--- 1/draft-ietf-ecrit-unauthenticated-access-06.txt 2013-07-13 07:14:22.864979619 -0700 +++ 2/draft-ietf-ecrit-unauthenticated-access-07.txt 2013-07-13 07:14:22.904980651 -0700 @@ -1,26 +1,26 @@ ECRIT H. Schulzrinne Internet-Draft Columbia University Intended status: Standards Track S. McCann -Expires: November 01, 2013 Research in Motion UK Ltd +Expires: January 14, 2014 Research in Motion UK Ltd G. Bajko Nokia H. Tschofenig Nokia Siemens Networks D. Kroeselberg Siemens - April 30, 2013 + July 13, 2013 Extensions to the Emergency Services Architecture for dealing with Unauthenticated and Unauthorized Devices - draft-ietf-ecrit-unauthenticated-access-06.txt + draft-ietf-ecrit-unauthenticated-access-07.txt Abstract The IETF emergency services architecture assumes that the calling device has acquired rights to use the access network or that no authentication is required for the access network, such as for public wireless access points. Subsequent protocol interactions, such as obtaining location information, learning the address of the Public Safety Answering Point (PSAP) and the emergency call itself are largely decoupled from the underlying network access procedures. @@ -42,21 +42,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on November 01, 2013. + This Internet-Draft will expire on January 14, 2014. Copyright Notice Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -65,39 +65,39 @@ include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. Use Case Categories . . . . . . . . . . . . . . . . . . . . . 5 4. ZBP Considerations . . . . . . . . . . . . . . . . . . . . . 7 - 5. NASP Considerations . . . . . . . . . . . . . . . . . . . . . 7 - 5.1. End Host Profile . . . . . . . . . . . . . . . . . . . . 9 - 5.1.1. LoST Server Discovery . . . . . . . . . . . . . . . . 9 - 5.1.2. ESRP Discovery . . . . . . . . . . . . . . . . . . . 9 - 5.1.3. Location Determination and Location Configuration . . 9 + 5. NASP Considerations . . . . . . . . . . . . . . . . . . . . . 8 + 5.1. End Host Profile . . . . . . . . . . . . . . . . . . . . 10 + 5.1.1. LoST Server Discovery . . . . . . . . . . . . . . . . 10 + 5.1.2. ESRP Discovery . . . . . . . . . . . . . . . . . . . 10 + 5.1.3. Location Determination and Location Configuration . . 10 5.1.4. Emergency Call Identification . . . . . . . . . . . . 10 5.1.5. SIP Emergency Call Signaling . . . . . . . . . . . . 10 - 5.1.6. Media . . . . . . . . . . . . . . . . . . . . . . . . 10 - 5.1.7. Testing . . . . . . . . . . . . . . . . . . . . . . . 10 + 5.1.6. Media . . . . . . . . . . . . . . . . . . . . . . . . 11 + 5.1.7. Testing . . . . . . . . . . . . . . . . . . . . . . . 11 5.2. IAP/ISP Profile . . . . . . . . . . . . . . . . . . . . . 11 5.2.1. ESRP Discovery . . . . . . . . . . . . . . . . . . . 11 5.2.2. Location Determination and Location Configuration . . 11 5.3. ESRP Profile . . . . . . . . . . . . . . . . . . . . . . 11 5.3.1. Emergency Call Routing . . . . . . . . . . . . . . . 11 - 5.3.2. Emergency Call Identification . . . . . . . . . . . . 11 - 5.3.3. SIP Emergency Call Signaling . . . . . . . . . . . . 11 - 6. Lower Layer Considerations for NAA Case . . . . . . . . . . . 11 - 6.1. Link Layer Emergency Indication . . . . . . . . . . . . . 12 - 6.2. Securing Network Attachment in NAA Cases . . . . . . . . 13 + 5.3.2. Emergency Call Identification . . . . . . . . . . . . 12 + 5.3.3. SIP Emergency Call Signaling . . . . . . . . . . . . 12 + 6. Lower Layer Considerations for NAA Case . . . . . . . . . . . 12 + 6.1. Link Layer Emergency Indication . . . . . . . . . . . . . 13 + 6.2. Securing Network Attachment in NAA Cases . . . . . . . . 14 7. Security Considerations . . . . . . . . . . . . . . . . . . . 15 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 16 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 10.1. Normative References . . . . . . . . . . . . . . . . . . 16 10.2. Informative References . . . . . . . . . . . . . . . . . 17 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 1. Introduction @@ -105,30 +105,30 @@ is one of the fundamental and most-valued functions of the telephone. As telephone functionality moves from circuit-switched telephony to Internet telephony, its users rightfully expect that this core functionality will continue to work at least as well as it has for the older technology. New devices and services are being made available that could be used to make a request for help, which are not traditional telephones, and users are increasingly expecting them to be used to place emergency calls. Roughly speaking, the IETF emergency services architecture (see - [I-D.ietf-ecrit-phonebcp] and [RFC6443]) divides responsibility for - handling emergency calls between the access network (ISP), the - application service provider (ASP) that may be a VoIP service - provider and the provider of emergency signaling