--- 1/draft-ietf-ecrit-unauthenticated-access-08.txt 2014-07-04 06:14:32.736608546 -0700 +++ 2/draft-ietf-ecrit-unauthenticated-access-09.txt 2014-07-04 06:14:32.796610076 -0700 @@ -1,156 +1,137 @@ ECRIT H. Schulzrinne Internet-Draft Columbia University Intended status: Standards Track S. McCann -Expires: April 22, 2014 Research in Motion UK Ltd +Expires: January 4, 2015 Research in Motion UK Ltd G. Bajko Nokia H. Tschofenig - Nokia Solutions and Networks + D. Kroeselberg Siemens - October 19, 2013 + July 3, 2014 Extensions to the Emergency Services Architecture for dealing with Unauthenticated and Unauthorized Devices - draft-ietf-ecrit-unauthenticated-access-08.txt + draft-ietf-ecrit-unauthenticated-access-09.txt Abstract - The IETF emergency services architecture assumes that the calling - device has acquired rights to use the access network or that no - authentication is required for the access network, such as for public - wireless access points. Subsequent protocol interactions, such as - obtaining location information, learning the address of the Public - Safety Answering Point (PSAP) and the emergency call itself are - largely decoupled from the underlying network access procedures. - - In some cases, however, the device does not have these credentials - for network access, does not have a VoIP service provider, or the - credentials have become invalid, e.g., because the user has exhausted - their prepaid balance or the account has expired. - - With features provided by the Public Switched Telephone Network - (PSTN) there is precedence for some of these use cases and the - transition to IP-based emergency calling creates the desire to - replicate functionality the PSTN already offers today. For example, - in many countries persons seeking help are empowered to initiate - emergency calls without having a Subscriber Identity Module (SIM) in - their mobile phone. - This document provides a problem statement, introduces terminology and describes an extension for the base IETF emergency services - architecture to address these scenarios. + architecture to address cases where an emergency caller is not + authenticated, has no identifiable service provider, or has no + remaining credit with which to pay for access to the network. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on April 22, 2014. + This Internet-Draft will expire on January 4, 2015. Copyright Notice - Copyright (c) 2013 IETF Trust and the persons identified as the + Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents - 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. Use Case Categories . . . . . . . . . . . . . . . . . . . . . 5 4. ZBP Considerations . . . . . . . . . . . . . . . . . . . . . 11 5. NASP Considerations . . . . . . . . . . . . . . . . . . . . . 11 - 5.1. End Host Profile . . . . . . . . . . . . . . . . . . . . 13 - 5.1.1. LoST Server Discovery . . . . . . . . . . . . . . . . 13 - 5.1.2. ESRP Discovery . . . . . . . . . . . . . . . . . . . 13 + 5.1. End Host Profile . . . . . . . . . . . . . . . . . . . . 14 + 5.1.1. LoST Server Discovery . . . . . . . . . . . . . . . . 14 + 5.1.2. ESRP Discovery . . . . . . . . . . . . . . . . . . . 14 5.1.3. Location Determination and Location Configuration . . 14 5.1.4. Emergency Call Identification . . . . . . . . . . . . 14 5.1.5. SIP Emergency Call Signaling . . . . . . . . . . . . 14 - 5.1.6. Media . . . . . . . . . . . . . . . . . . . . . . . . 14 - 5.1.7. Testing . . . . . . . . . . . . . . . . . . . . . . . 14 - 5.2. IAP/ISP Profile . . . . . . . . . . . . . . . . . . . . . 14 + 5.1.6. Media . . . . . . . . . . . . . . . . . . . . . . . . 15 + 5.1.7. Testing . . . . . . . . . . . . . . . . . . . . . . . 15 + 5.2. IAP/ISP Profile . . . . . . . . . . . . . . . . . . . . . 15 5.2.1. ESRP Discovery . . . . . . . . . . . . . . . . . . . 15 5.2.2. Location Determination and Location Configuration . . 15 5.3. ESRP Profile . . . . . . . . . . . . . . . . . . . . . . 15 5.3.1. Emergency Call Routing . . . . . . . . . . . . . . . 15 5.3.2. Emergency Call Identification . . . . . . . . . . . . 15 - 5.3.3. SIP Emergency Call Signaling . . . . . . . . . . . . 15 - 6. Lower Layer Considerations for NAA Case . . . . . . . . . . . 15 + 5.3.3. SIP Emergency Call Signaling . . . . . . . . . . . . 16 + 6. Lower Layer Considerations for NAA Case . . . . . . . . . . . 16 6.1. Link Layer Emergency Indication . . . . . . . . . . . . . 17 6.2. Securing Network Attachment in NAA Cases . . . . . . . . 18 7. Security Considerations . . . . . . . . . . . . . . . . . . . 19 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 20 - 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20 - 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 20 - 10.1. Normative References . . . . . . . . . . . . . . . . . . 20 - 10.2. Informative References . . . . . . . . . . . . . . . . . 21 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 + 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 + 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 21 + 10.1. Normative References . . . . . . . . . . . . . . . . . . 