draft-ietf-ecrit-unauthenticated-access-00.txt   draft-ietf-ecrit-unauthenticated-access-01.txt 
ECRIT H. Schulzrinne ECRIT H. Schulzrinne
Internet-Draft Columbia University Internet-Draft Columbia University
Intended status: Standards Track S. McCann Intended status: Standards Track S. McCann
Expires: March 25, 2011 Research in Motion UK Ltd Expires: April 28, 2011 Research in Motion UK Ltd
G. Bajko G. Bajko
Nokia Nokia
H. Tschofenig H. Tschofenig
D. Kroeselberg D. Kroeselberg
Nokia Siemens Networks Nokia Siemens Networks
September 21, 2010 October 25, 2010
Extensions to the Emergency Services Architecture for dealing with Extensions to the Emergency Services Architecture for dealing with
Unauthenticated and Unauthorized Devices Unauthenticated and Unauthorized Devices
draft-ietf-ecrit-unauthenticated-access-00.txt draft-ietf-ecrit-unauthenticated-access-01.txt
Abstract Abstract
The IETF emergency services architecture assumes that the calling The IETF emergency services architecture assumes that the calling
device has acquired rights to use the access network or that no device has acquired rights to use the access network or that no
authentication is required for the access network, such as for public authentication is required for the access network, such as for public
wireless access points. Subsequent protocol interactions, such as wireless access points. Subsequent protocol interactions, such as
obtaining location information, learning the address of the Public obtaining location information, learning the address of the Public
Safety Answering Point (PSAP) and the emergency call itself are Safety Answering Point (PSAP) and the emergency call itself are
largely decoupled from the underlying network access procedures. largely decoupled from the underlying network access procedures.
In some cases, the device does not have credentials for network In some cases, however, the device does not have these credentials
access, does not have a VoIP provider or application service provider for network access, does not have a VoIP service provider, or the
(ASP), or the credentials have become invalid, e.g., because the user credentials have become invalid, e.g., because the user has exhausted
has exhausted their prepaid balance or the account has expired. their prepaid balance or the account has expired.
This document provides a problem statement, introduces terminology This document provides a problem statement, introduces terminology
and describes an extension for the base IETF emergency services and describes an extension for the base IETF emergency services
architecture to address these scenarios. architecture to address these scenarios.
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 25, 2011. This Internet-Draft will expire on April 28, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. No Access Authorization (NAA) . . . . . . . . . . . . . . 5 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.2. No ASP (NASP) . . . . . . . . . . . . . . . . . . . . . . 6 3. Use Case Categories . . . . . . . . . . . . . . . . . . . . . 6
1.3. Zero-Balance Application Service Provider (ZBP) . . . . . 6 4. ZBP Considerations . . . . . . . . . . . . . . . . . . . . . . 8
2. A Warning Note . . . . . . . . . . . . . . . . . . . . . . . . 6 5. NASP Considerations . . . . . . . . . . . . . . . . . . . . . 9
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 7 5.1. End Host Profile . . . . . . . . . . . . . . . . . . . . . 11
4. Considerations for ISPs to support Unauthenticated 5.1.1. LoST Server Discovery . . . . . . . . . . . . . . . . 11
Emergency Services without Architecture Extensions . . . . . . 7 5.1.2. ESRP Discovery . . . . . . . . . . . . . . . . . . . . 11
5. Considerations for ISPs to support Unauthenticated 5.1.3. Location Determination and Location Configuration . . 11
Emergency Services with Architecture Extensions . . . . . . . 8 5.1.4. Emergency Call Identification . . . . . . . . . . . . 11
6. NAA considerations for the network attachment procedure of 5.1.5. SIP Emergency Call Signaling . . . . . . . . . . . . . 12
IAPs/ISPs . . . . . . . . . . . . . . . . . . . . . . . . . . 12 5.1.6. Media . . . . . . . . . . . . . . . . . . . . . . . . 12
6.1. Link layer emergency indication . . . . . . . . . . . . . 12 5.1.7. Testing . . . . . . . . . . . . . . . . . . . . . . . 12
6.2. Higher-layer emergency indication . . . . . . . . . . . . 13 5.2. IAP/ISP Profile . . . . . . . . . . . . . . . . . . . . . 12
6.3. Securing network attachment in NAA cases . . . . . . . . . 14 5.2.1. ESRP Discovery . . . . . . . . . . . . . . . . . . . . 12
7. Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 5.2.2. Location Determination and Location Configuration . . 12
7.1. End Host Profile . . . . . . . . . . . . . . . . . . . . . 16 5.3. ESRP Profile . . . . . . . . . . . . . . . . . . . . . . . 13
7.1.1. LoST Server Discovery . . . . . . . . . . . . . . . . 16 5.3.1. Emergency Call Routing . . . . . . . . . . . . . . . . 13
7.1.2. ESRP Discovery . . . . . . . . . . . . . . . . . . . . 16 5.3.2. Emergency Call Identification . . . . . . . . . . . . 13
7.1.3. Location Determination and Location Configuration . . 16 5.3.3. SIP Emergency Call Signaling . . . . . . . . . . . . . 13
7.1.4. Emergency Call Identification . . . . . . . . . . . . 16 5.3.4. Location Retrieval . . . . . . . . . . . . . . . . . . 13
7.1.5. SIP Emergency Call Signaling . . . . . . . . . . . . . 17 6. Lower Layer Considerations for NAA Case . . . . . . . . . . . 14
7.1.6. Media . . . . . . . . . . . . . . . . . . . . . . . . 17 6.1. Link Layer Emergency Indication . . . . . . . . . . . . . 14
7.1.7. Testing . . . . . . . . . . . . . . . . . . . . . . . 17 6.2. Higher-Layer Emergency Indication . . . . . . . . . . . . 15
7.2. IAP/ISP Profile . . . . . . . . . . . . . . . . . . . . . 17 6.3. Securing Network Attachment in NAA Cases . . . . . . . . . 17
7.2.1. ESRP Discovery . . . . . . . . . . . . . . . . . . . . 17 7. Security Considerations . . . . . . . . . . . . . . . . . . . 18
7.2.2. Location Determination and Location Configuration . . 17 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 19
7.3. ESRP Profile . . . . . . . . . . . . . . . . . . . . . . . 18 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19
7.3.1. Emergency Call Routing . . . . . . . . . . . . . . . . 18 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19
7.3.2. Emergency Call Identification . . . . . . . . . . . . 18 10.1. Normative References . . . . . . . . . . . . . . . . . . . 19
7.3.3. SIP Emergency Call Signaling . . . . . . . . . . . . . 18 10.2. Informative References . . . . . . . . . . . . . . . . . . 20
7.3.4. Location Retrieval . . . . . . . . . . . . . . . . . . 18
8. Security Considerations . . . . . . . . . . . . . . . . . . . 18
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 19
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19
11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19
11.1. Normative References . . . . . . . . . . . . . . . . . . . 19
11.2. Informative References . . . . . . . . . . . . . . . . . . 20
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 22 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 22
1. Introduction 1. Introduction
Summoning police, the fire department or an ambulance in emergencies Summoning police, the fire department or an ambulance in emergencies
is one of the fundamental and most-valued functions of the telephone. is one of the fundamental and most-valued functions of the telephone.
As telephone functionality moves from circuit-switched telephony to As telephone functionality moves from circuit-switched telephony to
Internet telephony, its users rightfully expect that this core Internet telephony, its users rightfully expect that this core
functionality will continue to work at least as well as it has for functionality will continue to work at least as well as it has for
the older technology. New devices and services are being made the older technology. New devices and services are being made
skipping to change at page 4, line 37 skipping to change at page 4, line 37
PSAP URI by offering LoST [RFC5222] services. PSAP URI by offering LoST [RFC5222] services.
In general, a set of automated configuration mechanisms allows a In general, a set of automated configuration mechanisms allows a
device to function in a variety of architectures, without the user device to function in a variety of architectures, without the user
being aware of the details on who provides location, mapping services being aware of the details on who provides location, mapping services
or call routing services. However, if emergency calling is to be or call routing services. However, if emergency calling is to be
supported when the calling device lacks access network authorization supported when the calling device lacks access network authorization
or does not have an ASP, one or more of the providers may need to or does not have an ASP, one or more of the providers may need to
provide additional services and functions. provide additional services and functions.
