draft-ietf-ecrit-security-threats-01.txt   draft-ietf-ecrit-security-threats-02.txt 
ECRIT T. Taylor ECRIT T. Taylor
Internet-Draft (Editor) Nortel Internet-Draft (Editor) Nortel
Expires: October 19, 2006 H. Tschofenig Expires: December 27, 2006 H. Tschofenig
Siemens Siemens
H. Schulzrinne H. Schulzrinne
Columbia U. Columbia U.
M. Shanmugam M. Shanmugam
Siemens Siemens
April 17, 2006 June 25, 2006
Security Threats and Requirements for Emergency Call Marking and Mapping Security Threats and Requirements for Emergency Call Marking and Mapping
draft-ietf-ecrit-security-threats-01.txt draft-ietf-ecrit-security-threats-02.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 39 skipping to change at page 1, line 39
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on October 19, 2006. This Internet-Draft will expire on December 27, 2006.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2006). Copyright (C) The Internet Society (2006).
Abstract Abstract
This document reviews the security threats associated with the two This document reviews the security threats associated with:
current work items of the ECRIT Working Group. The first is the
marking of signalling messages to indicate that they are related to o the marking of signalling messages to indicate that they are
an emergency. The second is the process of mapping from locations to related to an emergency; and
Universal Resource Identifiers (URIs) pointing to Public Safety
Answering Points (PSAPs). This mapping occurs as part of the process o the process of mapping from locations to Universal Resource
of routing emergency calls through the IP network. Based on the Identifiers (URIs) pointing to Public Safety Answering Points
threats, this document establishes a set of security requirements for (PSAPs). This mapping occurs as part of the process of routing
the the mapping protocol and for the handling of emergency-marked emergency calls through the IP network.
calls.
Based on the idnetified threats, this document establishes a set of
security requirements for the the mapping protocol and for the
handling of emergency-marked calls.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Marking, mapping, and the emergency call routing process . . . 5 3. Marking, Mapping, and the Emergency Call Routing Process . . . 5
4. Objectives of attackers . . . . . . . . . . . . . . . . . . . 6 4. Objectives of Attackers . . . . . . . . . . . . . . . . . . . 6
5. Potential attacks . . . . . . . . . . . . . . . . . . . . . . 7 5. Potential Attacks . . . . . . . . . . . . . . . . . . . . . . 7
5.1. Attacks involving the emergency identifier . . . . . . . . 7 5.1. Attacks Involving the Emergency Identifier . . . . . . . . 7
5.2. Attacks against or using the mapping process . . . . . . . 7 5.2. Attacks Against or Using the Mapping Process . . . . . . . 7
5.2.1. Attacks against the emergency response system . . . . 8 5.2.1. Attacks Against the Emergency Response System . . . . 7
5.2.2. Attacks to prevent a specific individual from 5.2.2. Attacks To Prevent a Specific Individual From
receiving aid . . . . . . . . . . . . . . . . . . . . 9 Receiving Aid . . . . . . . . . . . . . . . . . . . . 9
5.2.3. Attacks to gain information about an emergency . . . . 9 5.2.3. Attacks To Gain Information About an Emergency . . . . 9
6. Security requirements relating to ECRIT work items . . . . . . 11 6. Security Requirements Relating To Emergency Marking and
Mapping . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
7. Security Considerations . . . . . . . . . . . . . . . . . . . 13 7. Security Considerations . . . . . . . . . . . . . . . . . . . 13
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 14 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 14
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16
10.1. Normative References . . . . . . . . . . . . . . . . . . . 16 10.1. Normative References . . . . . . . . . . . . . . . . . . . 16
10.2. Informative References . . . . . . . . . . . . . . . . . . 16 10.2. Informative References . . . . . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 17 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 17
Intellectual Property and Copyright Statements . . . . . . . . . . 18 Intellectual Property and Copyright Statements . . . . . . . . . . 18
1. Introduction 1. Introduction
skipping to change at page 3, line 21 skipping to change at page 3, line 21
location and to route the call to the appropriate Public Safety location and to route the call to the appropriate Public Safety
Answering Point (PSAP) based on that location. With the introduction Answering Point (PSAP) based on that location. With the introduction
of IP-based telephony and multimedia services, support for emergency of IP-based telephony and multimedia services, support for emergency
calling via the Internet also has to be provided. As one of the calling via the Internet also has to be provided. As one of the
steps to achieve this, an emergency marker must be defined that can steps to achieve this, an emergency marker must be defined that can
be attached to call signalling to indicate that the call relates to be attached to call signalling to indicate that the call relates to
an emergency. In addition, a protocol must be developed allowing a an emergency. In addition, a protocol must be developed allowing a
client entity to submit a location and receive a URI pointing to the client entity to submit a location and receive a URI pointing to the
applicable PSAP for that location. applicable PSAP for that location.
