--- 1/draft-ietf-ecrit-unauthenticated-access-01.txt 2011-03-29 21:16:20.000000000 +0200 +++ 2/draft-ietf-ecrit-unauthenticated-access-02.txt 2011-03-29 21:16:20.000000000 +0200 @@ -1,25 +1,26 @@ ECRIT H. Schulzrinne Internet-Draft Columbia University Intended status: Standards Track S. McCann -Expires: April 28, 2011 Research in Motion UK Ltd +Expires: September 30, 2011 Research in Motion UK Ltd G. Bajko Nokia H. Tschofenig - D. Kroeselberg Nokia Siemens Networks - October 25, 2010 + D. Kroeselberg + Siemens + March 29, 2011 Extensions to the Emergency Services Architecture for dealing with Unauthenticated and Unauthorized Devices - draft-ietf-ecrit-unauthenticated-access-01.txt + draft-ietf-ecrit-unauthenticated-access-02.txt Abstract The IETF emergency services architecture assumes that the calling device has acquired rights to use the access network or that no authentication is required for the access network, such as for public wireless access points. Subsequent protocol interactions, such as obtaining location information, learning the address of the Public Safety Answering Point (PSAP) and the emergency call itself are largely decoupled from the underlying network access procedures. @@ -41,71 +42,69 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on April 28, 2011. + This Internet-Draft will expire on September 30, 2011. Copyright Notice - Copyright (c) 2010 IETF Trust and the persons identified as the + Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 - 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 6 - 3. Use Case Categories . . . . . . . . . . . . . . . . . . . . . 6 - 4. ZBP Considerations . . . . . . . . . . . . . . . . . . . . . . 8 - 5. NASP Considerations . . . . . . . . . . . . . . . . . . . . . 9 - 5.1. End Host Profile . . . . . . . . . . . . . . . . . . . . . 11 - 5.1.1. LoST Server Discovery . . . . . . . . . . . . . . . . 11 - 5.1.2. ESRP Discovery . . . . . . . . . . . . . . . . . . . . 11 - 5.1.3. Location Determination and Location Configuration . . 11 - 5.1.4. Emergency Call Identification . . . . . . . . . . . . 11 - 5.1.5. SIP Emergency Call Signaling . . . . . . . . . . . . . 12 - 5.1.6. Media . . . . . . . . . . . . . . . . . . . . . . . . 12 - 5.1.7. Testing . . . . . . . . . . . . . . . . . . . . . . . 12 - 5.2. IAP/ISP Profile . . . . . . . . . . . . . . . . . . . . . 12 - 5.2.1. ESRP Discovery . . . . . . . . . . . . . . . . . . . . 12 - 5.2.2. Location Determination and Location Configuration . . 12 - 5.3. ESRP Profile . . . . . . . . . . . . . . . . . . . . . . . 13 - 5.3.1. Emergency Call Routing . . . . . . . . . . . . . . . . 13 - 5.3.2. Emergency Call Identification . . . . . . . . . . . . 13 - 5.3.3. SIP Emergency Call Signaling . . . . . . . . . . . . . 13 - 5.3.4. Location Retrieval . . . . . . . . . . . . . . . . . . 13 - 6. Lower Layer Considerations for NAA Case . . . . . . . . . . . 14 - 6.1. Link Layer Emergency Indication . . . . . . . . . . . . . 14 - 6.2. Higher-Layer Emergency Indication . . . . . . . . . . . . 15 - 6.3. Securing Network Attachment in NAA Cases . . . . . . . . . 17 - 7. Security Considerations . . . . . . . . . . . . . . . . . . . 18 - 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 19 - 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 - 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19 - 10.1. Normative References . . . . . . . . . . . . . . . . . . . 19 - 10.2. Informative References . . . . . . . . . . . . . . . . . . 20 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 22 + 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 7 + 3. Use Case Categories . . . . . . . . . . . . . . . . . . . . . 8 + 4. ZBP Considerations . . . . . . . . . . . . . . . . . . . . . . 10 + 5. NASP Considerations . . . . . . . . . . . . . . . . . . . . . 11 + 5.1. End Host Profile . . . . . . . . . . . . . . . . . . . . . 13 + 5.1.1. LoST Server Discovery . . . . . . . . . . . . . . . . 13 + 5.1.2. ESRP Discovery . . . . . . . . . . . . . . . . . . . . 13 + 5.1.3. Location Determination and Location Configuration . . 13 + 5.1.4. Emergency Call Identification . . . . . . . . . . . . 13 + 5.1.5. SIP Emergency Call Signaling . . . . . . . . . . . . . 13 + 5.1.6. Media . . . . . . . . . . . . . . . . . . . . . . . . 14 + 5.1.7. Testing . . . . . . . . . . . . . . . . . . . . . . . 14 + 5.2. IAP/ISP Profile . . . . . . . . . . . . . . . . . . . . . 14 + 5.2.1. ESRP Discovery . . . . . . . . . . . . . . . . . . . . 14 + 5.2.2. Location Determination and Location Configuration . . 14 + 5.3. ESRP Profile . . . . . . . . . . . . . . . . . . . . . . . 14 + 5.3.1. Emergency Call Routing . . . . . . . . . . . . . . . . 