draft-ietf-ecrit-security-threats-00.txt   draft-ietf-ecrit-security-threats-01.txt 
ECRIT T. Taylor ECRIT T. Taylor
Internet-Draft (Editor) Nortel Internet-Draft (Editor) Nortel
Expires: September 21, 2006 H. Tschofenig Expires: October 19, 2006 H. Tschofenig
Siemens Siemens
H. Schulzrinne H. Schulzrinne
Columbia U. Columbia U.
M. Shanmugam M. Shanmugam
Siemens Siemens
March 20, 2006 April 17, 2006
Security Threats and Requirements for Emergency Call Marking and Mapping Security Threats and Requirements for Emergency Call Marking and Mapping
draft-ietf-ecrit-security-threats-00.txt draft-ietf-ecrit-security-threats-01.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 39 skipping to change at page 1, line 39
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 21, 2006. This Internet-Draft will expire on October 19, 2006.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2006). Copyright (C) The Internet Society (2006).
Abstract Abstract
This document reviews the security threats associated with the two This document reviews the security threats associated with the two
current work items of the ECRIT Working Group. The first is the current work items of the ECRIT Working Group. The first is the
marking of signalling messages to indicate that they are related to marking of signalling messages to indicate that they are related to
skipping to change at page 2, line 21 skipping to change at page 2, line 21
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Marking, mapping, and the emergency call routing process . . . 5 3. Marking, mapping, and the emergency call routing process . . . 5
4. Objectives of attackers . . . . . . . . . . . . . . . . . . . 6 4. Objectives of attackers . . . . . . . . . . . . . . . . . . . 6
5. Potential attacks . . . . . . . . . . . . . . . . . . . . . . 7 5. Potential attacks . . . . . . . . . . . . . . . . . . . . . . 7
5.1. Attacks involving the emergency identifier . . . . . . . . 7 5.1. Attacks involving the emergency identifier . . . . . . . . 7
5.2. Attacks against or using the mapping process . . . . . . . 7 5.2. Attacks against or using the mapping process . . . . . . . 7
5.2.1. Attacks against the emergency response system . . . . 7 5.2.1. Attacks against the emergency response system . . . . 8
5.2.2. Attacks to prevent a specific individual from 5.2.2. Attacks to prevent a specific individual from
receiving aid . . . . . . . . . . . . . . . . . . . . 9 receiving aid . . . . . . . . . . . . . . . . . . . . 9
5.2.3. Attacks to gain information about an emergency . . . . 9 5.2.3. Attacks to gain information about an emergency . . . . 9
6. Security requirements relating to ECRIT work items . . . . . . 11 6. Security requirements relating to ECRIT work items . . . . . . 11
7. Security Considerations . . . . . . . . . . . . . . . . . . . 13 7. Security Considerations . . . . . . . . . . . . . . . . . . . 13
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 14 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 14
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16
10.1. Normative References . . . . . . . . . . . . . . . . . . . 16 10.1. Normative References . . . . . . . . . . . . . . . . . . . 16
10.2. Informative References . . . . . . . . . . . . . . . . . . 16 10.2. Informative References . . . . . . . . . . . . . . . . . . 16
skipping to change at page 5, line 36 skipping to change at page 5, line 36
client to pass location information to the mapping server and to client to pass location information to the mapping server and to
receive back a URI which can be used to direct call signalling to a receive back a URI which can be used to direct call signalling to a
PSAP. PSAP.
Since mapping requires location information for input, when and where Since mapping requires location information for input, when and where
the location information is acquired imposes constraints upon when the location information is acquired imposes constraints upon when
mapping can be done and which devices can act as mapping clients. mapping can be done and which devices can act as mapping clients.
The key distinction in "when" is before the emergency or during the The key distinction in "when" is before the emergency or during the
emergency. The key distinction in "where" is at the emergency emergency. The key distinction in "where" is at the emergency
caller's device or at another device in the signalling path between caller's device or at another device in the signalling path between
the emergency caller and the PSAP. The device that acquires the the emergency caller and the PSAP. The mapping client can be the
location information can be the mapping client, and so can any device device that acquires the location information or any device
downstream of that point. It is even possible for a PSAP itself to downstream of that point. It is even possible for a PSAP itself to
initiate mapping, to determine whether an arriving call should be initiate mapping, to determine whether an arriving call should be
handled by a call taker at that PSAP or should be proxied to another handled by a call taker at that PSAP or should be proxied to another
PSAP. PSAP.