Attacks against the PSTN (most often focusing on free calling) have Attacks against the PSTN have taken place for decades. The Internet
taken place for decades. The Internet is seen as an even more is seen as an even more hostile environment. Thus it is important to
hostile environment. Thus it is important to understand the types of understand the types of attacks that might be mounted against the
attacks that might be mounted against the infrastructure providing infrastructure providing emergency services, and to develop security
emergency services, and to develop security mechanisms to counter mechanisms to counter those attacks. While this can be a broad
those attacks. In view of the mandate of the ECRIT Working Group, topic, the present document restricts itself to attacks on the
the present document restricts itself to attacks on the mapping of mapping of locations to PSAP URIs and attacks based on emergency
locations to PSAP URIs and attacks based on emergency marking. marking.
This document is organized as follows: Section 2 describes basic This document is organized as follows: Section 2 describes basic
terminology. Section 3 briefly describes how emergency marking and terminology. Section 3 briefly describes how emergency marking and
mapping fit within the process of routing emergency calls. Section 4 mapping fit within the process of routing emergency calls. Section 4
describes some motivations of attackers in the context of ECRIT, describes some motivations of attackers in the context of emergency
Section 5 describes and illustrates the attacks that might be used, calling, Section 5 describes and illustrates the attacks that might
and Section 6 lists the security-related requirements that must be be used, and Section 6 lists the security-related requirements that
met if these attacks are to be mitigated. must be met if these attacks are to be mitigated.
2. Terminology 2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119], with the document are to be interpreted as described in [RFC2119], with the
qualification that unless otherwise stated they apply to the design qualification that unless otherwise stated they apply to the design
of the mapping protocol, not its implementation or application. of the mapping protocol, not its implementation or application.
The terms call taker, mapping service, emergency caller, emergency The terms call taker, mapping service, emergency caller, emergency
skipping to change at page 5, line 5 skipping to change at page 5, line 5
The term "location information" is taken from RFC 3693 [RFC3693]. The term "location information" is taken from RFC 3693 [RFC3693].
The term "emergency caller's device" designates the IP host closest The term "emergency caller's device" designates the IP host closest
to the emergency caller in the signalling path between the emergency to the emergency caller in the signalling path between the emergency
caller and the PSAP. Examples include an IP phone running SIP, caller and the PSAP. Examples include an IP phone running SIP,
H.323, or a proprietary signalling protocol, a PC running a soft H.323, or a proprietary signalling protocol, a PC running a soft
client, or an analogue terminal adapter or a residential gateway client, or an analogue terminal adapter or a residential gateway
controlled by a softswitch. controlled by a softswitch.
3. Marking, mapping, and the emergency call routing process 3. Marking, Mapping, and the Emergency Call Routing Process
The ECRIT Working Group has two work items relating to the routing of This memo deals with two topics relating to the routing of emergency
emergency calls to their proper destination. The first is to enable calls to their proper destination. The first is the marking of call
entities along the signalling path to recognize that a particular signalling to enable entities along the signalling path to recognize
signalling message is associated with an emergency call. The ECRIT that a particular signalling message is associated with an emergency
Working Group is defining content that can be added to the signalling call. Signalling containing the emergency identifier may be given
messages, an emergency identifier, for this purpose. Signalling priority treatment, special processing, and/or special routing.
containing the emergency identifier may be given priority treatment,
special processing, and/or special routing.