21 + 10.2. Informative References . . . . . . . . . . . . . . . . . 22 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 1. Introduction Summoning police, the fire department or an ambulance in emergencies is one of the fundamental and most-valued functions of the telephone. As telephone functionality moves from circuit-switched telephony to Internet telephony, its users rightfully expect that this core functionality will continue to work at least as well as it has for the older technology. New devices and services are being made - available that could be used to make a request for help, which are - not traditional telephones, and users are increasingly expecting them - to be used to place emergency calls. + available that could be used to make a request for help, those + devices are not traditional telephones, and users are increasingly + expecting them to be used to place emergency calls. Roughly speaking, the IETF emergency services architecture (see [RFC6881] and [RFC6443]) divides responsibility for handling - emergency calls between the access network (ISP), the application - service provider (ASP) that may be a VoIP service provider (VSP) and - the provider of emergency signaling services, the emergency service - network (ESN). The access network may provide location information - to end systems, but does not have to provide any ASP signaling - functionality. The emergency caller can reach the ESN either - directly or through the ASP's outbound proxy. Any of the three - parties can provide the mapping from location to PSAP URI by offering - LoST [RFC5222] services. + emergency calls among the access network (ISP); the application + service provider (ASP), which may be a VoIP service provider (VSP); + and the provider of emergency signaling services, the emergency + service network (ESN). The access network may provide location + information to end systems, but does not have to provide any ASP + signaling functionality. The emergency caller can reach the ESN + either directly or through the ASP's outbound proxy. Any of the + three parties can provide the mapping from location to PSAP URI by + offering LoST [RFC5222] services. In general, a set of automated configuration mechanisms allows a device to function in a variety of architectures, without the user being aware of the details on who provides location, mapping services or call routing services. However, if emergency calling is to be supported when the calling device lacks access network authorization or does not have an ASP, one or more of the providers may need to provide additional services and functions. In all cases, the end device has to be able to perform a LoST lookup and otherwise conduct the emergency call in the same manner as when the three exceptional conditions discussed below do not apply. - We distinguish between three conditions: + We distinguish among three conditions: No Access Authentication (NAA): In the NAA case, the emergency caller does not posses valid credentials for the access network. This includes the case where the access network allows pay-per- use, as is common for wireless hotspots, but there is insufficient time to enter credit card details and other registration information required for access. It also covers all cases where either no credentials are available at all, or the available credentials do not work for the given IAP/ISP. As a result, the NAA case basically combines the below NASP and ZBP cases, but at @@ -167,30 +148,30 @@ Note: The interoperability need is increased with this scenario since the client software used by the emergency caller must be compatible with the protocols and extensions deployed by the ESN. Zero-balance ASP (ZBP): In the case of zero-balance ASP, the ASP can authenticate the caller, but the caller is not authorized to use ASP services, e.g., because the contract has expired or the prepaid account for the customer has been depleted. - These three cases are not mutually exclusive. A caller in need for - help may find himself/herself in, for example, a NAA and NASP - situation, as explained in more details in Figure 1. Depending on - local policy and regulations, it may not be possible to place - emergency calls in the NAA case. Unless local regulations require - user identification, it should always be possible to place calls in - the NASP case, with minimal impact on the ISP. Unless the ESN - requires that all calls traverse a known set of VSPs, it is - technically possible to let a caller place an emergency call in the - ZBP case. We discuss each case in more details in Section 3. + These three cases are not mutually exclusive. A caller in need of + help may, for example, be in a NAA and NASP situation, as explained + in more detail in Figure 1. Depending on local policy and + regulations, it may not be possible to place emergency calls in the + NAA case. Unless local