14 + 5.3.2. Emergency Call Identification . . . . . . . . . . . . 14 + 5.3.3. SIP Emergency Call Signaling . . . . . . . . . . . . . 15 + 6. Lower Layer Considerations for NAA Case . . . . . . . . . . . 16 + 6.1. Link Layer Emergency Indication . . . . . . . . . . . . . 16 + 6.2. Securing Network Attachment in NAA Cases . . . . . . . . . 17 + 7. Security Considerations . . . . . . . . . . . . . . . . . . . 20 + 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 21 + 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 + 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 23 + 10.1. Normative References . . . . . . . . . . . . . . . . . . . 23 + 10.2. Informative References . . . . . . . . . . . . . . . . . . 23 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 26 1. Introduction Summoning police, the fire department or an ambulance in emergencies is one of the fundamental and most-valued functions of the telephone. As telephone functionality moves from circuit-switched telephony to Internet telephony, its users rightfully expect that this core functionality will continue to work at least as well as it has for the older technology. New devices and services are being made available that could be used to make a request for help, which are @@ -224,26 +223,25 @@ advertise these capabilities using layer beacons. The end host learns about these unauthenticated emergency services capabilities either from the link layer type or from advertisement. The end host uses the link layer specific network attachment procedures defined for unauthenticated network access in order to get access to the network. Pre-Emergency Service Configuration: When the link layer network attachment procedure is completed the end host learns basic - configuration information using DHCP from the ISP, including the - address of the LoST server. The end host uses a Location - Configuration Protocol (LCP) to retrieve location information. - Subsequently, the LoST protocol [RFC5222] is used to learn the - relevant emergency numbers, and to obtain the PSAP URI applicable - for that location. + configuration information using DHCP from the ISP. The end host + uses a Location Configuration Protocol (LCP) to retrieve location + information. Subsequently, the LoST protocol [RFC5222] is used to + learn the relevant emergency numbers, and to obtain the PSAP URI + applicable for that location. Emergency Call: In case of need for help, a user dials an emergency number and the SIP UA initiates the emergency call procedures by communicating with the PSAP. Figure 1 compiles the basic logic taking place during network entry for requesting an emergency service and shows the interrelation between the three conditions described in the above section. +-----Y @@ -333,252 +331,200 @@ ASP policy and deployment, and is therefore beyond the scope of this document. 5. NASP Considerations To start the description we consider the sequence of steps that are executed in an emergency call based on Figure 2. o As an initial step the devices attaches to the network as shown in step (1). This step is outside the scope of this section. + o When the link layer network attachment procedure is completed the end host learns basic configuration information using DHCP from - the ISP, including the address of the ESRP, as shown in step (2). - o When the IP address configuration is completed then the SIP UA - initiates a SIP INVITE towards the indicated ESRP, as shown in - (3). The INVITE message contains all the necessary parameters - required by Section 5.1.5. + the ISP, as shown in step (2). + + o When the IP address configuration is completed then the end host + starts an interaction with the discovered Location Configuration + Server at the ISP, as shown in step (3). The ISP may in certain + deployments need to interact with the IAP. This protocol exchange + is shown in step (4). + + o Once location information is obtained the end host triggers the + LoST protocol to obtain the address of the ESRP/PSAP. This step + is shown in (5). + + o In step (6), the SIP UA initiates a SIP INVITE towards the + indicated ESRP. The INVITE message contains all the necessary + parameters required by Section 5.1.5. + o The ESRP receives the INVITE and processes it according to the - description in Section 5.3.3. The location of the end host may - need to be determined using a protocol interaction shown in (4). - o Potentially, an interaction between the LCS of the ISP and the LCS - of the IAP may be necessary, see (5). - o Finally, the correct PSAP for the location of the end host has to - be evaluated, see (6). - o The ESRP routes the call to the PSAP, as shown