The first goal of emergency call routing is to ensure that any The first goal of emergency call routing is to ensure that any
emergency call is routed to a PSAP. Preferably the call is routed to emergency call is routed to a PSAP. Preferably the call is routed to
the PSAP responsible for the caller's location, since misrouting the PSAP responsible for the caller's location, since misrouting
consumes valuable time while the call taker locates and forwards the consumes valuable time while the call taker locates and forwards the
call to the right PSAP. As described in [I-D.ecrit-requirements], call to the right PSAP. As described in [I-D.ecrit-requirements],
mapping, the second ECRIT work item, is part of the process of mapping is part of the process of achieving this preferable outcome.
achieving this preferable outcome.
In brief, mapping involves a mapping client, a mapping server, and In brief, mapping involves a mapping client, a mapping server, and
the protocol that passes between them. The protocol allows the the protocol that passes between them. The protocol allows the
client to pass location information to the mapping server and to client to pass location information to the mapping server and to
receive back a URI which can be used to direct call signalling to a receive back a URI which can be used to direct call signalling to a
PSAP. PSAP.
Since mapping requires location information for input, when and where Since mapping requires location information for input, when and where
the location information is acquired imposes constraints upon when the location information is acquired imposes constraints upon when
mapping can be done and which devices can act as mapping clients. mapping can be done and which devices can act as mapping clients.
The key distinction in "when" is before the emergency or during the The key distinction in "when" is before the emergency or during the
emergency. The key distinction in "where" is at the emergency emergency. The key distinction in "where" is at the emergency
caller's device or at another device in the signalling path between caller's device or at another device in the signalling path between
the emergency caller and the PSAP. The mapping client can be the the emergency caller and the PSAP. The mapping client can be the
device that acquires the location information or any device device that acquires the location information or any device
downstream of that point. It is even possible for a PSAP itself to downstream of that point. It is even possible for a PSAP itself to
initiate mapping, to determine whether an arriving call should be initiate mapping, to determine whether an arriving call should be
handled by a call taker at that PSAP or should be proxied to another handled by a call taker at that PSAP or should be proxied to another
PSAP. PSAP.
4. Objectives of attackers 4. Objectives of Attackers
Attackers may direct their efforts either against a portion of the Attackers may direct their efforts either against a portion of the
emergency response system or against an individual. Attacks against emergency response system or against an individual. Attacks against
the emergency response system have three possible objectives: the emergency response system have three possible objectives:
o to deny system services to all users in a given area. The o to deny system services to all users in a given area. The
motivation may range from thoughtless vandalism, to wide-scale motivation may range from thoughtless vandalism, to wide-scale
criminality, to terrorism. One interesting variant on this criminality, to terrorism. One interesting variant on this
motivation is the case where a victim of a large emergency hopes motivation is the case where a victim of a large emergency hopes
to gain faster service by blocking others' competing calls for to gain faster service by blocking others' competing calls for
help. help.
o to gain fraudulent use of services, by using an emergency o to gain fraudulent use of services, by using an emergency
identifier to bypass normal authentication, authorization, and identifier to bypass normal authentication, authorization, and
accounting procedures. accounting procedures.
o to divert emergency responders to non-emergency sites. No attacks o to divert emergency responders to non-emergency sites. This memo
affecting the ECRIT Working Group's decisions on the emergency has not identified any attacks within its intended scope that
identifier and mapping protocol have been identified that achieve achieve this objective, so it will not be mentioned further.
this objective
Attacks against an individual fall into two classes: Attacks against an individual fall into two classes:
o attacks to prevent an individual from receiving aid; o attacks to prevent an individual from receiving aid;
o attacks to gain information about an emergency that can be applied o attacks to gain information about an emergency that can be applied
either against an individual involved in that emergency or to the either against an individual involved in that emergency or to the
profit of the attacker; profit of the attacker;
5. Potential attacks 5. Potential Attacks
5.1. Attacks involving the emergency identifier 5.1. Attacks Involving the Emergency Identifier
The main attack possibility involving the emergency identifier is to The main attack possibility involving the emergency identifier is to
use it to bypass normal procedures in order to achieve fraudulent use use it to bypass normal procedures in order to achieve fraudulent use
of services. An attack of this sort is possible only if the of services. An attack of this sort is possible only if the
following conditions are true: following conditions are true:
a. The attacker is the emergency caller. a. The attacker is the emergency caller.