In all cases, the end device MUST be able to perform a LoST lookup In all cases, the end device has to be able to perform a LoST lookup
and otherwise conduct the emergency call in the same manner as when and otherwise conduct the emergency call in the same manner as when
the three exceptional conditions discussed below do not apply. the three exceptional conditions discussed below do not apply.
We distinguish between three conditions: We distinguish between three conditions:
No access authorization (NAA): The current access network requires No Access Authentication (NAA): In the NAA case, the emergency
access authorization and the caller does not have valid user caller does not posses valid credentials for the access network.
credentials. (This includes the case where the access network This includes the case where the access network allows pay-per-
allows pay-per-use, as is common for wireless hotspots, but there use, as is common for wireless hotspots, but there is insufficient
is insufficient time to pay for access.) time to enter credit card details and other registration
information required for access. It also covers all cases where
No ASP (NASP): The caller does not have an ASP at the time of the either no credentials are available at all, or the available
call. credentials do not work for the given IAP/ISP. As a result, the
NAA case basically combines the below NASP and ZBP cases, but at
Zero-balance ASP (ZBP): The caller has valid credentials with an the IAP/ISP level. Support for emergency call handling in the NAA
ASP, but is not allowed to access services like placing calls in case is subject to the local policy of the ISP. Such policy may
case of a VoIP service, e.g., because the user has a zero balance vary substantially between ISPs and typically depends on external
in a prepaid account. factors that are not under the ISP control.
A user may well suffer from both NAA and NASP or ZBP at the same
time. Depending on local policy and regulations, it may not be
possible to place emergency calls in the NAA case. Unless local
regulations require user identification, it should always be possible
to place calls in the NASP case, with minimal impact on the ISP.
Unless the ESN requires that all calls traverse a known set of VSPs,
a caller should be able to place an emergency call in the ZBP case.
We discuss each case in separate sections below.
1.1. No Access Authorization (NAA)
In the NAA (No Access Authorization) case, the emergency caller does
not posses valid credentials for the access network. If local
regulations or policy allows or requires support for emergency calls
in NAA, the access network may or needs to cooperate in providing
emergency calling services. Support for NAA emergency calls is
subject to the local policy of the ISP. Such policy may vary
substantially between ISPs and typically depends on external factors
that are not under the ISP control. Hence, no global mandates for
supporting emergency calls in relation to NAA can be made. However,
it makes a lot of sense to offer appropriate building blocks that
enable ISPs to flexibly react on the local environment.Generally, the
ISP will want to ensure that devices do not pretend to place
emergency calls, but then abuse the access for obtaining more general
services fraudulently.
In particular, the ISP MUST allow emergency callers to acquire an IP
address and to reach a LoST server, either provided by the ISP or
some third party. It SHOULD also provide location information via
one of the mechanisms specified in [I-D.ietf-ecrit-phonebcp] without
requiring authorization unless it can safely assume that all nodes in
the access network can determine their own location, e.g., via GPS.
The details of how filtering is performed depends on the details of
the ISP architecture and are beyond the scope of this document. We
illustrate a possible model. If the ISP runs its own LoST server, it
would maintain an access control list including all IP addresses
contained in responses returned by the LoST server, as well as the
LoST server itself. (It may need to translate the domain names
returned to IP addresses and hope that the resolution captures all
possible DNS responses.) Since the media destination addresses are
not predictable, the ISP also has to provide a SIP outbound proxy so
that it can determine the media addresses and add those to the filter
list.
1.2. No ASP (NASP)
In the second case, the emergency caller has no current ASP. This
case poses no particular difficulties unless it is assumed that only
ASPs provide LoST server or that ESNs only accept calls that reach it
through a set of known ASPs. However, since the calling device
cannot obtain configuration information from its ASP, the ISP MUST
provide the address of a LoST server via DHCP [RFC5223] if this model
is to be supported. The LoST server may be operated either by the
ISP or a third party.
1.3. Zero-Balance Application Service Provider (ZBP) No ASP (NASP): The caller does not have an ASP at the time of the
call. This can occur either in case the caller does not possess
any valid subscription for a reachable ASP, or in case none of the
ASPs where the caller owns a valid subscription is reachable
through the ISP.
In the case of zero-balance ASP, the ASP can authenticate the caller, Note: The interoperability need is increased with this scenario
but the caller is not authorized to use ASP services, e.g., because since the client software used by the emergency caller must be
the contract has expired or the prepaid account for the customer has compatible with the protocols and extensions deployed by the ESN.
been depleted. Naturally, an ASP can simply disallow access by such
customers, so that all such customers find themselves in the NASP
situation described above. If ASPs desire or are required by
regulation to provide emergency calling services to such customers,
they need to provide LoST services to such customers and may need to
provide outbound SIP proxy services. As usual, the calling device
looks up the LoST server via SIP configuration.
Unless the emergency call traverses a PSTN gateway or the ASP charges Zero-balance ASP (ZBP): In the case of zero-balance ASP, the ASP can
for IP-to-IP calls, there is little potential for fraud. If the ASP authenticate the caller, but the caller is not authorized to use
also operates the LoST server, the outbound proxy MAY restrict ASP services, e.g., because the contract has expired or the
outbound calls to the SIP URIs returned by the LoST server. It is prepaid account for the customer has been depleted.
NOT RECOMMENDED to rely on a fixed list of SIP URIs, as that list may
change.
2. A Warning Note These three cases are not mutually exclusive. A caller in need for
help may find himself/herself in, for example, a NAA and NASP
situation, as explained in more details in Figure 1. Depending on
local policy and regulations, it may not be possible to place
emergency calls in the NAA case. Unless local regulations require
user identification, it should always be possible to place calls in
the NASP case, with minimal impact on the ISP. Unless the ESN
requires that all calls traverse a known set of VSPs, it is
technically possible to let a caller place an emergency call in the
ZBP case. We discuss each case in more details in Section 3.
At the time of writing there is no regulation in place that demands Note: At the time of writing there is no regulation in place that
the functionality described in this memo. SDOs have started their demands the functionality described in this memo. SDOs have started
work on this subject in a proactive fashion in the anticipation that their work on this subject in a proactive fashion in the anticipation
national regulation will demand it for a subset of network that national regulation will demand it for a subset of network
environments. environments.
There are also indications that the functionality of unauthenticated There are also indications that the functionality of unauthenticated
emergency calls (called SIM-less calls) in today's cellular system in emergency calls (called SIM-less calls) in today's cellular system in
certain countries leads to a fair amount of hoax or test calls. This certain countries leads to a fair amount of hoax or test calls. This
causes overload situations at PSAPs which is considered harmful to causes overload situations at PSAPs which is considered harmful to
the overall availability and reliability of emergency services. the overall availability and reliability of emergency services.
As an example, Federal Office of Communications (OFCOM, As an example, Federal Office of Communications (OFCOM, Switzerland)
Switzerland) provided statistics about emergency (112) calls in provided statistics about emergency (112) calls in Switzerland from
Switzerland from Jan. 1997 to Nov. 2001. Switzerland did not Jan. 1997 to Nov. 2001. Switzerland did not offer SIM-less emergency
offer SIM-less emergency calls except for almost a month in July calls except for almost a month in July 2000 where a significant
2000 where a significant increase in hoax and test calls was increase in hoax and test calls was reported. As a consequence, the
reported. As a consequence, the functionality was disabled again. functionality was disabled again. More details can be found in the
More details can be found in the panel presentations of the 3rd panel presentations of the 3rd SDO Emergency Services Workshop
SDO Emergency Services Workshop [esw07]. [esw07].
3. Terminology 2. Terminology
In this document, the key words "MUST", "MUST NOT", "REQUIRED", In this document, the key words "MUST", "MUST NOT", "REQUIRED",
"SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
and "OPTIONAL" are to be interpreted as described in RFC 2119 and "OPTIONAL" are to be interpreted as described in RFC 2119
[RFC2119]. [RFC2119].
This document reuses terminology from [I-D.ietf-geopriv-l7-lcp-ps] This document reuses terminology from [RFC5687] and [RFC5012], namely
and [RFC5012], namely Internet Access Provider (IAP), Internet Internet Access Provider (IAP), Internet Service Provider (ISP),
Service Provider (ISP), Application Service Provider (ASP), Voice Application Service Provider (ASP), Voice Service Provider (VSP),
Service Provider (VSP), Emergency Service Routing Proxy (ESRP), Emergency Service Routing Proxy (ESRP), Public Safety Answering Point
Public Safety Answering Point (PSAP), Location Configuration Server (PSAP), Location Configuration Server (LCS), (emergency) service dial
(LCS), (emergency) service dial string, and (emergency) service string, and (emergency) service identifier.
identifier.