in (7). + description in Section 5.3.3. + + o The ESRP routes the call to the PSAP, as shown in (8), potentially + interacting with a LoST server first to determine the route. + o The PSAP evaluates the initial INVITE and aims to complete the call setup. + o Finally, when the call setup is completed media traffic can be - exchanged between the PSAP and the emergency caller. + exchanged between the PSAP and the SIP UA. For editorial reasons the end-to-end SIP and media exchange between the PSAP and SIP UA are not shown in Figure 2. - Two important aspects are worth to highlight: - - o The IAP/ISP needs to understand the concept of emergency calls or - other emergency applicationsand the SIP profile described in this - document. No other VoIP protocol profile, such as XMPP, Skype, - etc., are supported for emergency calls in this particular - architecture. Other profiles may be added in the future, but the - deployment effort is enormous since they have to be universally - deployed. - o The end host has no obligation to determine location information. - It may attach location information if it has location available - (e.g., from a GPS receiver). - - Figure 2 shows that the ISP needs to deploy SIP-based emergency - services functionality. It is important to note that the ISP itself - may outsource the functionality by simply providing access to them - (e.g., it puts the IP address of an ESRP or a LoST server into an - allow-list). For editorial reasons this outsourcing is not shown. - - +-------+ +-------+ - | PSAP | (7) | ESRP | - | |<----->| | - +-------+ +-------+ + +-------+ + | PSAP | + | | + +-------+ ^ - | (7) - v - +----------+ (6) +----------+ - | Mapping |<----->| ESRP | - | Database | | |<-+ - +----------+ +----------+ | - ^ | - +------------------------|--------|--------------+ + | (8) + | + +----------+(7) +----------+ + | LoST |<-->| ESRP | + | Server | | | + +----------+ +----------+ + ^ ^ + +----------------+----------------|--------------+ | ISP | | | |+----------+ | | +----------+| - || LCS-ISP | | | | DHCP || - || |<-----------+ | | Server || - |+----------+ (4) | +----------+| - +-------^-------------------------|-----------^--+ - +-------|-------------------------|-----------|--+ - | IAP | (5) | | | - | V | | | - |+----------+ | | | - || LCS-IAP | +--------+ | | | - || | | Link | |(3) | | - |+----------+ | Layer | | | | - | | Device | | (2)| | - | +--------+ | | | - | ^ | | | + || LCS-ISP | (3)| | | DHCP || + || |<-+ | | | Server || + |+----------+ | | | +----------+| + +-------^------+-+----------------|-----------^--+ + +-------|------+-+----------------|-----------|--+ + | IAP | (4) | |(5) | | | + | V | | | | | + |+----------+ | | | | | + || LCS-IAP | | | +--------+ | | | + || | | | | Link | |(6) | | + |+----------+ | | | Layer | | | | + | | | | Device | | (2)| | + | | | +--------+ | | | + | | | ^ | | | + | | | | | | | + +--------------+-|-------|--------|-----------|--+ | | | | | - +------------------------|--------|-----------|--+ - | | | - (1)| | | - | | | - | +----+ | - v v | - +----------+ | - | End |<-------------+ - | Host | + | | (1)| | | + | | | | | + | | | +----+ | + | | v | | + | | +----------+ | + | +->| End |<-------------+ + +___>| Host | +----------+ Figure 2: Architectural Overview - Note: Figure 2 does not indicate who runs the ESRP or the mapping - database. There are different options available. + Note: Figure 2 does not indicate who operates the ESRP and the LoST + server. Various deployment options exist. 5.1. End Host Profile 5.1.1. LoST Server Discovery - The end host MAY attempt to use [RFC5222] to discover a LoST server. - If that attempt fails, the end host SHOULD attempt to discover the - address of an ESRP. + The end host MUST discover a LoST server [RFC5222] using DHCP + [RFC5223]. 5.1.2. ESRP Discovery - The end host only needs an ESRP when location configuration or LoST - server discovery fails. If that is the case, then the end host MUST - use the "Dynamic Host Configuration Protocol (DHCP-for-IPv4) Option - for Session Initiation Protocol (SIP) Servers" [RFC3361] (for IPv6) - and / or the "Dynamic Host Configuration Protocol (DHCPv6) Options - for Session Initiation Protocol (SIP) Servers" [RFC3319] to discover - the address of an ESRP. This SIP proxy located in the ISP network - will be used as the ESRP for routing emergency calls. There is no - need to discovery a separate SIP proxy with specific emergency call - functionality since the internal procedure for emergency call - processing is subject of ISP internal operation. + The end host MUST discover the ESRP using the LoST protocol + [RFC5222]. 