b. The call routing system assumes that the emergency caller's b. The call routing system assumes that the emergency caller's
device addresses emergency calls using the result of mapping device signals the correct PSAP URI for the caller's location.
based on the caller's location.
c. The call enters the domain of a service provider, which accepts c. The call enters the domain of a service provider, which accepts
it without applying normal procedures for authentication and it without applying normal procedures for authentication and
authorization because the signalling carries the emergency authorization because the signalling carries the emergency
identifier. identifier.
d. The service provider routes it according to the called address d. The service provider routes it according to the called address
(e.g., SIP Request-URI), without verifying that this is the (e.g., SIP Request-URI), without verifying that this is the
address of a PSAP (noting that a URI by itself does not indicate address of a PSAP (noting that a URI by itself does not indicate
the nature of the entity it is pointing to). the nature of the entity it is pointing to).
skipping to change at page 7, line 45 skipping to change at page 7, line 44
information. information.
An attacker wishing to disrupt the emergency call routing system may An attacker wishing to disrupt the emergency call routing system may
use a similar technique to target components of that system for a use a similar technique to target components of that system for a
denial of service attack. The attacker will find this attractive to denial of service attack. The attacker will find this attractive to
reach components that handle emergency calls only. Flooding attacks reach components that handle emergency calls only. Flooding attacks
are the most likely application of the technique, but it may also be are the most likely application of the technique, but it may also be
used to identify target components for other attacks by analyzing the used to identify target components for other attacks by analyzing the
content of responses to the original signalling messages. content of responses to the original signalling messages.
5.2. Attacks against or using the mapping process 5.2. Attacks Against or Using the Mapping Process
This section describes classes of attacks involving the mapping This section describes classes of attacks involving the mapping
process that could be used to achieve the attacker goals described in process that could be used to achieve the attacker goals described in
Section 4. Section 4.
5.2.1. Attacks against the emergency response system 5.2.1. Attacks Against the Emergency Response System
This section considers attacks intended to reduce the effectiveness This section considers attacks intended to reduce the effectiveness
of the emergency response system for all callers in a given area. If of the emergency response system for all callers in a given area. If
the mapping operation is disabled, the immediate effect is to the mapping operation is disabled, then the emergency caller's device
increase the probability that emergency calls are routed to the wrong might not have the correct PSAP URI. As a consequence, the
PSAP. This has a double consequence: emergency response to the probability that emergency calls are routed to the wrong PSAP is
affected calls is delayed, and PSAP call taker resources outside the increased. In the worst case the emergency caller's device might not
immediate area of the emergency are consumed due to the extra effort be able to obtain a PSAP URI at all. Routing to the wrong PSAP has a
required to redirect the calls. Alternatively, attacks that cause double consequence: emergency response to the affected calls is
the client to receive a URI that does not lead to a PSAP have the delayed, and PSAP call taker resources outside the immediate area of
immediate effect of causing emergency calls to fail. the emergency are consumed due to the extra effort required to
redirect the calls. Alternatively, attacks that cause the client to
receive a URI that does not lead to a PSAP have the immediate effect
of causing emergency calls to fail.
Three basic attacks on the mapping process can be identified: denial Three basic attacks on the mapping process can be identified: denial
of service, impersonation of the mapping server, or corruption of the of service, impersonation of the mapping server, or corruption of the
mapping database. Denial of service can be achieved in several ways: mapping database. Denial of service can be achieved in several ways:
o by a flooding attack on the mapping server; o by a flooding attack on the mapping server;
o by taking control of the mapping server and either preventing it o by taking control of the mapping server and either preventing it
from responding or causing it to send incorrect responses; or from responding or causing it to send incorrect responses; or
skipping to change at page 8, line 38 skipping to change at page 8, line 37
and responses pass and using that control to block them. An and responses pass and using that control to block them. An
adversary may also attempt to modify the mapping protocol adversary may also attempt to modify the mapping protocol
signaling messages. Additionally, the adversary may be able to signaling messages. Additionally, the adversary may be able to
replay past communication exchanges to fool an emergency caller by replay past communication exchanges to fool an emergency caller by
returning incorrect results. returning incorrect results.