4. Considerations for ISPs to support Unauthenticated Emergency
Services without Architecture Extensions
This section provides a recommended configuration for unauthenticated 3. Use Case Categories
emergency services support without architecture extensions.
On a very high-level, the steps to be performed by an end host not On a very high-level, the steps to be performed by an end host not
being attached to the network and the user starting to make an being attached to the network and the user starting to make an
emergency call are the following: emergency call are the following:
o Some radio networks have added support for unauthenticated Link Layer Attachment: Some radio networks have added support for
emergency access, some other type of networks advertise these unauthenticated emergency access, some other type of networks
capabilities using layer beacons. The end host learns about these advertise these capabilities using layer beacons. The end host
unauthenticated emergency services capabilities either from the learns about these unauthenticated emergency services capabilities
link layer type or from advertisement. either from the link layer type or from advertisement.
o The end host uses the link layer specific network attachment
The end host uses the link layer specific network attachment
procedures defined for unauthenticated network access in order to procedures defined for unauthenticated network access in order to
get access to emergency services. get access to the network.
o When the link layer network attachment procedure is completed the Pre-Emergency Service Configuration: When the link layer network
end host learns basic configuration information using DHCP from attachment procedure is completed the end host learns basic
the ISP, including the address of the LoST server. configuration information using DHCP from the ISP, including the
o The end host MUST use a Location Configuration Protocol (LCP) address of the LoST server. The end host uses a Location
supported by the IAP or ISP to learn its own location. Configuration Protocol (LCP) to retrieve location information.
o The end host MUST use the LoST protocol [I-D.ietf-ecrit-lost] to Subsequently, the LoST protocol [RFC5222] is used to learn the
query the LoST server and asks for the PSAP URI responsible for relevant emergency numbers, and to obtain the PSAP URI applicable
that location. for that location.
o After the PSAP URI has been returned to the end host, the SIP UA
in the end host directly initiates a SIP INVITE towards the PSAP
URI.
The IAP and the ISP will probably want to make sure that the claimed Emergency Call: In case of need for help, a user dials an emergency
emergency caller indeed performs an emergency call rather than using number and the SIP UA initiates the emergency call procedures by
the network for other purposes, and thereby acting fraudulent by communicating with the PSAP.
skipping any authentication, authorization and accounting procedures.
By restricting access of the unauthenticated emergency caller to the
LoST server and the PSAP URI, traffic can be restricted only to
emergency calls (see also section 1.1).
Using the above procedures, the unauthenticated emergency caller will Figure 1 compiles the basic logic taking place during network entry
be successful only if: for requesting an emergency service and shows the interrelation
between the three conditions described in the above section.
o the ISP (or the IAP) support an LCP that the end host can use to +-----Y
learn its location. A list of mandatory-to-implement LCPs can be |Start|
found in [I-D.ietf-ecrit-phonebcp]). `...../
o the ISP configures it's firewalls appropriately to allow emergency |
calls to traverse the network towards the PSAP. | Are credentials
| for network attachment
| available?
|
NO v YES
+----------------------------+
| |
| |
V v
.............. ................
| Idle: Wait | |Execute |
| for ES Call| |LLA Procedures|
| Initiation | "--------------'
"------------' |
Is | +---------->O
emergency | | | Is ASP
service | NO +-----Y | | configured?
network +--->| End | | +---------------+
attachment| `...../ | YES | | NO
possible? | | | |
v | v v
+------------+ | +------------+ +------------+
| Execute | | | Execute | | Execute |
| NAA |--------+ | Phone BCP | | NASP |
| Procedures | | Procedures | | Procedures |
+------------+ +------------+ +------------+
Authorization for| |
Emergency Call? | |
+--------------+ v
| NO | YES +-----Y
| | | Done|
v v `...../
+------------+ +------------+
| Execute | | Execute |
| ZBP | | Phone BCP |
| Procedures | | Procedures |
+------------+ +------------+
| |
| |
v v
+-----Y +-----Y
| Done| | Done|
`...../ `...../
Some IAPs/ISPs may not be able to fulfill the above requirements. If Abbreviations:
those IAPs/ISPs want to support unauthenticated emergency calls, then LLA: Link Layer Attachment
they can deploy an extended architecture as described in Section 5. ES: Emergency Services
5. Considerations for ISPs to support Unauthenticated Emergency Figure 1: Flow Diagram
Services with Architecture Extensions
This section provides a recommended configuration for unauthenticated 4. ZBP Considerations
emergency services support without architecture extensions.
For unauthenticated emergency services support it is insufficient to Although subject to local regulatory mandates, it is expected that
provide mechanisms only at the link layer in order to bypass for most ASPs even with a lack of authorization for regular service
authentication for the cases when: an otherwise authenticated and known subscriber must be granted
access to emergency services. Naturally, without an obligation to
support emergency services in ZBP cases an ASP can simply disallow
access by such customers. As a result, all such subscribers may fall
back into a NASP situation as described above.
o the IAP/ISP does not support any Location Configuration Protocol If ASPs desire or are required by regulation to provide emergency
o the IAP/ISP cannot assume the end hosts to support a Location services to subscribers with valid credentials that only fail
Configuration Protocol authorization, the emergency services nature of a call can easily be
determined by inspecting the call setup procedure for the presence of
the emergency service URNs. This example shows that in the context
of this document no specific considerations apply to the ZBP case due
to the fact that the ASP will be able to relate the service request
to an existing subscription or user and will be in control of
adjusting any authorization decision based on its deployemnt specific
policy. It is, however, noted that specific security considerations
apply due to the fact that emergency service access will likely be
granted with limited authorization only, see Section 7.
o the IAP/ISP does not have knowledge of a LoST server (which would ZBP cases in the context of this document cover all cases where an
assist the client to find the correct PSAP) otherwise valid subscription lacks authorization to access or regular
ASP services, i.e., a lack of authorization that would block the
subscriber from using the service for emergency purpose. Example ZBP
cases include empty prepaid accounts, barred accounts, or certain
roaming or mobility restrictions. The exact list of cases where
emergency services need to be supported by the ASP is local to the
ASP policy and deployment, and is therefore beyond the scope of this
document.
A modification to the emergency services architecture is necessary 5. NASP Considerations
since the IAP and the ISP need to make sure that the claimed
emergency caller indeed performs an emergency call rather than using
the network for other purposes, and thereby acting fraudulent by
skipping any authentication, authorization and accounting procedures.
Hence, without introducing some understanding of the specific
application the ISP (and consequently the IAP) will not be able to
detect and filter malicious activities. This leads to the
architecture described in Figure 1 where the IAP needs to implement
extensions to link layer procedures for unauthenticated emergency
service access and the ISP needs to deploy emergency services related
entities used for call routing, such as the Emergency Services
Routing Proxy (ESRP), a Location Configuration Server (LCS) and a
mapping database.
On a very high-level, the interaction is as follows starting with the To start the description we consider the sequence of steps that are
end host not being attached to the network and the user starting to executed in an emergency call based on Figure 2.
make an emergency call.
o Some radio networks have added support for unauthenticated o As an initial step the devices attaches to the network as shown in
emergency access, some other type of networks advertise these step (1). This step is outside the scope of this section.
capabilities using layer beacons. The end host learns about these
unauthenticated emergency services capabilities either from the
link layer type or from advertisement.
o The end host uses the link layer specific network attachment
procedures defined for unauthenticated network access in order to
get access to emergency services.
o When the link layer network attachment procedure is completed the o When the link layer network attachment procedure is completed the
end host learns basic configuration information using DHCP from end host learns basic configuration information using DHCP from
the ISP, including the address of the ESRP, as shown in (2). the ISP, including the address of the ESRP, as shown in step (2).
o When the IP address configuration is completed then the SIP UA o When the IP address configuration is completed then the SIP UA
initiates a SIP INVITE towards the indicated ESRP, as shown in initiates a SIP INVITE towards the indicated ESRP, as shown in
(3). The INVITE message contains all the necessary parameters (3). The INVITE message contains all the necessary parameters
required by Section 7.1.5. required by Section 5.1.5.
o The ESRP receives the INVITE and processes it according to the o The ESRP receives the INVITE and processes it according to the
description in Section 7.3.3. The location of the end host may description in Section 5.3.3. The location of the end host may
need to be determined using a protocol interaction shown in (4). need to be determined using a protocol interaction shown in (4).
o Potentially, an interaction between the LCS of the ISP and the LCS o Potentially, an interaction between the LCS of the ISP and the LCS
of the IAP may be necessary, see (5). of the IAP may be necessary, see (5).
o Finally, the correct PSAP for the location of the end host has to o Finally, the correct PSAP for the location of the end host has to
be evaluated, see (6). be evaluated, see (6).
o The ESRP routes the call to the PSAP, as shown in (7). o The ESRP routes the call to the PSAP, as shown in (7).
o The PSAP evaluates the initial INVITE and aims to complete the o The PSAP evaluates the initial INVITE and aims to complete the
call setup. call setup.
o Finally, when the call setup is completed media traffic can be o Finally, when the call setup is completed media traffic can be
exchanged between the PSAP and the emergency caller. exchanged between the PSAP and the emergency caller.