5.1.3. Location Determination and Location Configuration - The end host SHOULD attempt to use the supported LCPs to configure - its location. If no LCP is supported in the end host or the location - configuration is not successful, then the end host MUST attempt to - discover an ESRP, which would assist the end host in providing the - location to the PSAP. + The end host MUST support location acquisition and the LCPs described + in Section 6.5 of [I-D.ietf-ecrit-phonebcp]. The description in + Section 6.5 and 6.6 of [I-D.ietf-ecrit-phonebcp] regarding the + interaction between the device and the LIS applies to this document. The SIP UA in the end host MUST attach available location information in a PIDF-LO [RFC4119] when making an emergency call. When constructing the PIDF-LO the guidelines in PIDF-LO profile [RFC5491] MUST be followed. For civic location information the format defined in [RFC5139] MUST be supported. 5.1.4. Emergency Call Identification To determine which calls are emergency calls, some entity needs to map a user entered dialstring into this URN scheme. A user may "dial" 1-1-2, but the call would be sent to urn:service:sos. This mapping SHOULD be performed at the endpoint device. End hosts MUST use the Service URN mechanism [RFC5031] to mark calls - as emergency calls for their home emergency dial string (if known). - For visited emergency dial string the translation into the Service - URN mechanism is not mandatory since the ESRP in the ISPs network - knows the visited emergency dial strings. + as emergency calls for their home emergency dial string. 5.1.5. SIP Emergency Call Signaling SIP signaling capabilities [RFC3261] are mandated for end hosts. The initial SIP signaling method is an INVITE. The SIP INVITE request MUST be constructed according to the requirements in Section 9.2 [I-D.ietf-ecrit-phonebcp]. - Regarding callback behavior SIP UAs MUST have a globally routable URI - in a Contact: header. + Regarding callback behavior SIP UAs SHOULD place a globally routable + URI in a Contact: header. 5.1.6. Media End points MUST comply with the media requirements for end points placing an emergency call found in Section 14 of [I-D.ietf-ecrit-phonebcp]. 5.1.7. Testing The description in Section 15 of [I-D.ietf-ecrit-phonebcp] is fully applicable to this document. 5.2. IAP/ISP Profile 5.2.1. ESRP Discovery - An ISP hosting an ESRP MUST implement the server side part of - "Dynamic Host Configuration Protocol (DHCP-for-IPv4) Option for - Session Initiation Protocol (SIP) Servers" [RFC3361] (for IPv4) and / - or the "Dynamic Host Configuration Protocol (DHCPv6) Options for - Session Initiation Protocol (SIP) Servers" [RFC3319]. + An ISP MUST provision a DHCP server with information about LoST + servers [RFC5223]. An ISP operator may choose to deploy a LoST + server or to outsource it to other parties. 5.2.2. Location Determination and Location Configuration - When receiving an INVITE message the following steps are done: - 1. If the INVITE message does not include location information the - ESRP-registrar MUST use HELD identity - [I-D.ietf-geopriv-held-identity-extensions] to obtain the - location of the device as both a location value and reference. - In order to contact the LIS the ESRP-registrar SHOULD determine - the LIS address using the mechanism described in - [I-D.thomson-geopriv-res-gw-lis-discovery]. The ESRP-registrar - MAY use other methods for LIS determination where available. - 2. If the INVITE message contains a location URI then the ESRP- - registrar MUST dereference it so that it has a location available - to route the impending emergency call. The ESRP-registrar MAY - validate the LIS address in the location URI with that of the LIS - serving the network from which the INVITE message originated. - 3. The INVITE message contains location information by value. Any - actions performed by the ESRP-registrar to valid this information - are specific to the jurisdiction in which the ESRP operates and - are out of the scope of this document. + The ISP is responsible for location determination and exposes this + information to the end points via location configuration protocols. + The considerations described in [I-D.ietf-ecrit-location-hiding-req] + are applicable to this document. + + The ISP MUST support one of the LCPs described in Section 6.5 of + [I-D.ietf-ecrit-phonebcp]. The description in Section 6.5 and 6.6 of + [I-D.ietf-ecrit-phonebcp] regarding the interaction between the end + device and the LIS applies to this document. + + The interaction between the LIS at the ISP and the IAB is often + priorietary but the description in + [I-D.winterbottom-geopriv-lis2lis-req] may be relevant to the reader. 