In an impersonation attack, the attacker induces the mapping client In an impersonation attack, the attacker induces the mapping client
to direct its queries to a host under the attacker's control rather to direct its queries to a host under the attacker's control rather
than the real mapping server. Impersonation itself is an issue for than the real mapping server. Impersonation itself is an issue for
mapping server discovery rather than for the mapping protocol mapping server discovery rather than for the mapping protocol
directly. However, the mapping protocol may help to protect against directly. However, the mapping protocol may allow impersonation to
acceptance of responses from an impersonating entity. be detected, thereby preventing acceptance of responses from an
impersonating entity and possibly triggering a more secure discovery
procedure.
Corruption of the mapping database cannot be mitigated directly by Corruption of the mapping database cannot be mitigated directly by
mapping protocol design. The mapping protocol may have a role to mapping protocol design. The mapping protocol may have a role to
play in analysis of which records have been corrupted, once that play in analysis of which records have been corrupted, once that
corruption has been detected. corruption has been detected.
Beyond these attacks on the mapping operation itself, it is possible Beyond these attacks on the mapping operation itself, it is possible
to use mapping to attack other entities. One possibility is that to use mapping to attack other entities. One possibility is that
mapping clients are misled into sending mapping queries to the target mapping clients are misled into sending mapping queries to the target
of the attack instead of the mapping server. Prevention of such an of the attack instead of the mapping server. Prevention of such an
skipping to change at page 8, line 51 skipping to change at page 9, line 4
Corruption of the mapping database cannot be mitigated directly by Corruption of the mapping database cannot be mitigated directly by
mapping protocol design. The mapping protocol may have a role to mapping protocol design. The mapping protocol may have a role to
play in analysis of which records have been corrupted, once that play in analysis of which records have been corrupted, once that
corruption has been detected. corruption has been detected.
Beyond these attacks on the mapping operation itself, it is possible Beyond these attacks on the mapping operation itself, it is possible
to use mapping to attack other entities. One possibility is that to use mapping to attack other entities. One possibility is that
mapping clients are misled into sending mapping queries to the target mapping clients are misled into sending mapping queries to the target
of the attack instead of the mapping server. Prevention of such an of the attack instead of the mapping server. Prevention of such an
attack is an operational issue rather than one of protocol design. attack is an operational issue rather than one of protocol design.
The other possible attack is one where the the mapping server is The other possible attack is one where the the mapping server is
tricked into sending responses to the target of the attack through tricked into sending responses to the target of the attack through
spoofing of the source address in the query. spoofing of the source address in the query.
5.2.2. Attacks to prevent a specific individual from receiving aid 5.2.2. Attacks To Prevent a Specific Individual From Receiving Aid
If an attacker wishes to deny emergency service to a specific If an attacker wishes to deny emergency service to a specific
individual the mass attacks described in Section 5.2.1 will obviously individual the mass attacks described in Section 5.2.1 will obviously
work provided that the target individual is within the affected work provided that the target individual is within the affected
population. Except for the flooding attack on the mapping server, population. Except for the flooding attack on the mapping server,
the attacker can in theory limit these attacks to the target, but the attacker can in theory limit these attacks to the target, but
this requires extra effort that the attacker is unlikely to expend. this requires extra effort that the attacker is unlikely to expend.
It is more likely, if the attacker is using a mass attack but does It is more likely, if the attacker is using a mass attack but does
not wish it to have too broad an effect, that it is used for a not wish it to have too broad an effect, that it is used for a
carefully limited period of time. carefully limited period of time.
skipping to change at page 9, line 32 skipping to change at page 9, line 35
to those for denial of service on the server side: to those for denial of service on the server side:
o a flooding attack on the mapping client; o a flooding attack on the mapping client;
o taking control of a router through which the mapping queries and o taking control of a router through which the mapping queries and
responses pass and using that control to block or modify them. responses pass and using that control to block or modify them.
Taking control of the mapping client is also a logical possibility, Taking control of the mapping client is also a logical possibility,
but raises no issues for the mapping protocol. but raises no issues for the mapping protocol.