For editorial reasons the end-to-end SIP and media exchange between For editorial reasons the end-to-end SIP and media exchange between
the PSAP and SIP UA are not shown in Figure 1. the PSAP and SIP UA are not shown in Figure 2.
Two important aspects are worth to highlight: Two important aspects are worth to highlight:
o The IAP/ISP needs to understand the concept of emergency calls or o The IAP/ISP needs to understand the concept of emergency calls or
other emergency applicationsand the SIP profile described in this other emergency applicationsand the SIP profile described in this
document. No other VoIP protocol profile, such as XMPP, Skype, document. No other VoIP protocol profile, such as XMPP, Skype,
etc., are supported for emergency calls in this particular etc., are supported for emergency calls in this particular
architecture. Other profiles may be added in the future, but the architecture. Other profiles may be added in the future, but the
deployment effort is enormous since they have to be universally deployment effort is enormous since they have to be universally
deployed. deployed.
o The end host has no obligation to determine location information. o The end host has no obligation to determine location information.
It may attach location information if it has location available It may attach location information if it has location available
(e.g., from a GPS receiver). (e.g., from a GPS receiver).
Figure 1 shows that the ISP needs to deploy SIP-based emergency Figure 2 shows that the ISP needs to deploy SIP-based emergency
services functionality. It is important to note that the ISP itself services functionality. It is important to note that the ISP itself
may outsource the functionality by simply providing access to them may outsource the functionality by simply providing access to them
(e.g., it puts the IP address of an ESRP or a LoST server into an (e.g., it puts the IP address of an ESRP or a LoST server into an
allow-list). For editorial reasons this outsourcing is not shown. allow-list). For editorial reasons this outsourcing is not shown.
+---------------------------+ +-------+ +-------+
| | | PSAP | (7) | ESRP |
| Emergency Network | | |<----->| |
| Infrastructure | +-------+ +-------+
| | ^
| +----------+ +----------+ | | (7)
| | PSAP | | ESRP | | v
| | | | | | +----------+ (6) +----------+
| +----------+ +----------+ | | Mapping |<----->| ESRP |
+-------------------^-------+ | Database | | |<-+
| +----------+ +----------+ |
| (7) ^ |
+------------------------+-----------------------+ +------------------------|--------|--------------+
| ISP | | | ISP | | |
| | | |+----------+ | | +----------+|
|+----------+ v | || LCS-ISP | | | | DHCP ||
|| Mapping | (6) +----------+ | || |<-----------+ | | Server ||
|| Database |<----->| ESRP / | | |+----------+ (4) | +----------+|
|+----------+ | SIP Proxy|<-+ | +-------^-------------------------|-----------^--+
|+----------+ +----------+ | +----------+| +-------|-------------------------|-----------|--+
|| LCS-ISP | ^ | | DHCP || | IAP | (5) | | |
|| |<---------+ | | Server || | V | | |
|+----------+ (4) | +----------+| |+----------+ | | |
+-------^-------------------------+-----------^--+ || LCS-IAP | +--------+ | | |
+-------|-------------------------+-----------|--+ || | | Link | |(3) | |
| IAP | (5) | | | |+----------+ | Layer | | | |
| V | | | | | Device | | (2)| |
|+----------+ | | | | +--------+ | | |
|| LCS-IAP | +----------+ | | | | ^ | | |
|| | | Link | |(3) | | | | | | |
|+----------+ | Layer | | | | +------------------------|--------|-----------|--+
| | Device | | (2)| | | | |
| +----------+ | | | (1)| | |
| ^ | | | | | |
| | | | | | +----+ |
+------------------------+--------+-----------+--+ v v |
| | | +----------+ |
(1)| | | | End |<-------------+
| | | | Host |
| +----+ | +----------+
v v |
+----------+ |
| End |<-------------+
| Host |
+----------+
Figure 1: Overview
It is important to note that a single ESRP may also offer it's
service to several ISPs.
6. NAA considerations for the network attachment procedure of IAPs/ISPs
This section discusses different methods to indicate an emergency
service request as part of network attachment. It provides some
general considerations and recommendations that are not specific to
the access technology.
To perform network attachment and get access to the resources
provided by an IAP/ISP, the end host uses access technology specific
network attachment procedures, including for example network
detection and selection, authentication, and authorization. For
initial network attachment of an emergency service requester, the
method of how the emergency indication is given to the IAP/ISP is
specific to the access technology. However, a number of general
approaches can be identified:
- Link layer emergency indication: The end host provides an
indication, e.g. an emergency parameter or flag, as part of the link
layer signaling for initial network attachment. Examples include an
emergency bit signalled in the IEEE 802.16-2009 wireless link.
signalling allows an IEEE 802.1X to occur without exchanging
cryptogrpahic keys
- Higher-layer emergency indication: Typically emergency indication
in access authentication. The emergency caller's end host provides
an indication as part of the access authentication exchanges. EAP
based authentication is of particular relevance here. [nwgstg3].
6.1. Link layer emergency indication
In general, link layer emergency indications provide good integration
into the actual network access procedure regarding the enabling of
means to recognize and prioritize an emergency service request from
an end host at a very early stage of the network attachment
procedure. However, support in end hosts for such methods cannot be
considered to be commonly available.
No general recommendations are given in the scope of this memo due to
the following reasons:
- Dependency on the specific access technology.
- Dependency on the specific access network architecture. Access
authorization and policy decisions typically happen at a different
layers of the protocol stack and in different entities than those
terminating the link-layer signaling. As a result, link layer
indications need to be distributed and translated between the
different involved protocol layers and entities. Appropriate methods
are specific to the actual architecture of the IAP/ISP network.
6.2. Higher-layer emergency indication
This section focuses on emergency indications based on authentication
and authorization in EAP-based network access.
An advantage of combining emergency indications with the actual
network attachment procedure performing authentication and
authorization is the fact that the emergency indication can directly
be taken into account in the authentication and authorization server
that owns the policy for granting access to the network resources.
As a result, there is no direct dependency on the access network
architecture that otherwise would need to take care of merging link-
layer indications into the AA and policy decision process.
EAP signaling happens at a relatively early stage of network
attachment, so it is likely to match most requirements for
prioritization of emergency signaling. However, it does not cover
early stages of link layer activity in the network attachment
process. Possible conflicts may arise e.g. in case of MAC-based
filtering in entities terminating the link-layer signaling in the
network (like a base station). In normal operation, EAP related
information will only be recognized in the NAS. Any entity residing
between end host and NAS should not be expected to understand/parse
EAP messages.
The following potential methods to provide emergency indications in
combination with EAP-based network attachment, are recognized:
1) NAI-based emergency indication:
An emergency indication can be given by forming a specific NAI that
is used as the identity in EAP based authentication for network
entry. Methods include:
1.a) NAI Decoration: NAI decoration is commonly used in routing EAP
responses within the IAP/ISP AAA infrastructure. Additional
decoration can be used to add an indication that the network
attachment attempt is meant for accessing emergency services.
Potential advantages of such approach include that it requires only
minimal realization effort compared to link-layer indications with
good integration into the authentication and authorization
procedures. The same procedure can be used for all NAA cases (both
unauthenticated and unauthorized) as well as for normal attachment
with a valid subscription. A potential disadvantage is that such EAP
decoration is not globally defined across all different access
technologies.