services, the - emergency service network (ESN). The access network may provide - location information to end systems, but does not have to provide any - ASP signaling functionality. The emergency caller can reach the ESN - either directly or through the ASP's outbound proxy. Any of the - three parties can provide the mapping from location to PSAP URI by - offering LoST [RFC5222] services. + [RFC6881] and [RFC6443]) divides responsibility for handling + emergency calls between the access network (ISP), the application + service provider (ASP) that may be a VoIP service provider and the + provider of emergency signaling services, the emergency service + network (ESN). The access network may provide location information + to end systems, but does not have to provide any ASP signaling + functionality. The emergency caller can reach the ESN either + directly or through the ASP's outbound proxy. Any of the three + parties can provide the mapping from location to PSAP URI by offering + LoST [RFC5222] services. In general, a set of automated configuration mechanisms allows a device to function in a variety of architectures, without the user being aware of the details on who provides location, mapping services or call routing services. However, if emergency calling is to be supported when the calling device lacks access network authorization or does not have an ASP, one or more of the providers may need to provide additional services and functions. In all cases, the end device has to be able to perform a LoST lookup @@ -268,21 +268,24 @@ network +--->| End | | +---------------+ attachment| `...../ | YES | | NO possible? | | | | v | v v +------------+ | +------------+ +------------+ | Execute | | | Execute | | Execute | | NAA |--------+ | Phone BCP | | NASP | | Procedures | | Procedures | | Procedures | +------------+ +------------+ +------------+ Authorization for| | - Emergency Call? | | + making an | | + + emergency call | | + with the ASP/VSP?| | +--------------+ v | NO | YES +-----Y | | | Done| v v `...../ +------------+ +------------+ | Execute | | Execute | | ZBP | | Phone BCP | | Procedures | | Procedures | +------------+ +------------+ | | @@ -291,52 +294,64 @@ +-----Y +-----Y | Done| | Done| `...../ `...../ Abbreviations: LLA: Link Layer Attachment ES: Emergency Services Figure 1: Flow Diagram + The "No Access Authentication (NAA)" procedures are described in + Section 6. The "Zero-balance ASP (ZBP)" procedures are described in + Section 4. The "No ASP (NASP)" procedures are described in + Section 5. The Phone BCP procedures are described in [RFC6881]. The + "Link Layer Attachment (LLA)" procedures are not described in this + document since they are specific to the link layer technology in use. + 4. ZBP Considerations ZBP includes all cases where a subscriber is known to an ASP, but lacks the necessary authorization to access regular ASP services. Example ZBP cases include empty prepaid accounts, barred accounts, roaming and mobility restrictions, or any other conditions set by ASP policy. - Local regulation might demand that emergency calls are always - authorized. An ASP can identify emergency sessions by identifying - the service URN [RFC5031] used in call setup. Emergency calls can - then be authorized accordingly. The ZBP case therefore only affects - the ASP. + Local regulation might demand that emergency calls cannot proceed + without successful service authorization. In regulatory regimes, + however, it may be possible to allow emergency calls to continue + despite authorization failures. To distinguish an emergency call + from a regular call an ASP can identify emergency sessions by + inspecting the service URN [RFC5031] used in call setup. The ZBP + case therefore only affects the ASP. - Permitting a call with limited authorization could present an - opportunity for abuse. The ASP MAY choose to validate session - initiation messages for valid destinations, see Section 7. + Permitting a call despite authorization failures could present an + opportunity for abuse. The ASP may choose to verify the destination + of the emergency calls and to only permit calls to certain, pre- + configured entities (e.g., to local PSAPs). Section 7 discusses this + topic in more detail. An ASP without a regulatory requirement to authorize emergency calls can deny emergency call setup. Where an ASP does not authorize an - emergency call, the caller can fall back to NASP procedures. + emergency call, the caller may be able to fall back to NASP + procedures. 