5.3. ESRP Profile 5.3.1. Emergency Call Routing - The ESRP must route the emergency call to the PSAP responsible for - the physical location of the end host. However, a standardized - approach for determining the correct PSAP based on a given location - is useful but not mandatory. - - For cases where a standardized protocol is used LoST [RFC5222] is a - suitable mechanism. + The ESRP continues to route the emergency call to the PSAP + responsible for the physical location of the end host. This may + require further interactions with LoST servers but depends on the + specific deployment. 5.3.2. Emergency Call Identification The ESRP MUST understand the Service URN mechanism [RFC5031] (i.e., - the 'urn:service:sos' tree) and additionally the national emergency - dial strings. The ESRP SHOULD perform a mapping of national - emergency dial strings to Service URNs to simplify processing at - PSAPs. + the 'urn:service:sos' tree). 5.3.3. SIP Emergency Call Signaling SIP signaling capabilities [RFC3261] are mandated for the ESRP. The ESRP MUST process the messages sent by the client, according to - Section 5.1.5. Furthermore, the ESRP MUST be able to add a reference - to location information, as described in SIP Location Conveyance - [I-D.ietf-sipcore-location-conveyance], before forwarding the call to - the PSAP. The ISP MUST be prepared to receive incoming dereferencing - requests to resolve the reference to the location information. - -5.3.4. Location Retrieval - - The ESRP acts a location recipient and the usage of HELD [RFC5985] - with the identity extensions - [I-D.ietf-geopriv-held-identity-extensions] may be a possible choice. - The ESRP would thereby act as a HELD client and the corresponding LIS - at the ISP as the HELD server. - - The ESRP needs to obtain enough information to route the call. The - ESRP itself, however, does not necessarily need to process location - information obtained via HELD since it may be used as input to LoST - to obtain the PSAP URI. + Section 5.1.5. 6. Lower Layer Considerations for NAA Case Some radio networks have added support for unauthenticated emergency access, some other type of networks advertise these capabilities using layer beacons. The end host learns about these unauthenticated emergency services capabilities either from the link layer type or from advertisement. This section discusses different methods to indicate an emergency @@ -592,27 +538,31 @@ detection and selection, authentication, and authorization. For initial network attachment of an emergency service requester, the method of how the emergency indication is given to the IAP/ISP is specific to the access technology. However, a number of general approaches can be identified: Link layer emergency indication: The end host provides an indication, e.g. an emergency parameter or flag, as part of the link layer signaling for initial network attachment. Examples include an emergency bit signalled in the IEEE 802.16-2009 - wireless link. signalling allows an IEEE 802.1X to occur without - exchanging cryptogrpahic keys. + wireless link. In IEEE 802.11 WLAN, an emergency support + indicator allows the STA to download before association an NAI + which it can use to request server side authentication only for an + 802.1x network. Higher-layer emergency indication: Typically emergency indication in access authentication. The emergency caller's end host provides an indication as part of the access authentication exchanges. EAP - based authentication is of particular relevance here. [nwgstg3]. + based authentication is of particular relevance here. Examples + are the EAP NAI decoration used in WiMAX networks and modification + of the authentication exchange in IEEE 802.11. [nwgstg3]. 6.1. Link Layer Emergency Indication In general, link layer emergency indications provide good integration into the actual network access procedure regarding the enabling of means to recognize and prioritize an emergency service request from an end host at a very early stage of the network attachment procedure. However, support in end hosts for such methods cannot be considered to be commonly available. @@ -611,163 +561,103 @@ In general, link layer emergency indications provide good integration into the actual network access procedure regarding the enabling of means to recognize and prioritize an emergency service request from an end host at a very early stage of the network attachment procedure. However, support in end hosts for such methods cannot be considered to be commonly available. No general recommendations are given in the scope of this memo due to the following reasons: + o Dependency on the specific