1.b) Emergency NAI: The NAI comes with a realm or username part
indicating emergency (e.g. 'emergency@emergency.com'). An advantage
of this method for NAA cases is that no new requirements are put on
the involved signaling procedures. Only the identity used for
network entry is impacted. Potential disadvantages include that
different methods to indicate emergency for NAA cases and standard
emergency network attachments may be required. Also, modifying the
NAI itself (the username@realm part) may conflict with network
selection and network entry procedures, depending on the actual
access network.
2) Emergency EAP method
An emergency indication can be given by using a dedicated EAP method
that is reserved for emergency network attachment only.
2.a) Existing EAP method with new type: An existing EAP method may be
used. EAP methods themselves typically do not support emergency
indication. One option would be to pick a common EAP method like
EAP-TLS and allocate a new method type for the same method that is
exclusively reserved to emergency use. Such EAP method should be
chosen in a way that the same method can support NAA cases as well as
standard emergency network attachment.
2.b) Existing EAP method: Same as 2a), but without assigning a new
EAP method type for emergency. In this case some implicit indication
must be used. For example, in cases where EAP-TLS is used in network
attachment in combination with client certificates, the absence of a
client certificate could be interpreted by the network as a request
for emergency network attachment.
2.c) Emergency EAP method: A new EAP method could be defined that is
specifically designed for emergency network entry in NAA cases. Most
likely, such EAP method would not be usable for standard emergency
network attachment with an existing subscription. Such dedicated
emergency EAP method should be key-generating in compliance with
RFC3748 to enable the regular air interface security methods even in
unauthenticated operation.
6.3. Securing network attachment in NAA cases
For network attachment in NAA cases, it may make sense to secure the
link-layer connection between the device and the IAP/ISP. This
especially holds for wireless access with examples being based
access. The latter even mandates secured communication across the
wireless link for all IAP/ISP networks based on [nwgstg3].
Therefore, for network attachment that is by default based on EAP
authentication it is desirable also for NAA network attachment to use
a key-generating EAP method (that provides an MSK key to the
authenticator to bootstrap further key derivation for protecting the
wireless link).
The following approaches to match the above can be identified:
1) Server-only authentication: The device of the emergency service
requester performs an EAP method with the IAP/ISP EAP server that
performs server authentication only. An example for this is EAP-TLS.
This provides a certain level of assurance about the IAP/ISP to the
device user. It requires the device to be provisioned with
appropriate trusted root certificates to be able to verify the server
certificate of the EAP server (unless this step is explicitly skipped
in the device in case of an emergency service request).
2) Null authentication: an EAP method is performed. However, no Figure 2: Architectural Overview
credentials specific to either the server or the device or
subscription are used as part of the authentication exchange. An
example for this would be an EAP-TLS exchange with using the
TLS_DH_anon (anonymous) ciphersuite. Alternatively, a publicly
available static key for emergency access could be used. In the
latter case, the device would need to be provisioned with the
appropriate emergency key for the IAP/ISP in advance.
3) Device authentication: This case extends the server-only Note: Figure 2 does not indicate who runs the ESRP or the mapping
authentication case. If the device is configured with a device database. There are different options available.
certificate and the IAP/ISP EAP server can rely on a trusted root
allowing the EAP server to verify the device certificate, at least
the device identity (e.g. the MAC address) can be authenticated by
the IAP/ISP in NAA cases. An example for this are WiMAX devices that
are shipped with device certificates issued under the global WiMAX
device public-key infrastructure. To perform unauthenticated
emergency calls, if allowed by the IAP/ISP, such devices perform EAP-
TLS based network attachment with client authentication based on the
device certificate.
7. Profiles 5.1. End Host Profile
7.1. End Host Profile
7.1.1. LoST Server Discovery 5.1.1. LoST Server Discovery
The end host MAY attempt to use [I-D.ietf-ecrit-lost] to discover a The end host MAY attempt to use [RFC5222] to discover a LoST server.
LoST server. If that attempt fails, the end host SHOULD attempt to If that attempt fails, the end host SHOULD attempt to discover the
discover the address of an ESRP. address of an ESRP.
7.1.2. ESRP Discovery 5.1.2. ESRP Discovery
The end host only needs an ESRP when location configuration or LoST The end host only needs an ESRP when location configuration or LoST
server discovery fails. If that is the case, then the end host MUST server discovery fails. If that is the case, then the end host MUST
use the "Dynamic Host Configuration Protocol (DHCP-for-IPv4) Option use the "Dynamic Host Configuration Protocol (DHCP-for-IPv4) Option
for Session Initiation Protocol (SIP) Servers" [RFC3361] (for IPv6) for Session Initiation Protocol (SIP) Servers" [RFC3361] (for IPv6)
and / or the "Dynamic Host Configuration Protocol (DHCPv6) Options and / or the "Dynamic Host Configuration Protocol (DHCPv6) Options
for Session Initiation Protocol (SIP) Servers" [RFC3319] to discover for Session Initiation Protocol (SIP) Servers" [RFC3319] to discover
the address of an ESRP. This SIP proxy located in the ISP network the address of an ESRP. This SIP proxy located in the ISP network
will be used as the ESRP for routing emergency calls. There is no will be used as the ESRP for routing emergency calls. There is no
need to discovery a separate SIP proxy with specific emergency call need to discovery a separate SIP proxy with specific emergency call
functionality since the internal procedure for emergency call functionality since the internal procedure for emergency call
processing is subject of ISP internal operation. processing is subject of ISP internal operation.
7.1.3. Location Determination and Location Configuration 5.1.3. Location Determination and Location Configuration
The end host SHOULD attempt to use the supported LCPs to configure The end host SHOULD attempt to use the supported LCPs to configure
its location. If no LCP is supported in the end host or the location its location. If no LCP is supported in the end host or the location
configuration is not successful, then the end host MUST attempt to configuration is not successful, then the end host MUST attempt to
discover an ESRP, which would assist the end host in providing the discover an ESRP, which would assist the end host in providing the
location to the PSAP. location to the PSAP.
The SIP UA in the end host SHOULD attach the location information in The SIP UA in the end host MUST attach available location information
a PIDF-LO [RFC4119] when making an emergency call. When constructing in a PIDF-LO [RFC4119] when making an emergency call. When
the PIDF-LO the guidelines in PIDF-LO profile constructing the PIDF-LO the guidelines in PIDF-LO profile [RFC5491]
[I-D.ietf-geopriv-pdif-lo-profile] MUST be followed. For civic MUST be followed. For civic location information the format defined
location information the format defined in [RFC5139] MUST be in [RFC5139] MUST be supported.
supported.
7.1.4. Emergency Call Identification 5.1.4. Emergency Call Identification
To determine which calls are emergency calls, some entity needs to To determine which calls are emergency calls, some entity needs to
map a user entered dialstring into this URN scheme. A user may map a user entered dialstring into this URN scheme. A user may
"dial" 1-1-2, but the call would be sent to urn:service:sos. This "dial" 1-1-2, but the call would be sent to urn:service:sos. This
mapping SHOULD be performed at the endpoint device. mapping SHOULD be performed at the endpoint device.
End hosts MUST use the Service URN mechanism [RFC5031] to mark calls End hosts MUST use the Service URN mechanism [RFC5031] to mark calls
as emergency calls for their home emergency dial string (if known). as emergency calls for their home emergency dial string (if known).
For visited emergency dial string the translation into the Service For visited emergency dial string the translation into the Service
URN mechanism is not mandatory since the ESRP in the ISPs network URN mechanism is not mandatory since the ESRP in the ISPs network
knows the visited emergency dial strings. knows the visited emergency dial strings.
7.1.5. SIP Emergency Call Signaling 5.1.5. SIP Emergency Call Signaling
SIP signaling capabilities [RFC3261] are mandated for end hosts. SIP signaling capabilities [RFC3261] are mandated for end hosts.
The initial SIP signaling method is an INVITE. The SIP INVITE The initial SIP signaling method is an INVITE. The SIP INVITE
request MUST be constructed according to the requirements in Section request MUST be constructed according to the requirements in Section
9.2 [I-D.ietf-ecrit-phonebcp]. 9.2 [I-D.ietf-ecrit-phonebcp].
Regarding callback behavior SIP UAs MUST have a globally routable URI Regarding callback behavior SIP UAs MUST have a globally routable URI
in a Contact: header. in a Contact: header.
7.1.6. Media 5.1.6. Media
End points MUST comply with the media requirements for end points End points MUST comply with the media requirements for end points
placing an emergency call found in Section 14 of placing an emergency call found in Section 14 of
[I-D.ietf-ecrit-phonebcp]. [I-D.ietf-ecrit-phonebcp].