5. NASP Considerations To start the description we consider the sequence of steps that are executed in an emergency call based on Figure 2. o As an initial step the devices attaches to the network as shown in step (1). This step is outside the scope of this section. o When the link layer network attachment procedure is completed the - end host learns basic configuration information using DHCP from + end host learns basic IP configuration information using DHCP from the ISP, as shown in step (2). o When the IP address configuration is completed then the end host starts an interaction with the discovered Location Configuration Server at the ISP, as shown in step (3). The ISP may in certain deployments need to interact with the IAP. This protocol exchange is shown in step (4). o Once location information is obtained the end host triggers the LoST protocol to obtain the address of the ESRP/PSAP. This step @@ -414,82 +428,83 @@ The end host MUST discover a LoST server [RFC5222] using DHCP [RFC5223]. 5.1.2. ESRP Discovery The end host MUST discover the ESRP using the LoST protocol [RFC5222]. 5.1.3. Location Determination and Location Configuration + The end host MUST support location acquisition and the LCPs described - in Section 6.5 of [I-D.ietf-ecrit-phonebcp]. The description in - Section 6.5 and 6.6 of [I-D.ietf-ecrit-phonebcp] regarding the - interaction between the device and the LIS applies to this document. + in Section 6.5 of [RFC6881]. The description in Section 6.5 and 6.6 + of [RFC6881] regarding the interaction between the device and the LIS + applies to this document. The SIP UA in the end host MUST attach available location information in a PIDF-LO [RFC4119] when making an emergency call. When constructing the PIDF-LO the guidelines in PIDF-LO profile [RFC5491] MUST be followed. For civic location information the format defined in [RFC5139] MUST be supported. 5.1.4. Emergency Call Identification To determine which calls are emergency calls, some entity needs to map a user entered dialstring into this URN scheme. A user may - "dial" 1-1-2, but the call would be sent to urn:service:sos. This - mapping SHOULD be performed at the endpoint device. + "dial" 1-1-2, 9-1-1, etc., but the call would be sent to + urn:service:sos. This mapping SHOULD be performed at the endpoint + device. End hosts MUST use the Service URN mechanism [RFC5031] to mark calls as emergency calls for their home emergency dial string. 5.1.5. SIP Emergency Call Signaling SIP signaling capabilities [RFC3261] are mandated for end hosts. The initial SIP signaling method is an INVITE. The SIP INVITE request MUST be constructed according to the requirements in - Section 9.2 [I-D.ietf-ecrit-phonebcp]. + Section 9.2 [RFC6881]. Regarding callback behavior SIP UAs SHOULD place a globally routable URI in a Contact: header. 5.1.6. Media End points MUST comply with the media requirements for end points - placing an emergency call found in Section 14 of - [I-D.ietf-ecrit-phonebcp]. + placing an emergency call found in Section 14 of [RFC6881]. 5.1.7. Testing - The description in Section 15 of [I-D.ietf-ecrit-phonebcp] is fully - applicable to this document. + The description in Section 15 of [RFC6881] is fully applicable to + this document. 5.2. IAP/ISP Profile 5.2.1. ESRP Discovery An ISP MUST provision a DHCP server with information about LoST servers [RFC5223]. An ISP operator may choose to deploy a LoST server or to outsource it to other parties. 5.2.2. Location Determination and Location Configuration The ISP is responsible for location determination and exposes this information to the end points via location configuration protocols. The considerations described in [RFC6444] are applicable to this document. The ISP MUST support one of the LCPs described in Section 6.5 of - [I-D.ietf-ecrit-phonebcp]. The description in Section 6.5 and 6.6 of - [I-D.ietf-ecrit-phonebcp] regarding the interaction between the end - device and the LIS applies to this document. + [RFC6881]. The description in Section 6.5 and 6.6 of [RFC6881] + regarding the interaction between the end device and the LIS applies + to this document. The interaction between the LIS at the ISP and the IAP is often priorietary but the description in [I-D.winterbottom-geopriv-lis2lis-req] may be relevant to the reader. 5.3. ESRP Profile 5.3.1. Emergency Call Routing The ESRP continues to route the emergency call to the PSAP @@ -524,21 +539,21 @@ To perform network attachment and get access to the resources provided by an IAP/ISP, the end host uses access technology specific network attachment procedures, including for example network detection and selection, authentication, and authorization. For initial network attachment of an emergency service requester, the method of how the emergency indication is given to the IAP/ISP is specific to the access technology. However, a number of general approaches can be identified: Link layer emergency indication: The end host provides an - indication, e.g. an emergency parameter or flag, as part of the + indication, e.g., an emergency parameter or flag, as part of the link layer signaling for initial network attachment. Examples include an emergency bit signalled