, whether in the visual light, RF or other frequency range) and is subject to blockage. A term to be avoided due to ambiguity, in this context, between RF-LOS and V-LOS. MSL Mean Sea Level. Relative altitude, above the variously defined - mean sea level, typically of an UA (but in FAA NPRM for a GCS), - typically measured in feet. + mean sea level, typically of an UA (but in FAA NPRM also for a + GCS), measured in or meters. Net-RID DP Network RID Display Provider. Logical entity that aggregates data from Net-RID SPs as needed in response to user queries regarding UAS operating within specified airspace volumes, to enable display - by a user application on a user device. Under the FAA NPRM, not - recognized as a distinct entity, but a service provided by USS, - including Public Safety USS that may exist primarily for this - purpose rather than to manage any subscribed UAS. + by a user application on a user device. Potentially could provide + not only information sent via UAS RID but also information + retrieved from UAS RID registries, or information beyond UAS RID, + regarding subscribed USS. Under the FAA NPRM, not recognized as a + distinct entity, but a service provided by USS, including Public + Safety USS that may exist primarily for this purpose rather than + to manage any subscribed UAS. Net-RID SP - Network RID Service Provider. Logical entity that participates in - Network RID and provides to NetRID-DPs information on UAS it - manages. Under the FAA NPRM, the USS to which the UAS is - subscribed ("Remote ID USS"). + Network RID Service Provider. Logical entity that collects RID + messages from UAS and responds to NetRID-DP queries for + information on UAS of which it is aware. Under the FAA NPRM, the + USS to which the UAS is subscribed ("Remote ID USS"). 
Network Identification Service EU regulatory requirement for Network RID. Requirement could be met with ASTM Network RID: Basic ID message with UAS ID Type 1; Location/Vector message; Operator ID message; System Message. Corresponds roughly to the Network RID portion of FAA NPRM Standard RID. Observer - Referred to in other UAS RID documents as a "user", but there are - also other classes of UAS RID users, so here "observer" is - preferred to denote specifically an individual who has observed an - UA and wishes to know something about it, starting with its ID. + An entity (typically but not necessarily an individual human) who + has directly or indirectly observed an UA and wishes to know + something about it, starting with its ID. An observer typically + is on the ground and local (within VLOS of an observed UA), but + could be remote (observing via Network RID or other surveillance), + operating another UA, aboard another aircraft , etc. + + Operation + A flight, or series of flights of the same mission, by the same + UAS, in the same airspace volume, separated by at most brief + ground intervals. Operator - UAS operator. Typically an organization that owns or leases the - UAS. + "A person, organization or enterprise engaged in or offering to + engage in an aircraft operation." [ICAOUTM] Operator ID Message F3411 Message Type 5. Provides CAA issued Operator ID, only. + Operator ID is distinct from UAS ID. + + PIC + Pilot In Command. "The pilot designated by the operator, or in + the case of general aviation, the owner, as being in command and + charged with the safe conduct of a flight." [ICAOATM] PII Personally Identifiable Information. In this context, typically of the UAS operator, Pilot In Command (PIC) or remote pilot, but possibly of an observer or other party. - RF - Radio Frequency. May be used as an adjective or as a noun; in the - latter case, typically means Radio Frequency energy. 
+ Remote Pilot + A pilot using a GCS to exercise proximate control of an UA. + Either the PIC or under the supervision of the PIC. RF-LOS RF LOS. Typically used in describing operation of a direct radio link between a GCS and the UA under its control, potentially subject to blockage by foliage, structures, terrain or other vehicles, but less so than V-LOS. + RTCA + Radio Technical Commission for Aeronautics. US aviation SDO. + Cooperates extensively with EUROCAE. + Self-ID Message F3411 Message Type 3. Provides a 1 byte descriptor and 23 byte - ASCII free text field, only. + ASCII free text field, only. Expected to be used to provide + context on the operation, e.g. mission intent. Standard RID Per the FAA NPRM, a mode of operation that must use both Network RID (if Internet connectivity is available at the time in the operating area) and Broadcast RID (always and everywhere), and must provide both pilot/GCS location and UA location. This mode is required for UAS that exceed the allowed envelope (e.g. size, range) of Limited RID and for all UAS equipped for Standard RID (even if operated within parameters that would otherwise permit Limited RID). The Broadcast RID portion corresponds roughly to EU Direct RID; the Network RID portion corresponds roughly to EU Network Identification Service. SDO Standards Development Organization. ASTM, IETF, et al. SDSP Supplemental Data Service Provider. An entity that participates in the UTM system, but provides services beyond those specified as - basic UTM system functions. + basic UTM system functions. E.g., provides weather data. System Message F3411 Message Type 4. Provides general UAS information, including remote pilot location, multiple UA group operational area, etc. U-space EU concept and emerging framework for integration of UAS into all classes of airspace, specifically including high density urban areas, sharing airspace with manned aircraft. UA Unmanned Aircraft. 
An aircraft which is intended to operate with - no pilot on board. In popular parlance, "drone". Plural form of - UA is UA. + no pilot on board. In popular parlance, "drone". UAS Unmanned Aircraft System. Composed of UA, all required on-board subsystems, payload, control station, other required off-board subsystems, any required launch and recovery equipment, all required crew members, and C2 links between UA and control - station. Plural form of UAS is UAS. + station. UAS ID UAS identifier. Although called "UAS ID", unique to the UA: neither to the operator (as previous registration numbers have been assigned), nor to the combination of GCS and UA that comprise - the UAS. Per [F3411-19], maximum length of 20 bytes. + the UAS. Per [F3411-19]: maximum length of 20 bytes; see + Section 1.1, Paragraph 7 for currently defined values. UAS ID Type Identifier type index. Per [F3411-19], 4 bits, values 0-3 already specified. UAS RID UAS Remote Identification. System for identifying UA during flight by other parties. UAS RID Verification Service System component designed to handle the authentication requirements of RID by offloading verification to a web hosted service. USS UAS Service Supplier. "A USS is an entity that assists UAS Operators with meeting UTM operational requirements that enable safe and efficient use of airspace" and "... provide services to support the UAS community, to connect Operators and other entities to enable information flow across the USS Network,and to promote - shared situational awareness among UTM participants." per - [CONOPS]. + shared situational awareness among UTM participants" per [CONOPS]. UTM UAS Traffic Management. Per ICAO, "A specific aspect of air traffic management which manages UAS operations safely, economically and efficiently through the provision of facilities and a seamless set of services in collaboration with all parties and involving airborne and ground-based functions." 
In the US, per FAA, a "traffic management" ecosystem for "uncontrolled" low altitude UAS operations, separate from, but complementary to, the FAA's ATC system for "controlled" operations of manned aircraft. @@ -601,24 +683,25 @@ information whenever the UA itself is offline. The UA may not have Internet connectivity of its own, but have instead some other form of communications to another node that can relay RID information to the Internet; this would typically be the GCS (which to perform its function must know where the UA is). The UA may have no means of sourcing RID information, in which case the GCS must source it; this is typical under FAA NPRM Limited RID proposed rules, which require providing the location of the GCS (not that of the UA). In the extreme case, this could be the pilot using - a web browser to designate, to an UAS Service Supplier (USS) or other - UTM entity, a time-bounded airspace volume in which an operation will - be conducted; this may impede disambiguation of ID if multiple UAS - operate in the same or overlapping spatio-temporal volumes. + a web browser/application to designate, to an UAS Service Supplier + (USS) or other UTM entity, a time-bounded airspace volume in which an + operation will be conducted; this may impede disambiguation of ID if + multiple UAS operate in the same or overlapping spatio-temporal + volumes. In most cases in the near term, if the RID information is fed to the Internet directly by the UA or GCS, the first hop data links will be cellular Long Term Evolution (LTE) or Wi-Fi, but provided the data link can support at least UDP/IP and ideally also TCP/IP, its type is generally immaterial to the higher layer protocols. An UAS as the ultimate source of Network RID information feeds an USS acting as a Network RID Service Provider (Net-RID SP), which essentially proxies for that and other sources; an observer or other ultimate consumer of Network RID information obtains it from a Network RID Display 
@@ -630,21 +713,21 @@ Network RID is the more flexible and less constrained of the defined UAS RID means, but is only partially specified in [F3411-19]. It is presumed that IETF efforts supporting Broadcast RID (see next section) can be easily generalized for Network RID. 3.2. Broadcast RID [F3411-19] specifies three Broadcast RID data links: Bluetooth 4.X; Bluetooth 5.X Long Range; and Wi-Fi with Neighbor Awareness - Networking (NAN). For compliance with this standard, an UA must + Networking (NAN). For compliance with [F3411-19], an UA must broadcast (using advertisement mechanisms where no other option supports broadcast) on at least one of these; if broadcasting on Bluetooth 5.x, it is also required concurrently to do so on 4.x (referred to in [F3411-19] as Bluetooth Legacy). The selection of the Broadcast media was driven by research into what is commonly available on 'ground' units (smartphones and tablets) and what was found as prevalent or 'affordable' in UA. Further, there must be an Application Programming Interface (API) for the observer's receiving application to have access to these messages. As yet only 
@@ -665,23 +748,23 @@ immediately usable: 1. by making it trustworthy (despite the severe constraints of Broadcast RID); 2. by enabling verification that an UAS is registered, and if so, in which registry (for classification of trusted operators on the basis of known registry vetting, even by observers lacking Internet connectivity at observation time); - 3. by facilitating independent reports of UA location to confirm or - refute the operator self-reports upon which UAS RID and UTM - tracking are based; + 3. by facilitating independent reports of UA's aeronautical data + (location, velocity, etc.) to confirm or refute the operator + self-reports upon which UAS RID and UTM tracking are based; 4. by enabling instant establishment, by authorized parties, of secure communications with the remote pilot. Any UA can assert any ID using the [F3411-19] required Basic ID message, which lacks any provisions for verification. The Position/ Vector message likewise lacks provisions for verification, and does not contain the ID, so must be correlated somehow with a Basic ID message: the developers of [F3411-19] have suggested using the MAC addresses, but these may be randomized by the operating system stack 
@@ -736,29 +819,29 @@ have multiple IDs, potentially in different registries, but each ID must clearly indicate in which registry it can be found. GEN-4 Readability: DRIP MUST enable information (regulation required elements, whether sent via UAS RID or looked up in registries) to be read and utilized by both humans and software. GEN-5 Gateway: DRIP MUST enable Broadcast RID -> Network RID - gateways to stamp messages with precise date/time received - and receiver location, then relay them to a network service - (e.g. SDSP or distributed ledger), to support three - objectives: mark up a RID message with where and when it was - actually received (which may agree or disagree with the self- - report in the set of messages); defend against reply attacks; - and support optional SDSP services such as multilateration - (to complement UAS position self-reports with independent - measurements). + application layer gateways to stamp messages with precise + date/time received and receiver location, then relay them to + a network service (e.g. SDSP or distributed ledger), to + support three objectives: mark up a RID message with where + and when it was actually received (which may agree or + disagree with the self-report in the set of messages); defend + against reply attacks; and support optional SDSP services + such as multilateration (to complement UAS position self- + reports with independent measurements). GEN-6 Finger (placeholder name): DRIP MUST enable dynamically establishing, with AAA, per policy, E2E strongly encrypted communications with the UAS RID sender and entities looked up from the UAS ID, including at least the remote pilot and USS. GEN-7 QoS: DRIP MUST enable policy based specification of performance and reliability parameters, such as maximum message transmission intervals and delivery latencies. 
@@ -774,82 +857,94 @@ GEN-10 Multicast: DRIP SHOULD support multicast for efficient and flexible publish-subscribe notifications, e.g., of UAS reporting positions in designated sensitive airspace volumes. GEN-11 Management: DRIP SHOULD support monitoring of the health and coverage of Broadcast and Network RID services. 4.2. Identifier - ID-1 Length: The DRIP [UAS] entity [remote] identifier must be no + ID-1 Length: The DRIP (UAS) entity [remote] identifier must be no longer than 20 bytes (per [F3411-19] to fit in a Bluetooth 4 advertisement payload). ID-2 Registry ID: The DRIP identifier MUST be sufficient to identify - a registry in which the [UAS] entity identified therewith is + a registry in which the (UAS) entity identified therewith is listed. ID-3 Entity ID: The DRIP identifier MUST be sufficient to enable - lookup of other data associated with the [UAS] entity + lookup of other data associated with the (UAS) entity identified therewith in that registry. ID-4 Uniqueness: The DRIP identifier MUST be unique within a to-be- defined scope. ID-5 Non-spoofability: The DRIP identifier MUST be non-spoofable within the context of Remote ID broadcast messages (some collection of messages provides proof of UA ownership of ID). ID-6 Unlinkability: A DRIP UAS ID MUST NOT facilitate adversarial correlation over multiple UAS operations; this may be accomplished e.g. by limiting each identifier to a single use, but if so, the UAS ID MUST support well-defined scalable timely registration methods. + Note that Registry ID and Entity ID are requirements on a single DRIP + entity Identifier, not separate (types of) ID. In the most common + use case, the Entity will be the UA, and the DRIP Identifier will be + the UAS ID; however, other entities may also benefit from having DRIP + identifiers, so the Entity type is not prescribed here. 
+ Whether a UAS ID is generated by the operator, GCS, UA, USS or registry, or some collaboration thereamong, is unspecified; however, there must be agreement on the UAS ID among these entities. 4.3. Privacy PRIV-1 Confidential Handling: DRIP MUST enable confidential handling of private information (i.e., any and all information designated by neither cognizant authority nor the information owner as public, e.g., personal data). PRIV-2 Encrypted Transport: DRIP MUST enable selective strong encryption of private data in motion in such a manner that only authorized actors can recover it. If transport is via IP, then encryption MUST be end-to-end, at or above the IP - layer. + layer. DRIP MUST NOT encrypt safety critical data to be + transmitted over Broadcast RID unless also concurrently + sending that data via Network RID and obtaining frequent + confirmations of receipt. - PRIV-3 Encrypted Storage: DRIP SHOULD enable selective strong + PRIV-3 Encrypted Storage: DRIP SHOULD facilitate selective strong encryption of private data at rest in such a manner that only authorized actors can recover it. - As satisfying these requirements may require that authorized actors - have connectivity to third parties, e.g., Internet to a Remote ID - USS, to enable decryption, and such connectivity cannot be assured, - DRIP SHOULD provide automatic fallback to plaintext transmission of - safety-critical information when necessary. + How information is stored on end systems is out of scope for DRIP. + Encouraging privacy best practices, including end system storage + encryption, by facilitating it with protocol design reflecting such + considerations, is in scope. 4.4. Registries REG-1 Public Lookup: DRIP MUST enable lookup, from the UAS ID, of - information designated by cognizant authority as public. + information designated by cognizant authority as public, and + MUST NOT restrict access to this information based on identity + of the party submitting the query. 
- REG-2 Private Lookup: DRIP MUST enable lookup, with AAA, per policy, - of private information (i.e., any and all information in a - registry, associated with the UAS ID, that is designated by - neither cognizant authority nor the information owner as - public). + REG-2 Private Lookup: DRIP MUST enable lookup of private information + (i.e., any and all information in a registry, associated with + the UAS ID, that is designated by neither cognizant authority + nor the information owner as public), and MUST, per policy, + enforce AAA, including restriction of access to this + information based on identity of the party submitting the + query. REG-3 Provisioning: DRIP MUST enable provisioning registries with static information on the UAS and its operator, dynamic information on its current operation within the UTM (including means by which the USS under which the UAS is operating may be contacted for further, typically even more dynamic, information), and Internet direct contact information for services related to the foregoing. REG-4 AAA Policy: DRIP MUST enable closing the AAA-policy registry 
@@ -926,118 +1021,239 @@ This will bring the benefit of a global integrated system creating a global airspace use awareness. 6. IANA Considerations This document does not make any IANA request. 7. Security Considerations DRIP is all about safety and security, so content pertaining to such - is not limited to this section. DRIP information falls into two - classes: that which, to achieve the purpose, must be published openly - in clear plaintext, for the benefit of any observer; and that which - must be protected (e.g., PII of pilots) but made available to - properly authorized parties (e.g., public safety personnel who - urgently need to contact pilots in emergencies). This classification - must be made explicit and reflected with markings, design, etc. - Classifying the information will be addressed primarily in external - standards; herein it will be regarded as a matter for CAA, registry - and operator policies, for which enforcement mechanisms will be - defined within the scope of DRIP WG and offered. Details of the - protection mechanisms will be provided in other DRIP documents. - Mitigation of adversarial correlation will also be addressed. + is not limited to this section. Potential vulnerabilities of DRIP + include but are not limited to: -Acknowledgments + * Sybil attacks - The work of the FAA's UAS Identification and Tracking (UAS ID) - Aviation Rulemaking Committee (ARC) is the foundation of later ASTM - [F3411-19] and IETF DRIP WG efforts. The work of ASTM F38.02 in - balancing the interests of diverse stakeholders is essential to the - necessary rapid and widespread deployment of UAS RID. + * Confusion created by many spoofed unsigned messages -References + * Processing overload induced by attempting to verify many spoofed + signed messages (where verification will fail but still consume + cycles) -Normative References + * Malicious or malfunctioning registries + + * Interception of (e.g. Man In The Middle attacks on) registration + messages + +8. 
Privacy and Transparency Considerations + + Privacy is closely related to but not synonomous with security, and + conflicts with transparency. Privacy and transparency are important + for legal reasons including regulatory consistency. [EU2018] + [EU2018]states "harmonised and interoperable national registration + systems... should comply with the applicable Union and national law + on privacy and processing of personal data, and the information + stored in those registration systems should be easily accessible." + + Privacy and transparency (where essential to security or safety) are + also ethical and moral imperatives. Even in cases where old + practices (e.g. automobile registration plates) could be imitated, + when new applications involving PII (such as UAS RID) are addressed + and newer technologies could enable improving privacy, such + opportunities should not be squandered. Thus is is recommended that + all DRIP documents give due regard to [RFC6973] and more broadly + [RFC8280]. + + DRIP information falls into two classes: that which, to achieve the + purpose, must be published openly as cleartext, for the benefit of + any Observer (e.g. the basic UAS ID itself); and that which must be + protected (e.g., PII of pilots) but made available to properly + authorized parties (e.g., public safety personnel who urgently need + to contact pilots in emergencies). This classification must be made + explicit and reflected with markings, design, etc. Classifying the + information will be addressed primarily in external standards; herein + it will be regarded as a matter for CAA, registry and operator + policies, for which enforcement mechanisms will be defined within the + scope of DRIP WG and offered. Details of the protection mechanisms + will be provided in other DRIP documents. Mitigation of adversarial + correlation will also be addressed. + +9. References + +9.1. 
Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . -Informative References +9.2. Informative References [CONOPS] FAA Office of NextGen, "UTM Concept of Operations v2.0", March 2020. [cpdlc] Gurtov, A., Polishchuk, T., and M. Wernberg, "Controller- Pilot Data Link Communication Security", MDPI Sensors 18(5), 1636, 2018, . + [crowd-sourced-rid] + Moskowitz, R., Card, S., Wiethuechter, A., Zhao, S., and + H. Birkholz, "Crowd Sourced Remote ID", Work in Progress, + Internet-Draft, draft-moskowitz-drip-crowd-sourced-rid-04, + 20 May 2020, . + [CTA2063A] ANSI, "Small Unmanned Aerial Systems Serial Numbers", September 2019. [Delegated] European Union Aviation Safety Agency (EASA), "Commission Delegated Regulation (EU) 2019/945 of 12 March 2019 on unmanned aircraft systems and on third-country operators of unmanned aircraft systems", March 2019. + [drip-architecture] + Card, S., Wiethuechter, A., Moskowitz, R., Zhao, S., and + A. Gurtov, "Drone Remote Identification Protocol (DRIP) + Architecture", Work in Progress, Internet-Draft, draft- + ietf-drip-arch-02, 23 June 2020, + . + + [drip-auth] + Wiethuechter, A., Card, S., and R. Moskowitz, "DRIP + Authentication Formats", Work in Progress, Internet-Draft, + draft-wiethuechter-drip-auth-01, 10 July 2020, + . + + [drip-identity-claims] + Wiethuechter, A., Card, S., and R. Moskowitz, "DRIP + Identity Claims", Work in Progress, Internet-Draft, draft- + wiethuechter-drip-identity-claims-00, 23 March 2020, + . + + [drip-secure-nrid-c2] + Moskowitz, R., Card, S., Wiethuechter, A., and A. Gurtov, + "Secure UAS Network RID and C2 Transport", Work in + Progress, Internet-Draft, draft-moskowitz-drip-secure- + nrid-c2-00, 6 April 2020, . 
+ + [drip-uas-rid] + Moskowitz, R., Card, S., Wiethuechter, A., and A. Gurtov, + "UAS Remote ID", Work in Progress, Internet-Draft, draft- + moskowitz-drip-uas-rid-02, 28 May 2020, + . + + [EU2018] European Parliament and Council, "2015/0277 (COD) PE-CONS + 2/18", February 2018. + [F3411-19] ASTM, "Standard Specification for Remote ID and Tracking", December 2019. - [I-D.ietf-drip-arch] - Card, S., Wiethuechter, A., Moskowitz, R., and S. Zhao, - "Drone Remote Identification Protocol (DRIP) - Architecture", Work in Progress, Internet-Draft, draft- - ietf-drip-arch-00, 18 May 2020, - . + [hhit-registries] + Moskowitz, R., Card, S., and A. Wiethuechter, + "Hierarchical HIT Registries", Work in Progress, Internet- + Draft, draft-moskowitz-hip-hhit-registries-02, 9 March + 2020, . + + [hierarchical-hit] + Moskowitz, R., Card, S., and A. Wiethuechter, + "Hierarchical HITs for HIPv2", Work in Progress, Internet- + Draft, draft-moskowitz-hip-hierarchical-hit-05, 13 May + 2020, . [I-D.maeurer-raw-ldacs] Maeurer, N., Graeupl, T., and C. Schmitt, "L-band Digital Aeronautical Communications System (LDACS)", Work in - Progress, Internet-Draft, draft-maeurer-raw-ldacs-02, 1 - April 2020, - . + Progress, Internet-Draft, draft-maeurer-raw-ldacs-04, 2 + July 2020, + . + + [ICAOATM] International Civil Aviation Organization, "Doc 4444: + Procedures for Air Navigation Services: Air Traffic + Management", November 2016. + + [ICAOUTM] International Civil Aviation Organization, "Unmanned + Aircraft Systems Traffic Management (UTM) - A Common + Framework with Core Principles for Global Harmonization, + Edition 2", November 2019. [Implementing] European Union Aviation Safety Agency (EASA), "Commission Implementing Regulation (EU) 2019/947 of 24 May 2019 on the rules and procedures for the operation of unmanned aircraft", May 2019. + [new-hip-crypto] + Moskowitz, R., Card, S., and A. 
Wiethuechter, "New + Cryptographic Algorithms for HIP", Work in Progress, + Internet-Draft, draft-moskowitz-hip-new-crypto-04, 23 + January 2020, . + + [new-orchid] + Moskowitz, R., Card, S., and A. Wiethuechter, "Using + cSHAKE in ORCHIDs", Work in Progress, Internet-Draft, + draft-moskowitz-orchid-cshake-01, 21 May 2020, + . + [NPRM] United States Federal Aviation Administration (FAA), "Notice of Proposed Rule Making on Remote Identification of Unmanned Aircraft Systems", December 2019. [Recommendations] FAA UAS Identification and Tracking Aviation Rulemaking Committee, "UAS ID and Tracking ARC Recommendations Final Report", September 2017. [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally Unique IDentifier (UUID) URN Namespace", RFC 4122, DOI 10.17487/RFC4122, July 2005, . + [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", + FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, + . + + [RFC6973] Cooper, A., Tschofenig, H., Aboba, B., Peterson, J., + Morris, J., Hansen, M., and R. Smith, "Privacy + Considerations for Internet Protocols", RFC 6973, + DOI 10.17487/RFC6973, July 2013, + . + + [RFC8280] ten Oever, N. and C. Cath, "Research into Human Rights + Protocol Considerations", RFC 8280, DOI 10.17487/RFC8280, + October 2017, . + [Roadmap] American National Standards Institute (ANSI) Unmanned Aircraft Systems Standardization Collaborative (UASSC), "Standardization Roadmap for Unmanned Aircraft Systems draft v2.0", April 2020. [Stranger] Heinlein, R.A., "Stranger in a Strange Land", June 1961. + [WG105] European Parliament and Council, "EUROCAE WG-105 draft + Minimum Operational Performance Standards (MOPS) for + Unmanned Aircraft System (UAS) Electronic + Identification"", June 2020. + Acknowledgments The work of the FAA's UAS Identification and Tracking (UAS ID) Aviation Rulemaking Committee (ARC) is the foundation of later ASTM [F3411-19] and IETF DRIP efforts. 
The work of ASTM F38.02 in balancing the interests of diverse stakeholders is essential to the necessary rapid and widespread deployment of UAS RID. IETF volunteers who have contributed to this draft include Amelia Andersdotter, Mohamed Boucadair, Toerless Eckert, Susan Hares, Mika Järvenpää, Daniel Migault, Saulo Da Silva and Shuai @@ -1062,16 +1278,16 @@ Email: adam.wiethuechter@axenterprize.com Robert Moskowitz HTT Consulting Oak Park, MI 48237 United States of America Email: rgm@labs.htt-consult.com Andrei Gurtov - Linköping University + Linköping University IDA - SE-58183 Linköping + SE-58183 Linköping Sweden Email: gurtov@acm.org
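Review bot: In the definitions hunk, the new UAS ID text "see Section 1.1, Paragraph 7 for currently defined values" cites a paragraph by ordinal position, which will silently point at the wrong text as soon as a paragraph is added or removed above it. The values in question appear to be those of the UAS ID Type entry directly below ("values 0-3 already specified"), so consider referring to that entry by name or giving the list its own numbered subsection.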
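Review bot: In the GEN-5 Gateway hunk (@@ -736,29 +819,29 @@), the rewrapped requirement still reads "defend against reply attacks". The objective described, stamping each relayed message with the time and place it was actually received so that it can be compared with its self-report, is a defence against replay attacks, so the word should be fixed while the paragraph is being touched. The added qualifier "application layer gateways" is also not among the definitions shown in this diff; a one-line definition or a pointer to one would help.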
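Review bot: In the 4.3 Privacy hunk (@@ -774,82 +857,94 @@), the new PRIV-2 sentence allows encrypting safety critical Broadcast RID data when the sender is "obtaining frequent confirmations of receipt", but neither "frequent" nor the required behaviour when confirmations stop arriving is specified, and the same hunk deletes the paragraph saying DRIP SHOULD provide automatic fallback to plaintext transmission of safety-critical information. Suggest stating what the sender must do on loss of confirmations (for example, revert to cleartext broadcast) and tying "frequent" to the performance parameters of GEN-7 QoS.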
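Review bot: In the Section 7 rewrite (@@ -926,118 +1021,239 @@), the new list of potential vulnerabilities names five threats without a mitigation or a pointer to the requirement that addresses each; in particular, nothing shown in this diff bounds the "processing overload induced by attempting to verify many spoofed signed messages". Suggest cross-referencing ID-5 and GEN-5 where they apply and saying which document will handle the overload case. Editorial items in the same hunk: "synonomous" should be "synonymous", "Thus is is recommended" has a doubled word, "[EU2018] [EU2018]states" repeats the citation and lacks a space, and the [WG105] entry ends with a stray second quotation mark and lists "European Parliament and Council" as author of a EUROCAE draft, which looks copied from the [EU2018] entry.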