7.1.7. Testing 5.1.7. Testing
The description in Section 15 of [I-D.ietf-ecrit-phonebcp] is fully The description in Section 15 of [I-D.ietf-ecrit-phonebcp] is fully
applicable to this document. applicable to this document.
7.2. IAP/ISP Profile 5.2. IAP/ISP Profile
7.2.1. ESRP Discovery 5.2.1. ESRP Discovery
An ISP hosting an ESRP MUST implement the server side part of An ISP hosting an ESRP MUST implement the server side part of
"Dynamic Host Configuration Protocol (DHCP-for-IPv4) Option for "Dynamic Host Configuration Protocol (DHCP-for-IPv4) Option for
Session Initiation Protocol (SIP) Servers" [RFC3361] (for IPv4) and / Session Initiation Protocol (SIP) Servers" [RFC3361] (for IPv4) and /
or the "Dynamic Host Configuration Protocol (DHCPv6) Options for or the "Dynamic Host Configuration Protocol (DHCPv6) Options for
Session Initiation Protocol (SIP) Servers" [RFC3319]. Session Initiation Protocol (SIP) Servers" [RFC3319].
7.2.2. Location Determination and Location Configuration 5.2.2. Location Determination and Location Configuration
The ISP not hosting an ESRP MUST support at least one widely used
LCP. The ISP hosting an ESRP MUST perform the neccesary steps to
determine the location of the end host. It is not necessary to
standardize a specific mechanism.
The role of the ISP is to operate the LIS. The usage of HELD When receiving an INVITE message the following steps are done:
[I-D.ietf-geopriv-http-location-delivery] with the identity 1. If the INVITE message does not include location information the
extensions [I-D.ietf-geopriv-held-identity-extensions] may be a ESRP-registrar MUST use HELD identity
possible choice. It might be necessary for the ISP to talk to the [I-D.ietf-geopriv-held-identity-extensions] to obtain the
IAP in order to determine the location of the end host. The work on location of the device as both a location value and reference.
LIS-to-LIS communication may be relevant, see In order to contact the LIS the ESRP-registrar SHOULD determine
[I-D.winterbottom-geopriv-lis2lis-req]. the LIS address using the mechanism described in
[I-D.thomson-geopriv-res-gw-lis-discovery]. The ESRP-registrar
MAY use other methods for LIS determination where available.
2. If the INVITE message contains a location URI then the ESRP-
registrar MUST dereference it so that it has a location available
to route the impending emergency call. The ESRP-registrar MAY
validate the LIS address in the location URI with that of the LIS
serving the network from which the INVITE message originated.
3. The INVITE message contains location information by value. Any
actions performed by the ESRP-registrar to valid this information
are specific to the jurisdiction in which the ESRP operates and
are out of the scope of this document.
7.3. ESRP Profile 5.3. ESRP Profile
7.3.1. Emergency Call Routing 5.3.1. Emergency Call Routing
The ESRP must route the emergency call to the PSAP responsible for The ESRP must route the emergency call to the PSAP responsible for
the physical location of the end host. However, a standardized the physical location of the end host. However, a standardized
approach for determining the correct PSAP based on a given location approach for determining the correct PSAP based on a given location
is useful but not mandatory. is useful but not mandatory.
For cases where a standardized protocol is used LoST For cases where a standardized protocol is used LoST [RFC5222] is a
[I-D.ietf-ecrit-lost] is a suitable mechanism. suitable mechanism.
7.3.2. Emergency Call Identification 5.3.2. Emergency Call Identification
The ESRP MUST understand the Service URN mechanism [RFC5031] (i.e., The ESRP MUST understand the Service URN mechanism [RFC5031] (i.e.,
the 'urn:service:sos' tree) and additionally the national emergency the 'urn:service:sos' tree) and additionally the national emergency
dial strings. The ESRP SHOULD perform a mapping of national dial strings. The ESRP SHOULD perform a mapping of national
emergency dial strings to Service URNs to simplify processing at emergency dial strings to Service URNs to simplify processing at
PSAPs. PSAPs.
7.3.3. SIP Emergency Call Signaling 5.3.3. SIP Emergency Call Signaling
SIP signaling capabilities [RFC3261] are mandated for the ESRP. The SIP signaling capabilities [RFC3261] are mandated for the ESRP. The
ESRP MUST process the messages sent by the client, according to ESRP MUST process the messages sent by the client, according to
Section 7.1.5. Furthermore, the ESRP MUST be able to add a reference Section 5.1.5. Furthermore, the ESRP MUST be able to add a reference
to location information, as described in SIP Location Conveyance to location information, as described in SIP Location Conveyance
[I-D.ietf-sip-location-conveyance], before forwarding the call to the [I-D.ietf-sipcore-location-conveyance], before forwarding the call to
PSAP. The ISP MUST be prepared to receive incoming dereferencing the PSAP. The ISP MUST be prepared to receive incoming dereferencing
requests to resolve the reference to the location information. requests to resolve the reference to the location information.
7.3.4. Location Retrieval 5.3.4. Location Retrieval
The ESRP acts a location recipient and the usage of HELD The ESRP acts a location recipient and the usage of HELD [RFC5985]
[I-D.ietf-geopriv-http-location-delivery] with the identity with the identity extensions
extensions [I-D.ietf-geopriv-held-identity-extensions] may be a [I-D.ietf-geopriv-held-identity-extensions] may be a possible choice.
possible choice. The ESRP would thereby act as a HELD client and the The ESRP would thereby act as a HELD client and the corresponding LIS
corresponding LIS at the ISP as the HELD server. at the ISP as the HELD server.
The ESRP needs to obtain enough information to route the call. The The ESRP needs to obtain enough information to route the call. The
ESRP itself, however, does not necessarily need to process location ESRP itself, however, does not necessarily need to process location
information obtained via HELD since it may be used as input to LoST information obtained via HELD since it may be used as input to LoST
to obtain the PSAP URI. to obtain the PSAP URI.
8. Security Considerations 6. Lower Layer Considerations for NAA Case
The security threats discussed in [RFC5069] are applicable to this Some radio networks have added support for unauthenticated emergency
document. A number of security vulnerabilities discussed in access, some other type of networks advertise these capabilities
using layer beacons. The end host learns about these unauthenticated
emergency services capabilities either from the link layer type or
from advertisement.
[I-D.ietf-geopriv-arch] around faked location information are less This section discusses different methods to indicate an emergency
problematic in this case since location information does not need to service request as part of network attachment. It provides some
be provided by the end host itself or it can be verified to fall general considerations and recommendations that are not specific to
within a specific geographical area. the access technology.
To perform network attachment and get access to the resources
provided by an IAP/ISP, the end host uses access technology specific
network attachment procedures, including for example network
detection and selection, authentication, and authorization. For
initial network attachment of an emergency service requester, the
method of how the emergency indication is given to the IAP/ISP is
specific to the access technology. However, a number of general
approaches can be identified:
Link layer emergency indication: The end host provides an
indication, e.g. an emergency parameter or flag, as part of the
link layer signaling for initial network attachment. Examples
include an emergency bit signalled in the IEEE 802.16-2009
wireless link. signalling allows an IEEE 802.1X to occur without
exchanging cryptogrpahic keys.
Higher-layer emergency indication: Typically emergency indication in
access authentication. The emergency caller's end host provides
an indication as part of the access authentication exchanges. EAP
based authentication is of particular relevance here. [nwgstg3].
6.1. Link Layer Emergency Indication
In general, link layer emergency indications provide good integration
into the actual network access procedure regarding the enabling of
means to recognize and prioritize an emergency service request from
an end host at a very early stage of the network attachment
procedure. However, support in end hosts for such methods cannot be
considered to be commonly available.
No general recommendations are given in the scope of this memo due to
the following reasons:
o Dependency on the specific access technology.
o Dependency on the specific access network architecture. Access
authorization and policy decisions typically happen at a different
layers of the protocol stack and in different entities than those
terminating the link-layer signaling. As a result, link layer
indications need to be distributed and translated between the
different involved protocol layers and entities. Appropriate
methods are specific to the actual architecture of the IAP/ISP
network.
6.2. Higher-Layer Emergency Indication
This section focuses on emergency indications based on authentication
and authorization in EAP-based network access.
An advantage of combining emergency indications with the actual
network attachment procedure performing authentication and
authorization is the fact that the emergency indication can directly
be taken into account in the authentication and authorization server
that owns the policy for granting access to the network resources.