5.2.3. Attacks to gain information about an emergency 5.2.3. Attacks To Gain Information About an Emergency
This section discusses attacks used to gain information about an This section discusses attacks used to gain information about an
emergency. The attacker may be seeking the location of the caller emergency. The attacker may be seeking the location of the caller
(e.g., to effect a criminal attack). The attacker may be seeking (e.g., to effect a criminal attack). Alternatively, the attacker may
information that could be used to link an individual (the caller or be seeking information that could be used to link an individual (the
someone else involved in the emergency) with embarrassing information caller or someone else involved in the emergency) with embarrassing
related to the emergency (e.g., "Who did the police take away just information related to the emergency (e.g., "Who did the police take
now?"). Finally, the attacker could be seeking to profit from the away just now?"). Finally, the attacker could be seeking to profit
emergency, perhaps by offering his or her services (e.g., news from the emergency, perhaps by offering his or her services (e.g.,
reporter, lawyer aggressively seeking new business). news reporter, lawyer aggressively seeking new business).
The primary information that interceptions of mapping requests and The primary information that interceptions of mapping requests and
responses will reveal are a location, a URI identifying a PSAP, and responses will reveal are a location, a URI identifying a PSAP, and
the addresses of the mapping client and server. The location the addresses of the mapping client and server. The location
information can be directly useful to an attacker if the attacker has information can be directly useful to an attacker if the attacker has
high assurance that the observed query is related to an emergency high assurance that the observed query is related to an emergency
involving the target. The other pieces of information may provide involving the target. The other pieces of information may provide
the basis for further attacks on emergency call routing, but because the basis for further attacks on emergency call routing, but because
of the time factor, are unlikely to be applicable to the routing of of the time factor, are unlikely to be applicable to the routing of
the current call. However, if the mapping client is the emergency the current call. However, if the mapping client is the emergency
caller's device, the attacker may gain information that allows for caller's device, the attacker may gain information that allows for
interference with the call after it has been set up or for interference with the call after it has been set up or for
interception of the media stream between the caller and the PSAP. interception of the media stream between the caller and the PSAP.
6. Security requirements relating to ECRIT work items 6. Security Requirements Relating To Emergency Marking and Mapping
This section describes the security requirements which must be This section describes the security requirements which must be
fulfilled to prevent or reduce the effectiveness of the attacks fulfilled to prevent or reduce the effectiveness of the attacks
described in Section 5. The requirements are presented in the same described in Section 5. The requirements are presented in the same
order as the attacks. order as the attacks.
From Section 5.1: From Section 5.1:
Attack: fraudulent calls. Attack: fraudulent calls.
skipping to change at page 14, line 16 skipping to change at page 14, line 16
The writing of this document has been a task made difficult by the The writing of this document has been a task made difficult by the
temptation to consider the security concerns of the entire personal temptation to consider the security concerns of the entire personal
emergency calling system, not just the specific pieces of work within emergency calling system, not just the specific pieces of work within
the scope of the ECRIT Working Group. Hannes Tschofenig performed the scope of the ECRIT Working Group. Hannes Tschofenig performed
the initial security analysis for ECRIT, but it has been shaped since the initial security analysis for ECRIT, but it has been shaped since
then by the comments and judgement of the ECRIT WG at large. At an then by the comments and judgement of the ECRIT WG at large. At an
earlier stage in the evolution of this document, Stephen Kent of the earlier stage in the evolution of this document, Stephen Kent of the
Security Directorate was asked to review it and provided extensive Security Directorate was asked to review it and provided extensive
comments which led to a complete rewriting of it. Brian Rosen, Roger comments which led to a complete rewriting of it. Brian Rosen, Roger
Marshall, Andrew Newton, and most recently, Spencer Dawkins have also Marshall, Andrew Newton, and most recently, Spencer Dawkins and
provided detailed reviews of this document at various stages. The Kmaran Aquil have also provided detailed reviews of this document at
authors thank them. various stages. The authors thank them.
9. IANA Considerations 9. IANA Considerations
This document does not require actions by the IANA. This document does not require actions by the IANA.
10. References 10. References
10.1. Normative References 10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
 End of changes. 26 change blocks. 
81 lines changed or deleted 86 lines changed or added

This html diff was produced by rfcdiff 1.32. The latest version is available from http://www.levkowetz.com/ietf/tools/rfcdiff/