access technology. + o Dependency on the specific access network architecture. Access authorization and policy decisions typically happen at a different layers of the protocol stack and in different entities than those terminating the link-layer signaling. As a result, link layer indications need to be distributed and translated between the different involved protocol layers and entities. Appropriate methods are specific to the actual architecture of the IAP/ISP network. -6.2. Higher-Layer Emergency Indication - - This section focuses on emergency indications based on authentication - and authorization in EAP-based network access. - - An advantage of combining emergency indications with the actual + o An advantage of combining emergency indications with the actual network attachment procedure performing authentication and - authorization is the fact that the emergency indication can directly - be taken into account in the authentication and authorization server - that owns the policy for granting access to the network resources. - As a result, there is no direct dependency on the access network - architecture that otherwise would need to take care of merging link- - layer indications into the AA and policy decision process. + authorization is the fact that the emergency indication can + directly be taken into account in the authentication and + authorization server that owns the policy for granting access to + the network resources. As a result, there is no direct dependency + on the access network architecture that otherwise would need to + take care of merging link-layer indications into the AA and policy + decision process. - EAP signaling happens at a relatively early stage of network + o EAP signaling happens at a relatively early stage of network attachment, so it is likely to match most requirements for prioritization of emergency signaling. However, it does not cover early stages of link layer activity in the network attachment process. Possible conflicts may arise e.g. in case of MAC-based filtering in entities terminating the link-layer signaling in the network (like a base station). In normal operation, EAP related - information will only be recognized in the NAS. Any entity residing - between end host and NAS should not be expected to understand/parse - EAP messages. - - The following potential methods to provide emergency indications in - combination with EAP-based network attachment, are recognized: - - 1. NAI-based emergency indication: + information will only be recognized in the NAS. Any entity + residing between end host and NAS should not be expected to + understand/parse EAP messages. - An emergency indication can be given by forming a specific NAI + o An emergency indication can be given by forming a specific NAI that is used as the identity in EAP based authentication for - network entry. Methods include: - - 2. - 1.a) NAI Decoration: - - NAI decoration is commonly used in routing EAP responses - within the IAP/ISP AAA infrastructure. Additional decoration - can be used to add an indication that the network attachment - attempt is meant for accessing emergency services. Potential - advantages of such approach include that it requires only - minimal realization effort compared to link-layer indications - with good integration into the authentication and - authorization procedures. The same procedure can be used for - all NAA cases (both unauthenticated and unauthorized) as well - as for normal attachment with a valid subscription. A - potential disadvantage is that such EAP decoration is not - globally defined across all different access technologies. - - 1.b) Emergency NAI: - - The NAI comes with a realm or username part indicating - emergency (e.g. 'emergency@emergency.com'). An advantage of - this method for NAA cases is that no new requirements are put - on the involved signaling procedures. Only the identity used - for network entry is impacted. Potential disadvantages - include that different methods to indicate emergency for NAA - cases and standard emergency network attachments may be - required. Also, modifying the NAI itself (the username@realm - part) may conflict with network selection and network entry - procedures, depending on the actual access network. - 3. Emergency EAP method - - An emergency indication can be given by using a dedicated EAP - method that is reserved for emergency network attachment only. - 2.a) Existing EAP method with New Method Type: - - An existing EAP method may be used. EAP methods themselves - typically do not support emergency indication. One option - would be to pick a common EAP method like EAP-TLS and allocate - a new method