As a result, there is no direct dependency on the access network
architecture that otherwise would need to take care of merging link-
layer indications into the AA and policy decision process.
EAP signaling happens at a relatively early stage of network
attachment, so it is likely to match most requirements for
prioritization of emergency signaling. However, it does not cover
early stages of link layer activity in the network attachment
process. Possible conflicts may arise e.g. in case of MAC-based
filtering in entities terminating the link-layer signaling in the
network (like a base station). In normal operation, EAP related
information will only be recognized in the NAS. Any entity residing
between end host and NAS should not be expected to understand/parse
EAP messages.
The following potential methods to provide emergency indications in
combination with EAP-based network attachment, are recognized:
1. NAI-based emergency indication:
An emergency indication can be given by forming a specific NAI
that is used as the identity in EAP based authentication for
network entry. Methods include:
2.
1.a) NAI Decoration:
NAI decoration is commonly used in routing EAP responses
within the IAP/ISP AAA infrastructure. Additional decoration
can be used to add an indication that the network attachment
attempt is meant for accessing emergency services. Potential
advantages of such approach include that it requires only
minimal realization effort compared to link-layer indications
with good integration into the authentication and
authorization procedures. The same procedure can be used for
all NAA cases (both unauthenticated and unauthorized) as well
as for normal attachment with a valid subscription. A
potential disadvantage is that such EAP decoration is not
globally defined across all different access technologies.
1.b) Emergency NAI:
The NAI comes with a realm or username part indicating
emergency (e.g. 'emergency@emergency.com'). An advantage of
this method for NAA cases is that no new requirements are put
on the involved signaling procedures. Only the identity used
for network entry is impacted. Potential disadvantages
include that different methods to indicate emergency for NAA
cases and standard emergency network attachments may be
required. Also, modifying the NAI itself (the username@realm
part) may conflict with network selection and network entry
procedures, depending on the actual access network.
3. Emergency EAP method
An emergency indication can be given by using a dedicated EAP
method that is reserved for emergency network attachment only.
2.a) Existing EAP method with New Method Type:
An existing EAP method may be used. EAP methods themselves
typically do not support emergency indication. One option
would be to pick a common EAP method like EAP-TLS and allocate
a new method type for the same method that is exclusively
reserved to emergency use. Such EAP method should be chosen
in a way that the same method can support NAA cases as well as
standard emergency network attachment.
2.b) Existing EAP Method:
Same as 2a), but without assigning a new EAP method type for
emergency. In this case some implicit indication must be
used. For example, in cases where EAP-TLS is used in network
attachment in combination with client certificates, the
absence of a client certificate could be interpreted by the
network as a request for emergency network attachment.
2.c) Emergency EAP Method:
A new EAP method could be defined that is specifically
designed for emergency network entry in NAA cases. Most
likely, such EAP method would not be usable for standard
emergency network attachment with an existing subscription.
Such dedicated emergency EAP method should be key-generating
in compliance with RFC3748 to enable the regular air interface
security methods even in unauthenticated operation.
6.3. Securing Network Attachment in NAA Cases
For network attachment in NAA cases, it may make sense to secure the
link-layer connection between the device and the IAP/ISP. This
especially holds for wireless access with examples being based
access. The latter even mandates secured communication across the
wireless link for all IAP/ISP networks based on [nwgstg3].
Therefore, for network attachment that is by default based on EAP
authentication it is desirable also for NAA network attachment to use
a key-generating EAP method (that provides an MSK key to the
authenticator to bootstrap further key derivation for protecting the
wireless link).
The following approaches to match the above can be identified:
1) Server-only Authentication:
The device of the emergency service requester performs an EAP
method with the IAP/ISP EAP server that performs server
authentication only. An example for this is EAP-TLS. This
provides a certain level of assurance about the IAP/ISP to the
device user. It requires the device to be provisioned with
appropriate trusted root certificates to be able to verify the
server certificate of the EAP server (unless this step is
explicitly skipped in the device in case of an emergency service
request).
2) Null Authentication:
an EAP method is performed. However, no credentials specific to
either the server or the device or subscription are used as part
of the authentication exchange. An example for this would be an
EAP-TLS exchange with using the TLS_DH_anon (anonymous)
ciphersuite. Alternatively, a publicly available static key for
emergency access could be used. In the latter case, the device
would need to be provisioned with the appropriate emergency key
for the IAP/ISP in advance.
3) Device Authentication:
This case extends the server-only authentication case. If the
device is configured with a device certificate and the IAP/ISP EAP
server can rely on a trusted root allowing the EAP server to
verify the device certificate, at least the device identity (e.g.,
the MAC address) can be authenticated by the IAP/ISP in NAA cases.
An example for this are WiMAX devices that are shipped with device
certificates issued under the global WiMAX device public-key
infrastructure. To perform unauthenticated emergency calls, if
allowed by the IAP/ISP, such devices perform EAP-TLS based network
attachment with client authentication based on the device
certificate.
7. Security Considerations
The security threats discussed in [RFC5069] are applicable to this
document.
There are a couple of new vulnerabilities raised with unauthenticated There are a couple of new vulnerabilities raised with unauthenticated
emergency services since the PSAP operator does is not in possession emergency services in NASP/NAA cases since the PSAP operator will
of any identity information about the emergency call via the typically not possess any identity information about the emergency
signaling path itself. In countries where this functionality is used call via the signaling path itself. In countries where this
for GSM networks today this has lead to a significant amount of functionality is used for GSM networks today this has lead to a
misuse. significant amount of misuse.
The link layer mechanisms need to provide a special way of handling In the context of NAA, the IAP and the ISP will probably want to make
unauthenticated emergency services. Although this subject is not a sure that the claimed emergency caller indeed performs an emergency
topic for the IETF itself but there are at least a few high-level call rather than using the network for other purposes, and thereby
assumptions that may need to be collected. This includes security acting fraudulent by skipping any authentication, authorization and
features that may be desirable. accounting procedures. By restricting access of the unauthenticated
emergency caller to the LoST server and the PSAP URI, traffic can be
restricted only to emergency calls. This can be accomplished with
traffic separation. The details, however, e.g. for using filtering,
depend on the deployed ISP architecture and are beyond the scope of
this document.
9. Acknowledgments We only illustrate a possible model. If the ISP runs its own LoST
server, it would maintain an access control list including all IP
addresses contained in responses returned by the LoST server, as well
as the LoST server itself. (It may need to translate the domain
names returned to IP addresses and hope that the resolution captures
all possible DNS responses.) Since the media destination addresses
are not predictable, the ISP also has to provide a SIP outbound proxy
so that it can determine the media addresses and add those to the
filter list.
Section 6 of this document is derived from [I-D.ietf-ecrit-phonebcp]. For the ZBP case the additional aspect of fraud has to be considered.
The WiMax Forum contributed parts of the terminology. Participants Unless the emergency call traverses a PSTN gateway or the ASP charges
of the 2nd and 3rd SDO Emergency Services Workshop provided helpful for IP-to-IP calls, there is little potential for fraud. If the ASP
input. also operates the LoST server, the outbound proxy MAY restrict
outbound calls to the SIP URIs returned by the LoST server. It is
NOT RECOMMENDED to rely on a fixed list of SIP URIs, as that list may
change.
10. IANA Considerations Finally, a number of security vulnerabilities discussed in
[I-D.ietf-geopriv-arch] around faked location information are less
problematic in the context of unauthenticated emergency since
location information does not need to be provided by the end host
itself or it can be verified to fall within a specific geographical
area.
8. Acknowledgments
Parts of this document are derived from [I-D.ietf-ecrit-phonebcp].
Participants of the 2nd and 3rd SDO Emergency Services Workshop
provided helpful input.
9. IANA Considerations
This document does not require actions by IANA. This document does not require actions by IANA.
11. References 10. References
11.1. Normative References 10.1. Normative References
[I-D.ietf-sip-location-conveyance] [I-D.ietf-sipcore-location-conveyance]
Polk, J. and B. Rosen, "Location Conveyance for the Polk, J., Rosen, B., and J. Peterson, "Location Conveyance
Session Initiation Protocol", for the Session Initiation Protocol",
draft-ietf-sip-location-conveyance-13 (work in progress), draft-ietf-sipcore-location-conveyance-03 (work in
March 2009. progress), July 2010.