4. Objectives of attackers 4. Objectives of attackers
Attackers may direct their efforts either against a portion of the Attackers may direct their efforts either against a portion of the
emergency response system or against an individual. Attacks against emergency response system or against an individual. Attacks against
the emergency response system have three possible objectives: the emergency response system have three possible objectives:
o to deny system services to all users in a given area. The o to deny system services to all users in a given area. The
motivation may range from thoughtless vandalism, to wide-scale motivation may range from thoughtless vandalism, to wide-scale
criminality, to terrorism. One interesting variant on this criminality, to terrorism. One interesting variant on this
motivation is the case where a victim of a large emergency hopes motivation is the case where a victim of a large emergency hopes
to gain faster service by blocking others' competing calls for to gain faster service by blocking others' competing calls for
help. help.
o attacks by the caller to gain fraudulent use of services, by using o to gain fraudulent use of services, by using an emergency
an emergency identifier to bypass normal authentication, identifier to bypass normal authentication, authorization, and
authorization, and accounting procedures. accounting procedures.
o to divert emergency responders to non-emergency sites. No attacks o to divert emergency responders to non-emergency sites. No attacks
affecting the ECRIT Working Group's decisions on the emergency affecting the ECRIT Working Group's decisions on the emergency
identifier and mapping protocol have been identified that achieve identifier and mapping protocol have been identified that achieve
this objective this objective
Attacks against an individual fall into two classes: Attacks against an individual fall into two classes:
o attacks to prevent an individual from receiving aid; o attacks to prevent an individual from receiving aid;
skipping to change at page 7, line 31 skipping to change at page 7, line 31
it without applying normal procedures for authentication and it without applying normal procedures for authentication and
authorization because the signalling carries the emergency authorization because the signalling carries the emergency
identifier. identifier.
d. The service provider routes it according to the called address d. The service provider routes it according to the called address
(e.g., SIP Request-URI), without verifying that this is the (e.g., SIP Request-URI), without verifying that this is the
address of a PSAP (noting that a URI by itself does not indicate address of a PSAP (noting that a URI by itself does not indicate
the nature of the entity it is pointing to). the nature of the entity it is pointing to).
If these conditions are satisfied, the attacker can bypass normal If these conditions are satisfied, the attacker can bypass normal
ASP/VSP authorization procedures for arbitrary destinations, simply service provider authorization procedures for arbitrary destinations,
by reprogramming the emergency caller's device to add the emergency simply by reprogramming the emergency caller's device to add the
identifier to non-emergency call signalling. Most probably in this emergency identifier to non-emergency call signalling. Most probably
case, the call signalling will not include any location information. in this case, the call signalling will not include any location
information.
An attacker wishing to disrupt the emergency call routing system may An attacker wishing to disrupt the emergency call routing system may
use a similar technique to target components of that system for a use a similar technique to target components of that system for a
denial of service attack. The attacker will find this attractive to denial of service attack. The attacker will find this attractive to
reach components that handle emergency calls only. Flooding attacks reach components that handle emergency calls only. Flooding attacks
are the most likely application of the technique, but it may also be are the most likely application of the technique, but it may also be
used to identify target components for other attacks by analyzing the used to identify target components for other attacks by analyzing the
content of responses to the original signalling messages. content of responses to the original signalling messages.
5.2. Attacks against or using the mapping process 5.2. Attacks against or using the mapping process
skipping to change at page 8, line 16 skipping to change at page 8, line 20
increase the probability that emergency calls are routed to the wrong increase the probability that emergency calls are routed to the wrong
PSAP. This has a double consequence: emergency response to the PSAP. This has a double consequence: emergency response to the
affected calls is delayed, and PSAP call taker resources outside the affected calls is delayed, and PSAP call taker resources outside the
immediate area of the emergency are consumed due to the extra effort immediate area of the emergency are consumed due to the extra effort
required to redirect the calls. Alternatively, attacks that cause required to redirect the calls. Alternatively, attacks that cause
the client to receive a URI that does not lead to a PSAP have the the client to receive a URI that does not lead to a PSAP have the
immediate effect of causing emergency calls to fail. immediate effect of causing emergency calls to fail.