in the IEEE 802.16-2009 wireless link. In IEEE 802.11 WLAN, an emergency support indicator allows the STA to download before association an NAI which it can use to request server side authentication only for an 802.1x network. Higher-layer emergency indication: Typically emergency indication in access authentication. The emergency caller's end host provides an indication as part of the access authentication exchanges. EAP @@ -621,29 +636,29 @@ appropriate trusted root certificates to be able to verify the server certificate of the EAP server (unless this step is explicitly skipped in the device in case of an emergency service request). This method is used to provide access of devices without existing credentials to an 802.1x network. The details are incorporated into the not yet published 802.11-2011 specification. 2) Null Authentication: - In one case (e.g. WiMAX) an EAP method is performed. However, no + In one case (e.g., WiMAX) an EAP method is performed. However, no credentials specific to either the server or the device or subscription are used as part of the authentication exchange. An example for this would be an EAP-TLS exchange with using the TLS_DH_anon (anonymous) ciphersuite. Alternatively, a publicly available static key for emergency access could be used. In the latter case, the device would need to be provisioned with the appropriate emergency key for the IAP/ISP in advance. In another - case (e.g. IEEE 802.11), no EAP method is used, so that empty + case (e.g., IEEE 802.11), no EAP method is used, so that empty frames are transported during the over the air IEEE 802.1X exchange. In this case the authentication state machine completes with no cryptographic keys being exchanged. 3) Device Authentication: This case extends the server-only authentication case. If the device is configured with a device certificate and the IAP/ISP EAP server can rely on a trusted root allowing the EAP server to verify the device certificate, at least the device identity (e.g., @@ -697,23 +712,23 @@ change. Finally, a number of security vulnerabilities discussed in [RFC6280] around faked location information are less problematic in the context of unauthenticated emergency since location information does not need to be provided by the end host itself or it can be verified to fall within a specific geographical area. 8. Acknowledgments - Parts of this document are derived from [I-D.ietf-ecrit-phonebcp]. - Participants of the 2nd and 3rd SDO Emergency Services Workshop - provided helpful input. + Parts of this document are derived from [RFC6881]. Participants of + the 2nd and 3rd SDO Emergency Services Workshop provided helpful + input. We would like to thank Richard Barnes, Brian Rosen, James Polk, Marc Linsner, and Martin Thomson for their feedback at the IETF#80 ECRIT meeting. Furthermore, we would like to thank Martin Thomson and Bernard Aboba for their detailed document review in preparation of the 81st IETF meeting. 9. IANA Considerations @@ -741,54 +756,43 @@ Object (PIDF-LO)", RFC 5139, February 2008. [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. - [I-D.ietf-ecrit-phonebcp] - Rosen, B. and J. Polk, "Best Current Practice for - Communications Services in support of Emergency Calling", - draft-ietf-ecrit-phonebcp-20 (work in progress), September - 2011. + [RFC6881] Rosen, B. and J. Polk, "Best Current Practice for + Communications Services in Support of Emergency Calling", + BCP 181, RFC 6881, March 2013. [RFC5222] Hardie, T., Newton, A., Schulzrinne, H., and H. Tschofenig, "LoST: A Location-to-Service Translation Protocol", RFC 5222, August 2008. [RFC5223] Schulzrinne, H., Polk, J., and H. Tschofenig, "Discovering Location-to-Service Translation (LoST) Servers Using the Dynamic Host Configuration Protocol (DHCP)", RFC 5223, August 2008. 10.2. Informative References [RFC5687] Tschofenig, H. and H. Schulzrinne, "GEOPRIV Layer 7 Location Configuration Protocol: Problem Statement and Requirements", RFC 5687, March 2010. [RFC6443] Rosen, B., Schulzrinne, H., Polk, J., and A. Newton, "Framework for Emergency Calling Using Internet Multimedia", RFC 6443, December 2011. - [I-D.ietf-geopriv-res-gw-lis-discovery] - Thomson, M. and R. Bellis, "Location Information Server - (LIS) Discovery using IP address and Reverse DNS", draft- - ietf-geopriv-res-gw-lis-discovery-05 (work in progress), - April 2013. - - [RFC5985] Barnes, M., "HTTP-Enabled Location Delivery (HELD)", RFC - 5985, September 2010. - [RFC5012] Schulzrinne, H. and R. Marshall, "Requirements for Emergency Context Resolution with Internet Technologies", RFC 5012, January 2008. [RFC6444] Schulzrinne, H., Liess, L., Tschofenig, H., Stark, B., and A. Kuett, "Location Hiding: Problem Statement and Requirements", RFC 6444, January 2012. [I-D.winterbottom-geopriv-lis2lis-req] Winterbottom, J. and S. Norreys, "LIS to LIS Protocol