type for the same method that is exclusively - reserved to emergency use. Such EAP method should be chosen - in a way that the same method can support NAA cases as well as - standard emergency network attachment. - - 2.b) Existing EAP Method: - - Same as 2a), but without assigning a new EAP method type for - emergency. In this case some implicit indication must be - used. For example, in cases where EAP-TLS is used in network - attachment in combination with client certificates, the - absence of a client certificate could be interpreted by the - network as a request for emergency network attachment. - - 2.c) Emergency EAP Method: - - A new EAP method could be defined that is specifically - designed for emergency network entry in NAA cases. Most - likely, such EAP method would not be usable for standard - emergency network attachment with an existing subscription. - Such dedicated emergency EAP method should be key-generating - in compliance with RFC3748 to enable the regular air interface - security methods even in unauthenticated operation. + network entry. -6.3. Securing Network Attachment in NAA Cases +6.2. Securing Network Attachment in NAA Cases For network attachment in NAA cases, it may make sense to secure the link-layer connection between the device and the IAP/ISP. This - especially holds for wireless access with examples being based - access. The latter even mandates secured communication across the - wireless link for all IAP/ISP networks based on [nwgstg3]. + especially holds for wireless access with examples being IEEE 802.11 + or IEEE 802.16 based access. The latter even mandates secured + communication across the wireless link for all IAP/ISP networks based + on [nwgstg3]. Therefore, for network attachment that is by default based on EAP authentication it is desirable also for NAA network attachment to use a key-generating EAP method (that provides an MSK key to the authenticator to bootstrap further key derivation for protecting the wireless link). The following approaches to match the above can be identified: 1) Server-only Authentication: The device of the emergency service requester performs an EAP - method with the IAP/ISP EAP server that performs server + method with the IAP/ISP EAP server that performs server side authentication only. An example for this is EAP-TLS. This provides a certain level of assurance about the IAP/ISP to the device user. It requires the device to be provisioned with appropriate trusted root certificates to be able to verify the server certificate of the EAP server (unless this step is explicitly skipped in the device in case of an emergency service - request). + request). This method is used to provide access of devices + without existing credentials to an 802.1x network. The details + are incorporated into the not yet published 802.11-2011 + specification. 2) Null Authentication: - an EAP method is performed. However, no credentials specific to - either the server or the device or subscription are used as part - of the authentication exchange. An example for this would be an - EAP-TLS exchange with using the TLS_DH_anon (anonymous) - ciphersuite. Alternatively, a publicly available static key for - emergency access could be used. In the latter case, the device - would need to be provisioned with the appropriate emergency key - for the IAP/ISP in advance. + In one case (e.g. WiMAX) an EAP method is performed. However, no + credentials specific to either the server or the device or + subscription are used as part of the authentication exchange. An + example for this would be an EAP-TLS exchange with using the + TLS_DH_anon (anonymous) ciphersuite. Alternatively, a publicly + available static key for emergency access could be used. In the + latter case, the device would need to be provisioned with the + appropriate emergency key for the IAP/ISP in advance. In another + case (e.g. IEEE 802.11), no EAP method is used, so that empty + frames are transported during the over the air IEEE 802.1X + exchange. In this case the authentication state machine completes + with no cryptographic keys being exchanged. 