Three basic attacks on the mapping process can be identified: denial Three basic attacks on the mapping process can be identified: denial
of service, impersonation of the mapping server, or corruption of the of service, impersonation of the mapping server, or corruption of the
mapping database. Denial of service in turn can be achieved in mapping database. Denial of service can be achieved in several ways:
several ways:
o by a flooding attack on the mapping server; o by a flooding attack on the mapping server;
o by taking control of the mapping server and either preventing it o by taking control of the mapping server and either preventing it
from responding or causing it send incorrect responses; or from responding or causing it to send incorrect responses; or
o by taking control of a router through which the mapping queries o by taking control of a router through which the mapping queries
and responses pass and using that control to block them. An and responses pass and using that control to block them. An
adversary may also attempt to modify the mapping protocol adversary may also attempt to modify the mapping protocol
signaling messages. Additionally, it might be possible to replay signaling messages. Additionally, the adversary may be able to
past communication exchanges to fool an emergency caller by replay past communication exchanges to fool an emergency caller by
returning incorrect results. returning incorrect results.
In an impersonation attack, the attacker induces the mapping client In an impersonation attack, the attacker induces the mapping client
to direct its queries to a host under the attacker's control rather to direct its queries to a host under the attacker's control rather
than the real mapping server. Impersonation itself is an issue for than the real mapping server. Impersonation itself is an issue for
mapping server discovery rather than for the mapping protocol mapping server discovery rather than for the mapping protocol
directly. However, the mapping protocol may help to protect against directly. However, the mapping protocol may help to protect against
acceptance of responses from an impersonating entity. acceptance of responses from an impersonating entity.
Corruption of the mapping database cannot be mitigated directly by Corruption of the mapping database cannot be mitigated directly by
skipping to change at page 10, line 4 skipping to change at page 10, line 6
The primary information that interceptions of mapping requests and The primary information that interceptions of mapping requests and
responses will reveal are a location, a URI identifying a PSAP, and responses will reveal are a location, a URI identifying a PSAP, and
the addresses of the mapping client and server. The location the addresses of the mapping client and server. The location
information can be directly useful to an attacker if the attacker has information can be directly useful to an attacker if the attacker has
high assurance that the observed query is related to an emergency high assurance that the observed query is related to an emergency
involving the target. The other pieces of information may provide involving the target. The other pieces of information may provide
the basis for further attacks on emergency call routing, but because the basis for further attacks on emergency call routing, but because
of the time factor, are unlikely to be applicable to the routing of of the time factor, are unlikely to be applicable to the routing of
the current call. However, if the mapping client is the emergency the current call. However, if the mapping client is the emergency
caller's device, the attacker may gain information that allows for caller's device, the attacker may gain information that allows for
interference with the call after it has been set up or interception interference with the call after it has been set up or for
of the media stream between the caller and the PSAP. interception of the media stream between the caller and the PSAP.
6. Security requirements relating to ECRIT work items 6. Security requirements relating to ECRIT work items
This section describes the security requirements which must be This section describes the security requirements which must be
fulfilled to prevent or reduce the effectiveness of the attacks fulfilled to prevent or reduce the effectiveness of the attacks
described in Section 5. The requirements are presented in the same described in Section 5. The requirements are presented in the same
order as the attacks. order as the attacks.
From Section 5.1: From Section 5.1:
Attack: fraudulent calls. Attack: fraudulent calls.
Requirement: for calls which meet conditions a-c of Section 5.1, the Requirement: for calls which meet conditions a) to c) of Section 5.1,
ASP/VSP call routing entity MUST verify that the destination address the service provider's call routing entity MUST verify that the
(e.g., SIP Request-URI) presented in the call signalling is that of a destination address (e.g., SIP Request-URI) presented in the call
PSAP. signalling is that of a PSAP.
Attack: use of emergency identifier to probe in order to identify Attack: use of emergency identifier to probe in order to identify
emergency call routing entities. emergency call routing entities.
Requirement: topology hiding SHOULD be applied to call signalling Requirement: topology hiding SHOULD be applied to call signalling
returned to the emergency caller, so that the identity of returned to the emergency caller, so that the identity of
intermediate routing entities is not disclosed. The obvious intermediate routing entities is not disclosed. The obvious
exception is where these entities are already visible to the caller. exception is where these entities are already visible to the caller.