regulations require user identification, it + should always be possible to place calls in the NASP case, with + minimal impact on the ISP. Unless the ESN requires that all calls + traverse a known set of VSPs, it is technically possible to let a + caller place an emergency call in the ZBP case. We discuss each case + in more details in Section 3. Note: At the time of writing there is no regulation in place that demands the functionality described in this memo. SDOs have started their work on this subject in a proactive fashion in the anticipation that national regulation will demand it for a subset of network environments. As mentioned in the abstract some of the functionality provided in this document is already available in the PSTN. Consequently, there is real-world experience available and not all of it is positive. @@ -218,22 +199,22 @@ This document reuses terminology from [RFC5687] and [RFC5012], namely Internet Access Provider (IAP), Internet Service Provider (ISP), Application Service Provider (ASP), Voice Service Provider (VSP), Emergency Service Routing Proxy (ESRP), Public Safety Answering Point (PSAP), Location Configuration Server (LCS), (emergency) service dial string, and (emergency) service identifier. 3. Use Case Categories - On a very high-level, the steps to be performed by an end host not - being attached to the network and the user starting to make an + On a very high-level, the steps to be performed by an end host that + is not attached to the network and the user starting to make an emergency call are the following: Link Layer Attachment: Some networks have added support for unauthenticated emergency access, some other type of networks advertise these capabilities using layer beacons. The end host learns about these unauthenticated emergency services capabilities either from the link layer type or from advertisement. The end host uses the link layer specific network attachment procedures defined for unauthenticated network access in order to @@ -712,44 +695,46 @@ Some networks have added support for unauthenticated emergency access, some other type of networks advertise these capabilities using layer beacons. The end host learns about these unauthenticated emergency services capabilities either from the link layer type or from advertisement. It is important to highlight that the NAA case is inherently a layer 2 problem, and the general form of the solution is to provide an "emergency only" access type, with appropriate limits/monitoring to prevent abuse. The described mechanisms are informative in nature - since the relationship to the IETF emergency is only indirect, namely - via some protocols developed within the IETF (e.g., EAP and EAP - methods) that require extensions to support this functionality. + since the relationship to the IETF emergency services architecture is + only indirect, namely via some protocols developed within the IETF + (e.g., EAP and EAP methods) that require extensions to support this + functionality. This section discusses different methods to indicate an emergency service request as part of network attachment. It provides some general considerations and recommendations that are not specific to the access technology. To perform network attachment and get access to the resources provided by an IAP/ISP, the end host uses access technology specific network attachment procedures, including for example network detection and selection, authentication, and authorization. For initial network attachment of an emergency service requester, the method of how the emergency indication is given to the IAP/ISP is specific to the access technology. However, a number of general approaches can be identified: Link layer emergency indication: The end host provides an indication, e.g., an emergency parameter or flag, as part of the link layer signaling for initial network attachment. Examples include an emergency bit signalled in the IEEE 802.16-2009 wireless link. In IEEE 802.11 WLAN, an emergency support - indicator allows the STA to download before association an NAI + indicator allows the station (i.e., end host in this context) to + download before association a Network Access Identifier (NAI), which it can use to request server side authentication only for an 802.1x network. Higher-layer emergency indication: Typically, emergency indication is provided in the network access authentication procedure. The emergency caller's end host provides an indication as part of the access authentication exchanges. Authentication via the Extensible Authentication Protocol (EAP) [RFC3748] is of particular relevance here. Examples are the EAP NAI decoration used in WiMAX networks and modification of the authentication @@ -865,58 +850,59 @@ certificate. 