3) Device Authentication: This case extends the server-only authentication case. If the device is configured with a device certificate and the IAP/ISP EAP server can rely on a trusted root allowing the EAP server to verify the device certificate, at least the device identity (e.g., the MAC address) can be authenticated by the IAP/ISP in NAA cases. An example for this are WiMAX devices that are shipped with device certificates issued under the global WiMAX device public-key @@ -823,112 +713,101 @@ location information does not need to be provided by the end host itself or it can be verified to fall within a specific geographical area. 8. Acknowledgments Parts of this document are derived from [I-D.ietf-ecrit-phonebcp]. Participants of the 2nd and 3rd SDO Emergency Services Workshop provided helpful input. + We would like to thank Richard Barnes, Brian Rosen, James Polk, Marc + Linsner, and Martin Thomson for their feedback at the IETF#80 ECRIT + meeting. + 9. IANA Considerations This document does not require actions by IANA. 10. References 10.1. Normative References - [I-D.ietf-sipcore-location-conveyance] - Polk, J., Rosen, B., and J. Peterson, "Location Conveyance - for the Session Initiation Protocol", - draft-ietf-sipcore-location-conveyance-03 (work in - progress), July 2010. - [RFC5031] Schulzrinne, H., "A Uniform Resource Name (URN) for Emergency and Other Well-Known Services", RFC 5031, January 2008. [RFC4119] Peterson, J., "A Presence-based GEOPRIV Location Object Format", RFC 4119, December 2005. [RFC5491] Winterbottom, J., Thomson, M., and H. Tschofenig, "GEOPRIV Presence Information Data Format Location Object (PIDF-LO) Usage Clarification, Considerations, and Recommendations", RFC 5491, March 2009. [RFC5139] Thomson, M. and J. Winterbottom, "Revised Civic Location Format for Presence Information Data Format Location Object (PIDF-LO)", RFC 5139, February 2008. - [RFC3361] Schulzrinne, H., "Dynamic Host Configuration Protocol - (DHCP-for-IPv4) Option for Session Initiation Protocol - (SIP) Servers", RFC 3361, August 2002. - - [RFC3319] Schulzrinne, H. and B. Volz, "Dynamic Host Configuration - Protocol (DHCPv6) Options for Session Initiation Protocol - (SIP) Servers", RFC 3319, July 2003. - [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [I-D.ietf-ecrit-phonebcp] Rosen, B. and J. Polk, "Best Current Practice for Communications Services in support of Emergency Calling", - draft-ietf-ecrit-phonebcp-15 (work in progress), - July 2010. + draft-ietf-ecrit-phonebcp-17 (work in progress), + March 2011. [RFC5222] Hardie, T., Newton, A., Schulzrinne, H., and H. Tschofenig, "LoST: A Location-to-Service Translation Protocol", RFC 5222, August 2008. [RFC5223] Schulzrinne, H., Polk, J., and H. Tschofenig, "Discovering Location-to-Service Translation (LoST) Servers Using the Dynamic Host Configuration Protocol (DHCP)", RFC 5223, August 2008. 10.2. Informative References [RFC5687] Tschofenig, H. and H. Schulzrinne, "GEOPRIV Layer 7 Location Configuration Protocol: Problem Statement and Requirements", RFC 5687, March 2010. [I-D.ietf-ecrit-framework] Rosen, B., Schulzrinne, H., Polk, J., and A. Newton, "Framework for Emergency Calling using Internet - Multimedia", draft-ietf-ecrit-framework-11 (work in - progress), July 2010. + Multimedia", draft-ietf-ecrit-framework-12 (work in + progress), October 2010. - [I-D.thomson-geopriv-res-gw-lis-discovery] + [I-D.ietf-geopriv-res-gw-lis-discovery] Thomson, M. and R. Bellis, "Location Information Server (LIS) Discovery using IP address and Reverse DNS", - draft-thomson-geopriv-res-gw-lis-discovery-04 (work in - progress), September 2010. + draft-ietf-geopriv-res-gw-lis-discovery-01 (work in + progress), March 2011. [RFC5985] Barnes, M., "HTTP-Enabled Location Delivery (HELD)", RFC 5985, September 2010. [RFC5012] Schulzrinne, H. and R. Marshall, "Requirements for Emergency Context Resolution with Internet Technologies", RFC 5012, January 2008. - [I-D.ietf-geopriv-held-identity-extensions] - Winterbottom, J., Thomson, M., Tschofenig, H., and R. - Barnes, "Use of Device Identity in HTTP-Enabled Location - Delivery (HELD)", - draft-ietf-geopriv-held-identity-extensions-05 (work in - progress), October 2010. + [I-D.ietf-ecrit-location-hiding-req] + Schulzrinne, H., Liess, L., Tschofenig, H., Stark, B., and + A. Kuett, "Location Hiding: Problem Statement and + Requirements", draft-ietf-ecrit-location-hiding-req-04 + (work in progress), February 2010. [I-D.winterbottom-geopriv-lis2lis-req] Winterbottom, J. and S. Norreys, "LIS to LIS Protocol Requirements", draft-winterbottom-geopriv-lis2lis-req-01 (work in progress), November 2007. [RFC5069] Taylor, T., Tschofenig, H., Schulzrinne, H., and M. Shanmugam, "Security Threats and Requirements for Emergency Call Marking and Mapping", RFC 5069, January 2008. @@ -982,17 +861,15 @@ Hannes Tschofenig Nokia Siemens Networks Linnoitustie 6 Espoo 02600 Finland Phone: +358 (50) 4871445 Email: Hannes.Tschofenig@gmx.net URI: http://www.tschofenig.priv.at Dirk Kroeselberg - Nokia Siemens Networks - St.-Martin-Str. 76 - Munich 81541 + Siemens Germany - Phone: +49 (89) 515933019 - Email: Dirk.Kroeselberg@nsn.com + Phone: + Email: dirk.kroeselberg@siemens.com