Note that there is little point in hiding the PSAP itself. Note that there is little point in hiding the PSAP itself.
skipping to change at page 11, line 45 skipping to change at page 11, line 45
Requirement: The mapping protocol MUST NOT create new opportunities Requirement: The mapping protocol MUST NOT create new opportunities
for flooding attacks, including amplification attacks. for flooding attacks, including amplification attacks.
Attack: insertion of interfering messages. Attack: insertion of interfering messages.
Requirement: The protocol MUST permit the mapping client to verify Requirement: The protocol MUST permit the mapping client to verify
that the response it receives is responding to the query it sent out. that the response it receives is responding to the query it sent out.
Attack: man-in-the-middle alteration of messages. Attack: man-in-the-middle alteration of messages.
Requirement: The protocol MUST maintain request and response Requirement: The protocol or the system within which it is
integrity. implemented MUST maintain request and response integrity.
Attack: impersonation of the mapping server. Attack: impersonation of the mapping server.
Requirement: the security considerations for any discussion of Requirement: the security considerations for any discussion of
mapping server discovery MUST address measures to prevent mapping server discovery MUST address measures to prevent
impersonation of the mapping server. impersonation of the mapping server.
Requirement: the protocol MUST permit the mapping client to Requirement: the protocol or the system within which it is
authenticate the source of mapping responses. implemented MUST permit the mapping client to authenticate the source
of mapping responses.
Attack: corruption of the mapping database. Attack: corruption of the mapping database.
Requirement: the security considerations for the mapping protocol Requirement: the security considerations for the mapping protocol
MUST address measures to prevent database corruption by an attacker. MUST address measures to prevent database corruption by an attacker.
Requirement: to provide an audit trail, the protocol SHOULD allow the Requirement: to provide an audit trail, the protocol SHOULD allow the
inclusion of an identifier in its response that indicates which inclusion of an identifier in its response that indicates which
database records were used in preparing the response. This database records were used in preparing the response. This
identifier SHOULD be encrypted along with randomizing information identifier SHOULD be encrypted along with randomizing information
such as date/time, to minimize the information provided to an such as date/time, to minimize the information provided to an
attacker in mapping responses. attacker in mapping responses.
From Section 5.2.2: no new requirements. From Section 5.2.2: no new requirements.
From Section 5.2.3: From Section 5.2.3:
Attack: snooping of location and other information. Attack: snooping of location and other information.
Requirement: the protocol MUST maintain confidentiality of the Requirement: the protocol or the system within which it is
request and response. implemented MUST maintain confidentiality of the request and
response.
7. Security Considerations 7. Security Considerations
This document addresses security threats and security requirements. This document addresses security threats and security requirements.
Therefore, security is considered throughout this document. Therefore, security is considered throughout this document.
8. Acknowledgements 8. Acknowledgements
The writing of this document has been a task made difficult by the The writing of this document has been a task made difficult by the
temptation to consider the security concerns of the entire personal temptation to consider the security concerns of the entire personal
skipping to change at page 16, line 20 skipping to change at page 16, line 20
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3693] Cuellar, J., Morris, J., Mulligan, D., Peterson, J., and [RFC3693] Cuellar, J., Morris, J., Mulligan, D., Peterson, J., and
J. Polk, "Geopriv Requirements", RFC 3693, February 2004. J. Polk, "Geopriv Requirements", RFC 3693, February 2004.
10.2. Informative References 10.2. Informative References
[I-D.ecrit-requirements] [I-D.ecrit-requirements]
Schulzrinne, H. and R. Marshall, "Requirements for Schulzrinne, H. and R. Marshall, "Requirements for
Emergency Context Resolution with Internet Technologies", Emergency Context Resolution with Internet Technologies",
February 2006. March 2006.
[RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC [RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC
Text on Security Considerations", BCP 72, RFC 3552, Text on Security Considerations", BCP 72, RFC 3552,
July 2003. July 2003.
Authors' Addresses Authors' Addresses
Tom Taylor Tom Taylor
Nortel Nortel
1852 Lorraine Ave 1852 Lorraine Ave
 End of changes. 17 change blocks. 
32 lines changed or deleted 34 lines changed or added

This html diff was produced by rfcdiff 1.29, available from http://www.levkowetz.com/ietf/tools/rfcdiff/