7. Security Considerations The security threats discussed in [RFC5069] are applicable to this document. There are a couple of new vulnerabilities raised with unauthenticated emergency services in NASP/NAA cases since the PSAP operator will typically not possess any identity information about the emergency - call via the signaling path itself. In countries where this + caller via the signaling path itself. In countries where this functionality is used for GSM networks today this has lead to a significant amount of misuse. In the context of NAA, the IAP and the ISP will probably want to make sure that the claimed emergency caller indeed performs an emergency call rather than using the network for other purposes, and thereby acting fraudulent by skipping any authentication, authorization and accounting procedures. By restricting access of the unauthenticated emergency caller to the LoST server and the PSAP URI, traffic can be restricted only to emergency calls. This can be accomplished with traffic separation. The details, however, e.g. for using filtering, depend on the deployed ISP architecture and are beyond the scope of this document. - We only illustrate a possible model. If the ISP runs its own LoST - server, it would maintain an access control list including all IP - addresses contained in responses returned by the LoST server, as well - as the LoST server itself. (It may need to translate the domain - names returned to IP addresses and hope that the resolution captures - all possible DNS responses.) Since the media destination addresses - are not predictable, the ISP also has to provide a SIP outbound proxy - so that it can determine the media addresses and add those to the - filter list. + We only illustrate a possible model. If the ISP runs its own + (caching) LoST server, the ISP would maintain an access control list + populated with IP-address information obtained from LoST responses + (in the mappings). These URIs would either be URIs for contacting + further LoST servers or PSAP URIs. It may be necessary to translate + domain names returned in LoST responses to IP addresses. Since the + media destination addresses are not predictable, the ISP also has to + provide a SIP outbound proxy so that it can determine the media + addresses and add those to the filter list. For the ZBP case the additional aspect of fraud has to be considered. Unless the emergency call traverses a PSTN gateway or the ASP charges for IP-to-IP calls, there is little potential for fraud. If the ASP also operates the LoST server, the outbound proxy MAY restrict outbound calls to the SIP URIs returned by the LoST server. It is NOT RECOMMENDED to rely on a fixed list of SIP URIs, as that list may change. - Finally, a number of security vulnerabilities discussed in [RFC6280] - around faked location information are less problematic in the context - of unauthenticated emergency since location information does not need - to be provided by the end host itself or it can be verified to fall - within a specific geographical area. + RFC 6280 [RFC6280] discusses security vulnerabilities that are caused + by an adversary faking location information and thereby lying about + the actual location of the emergency caller. These threats may be + less problematic in the context of unauthenticated emergency when + location information can be verified by the ISP to fall within a + specific geographical area. 8. Acknowledgments Parts of this document are derived from [RFC6881]. Participants of the 2nd and 3rd SDO Emergency Services Workshop provided helpful input. We would like to thank Richard Barnes, Brian Rosen, James Polk, Marc Linsner, and Martin Thomson for their feedback at the IETF#80 ECRIT meeting. @@ -1005,29 +991,29 @@ 3748, June 2004. [RFC5216] Simon, D., Aboba, B., and R. Hurst, "The EAP-TLS Authentication Protocol", RFC 5216, March 2008. [RFC6280] Barnes, R., Lepinski, M., Cooper, A., Morris, J., Tschofenig, H., and H. Schulzrinne, "An Architecture for Location and Location Privacy in Internet Applications", BCP 160, RFC 6280, July 2011. - [esw07] , "3rd SDO Emergency Services Workshop, + [esw07] "3rd SDO Emergency Services Workshop, http://www.emergency-services-coordination.info/2007Nov/", October 30th - November 1st 2007. - [nwgstg3] , "WiMAX Forum WMF-T33-001-R015V01, WiMAX Network + [nwgstg3] "WiMAX Forum WMF-T33-001-R015V01, WiMAX Network Architecture Stage-3 http://www.wimaxforum.org/sites/wimaxforum.org/files/ - technical_document/2009/09/DRAFT-T33-001-R015v01 - -O_Network-Stage3-Base.pdf", September 2009. + technical_document/2009/09/DRAFT-T33-001-R015v01- + O_Network-Stage3-Base.pdf", September 2009. Authors' Addresses Henning Schulzrinne Columbia University Department of Computer Science 450 Computer Science Building New York, NY 10027 US @@ -1043,24 +1030,20 @@ Phone: +44 1753 667099 Email: smccann@rim.com URI: http://www.rim.com Gabor Bajko Nokia Email: Gabor.Bajko@nokia.com Hannes Tschofenig - Nokia Solutions and Networks - Linnoitustie 6 - Espoo 02600 - Finland + Hall in Tirol 6060 + Austria - Phone: +358 (50) 4871445 Email: Hannes.Tschofenig@gmx.net URI: http://www.tschofenig.priv.at - Dirk Kroeselberg Siemens Germany Email: dirk.kroeselberg@siemens.com