[RFC5031] Schulzrinne, H., "A Uniform Resource Name (URN) for [RFC5031] Schulzrinne, H., "A Uniform Resource Name (URN) for
Emergency and Other Well-Known Services", RFC 5031, Emergency and Other Well-Known Services", RFC 5031,
January 2008. January 2008.
[RFC4119] Peterson, J., "A Presence-based GEOPRIV Location Object [RFC4119] Peterson, J., "A Presence-based GEOPRIV Location Object
Format", RFC 4119, December 2005. Format", RFC 4119, December 2005.
[I-D.ietf-geopriv-pdif-lo-profile] [RFC5491] Winterbottom, J., Thomson, M., and H. Tschofenig, "GEOPRIV
Winterbottom, J., Thomson, M., and H. Tschofenig, "GEOPRIV Presence Information Data Format Location Object (PIDF-LO)
PIDF-LO Usage Clarification, Considerations and Usage Clarification, Considerations, and Recommendations",
Recommendations", draft-ietf-geopriv-pdif-lo-profile-14 RFC 5491, March 2009.
(work in progress), November 2008.
[RFC5139] Thomson, M. and J. Winterbottom, "Revised Civic Location [RFC5139] Thomson, M. and J. Winterbottom, "Revised Civic Location
Format for Presence Information Data Format Location Format for Presence Information Data Format Location
Object (PIDF-LO)", RFC 5139, February 2008. Object (PIDF-LO)", RFC 5139, February 2008.
[RFC3361] Schulzrinne, H., "Dynamic Host Configuration Protocol [RFC3361] Schulzrinne, H., "Dynamic Host Configuration Protocol
(DHCP-for-IPv4) Option for Session Initiation Protocol (DHCP-for-IPv4) Option for Session Initiation Protocol
(SIP) Servers", RFC 3361, August 2002. (SIP) Servers", RFC 3361, August 2002.
[RFC3319] Schulzrinne, H. and B. Volz, "Dynamic Host Configuration [RFC3319] Schulzrinne, H. and B. Volz, "Dynamic Host Configuration
skipping to change at page 20, line 46 skipping to change at page 20, line 45
[RFC5222] Hardie, T., Newton, A., Schulzrinne, H., and H. [RFC5222] Hardie, T., Newton, A., Schulzrinne, H., and H.
Tschofenig, "LoST: A Location-to-Service Translation Tschofenig, "LoST: A Location-to-Service Translation
Protocol", RFC 5222, August 2008. Protocol", RFC 5222, August 2008.
[RFC5223] Schulzrinne, H., Polk, J., and H. Tschofenig, "Discovering [RFC5223] Schulzrinne, H., Polk, J., and H. Tschofenig, "Discovering
Location-to-Service Translation (LoST) Servers Using the Location-to-Service Translation (LoST) Servers Using the
Dynamic Host Configuration Protocol (DHCP)", RFC 5223, Dynamic Host Configuration Protocol (DHCP)", RFC 5223,
August 2008. August 2008.
11.2. Informative References 10.2. Informative References
[I-D.ietf-ecrit-lost]
Hardie, T., Newton, A., Schulzrinne, H., and H.
Tschofenig, "LoST: A Location-to-Service Translation
Protocol", draft-ietf-ecrit-lost-10 (work in progress),
May 2008.
[I-D.ietf-geopriv-l7-lcp-ps] [RFC5687] Tschofenig, H. and H. Schulzrinne, "GEOPRIV Layer 7
Tschofenig, H. and H. Schulzrinne, "GEOPRIV Layer 7 Location Configuration Protocol: Problem Statement and
Location Configuration Protocol; Problem Statement and Requirements", RFC 5687, March 2010.
Requirements", draft-ietf-geopriv-l7-lcp-ps-10 (work in
progress), July 2009.
[I-D.ietf-ecrit-framework] [I-D.ietf-ecrit-framework]
Rosen, B., Schulzrinne, H., Polk, J., and A. Newton, Rosen, B., Schulzrinne, H., Polk, J., and A. Newton,
"Framework for Emergency Calling using Internet "Framework for Emergency Calling using Internet
Multimedia", draft-ietf-ecrit-framework-11 (work in Multimedia", draft-ietf-ecrit-framework-11 (work in
progress), July 2010. progress), July 2010.
[I-D.ietf-geopriv-http-location-delivery] [I-D.thomson-geopriv-res-gw-lis-discovery]
Barnes, M., Winterbottom, J., Thomson, M., and B. Stark, Thomson, M. and R. Bellis, "Location Information Server
"HTTP Enabled Location Delivery (HELD)", (LIS) Discovery using IP address and Reverse DNS",
draft-ietf-geopriv-http-location-delivery-16 (work in draft-thomson-geopriv-res-gw-lis-discovery-04 (work in
progress), August 2009. progress), September 2010.
[RFC5985] Barnes, M., "HTTP-Enabled Location Delivery (HELD)",
RFC 5985, September 2010.
[RFC5012] Schulzrinne, H. and R. Marshall, "Requirements for [RFC5012] Schulzrinne, H. and R. Marshall, "Requirements for
Emergency Context Resolution with Internet Technologies", Emergency Context Resolution with Internet Technologies",
RFC 5012, January 2008. RFC 5012, January 2008.
[I-D.ietf-geopriv-held-identity-extensions] [I-D.ietf-geopriv-held-identity-extensions]
Winterbottom, J., Thomson, M., Tschofenig, H., and R. Winterbottom, J., Thomson, M., Tschofenig, H., and R.
Barnes, "Use of Device Identity in HTTP-Enabled Location Barnes, "Use of Device Identity in HTTP-Enabled Location
Delivery (HELD)", Delivery (HELD)",
draft-ietf-geopriv-held-identity-extensions-04 (work in draft-ietf-geopriv-held-identity-extensions-05 (work in
progress), June 2010. progress), October 2010.
[I-D.winterbottom-geopriv-lis2lis-req] [I-D.winterbottom-geopriv-lis2lis-req]
Winterbottom, J. and S. Norreys, "LIS to LIS Protocol Winterbottom, J. and S. Norreys, "LIS to LIS Protocol
Requirements", draft-winterbottom-geopriv-lis2lis-req-01 Requirements", draft-winterbottom-geopriv-lis2lis-req-01
(work in progress), November 2007. (work in progress), November 2007.
[RFC5069] Taylor, T., Tschofenig, H., Schulzrinne, H., and M. [RFC5069] Taylor, T., Tschofenig, H., Schulzrinne, H., and M.
Shanmugam, "Security Threats and Requirements for Shanmugam, "Security Threats and Requirements for
Emergency Call Marking and Mapping", RFC 5069, Emergency Call Marking and Mapping", RFC 5069,
January 2008. January 2008.
[I-D.ietf-geopriv-arch] [I-D.ietf-geopriv-arch]
Barnes, R., Lepinski, M., Cooper, A., Morris, J., Barnes, R., Lepinski, M., Cooper, A., Morris, J.,
Tschofenig, H., and H. Schulzrinne, "An Architecture for Tschofenig, H., and H. Schulzrinne, "An Architecture for
Location and Location Privacy in Internet Applications", Location and Location Privacy in Internet Applications",
draft-ietf-geopriv-arch-02 (work in progress), May 2010. draft-ietf-geopriv-arch-03 (work in progress),
October 2010.
[esw07] "3rd SDO Emergency Services Workshop, [esw07] "3rd SDO Emergency Services Workshop,
http://www.emergency-services-coordination.info/2007Nov/", http://www.emergency-services-coordination.info/2007Nov/",
October 30th - November 1st 2007. October 30th - November 1st 2007.
[nwgstg3] "WiMAX Forum WMF-T33-001-R015V01, WiMAX Network [nwgstg3] "WiMAX Forum WMF-T33-001-R015V01, WiMAX Network
Architecture Stage-3 Architecture Stage-3
http://www.wimaxforum.org/sites/wimaxforum.org/files/ tech http://www.wimaxforum.org/sites/wimaxforum.org/files/ tech
nical_document/2009/09/ nical_document/2009/09/
DRAFT-T33-001-R015v01-O_Network-Stage3-Base.pdf", DRAFT-T33-001-R015v01-O_Network-Stage3-Base.pdf",
 End of changes. 81 change blocks. 
569 lines changed or deleted 578 lines changed or added

This html diff was produced by rfcdiff 1.40. The latest version is available from http://tools.ietf.org/tools/rfcdiff/